The Data Act Regulation (Regulation (EU) 2023/2854) formally entered into force on 11 January 2024 and becomes fully applicable as of today, 12 September 2025. Its stated objective is to promote a fairer, more transparent, and more interoperable use of data generated by connected products (IoT), devices, and digital services, while strengthening users’ ability to control, use, and share their own data.
In parallel, the regulation on the European Health Data Space (EHDS) has entered into force, setting specific rules for health data. It distinguishes between primary uses (care, assistance) and secondary uses (research, regulation, policymaking), while strengthening interoperability, patient protection, and the infrastructures needed for cross-border data exchange.
The Data Act does not replace the GDPR but positions itself as a complementary regulation: it governs data access, portability, and the way devices must be designed to facilitate such access. The GDPR continues to set the rules for the processing of personal data; therefore, whenever these data intersect with healthcare use, privacy protection remains central.
The Scenario in the Life Sciences Sector
Stakeholders Involved
The primary stakeholders are, first of all, manufacturers of connected medical devices—from pacemakers to infusion pumps, from continuous monitoring sensors to wearables that collect clinical parameters. Healthcare providers and hospitals are also directly involved, as users of the data generated and, in turn, as collectors and managers of clinical information to be integrated into the EHDS. Pharmaceutical and biotech companies are particularly interested in the Real-World Evidence dimension, the development of new products or services based on real-world data, and pharmacovigilance. Beneficiaries may also include researchers, digital start-ups, and policymakers, all of whom could potentially access anonymized or pseudonymized health data.
What Will Change in Practice
The Data Act introduces changes of considerable significance. Users, whether patients or healthcare facilities, will have the right to free access to usage data generated by devices—provided such access does not require disproportionate efforts—and to transfer this data to third parties. Manufacturers will be required to provide clear information before a contract is concluded on the type, format, and scope of the data generated by the device, including metadata and access methods. From 2026 onward, connected products must also be designed to guarantee data access by default, without technical barriers. Finally, in B2B relationships, the transfer of non-personal data may be subject to financial compensation, but always under fair, reasonable, and non-discriminatory conditions.
Possible Consequences
Opportunities
The opportunities are manifold. In terms of patient empowerment, the Data Act enables individuals to exercise real control over the data generated by their devices, fostering transparency and trust while also supporting more personalized care management. For the industry, it represents a strong push toward innovation: broader access to data, including for secondary use, expands the potential for clinical research, predictive algorithm development, and artificial intelligence applications. Interoperability and standardization, mandated by the regulation, can reduce system fragmentation and lower integration costs. In addition, the possibility for users to rely on third-party services reduces lock-in and stimulates competition, opening space for new business models.
Critical Issues and Risks
Alongside the benefits, significant challenges are emerging. First and foremost are the costs of compliance: ensuring access, security, and interoperability will require substantial investments, particularly for device manufacturers. On the privacy front, tensions with the GDPR are inevitable: it will be necessary to clarify when data should be considered personal, how to protect it through anonymization and pseudonymization techniques, and how to manage the risks of re-identification. Equally complex is the regulatory overlap, with the Data Act intersecting with the EHDS, GDPR, and medical device rules, creating a difficult-to-govern mosaic. Added to this is the risk that data sharing may expose trade secrets or strategic information, with consequences for intellectual property. Finally, the uneven level of digitalization among Member States could generate disparities, with some countries ready to quickly benefit from the new regulation while others lag behind in its implementation.
Realism vs Expectations
While the ambitions are high, the practical implementation of the Data Act remains complex. The compliance timeline—such as the 2026 deadline for devices designed under the “data access by default” principle—is tight and could create difficulties for companies that have not acted early. Data quality and standardization represent another challenge: accessibility alone is not enough; information must also be reliable and integrated with healthcare systems often built on legacy architectures. Economic sustainability is no minor issue either: it remains unclear how compliance costs will be distributed across the value chain. Finally, patient trust will be decisive: without strong guarantees of security and ethical use of data, willingness to share information may decline, undermining the very foundation of the regulation.
Strategic Implications for Italian Companies and Operators
For Italian companies active in the pharmaceutical and medical device supply chain, the impact of the Data Act is not a marginal issue but an immediate challenge. Compliance with the new rules requires integrating the regulation’s requirements into product development processes, contractual frameworks, and digital service models. This is not simply a matter of adding an extra module or adjusting a contract: the entire lifecycle of medical devices—from design to maintenance—will need to be rethought to ensure that data access is guaranteed by default and that sharing takes place under transparent and secure conditions.
This scenario demands significant investments in IT infrastructure, cybersecurity, and interoperability standards, as well as substantial organizational change. Legal, regulatory, and product development teams will need to work in close coordination to address the overlaps between the Data Act, GDPR, EHDS, and medical device regulations. For those who move quickly, regulatory compliance can become a competitive advantage: offering devices that are already Data Act-compliant will mean standing out as an innovative and trustworthy player, ready to fully unlock the value of data.
Future Scenarios
Looking beyond the implementation phase, the Data Act opens up scenarios that could profoundly transform the European healthcare ecosystem. One of the most promising prospects concerns the growth of secondary use of data: clinical research, public health, the development of artificial intelligence, and policy assessments will benefit from infrastructures such as HealthData@EU, designed to facilitate secure and shared access to health information. It is likely that this new availability will generate unprecedented business models, based on platforms for clinical data analysis, predictive maintenance services for medical devices, and digital offerings built on subscriptions and personalized services.
However, the picture is not without complexity. The interaction between the Data Act and the EHDS could accentuate differences among national healthcare systems: countries with more mature digital infrastructures and greater investment capacity will adapt more quickly, while others risk falling behind. At the same time, the strong focus of European regulators on safeguarding patients’ rights and protecting data suggests strict controls and potentially significant penalties in the event of violations.
The future of the Data Act, therefore, will hinge on a delicate balance between innovation and protection. On the one hand, greater data availability can fuel a dynamic and competitive ecosystem; on the other, it will be citizens’ trust—together with institutions’ ability to ensure the safe and ethical use of information—that will ultimately determine the success of this transformation.
The Data Act represents a turning point for European digital health. It is not merely a piece of legislation but a driver of transformation that can foster innovation and new models of care. Pharma and medtech companies that move early will be able to turn obligations into opportunities, consolidating trust and value. But the real challenge will lie in compliance, data protection, and the ability to build a truly interoperable ecosystem. The opportunity is on the table—those who seize it will be the key players in the new data era of healthcare.