What is the EU Data Act and which obligations enter the marketing phase in May 2026?

The EU Data Act — Regulation (EU) 2023/2854 — is the horizontal data-sharing framework adopted in late 2023 to govern access to and use of data generated by connected products and related services in the European Union. The Act became applicable on 12 September 2025 and is now in its first substantive enforcement phase. The May 2026 phase brings several marketing-facing obligations into operational force, particularly around connected product marketing, smart contract disclosure, and B2B data-sharing claims. The Act covers a broad scope of connected products including IoT consumer devices, smart appliances, vehicles, industrial equipment, smart home hardware, and any product whose primary function depends on or is enhanced by data generated through use. The Act also covers related services that process or analyse data from connected products. The marketing implications are most significant for manufacturers, service providers, and B2B SaaS vendors that operate in this product space. The May 2026 phase introduces three substantive marketing obligations. First, the data access disclosure obligation requires connected product marketing materials to clearly communicate the user's right to access data generated by the product, the data categories covered, the access mechanism, and any technical or commercial limitations. The disclosure obligation extends to advertising materials including digital ads, product pages, and pre-sale documentation. Second, the smart contract obligation operationalises Article 36 of the Act, which sets requirements for smart contracts used in data-sharing agreements. Marketing claims about smart contract capabilities, automation features, or trustless execution must align with Article 36's essential requirements including robustness, controlled termination, data archiving, access control, and consistency. Third, the B2B data-sharing claim obligation requires marketing materials directed at business customers to accurately reflect the data-sharing terms that the customer will face. Claims about data ownership, data portability, vendor lock-in protection, and switching cost must align with the actual contractual terms. From the brand and B2B marketing perspective the May 2026 phase is operationally significant because the Act creates a layered compliance stack alongside GDPR, the Cyber Resilience Act, and the AI Act. Marketing claims for connected products and B2B SaaS must satisfy multiple frameworks simultaneously. For the broader EU regulatory frame, see EU DSA Compliance and track in-flight regulatory updates through the Policy Tracker .

Which connected products and services fall within the Data Act's marketing scope in 2026?

The Data Act applies to a broad scope of connected products and related services with several specific definitional rules that determine whether marketing obligations apply. The scope question matters operationally because product manufacturers and service providers need to identify which marketing materials trigger the Act's obligations and which fall outside. The connected products in scope include any tangible product whose primary function generates, communicates, or processes data through use. Examples include smart home appliances such as connected thermostats and smart speakers, IoT consumer devices such as fitness trackers and connected lighting, smart vehicles and vehicle-attached devices, industrial equipment with telemetry capability, smart agriculture sensors, smart energy meters, and a wide range of similar product categories. The product is in scope regardless of whether it is sold to consumers or to business customers. Related services in scope include any digital service whose primary function is to process or provide access to data generated by connected products. Examples include vehicle telematics platforms, fleet management software, smart home control apps, energy consumption analysis services, and manufacturing analytics platforms. The service is in scope where the data input originates from connected products covered by the Act. Several categories are excluded from scope. Products whose data-generating function is incidental rather than primary are generally outside scope. A smart speaker that streams music is in scope because its data-generating function is part of its primary use. A toaster with a Wi-Fi update channel for firmware patches is generally outside scope because the data-generating function is incidental to the primary function of toasting. The line between primary and incidental is fact-specific. Products covered by sector-specific frameworks may be partially or fully outside scope. Medical devices governed by MDR are covered by the Act for non-medical data only. Vehicles are covered for general-purpose data while the type-approval data is governed by sectoral frameworks. Products subject to law enforcement, defence, or national security frameworks are excluded. The marketing-scope question follows the product-scope question. Marketing materials promoting in-scope products must satisfy the Act's disclosure obligations. Marketing for excluded products is not subject to the Act but may be subject to sector-specific frameworks. From the operational perspective B2B marketers and B2C connected product brands should map their product portfolio against the Act's scope criteria and identify the marketing materials that trigger obligations. The scope analysis should be documented in advertiser-side records for response to market surveillance authority inquiries. For automated review of marketing claims against regulatory restrictions, route through AI Compliance Audit .

What specific advertising disclosure obligations apply to connected product marketing in the May 2026 phase?

Connected product marketing in the May 2026 phase faces several specific advertising disclosure obligations that translate the Data Act's user-right framework into ad-creative requirements. The disclosure obligations operate at the ad surface level rather than at the campaign level — each individual ad must satisfy the disclosure independent of broader campaign context. The first specific obligation is the data access right disclosure. Ads promoting a connected product for sale must include or link to a clear statement that the user has a right to access data generated by the product, the categories of data covered, and the access mechanism. The statement should specify whether access is real-time, batched, or on-demand; whether access requires user authentication or platform-side authorisation; and whether commercial limitations apply. Vague phrasing such as data access supported is insufficient — the disclosure should provide enough specificity for a reasonable user to evaluate the data access value proposition. The second specific obligation is the third-party sharing disclosure. Where the product transmits data to third-party services or sells data access to third parties, the ad should disclose the categories of third-party recipients and the purposes of sharing. The disclosure aligns with GDPR transparency obligations but extends beyond personal data to include non-personal product data. The third specific obligation is the data portability disclosure. Where the product supports data portability to alternative service providers, the ad should disclose the portability mechanism and any technical or commercial limitations. Marketing claims about easy switching or no vendor lock-in must align with the actual portability capability. Marketing that overstates portability creates regulatory risk under the Act and adjacent consumer protection frameworks. The fourth specific obligation is the smart contract disclosure where the product or service uses smart contracts in data-sharing arrangements. Marketing claims about smart contract capabilities — automation, trustless execution, immutability — must align with Article 36's essential requirements and must not exceed the actual contract implementation. The fifth specific obligation is the B2B contractual term disclosure for ads directed at business customers. Marketing claims about data ownership, B2B data sharing terms, and vendor lock-in protection must align with the actual contractual terms. Claims about data ownership are particularly sensitive because the Act introduces specific frameworks for data ownership and use rights that may differ from prior contractual practice. From the operational perspective advertisers running connected product campaigns should build creative templates that include the required disclosures for each product category. The templates should be reviewed by legal counsel and updated as the Act's implementing regulations are issued through 2026. For automated audit of ad creative against regulatory restrictions, run AI Compliance Audit and reference the cross-platform regulatory frame through EU DSA Compliance .

How does the Data Act affect B2B SaaS marketing claims about data ownership, portability and vendor lock-in?

The Data Act fundamentally restructures the contractual frame for B2B data sharing and produces specific marketing-claim implications for B2B SaaS providers. B2B SaaS marketing has historically relied on claims about data ownership, easy switching, and no vendor lock-in as differentiation points. The Data Act makes some of these claims structurally true through regulatory mandate and others problematic when overstated. The first marketing implication is on data ownership claims. The Act establishes user rights to access, port, and share data generated through use of connected products, regardless of contractual provisions to the contrary. B2B SaaS providers can no longer credibly claim sole ownership of customer-generated data through the connected product or related service in scope. Marketing claims about your data, your way are generally compliant. Claims about exclusive data ownership or proprietary data control over the customer's product-generated data are non-compliant. Claims should align with the Act's user-right framework rather than with the prior contractual practice. The second marketing implication is on data portability claims. The Act requires data portability mechanisms for in-scope products and services, with technical interoperability requirements that the Commission is operationalising through implementing regulations. Marketing claims about easy switching, no migration friction, or seamless data export must align with the actual portability capability under the Act's standards. Overstatement creates regulatory risk under the Act and adjacent consumer protection frameworks. The third marketing implication is on vendor lock-in claims. The Act prohibits contractual provisions that prevent or unduly restrict the user's right to switch between data processing services or to share data with third parties. B2B SaaS contracts with prohibited provisions are unenforceable, and marketing claims about no vendor lock-in are structurally true to the extent the Act's framework applies. Marketing claims that emphasise vendor lock-in protection align with the regulatory direction and are generally low-risk. The fourth marketing implication is on switching support and data-export tooling. The Act requires data processing services to provide reasonable assistance for switching, including data export tooling, transition support, and compatibility with industry-standard formats. Marketing claims about switching support should align with the actual capability provided under the Act's standards. The cross-border B2B SaaS marketing implication is significant. SaaS providers operating in the EU must satisfy the Data Act's framework regardless of where the SaaS is hosted or where the company is established. The framework applies based on the customer's EU establishment and the product's EU placement. Cross-border B2B SaaS marketing should standardise on the strict EU Data Act baseline rather than maintain region-specific creative because the operational complexity of region-specific SaaS marketing exceeds the cost of the strict baseline. For B2B SaaS marketing audit, see SaaS & Tech Compliance and run AI Compliance Audit .

How does the Data Act interact with GDPR, Cyber Resilience Act and AI Act for connected product marketing?

The Data Act sits within the broader EU tech regulatory stack and interacts with GDPR, the Cyber Resilience Act, the AI Act, and several adjacent frameworks. Connected product marketing must satisfy multiple frameworks simultaneously, and advertisers should treat the stack as a layered compliance matrix rather than as a sequence of independent regulations. The first interaction is with GDPR. GDPR applies to processing of personal data through any product or service. The Data Act extends user-right concepts to non-personal product data while preserving GDPR's personal-data framework. Marketing claims about privacy must satisfy GDPR principles regardless of Data Act compliance. Marketing claims about data access must distinguish between personal data subject to GDPR and non-personal product data subject to the Data Act. The distinction matters because the legal mechanisms, the user rights, and the controller obligations differ between the two frameworks. The second interaction is with the Cyber Resilience Act. The CRA imposes cybersecurity requirements on connected products, while the Data Act focuses on data access and sharing. Marketing claims about product security must satisfy CRA conformity declarations. Marketing claims about data access must satisfy Data Act user-right disclosures. Both frameworks apply to most connected products and create overlapping marketing disclosure obligations. The third interaction is with the AI Act. AI components within connected products are subject to the AI Act conformity assessment. Marketing claims about AI capability must align with the AI Act risk classification. The Data Act applies to data generated and processed by AI components within connected products. The combined Data Act plus AI Act framework creates layered obligations on AI-enabled connected products. The fourth interaction is with the Digital Markets Act. The DMA applies to gatekeeper platforms and creates specific obligations on data sharing and interoperability. Where a connected product or service interacts with a DMA-designated gatekeeper, the DMA's obligations apply alongside the Data Act's. Marketing claims about gatekeeper interoperability must satisfy both frameworks. The fifth interaction is with sector-specific frameworks including the Medical Devices Regulation, the General Product Safety Regulation, and the Type Approval framework for vehicles. Connected products covered by sector-specific frameworks face the sector framework's marketing obligations alongside the horizontal Data Act framework. From the operational perspective advertisers running connected product campaigns should treat marketing-claim review as a multi-stakeholder process involving product, legal, security, and marketing functions. Marketing claims that pass internal review against one framework but conflict with another framework produce regulatory risk that surfaces through enforcement actions and consumer protection investigations. For consolidated EU regulatory framework, see EU DSA Compliance and reference the EU Cyber Resilience Act implementation guide.

EU Data Act May 2026: Connected Device Marketing Compliance

Data Act & May 2026 Marketing Phase

The EU Data Act — Regulation (EU) 2023/2854 — is the horizontal data-sharing framework adopted in late 2023 to govern access to and use of data generated by connected products and related services. The Act became applicable on 12 September 2025 and is now in its first substantive enforcement phase. The May 2026 phase brings several marketing-facing obligations into operational force, particularly around connected product marketing, smart contract disclosure, and B2B data-sharing claims.

The Act covers a broad scope of connected products including IoT consumer devices, smart appliances, vehicles, industrial equipment, smart home hardware, and any product whose primary function depends on or is enhanced by data generated through use. Marketing implications are most significant for manufacturers, service providers, and B2B SaaS vendors operating in this product space.

The May 2026 phase introduces three substantive marketing obligations: connected product data-access disclosure, smart contract feature alignment under Article 36, and B2B data-sharing claim accuracy. From the brand and B2B marketing perspective the phase creates a layered compliance stack alongside GDPR, the Cyber Resilience Act, and the AI Act.

"Marketing for connected products is no longer a creative decision — it is a conformity declaration. Claims about data access, ownership, and portability must align with the regulatory framework, not with the prior contractual practice."
— AuditSocials EU Data Act marketing brief, May 2026

For the broader EU regulatory frame, see EU DSA Compliance. Track in-flight Data Act guidance through the Policy Tracker.

Connected Product & Service Scope

The Act applies to connected products and related services with definitional rules that determine which marketing materials trigger obligations.

In-Scope Categories

Smart home appliances: Connected thermostats, smart speakers, smart lighting
IoT consumer devices: Fitness trackers, connected wearables, smart kitchen tools
Smart vehicles: Vehicles and vehicle-attached devices (general-purpose data only)
Industrial equipment: Telemetry-capable industrial machinery
Smart agriculture: Connected sensors, irrigation systems
Energy: Smart meters, smart grid devices
Related services: Telematics, fleet management, smart home apps, energy analysis

Out-of-Scope or Partial

Category	Status	Reason
Incidental data products (Wi-Fi-enabled toaster)	Out of scope	Data-generating function not primary
Medical devices (MDR-governed)	Partial	Non-medical data in scope, medical data sectoral
Vehicles (general use)	Partial	General-purpose data in scope, type-approval data sectoral
Law enforcement / defence	Excluded	National security framework

For automated review of marketing claims against regulatory scope, route through AI Compliance Audit.

Ad Disclosure Obligations

Disclosure operates at the ad surface level — each individual ad must satisfy obligations independent of broader campaign context.

Required Disclosure Elements

Data access right: User's right to access data, categories covered, mechanism, real-time vs batched, authentication requirements
Third-party sharing: Categories of third-party recipients + purposes of sharing
Data portability: Portability mechanism + technical/commercial limitations; align with Article 36 standards
Smart contract features: Claims align with Article 36 essential requirements (robustness, controlled termination, archiving, access control, consistency)
B2B contractual terms: Data ownership, sharing terms, vendor lock-in protection match actual contractual provisions

Non-Compliant Phrasing Examples

Non-compliant	Compliant alternative
"Data access supported"	"Real-time API access to telemetry data; documentation at..."
"Exclusive proprietary data control"	"Your data, your way — under Article 4 user rights"
"Trustless smart contract execution"	"Article 36-compliant smart contract with controlled termination"
"No vendor lock-in (zero migration cost)"	"Switching supported under Article 23 framework"

For automated ad creative audit, run AI Compliance Audit.

B2B SaaS Marketing Implications

The Data Act fundamentally restructures B2B data-sharing contractual frame and changes which marketing claims are credible vs problematic.

Marketing Claim Mapping

Data ownership claims: Cannot claim exclusive ownership of customer-generated data through in-scope products; customer's user-right framework applies
Portability claims: Must align with Article 23 portability standards; overstatement creates regulatory risk
Vendor lock-in claims: Structurally true under the Act; emphasising lock-in protection aligns with regulatory direction
Switching support claims: Must reflect actual capability under Article 25 standards

Cross-border B2B SaaS marketing should standardise on the strict EU Data Act baseline. SaaS providers operating in the EU must satisfy the framework regardless of hosting or company-establishment jurisdiction. For B2B SaaS marketing audit, see SaaS & Tech Compliance.

GDPR, CRA & AI Act Interaction

Connected product marketing must satisfy multiple frameworks simultaneously. Treat the stack as a layered compliance matrix.

Adjacent Framework Mapping

Framework	Applies to	Marketing implication
GDPR	Personal data processing	Distinguish personal vs non-personal data in marketing claims
Cyber Resilience Act	Connected product cybersecurity	Security claims align with conformity declaration
AI Act	AI components within products	AI capability claims align with risk classification
Digital Markets Act	Gatekeeper platform interactions	Interoperability claims satisfy both frameworks
MDR / GPSR / type approval	Sector-specific products	Sector framework + Data Act applies in parallel

For consolidated EU regulatory framework and CRA mapping, see EU Cyber Resilience Act.

Connected Product Compliance Checklist

[ ] Map product portfolio against Data Act scope criteria
[ ] Document data access rights per product (categories, mechanism, real-time vs batched)
[ ] Build creative templates per product class with required disclosures
[ ] Audit existing ad copy for non-compliant ownership / portability claims
[ ] Align smart contract feature claims with Article 36 essential requirements
[ ] Update B2B contractual terms to remove prohibited lock-in provisions
[ ] Document third-party data sharing categories and purposes
[ ] Pre-clear regulated B2B SaaS claims through legal + product review
[ ] Standardise cross-border SaaS marketing on EU Data Act strict baseline
[ ] Configure multi-stakeholder review (product, legal, security, marketing)
[ ] Cross-check Data Act + CRA + AI Act + GDPR claims simultaneously
[ ] Track in-flight Data Act implementing acts through the Policy Tracker

Don't miss the next policy change.

Subscribe to the Policy Tracker — get weekly digests or instant Pro alerts across all 8 platforms. Or try our free Keyword Risk Checker first.

Subscribe Free

Report Keywords — Run AI Compliance Audit

#EU Data Act#EU Regulation#Connected Devices#IoT#Smart Contracts#B2B Marketing#GDPR#2026 Policy#Advertisers#Compliance Guide 2026#Data Sharing#Tech

Share This Report

Tweet Share

EU Cyber Resilience Act May 2026: Connected Product Marketing Disclosure, IoT Device Ad Compliance & B2B SaaS Implications

The EU Cyber Resilience Act enters its substantive marketing-disclosure phase in May 2026 — connected product ads, IoT device security claims and B2B SaaS marketing all face new transparency obligations.

EDPB Pay-or-Consent Cookie Walls May 2026: Updated Guidance, Consent Validity & Advertiser Web Tracking Workflow

The EDPB published refreshed pay-or-consent guidance in May 2026 that materially restricts the binary cookie wall pattern and tightens consent validity criteria across the EU. Here is the advertiser-side workflow.

California CPRA Q2 2026 Audience Targeting Audit: Sensitive PI, Opt-Out Signals & Advertiser Cookie Consent Workflow

California's CPPA published Q2 2026 enforcement guidance that materially tightens audience targeting, opt-out signals, and cookie consent obligations. Here is the advertiser-side workflow.

EU Data Act May 2026 Implementation: Connected Device Data Access, Smart Contract Compliance & Brand Marketing Implications