EU Data Act changes rules for medical devices data

The EU has adopted Regulation (EU) 2023/2854 on data (Data Act). The aim is to create a uniform framework for fair and secure sharing of data from connected devices and digital services, strengthen user rights, and promote innovation across sectors. The Data Act will also have a significant impact on healthcare, particularly on medical devices that collect and transmit data on their use or on the patient's health status. Under the new rules, manufacturers become data holders and must ensure that this data is easily, securely, and freely available to users, i.e. hospitals, doctors, and patients, who will now be given the ability to decide on its further use.

Effective from September 12, 2025, this regulation, which is a key pillar of the European Data Strategy, imposes an obligation on data holders (persons who use or make data available) to apply the principle of "data accessibility by design" in development. This means that the data generated or collected by a medical device during its use must be easily technically accessible to its owner/renter (user), e.g. a healthcare provider or patient. This obligation applies to products and services placed on the market after September 12, 2026. Before concluding a purchase/rental agreement, the data holder must inform the user what data will be accessible, how it can be obtained, how long it will be stored, and with whom it will be shared. The user has the right to receive the data in a comprehensive and machine-readable format and, if technically possible, in real time. The user also has the right to transfer the data to a third party in the same quality.

The data holder, often the manufacturer of the product, who is obliged to make the data available, has to do so under fair, reasonable, and non-discriminatory conditions (FRAND). Unreasonable agreements limiting liability or rights to remedy are invalid. In cases of exceptional need (e.g. in an officially declared crisis situation or in the performance of public tasks laid down by the law of a Member State), public authorities or the European Commission may request access to otherwise unavailable data. In such crisis situations, the data must be provided free of charge and within specified time limits.

Better access to healthcare data

For the medical device sector, the Data Act represents a fundamental shift towards transparent and user-controlled access to data obtained through the use of medical devices within the European Union territory. Hospitals, doctors, and patients alike will gain greater control over the data generated by devices and will be able to use it effectively for diagnosis, service, or research. Manufacturers must ensure technical readiness, interoperability, and compliance with GDPR regulations and trade secret protection.

The Data Act thus paves the way for greater data openness in healthcare with full respect for the GDPR, where data truly belongs to the user and sharing it becomes the key to innovation as well as better quality patient care.

Author: Markéta Hrubá