The impact of the Data Act on the healthcare industry
The countdown has begun: From 12 September 2025, the European Data Act will apply directly in all EU member states. Manufacturers of connected medical devices and providers of related services have little time left to adapt their processes, products and contracts, but the new legislation will create opportunities for data users, such as those involved in training AI systems.
Content
- Which medical devices are affected by the Data Act?
- Legal framework
- Staggered legal obligations under the Data Act: Implementation schedule
- The interfaces between the Data Act, medical device law (MDR) and the AI Act
- Data Act compliance requirements and implementation measures
- We support companies and organisations in the healthcare sector in the following ways
Which medical devices are affected by the Data Act?
The Data Act primarily concerns connected medical devices (IoMT), such as:
- pacemakers;
- continuous glucose monitoring (CGM) systems;
- smart insulin pumps.
It also covers the associated software, such as control apps, embedded software (SiMD) and accessories.
Legal framework
In terms of content, the Data Act supplements the General Data Protection Regulation (GDPR) and establishes a legal basis for a new data economy. It covers all product data, service data and metadata generated when using connected devices or services.
Personal data and trade secrets continue to be specially protected, but the complex interactions involved must be carefully evaluated on a case-by-case basis.
Staggered legal obligations under the Data Act: Implementation schedule
The new obligations will come into force in stages. From 12 September 2025, users will be entitled to free, machine-readable and qualitatively equivalent access to their data, including disclosure to third parties.
Before the contract is concluded, manufacturers must secure their own data use contractually and provide users with comprehensive information about data types, formats, and access methods.
In the B2B sector, the requirement for fair, reasonable, and non-discriminatory terms (FRAND principles) applies.
From September 2026, new products must be designed according to the “accessibility by design” principle to guarantee direct and secure data access. Finally, from 2029, the European Health Data Space Regulation (EHDS Regulation) will open up further possibilities for data access via an official approval procedure.
The interfaces between the Data Act, medical device law (MDR) and the AI Act
There are also close links between the Data Act, medical device law (MDR) and the AI Act. The principle of 'accessibility by design' affects not only data access, but also regulatory requirements under the MDR.
New data interfaces and technical adjustments can influence risk assessment, cybersecurity and CE marking. In individual cases, they can also trigger change procedures at notified bodies. Therefore, manufacturers must ensure that any implementation of the Data Act is MDR-compliant and that regulatory processes are fully documented.
Data Act compliance requirements and implementation measures
Companies should therefore check in good time whether their products, contracts and processes comply with the new requirements, making any necessary adjustments. This applies in particular to:
- GDPR interfaces;
- the protection of trade secrets;
- data inventories;
- contract clauses;
- product design.
Companies that fail to respond are exposing themselves to increased compliance risks and potential competitive disadvantages.
At the same time, however, the new obligations also present significant opportunities.
In the future, data users will have access to valuable data that can be used for research, development and improving products. Those who adopt a strategic approach early on can gain a clear competitive advantage.
To-do checklist for companies in the healthcare industry:
- Create a data inventory and identify data types. Check the applicability of the Data Act and GDPR.
- Review product design with regard to 'accessibility by design' and, if necessary, the MDR approval processes affected by it.
- Analyse GDPR interfaces and trade secret protection.
- Adapt contracts and licensing models (including FRAND principles).
- Form an interdisciplinary task force comprising regulatory, data protection, IT security, sales and data science experts.
- Establish strategic usage options (e.g. AI training, research and collaborations) at an early stage.
We support companies and organisations in the healthcare sector in the following ways
Schürmann Rosenthal Dreyer Rechtsanwälte provides comprehensive support for the legally compliant implementation of GDPR, from impact analysis and contract drafting to trade secret protection, preparation for the EHDS, and the enforcement of new data access rights.