The EU’s onslaught of technology law continues unabated with the so-called EU Data Act which applies from September 2025. The Act looks at a wide range of data including data in the cloud and IoT data. The Act also seeks to regulate contractual terms in data sharing and clarifies rules for public sector access to data.
The EU Data Act is a Regulation (its full name is Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828), so it will be directly applicable to Member States instead of requiring a transposition process.
What is the EU Data Act about?
The EU Data Act is primarily concerned with rules regarding data sharing and switching between data processing services (such as cloud services). It also aims to introduce safeguards against unlawful third-party access to non-personal data and develop interoperability standards for data access and transfer.
The Data Act complements the EU’s Data Governance Act, which became applicable in September 2023.
How does the EU Data Act work with GDPR?
Firstly, it is important to know that unlike GDPR, this Act addresses both personal and non-personal data.
The European Commission’s FAQs (dated 3 February 2025) explain that the Data Act is intended to complement GDPR, and in the event of a conflict between the Data Act and GDPR, GDPR rules on the protection of personal data prevail.
What is the difference between personal data and non-personal data?
It might be obvious, but the Act tells us that non-personal data is data that is not personal data.
The Data Act defines data as any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.
The Data Act also uses the GDPR definition of personal data, which is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
See our GDPR Glossary, which includes relevant data terms.
What are the key dates?
| Date | Event |
| --- | --- |
| 11 January 2024 | The Data Act entered into force. |
| 12 September 2025 | The Data Act becomes directly applicable. This date is also the deadline for EU Member States to inform the European Commission (EC) of their national rules regarding penalties. The EC is planning to publish recommendations on non-binding model contractual terms regarding data access and use by this date. These might include terms about protecting trade secrets, and non-binding standard contractual clauses for cloud computing contracts. |
| 12 September 2026 | Connected products and related services placed on the market after this date must abide by the access by design obligation as outlined below. |
| 12 January 2027 | Most Digital Service Providers (DSPs) are no longer allowed to impose charges for switching. This ban does not apply to certain custom-built DSPs. |
Who is affected by the EU Data Act?
The Data Act affects both individuals and organisations. In some sense it affects almost everyone, as almost every person with a smartphone, smart home product, or GPS will likely be considered a data user or consumer under the Act.
However, the Act does affect certain types of organisations more. One of the biggest areas affected by this Act is the Internet of Things (IoT), also known as connected products or products with digital elements. See our FAQs about the EU’s Cyber Resilience Act, which addresses cybersecurity in connected products.
Who do the main regulatory obligations apply to?
Manufacturers of connected products.
Providers of the services related to the connected product: for example, the manufacturer of a smart fridge, and the provider of a grocery shopping app that is used with the fridge.
Providers of data processing services, such as edge services and cloud services.
Businesses that receive transfers of data at a consumer/user’s request. For example, an insurance company might receive data that a car owner/user has requested from the car manufacturer. As an illustration, there are more details on the interconnected nature of vehicles at Driving Compliance: Car Tech & Data Protection in the UK & EU.
Does the EU Data Act have extra-territorial effect?
Yes. For example, this Act applies to data holders that make data available to recipients in the EU, irrespective of where the data holder is established.
Much like NIS2 and GDPR, if an organisation that is not established in the EU offers products or services in the EU and/or has EU-based customers, they’ll need to appoint an EU representative.
What are the main obligations for manufacturers of connected products, and providers of related services?
Obligation to make data accessible. The EU Data Act grants users of these products and services the right to access and use the data they generate. As such, there are obligations for manufacturers and providers to allow users to access data easily, securely, and free of charge. Manufacturers and providers will also need to start designing their products and services with the right to access in mind.
Obligation to share data. In a similar vein, manufacturers and providers are also obligated to share the user’s data with a third party if the user wishes. This will also need to be done without undue delay, easily and securely, and in a machine-readable format. In many respects this obligation is similar to the right to portability for personal data under GDPR, but wider to cover non-personal data too.
Information obligations. Sellers, renters, or service providers of connected products or related services will need to provide various types of information to the user before conclusion of the contract. Mandated information to provide includes but is not limited to details about the data the product is capable of generating, and details about how the user can access, share or retrieve the data.
FRAND terms for B2B data sharing. When both parties are businesses, and one party is obliged to make data available to the other, it must do so under FRAND (fair, reasonable, non-discriminatory) terms. For B2B data sharing agreements, a contractual term in that agreement won’t be binding if it is considered unfair under the Act.
What are the main obligations for data processing service providers?
Obligations to remove obstacles to switching. Basically, one of the main aims of the Act is for users to have fewer barriers that would inhibit them from trying to switch data processing services. As such, data processing service (DPS) providers must not impose (and should remove) barriers that inhibit customers from terminating their contracts, entering into new contracts with different providers, and porting their digital assets and data to new places. This doesn’t just apply to consumers – organisations can have rights under the Act too.
Mandated timings. The Data Act mandates set time limits that DPS providers will need to abide by when a customer wants to switch. These time limits are:
The maximum notice period required for initiating the switching process is two months.
The maximum transitional period during which the contract continues is 30 calendar days. This can be extended in limited circumstances.
A minimum data retrieval period is 30 calendar days, starting after the termination of the transitional period.
Contract information obligations. DPS providers will need to include certain terms in their customer contracts, such as but not limited to details about the customer’s right to switch, the kinds of data that can and cannot be ported, the timings (see above), and guarantees regarding data erasure.
Service continuity. The Act requires DPS providers to keep the contracted service running smoothly like normal and keep their data secure while the customer is in the middle of the switching process.
Obligations to provide information online. DPS providers will need to keep an up-to-date register online with technical information such as details of data structures and specifications and provide this to customers. The DPS provider’s website will also need to include some information about the jurisdiction of their data processing infrastructure and information about the measures they have taken to prevent unlawful governmental access to non-personal data.
Functional equivalence. Some DPS providers, mainly when the service provided is infrastructure-only like IaaS, will need to take all reasonable measures they can to aim for ‘functional equivalence’. Functional equivalence essentially means that when a customer switches providers they get materially comparable outcomes in response to the same inputs.
Open interfaces. For DPS beyond infrastructure-only, such as PaaS and SaaS, providers must make open interfaces available free of charge, to facilitate the switching process.
Switching charges. For the majority of DPSs, there will be a gradual withdrawal of switching charges until 12 January 2027, which is when most will no longer be allowed to impose any charges for switching.
What else might businesses be interested in?
DPS providers, vendors of smart contracts, and participants in EU data spaces will need to keep an eye out for upcoming implementing acts on interoperability standards and specifications.
There are some safeguarding restrictions which apply when data holders grant access to non-personal data to non-EU governments, if the access would conflict with EU law or the law of an EU country.
There are also new rules regarding how public authorities in the EU can obtain data when the public authority can demonstrate “exceptional need” and needs to use that data for a specific task in the public interest.
What are the penalties for non-compliance with the EU Data Act?
This is not yet clear. Penalties will be set by each EU Member State.
The Netherlands has published draft legislation which proposed fines of up to 10% of global annual revenue or €1,030,000, whichever is greater.
What are some practical action points organisations can start considering?
How are you affected?: The first step is to confirm if your organisation will be affected by the Data Act. Additionally, since different parts of the Act affect different types of organisations and different kinds of services, it’s also important to know how your organisation is affected, and which products or services fall in scope. Furthermore, check if you are or might become a participant in a European data space.
Consumer facing language: Consider if any re-drafting exercises are needed to best ensure that users can exercise their choices and rights under the Data Act. Consider if you want to amend any user-facing language so the terms and instructions are easily understood and comprehensive, or how to best present choices in a neutral way, to avoid nudging the user to one choice over another.
Training specifically for the sales team: For manufacturers and service providers, consider if your sales teams might require special training and education. Maybe a specific FAQs document can be prepared for them.
B2B contracts: While we can expect the EC to publish some non-binding model contractual clauses for B2B data sharing agreements on or before 12 September 2025, now could still be a good time to review your standard contracts and start amending anything that could be considered unfair. Also, consider the bargaining status of your contracts: are you usually the party that has more or less negotiating power?
Data requests from governments: Start reviewing or drafting your policies and procedures on how to deal with requests for data.
Executive briefings: This is a dense and complex Regulation, and board and senior-management level awareness is always of paramount importance to support effective governance and regulatory change management.
We have helped a number of organisations with their Data Act compliance. For any organisation their plan is going to be specific to them given the wide-ranging nature of the Act and the different ways in which it will affect different organisations.