The EU Data Act became applicable in September 2025. Businesses across the EU must comply with the new legal framework, which often means reshaping contracts, revising data access policies, and adjusting compliance priorities.
The regulation applies directly in all EU Member States, so Polish companies cannot rely on delayed national implementation. Certain procedural rules, including the designation of supervisory authorities and enforcement mechanisms, still need to be established in Poland, adding uncertainty for data-intensive sectors.
What the EU Data Act Means in Practice
The EU Data Act establishes rules for making data generated by connected devices and related services available to users, whether individuals or businesses. This encompasses a broad range of IoT products, from smart household appliances to industrial machines and medical devices. It also applies to data processing service providers, including those offering cloud and edge services, to customers across the EU. Manufacturers and service providers must ensure that users can easily access the data generated by the products they use and, at the user’s request, share that data with third parties.
For Poland, where IoT adoption is growing in consumer, logistics, transport, and industry sectors, this is particularly significant. Local subsidiaries of international corporations will need to align their products and contracts with EU-wide standards.
Another key aspect is contractual fairness. The regulation protects smaller companies against unfair terms imposed by stronger counterparts, potentially leveling the playing field in Poland’s SME-driven innovation and supply chains, also in the context of cloud-based and edge data services. However, this will also add compliance obligations for larger firms.
Impact on Cloud Services
The EU Data Act will particularly affect cloud service providers, as they manage and process large volumes of data, making compliance with access and sharing obligations critical. This applies to all types of data processing services: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Providers of such services will need to review and update their existing contracts, including standard cloud service agreements, transparency notices, data-sharing terms and internal compliance policies, to meet the new regulatory requirements.
Impact on the Healthcare Sector
The healthcare sector will also be strongly affected. Poland ranks among the top ten global exporters of medical devices, with EUR 5.6 billion in exports in 2023, representing a 12% year-on-year increase. Connected devices generate increasing volumes of patient data, and the EU Data Act strengthens rights to access and share this information.
Impact on the Manufacturing Sector
The manufacturing sector also faces challenges. Factories using advanced machinery must ensure compliance with data access rights for operators and clients, possibly renegotiating supplier agreements and adjusting internal processes.
Regulatory Enforcement
While the EU Data Act is directly applicable across the EU, effective enforcement in Poland will require national authorities to take an active role. According to the information published by the Polish government, the President of the Office of Electronic Communications (President of UKE) will be designated as the authority responsible for implementing and supervising the regulation. Their role will be wide-ranging. It will oversee the application of the EU Data Act, handle complaints, and impose administrative fines where necessary.
The planned legislation is expected to be adopted by the government in the Q4 2025, setting the framework for the full application of the EU Data Act in Poland.
Looking Ahead
Providers of IoT products and cloud service providers operating in the EU market should immediately take steps to comply with the EU Data Act. Companies need to map the data generated by their products and services, review contractual obligations, and set up processes to respond to user requests. This will often require close cooperation between legal, compliance, IT, and product teams.
Although details of national enforcement are still emerging, the EU Data Act’s objective is clear: to unlock the value of data across the EU and foster a more competitive digital economy. For Polish businesses, this means both ensuring compliance with new rules and exploring opportunities created by broader access to data. Those businesses that act early can turn regulatory requirements into a strategic advantage.
By Szymon Sieniewicz, Head of TMT/IP Practice, and Malgorzata Czubernat, Associate, Addleshaw Goddard
This article was originally published in Issue 12.9 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
