The EU Data Act (Regulation (EU) 2023/2584) will apply from 2026. The September 2025 FAQs clarify how IoT data-sharing rules apply to medical devices.

Scope of the Data Act

The Act harmonises rules for data access from connected devices, including not only consumer electronics and industrial systems but also medical devices and IVDs increasingly using IoT functionalities.

Examples of covered devices:

smart infusion pumps with remote monitoring,
implantable cardiac devices transmitting telemetry,
IVDs with digital connectivity sending results to the cloud.

What data must be shared?

The FAQs clarify:

raw data (e.g. sensor outputs, device logs),
pre-processed data relevant for safety and clinical performance.

Exclusions include:

highly enriched datasets,
trade secret-protected data,
copyright-protected materials (e.g. proprietary algorithms).

Interaction with MDR and IVDR

The Data Act complements MDR/IVDR obligations:

MDR Annex I, Chapter 3 – requires protection and integrity of patient data; the Data Act adds obligations for secure third-party access,
interoperability – MDR/IVDR require compatibility with EU systems like Eudamed; the Data Act reinforces openness and data portability,
GDPR compliance remains mandatory for personal data processing.

Implications for manufacturers

Implementation will require:

reviewing data architecture to ensure safe sharing,
updating QMS procedures for data access and protection,
revising IFU (Instructions for Use) to specify user and third-party data rights,
preparing technical documentation showing compliance with both MDR/IVDR and Data Act.

Opportunities vs risks

Opportunities: greater transparency, trust, new business models using shared data.
Risks: privacy breaches, costly IT investments, increased administrative burden.

Recommendations:

conduct data system audits,
integrate Data Act with ISO 14971 risk management,
develop patient consent policies,
train regulatory and R&D teams.

Conclusion

The Data Act directly impacts medical technology. It requires manufacturers to treat device data as a shared resource, available under safe and legally compliant conditions. Though demanding, it could boost trust in MedTech and accelerate innovation.

Data Act and medical devices: new IoT data-sharing obligations

Scope of the Data Act

What data must be shared?

Interaction with MDR and IVDR

Implications for manufacturers

Opportunities vs risks

Conclusion

See our blog

FDA issues final guidance on Computer Software Assurance in production and quality systems

Borderline & Classification Manual 2025 – clarifying MDR/IVDR borderline cases

Updated MHRA requirements for clinical investigations of medical devices

Australian TGA issues guidance on regulating Software as a Medical Device (SaMD)

Case study

Clinical Performance Evaluation of HIV-1 RNA Kit

Efficacy and safety evaluation in clinical trial of dermal filler

Clinical performance of HIV Ag/Ab diagnostic test

Clinical performance study of SARS-CoV-2 & influenza A/B antigen test