The EU Data Act requires vehicle manufacturers to make the data their connected products generate available to the user and, at the user's request, to authorized third parties, in a usable, real-time, and non-discriminatory way. For OEMs and the fleets that operate their vehicles, that means the connected data a car produces can no longer sit behind a closed first-party portal. It has to be accessible, with the owner's consent, to the services the owner chooses.
In short: the car is becoming an open data source by law, and the OEMs that treat it as an architecture problem now, instead of a legal scramble later, will be the ones who turn it into revenue instead of liability.
The timeline that is not moving
The Data Act became applicable in September 2025, and the obligations that bite hardest for connected vehicles (third-party data access at the user's request) phase into enforcement for OEMs around September 2026. The deadline is fixed.
That matters because of simple arithmetic. A 12–18 month in-house build that starts today delivers 6–12 months late. The compliance clock does not move. An OEM that decides to build its own consent, access, and audit layer from scratch is, in most cases, already behind the regulation before the first sprint closes.
What “compliant access” actually requires
Stripped to its essentials, and read alongside GDPR, the Data Act asks for four capabilities around vehicle data:
- Authorization. The user must explicitly grant access; implied or bundled consent does not satisfy the standard.
- Scoping. Third parties receive only the specific data a user authorized, for the purpose authorized, not a firehose.
- Revocation. The user can withdraw access, and the withdrawal must actually stop the flow.
- Auditability. There must be a record of who accessed what, when, and under whose authorization.
Most existing connected-services stacks were never designed around these four. They were built to deliver first-party features, then retrofitted with a consent checkbox. The Data Act is hard precisely because it demands these properties be structural, not cosmetic.
How a session model meets it
A vehicle session is an access event with those four properties built in. When a session is created, it carries the user's identity, a defined data scope, and a time limit; when it ends, access revokes atomically and a signed, independently verifiable record is sealed. Consent is part of creating the session, not a policy attached afterward. That is exactly what session-scoped consent describes.
Because the access primitive already produces authorization, scoping, revocation, and an audit trail, EU Data Act compliance is a byproduct of the architecture, not a retrofit. An OEM integrates one access layer and inherits the compliant behavior across every model and market, rather than re-implementing consent for each program. The same model normalizes data across 50+ OEM brands, which matters for fleets running mixed inventories.
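The session model described in this section, as an added example (not DIMO's, nor any OEM's, code): a small Python access layer in which consent is captured at session creation, each read is checked against the granted scope, purpose and time limit, revocation takes effect under the same lock that reads use, and every decision (grant, read, denial, revocation) is sealed as an HMAC-signed audit record that can be re-verified later. The field names, the signing key, the sample vehicle data and the `SessionRegistry` class itself are constructed for this example.

```python
"""Session-scoped consent for vehicle data: an illustrative model.

Added example, not any OEM's or platform's code. Field names, the audit
signing key and the vehicle data below are constructed for the example.
"""
import hashlib
import hmac
import json
import threading
import time
from dataclasses import dataclass

# Hypothetical key held only by the access layer. A real deployment would keep
# it in a KMS/HSM and would normally use an asymmetric signature so auditors can
# verify records without holding the signing secret.
AUDIT_KEY = b"constructed-example-key"

# Constructed sample of what a vehicle might expose through the access layer.
VEHICLE_DATA = {"odometer_km": 42000, "soc_pct": 81, "location": (48.85, 2.35)}


class AccessDenied(Exception):
    """Raised when a read falls outside a live, user-authorized session."""


@dataclass
class Session:
    session_id: str
    user_id: str          # the user who granted consent
    third_party: str      # the service the user authorized
    scope: frozenset      # exact data fields the user authorized
    purpose: str          # purpose the user authorized those fields for
    expires_at: float     # hard time limit on the grant
    revoked: bool = False


class SessionRegistry:
    """Creates, enforces and revokes sessions; every decision is logged and signed."""

    def __init__(self, key=AUDIT_KEY, clock=time.time):
        self._key = key
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._lock = threading.Lock()
        self._sessions = {}
        self.audit_log = []          # list of {"record": ..., "sig": ...}

    def _sign(self, record):
        payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _record(self, event, **fields):
        record = {"ts": self._clock(), "event": event, **fields}
        self.audit_log.append({"record": record, "sig": self._sign(record)})

    def create(self, session_id, user_id, third_party, scope, purpose, ttl_seconds):
        """Consent is captured here: no session, no access."""
        session = Session(session_id, user_id, third_party, frozenset(scope),
                          purpose, self._clock() + ttl_seconds)
        with self._lock:
            self._sessions[session_id] = session
        self._record("create", session=session_id, user=user_id,
                     third_party=third_party, scope=sorted(scope), purpose=purpose)
        return session

    def read(self, session_id, requested_fields, purpose, data=VEHICLE_DATA):
        """Return only the authorized fields; deny (and log) anything else."""
        requested = set(requested_fields)
        with self._lock:
            s = self._sessions.get(session_id)
            if s is None or s.revoked or self._clock() >= s.expires_at:
                reason = "no_live_session"
            elif purpose != s.purpose:
                reason = "purpose_mismatch"
            elif not requested <= s.scope:
                reason = "out_of_scope"
            else:
                reason = None
            if reason:
                self._record("deny", session=session_id, fields=sorted(requested), reason=reason)
                raise AccessDenied(reason)
            self._record("read", session=session_id, user=s.user_id,
                         third_party=s.third_party, fields=sorted(requested))
            return {k: data[k] for k in requested}

    def revoke(self, session_id):
        """Withdrawal is applied under the same lock reads take, so no read can race past it."""
        with self._lock:
            s = self._sessions.get(session_id)
            if s is None:
                return False
            s.revoked = True
            self._record("revoke", session=session_id, user=s.user_id)
            return True

    def verify_log(self):
        """Recompute every signature; any altered record makes the whole log fail."""
        return all(hmac.compare_digest(self._sign(e["record"]), e["sig"])
                   for e in self.audit_log)
```

The design choice worth noting is that denials are logged with the same signing as reads: an audit trail that only records successful access cannot show a regulator that out-of-scope requests were actually refused. Expiry is checked on every read rather than by a background sweeper, so a lapsed session fails closed even if cleanup never runs.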
From compliance cost to revenue
It is tempting to read the Data Act as pure cost. It is not. The same consented, scoped access that satisfies the regulation is the foundation for the software revenue OEMs are already chasing. They are collectively targeting $62–67 billion a year from software and connected services by 2030. The difference is that the compliant path and the revenue path are now the same path. An OEM that can grant a driver-authorized session can also offer per-session insurance, plug-and-charge, or maintenance services on top of it, legally, with the consent already captured.
Contrast that with the closed path. As the FTC's GM/OnStar order showed, the bulk-data-brokerage model is now a liability rather than an asset. The OEMs that win the next decade of connected-services revenue will be the ones whose data access was consented and auditable from the first session, because that is the only kind regulators, insurers, and increasingly customers will accept.
Common questions
Does this only matter for vehicles sold in the EU?
The Data Act is an EU regulation, but its pull is global. The same architecture an OEM builds for the EU answers the FTC standard in the US and SB-1394 in California, so most manufacturers will not maintain a separate “compliant” stack for one market and a legacy stack for another. The economics push toward one consented access layer everywhere.
We already have a connected-services program. Is that enough?
Usually not. Most existing programs were designed to deliver first-party features and then retrofitted with a consent checkbox. The Data Act asks for third-party access at the user's request, with scoping, revocation, and an audit trail as structural properties. If those four are not built into how access is granted, a checkbox will not close the gap.
What OEMs and fleets should do now
- OEMs: treat third-party access as a platform capability, not a per-program feature. Decide build-vs-integrate against a September 2026 clock, not an open-ended roadmap.
- Fleets: if you operate vehicles in the EU, confirm your data access path is consent-backed and revocable today. See audit-ready vehicle access.
This page is educational, not legal advice. Formal certification review should be completed before using compliance language in European OEM procurement.
Related: the FTC GM/OnStar order · all compliance topics · DIMO for OEMs