The EU Data Act: Scope, Obligations and Enforcement

Regulation (EU) 2023/2854 (the Data Act) entered into force on January 11, 2024, and applied from September 12, 2025, with certain provisions phased in through 2026 and 2027. The Data Act is intended to create a harmonized framework for fair access to and use of data across the EU, supplementing the GDPR and sector-specific rules. The Data Act also includes specific requirements on providers of a “data processing service” to enable customers to switch to another provider (or to an on-premise solution)—this is likely to have a significant impact on the global cloud market.

Scope of Application
The Data Act applies horizontally across sectors and regulates data access, sharing and portability in both business-to-consumer (B2C) and business-to-business (B2B) contexts, as well as business-to-government (B2G) access in exceptional cases. It also regulates switching between providers of cloud and edge services, addresses unlawful third-country government access to non-personal data stored in the EU, and introduces interoperability requirements.

The territorial scope is broad. The provisions relating to connected products (IoT devices) apply to manufacturers, providers and users of such products and related services made available in the EU, regardless of establishment. Providers of data processing services (including IaaS, PaaS and SaaS) are also covered where such services are offered to customers in the EU.

Key Provisions by Chapter

  • Chapter II (IoT data sharing). Consumer and business users of connected products must be able to access and transfer the data generated through their use. This applies not only to the connected products themselves (such as smart home devices, fitness trackers, connected cars, and industrial or agricultural machinery) but also to related digital services (e.g., an app controlling a smart thermostat or software updates improving a wearable device). Users may also direct the manufacturer or service provider to share this data with a third party.

The data that is in scope is broadly defined. It includes digital information generated by the use of connected products and related services that is easily accessible to the data holder without disproportionate effort. This includes both personal and non-personal data, such as sensor readings (e.g., temperature, speed, pressure), but excludes highly enriched or derived data. For example, if a user watches a film on their connected TV, the film itself is not within scope but data on the brightness of the screen is within scope. Relevant metadata needed to interpret the data and make it usable must also be accessible to users.

Further, connected products and related services must be designed so that product and service data (including metadata) are, by default, easily and securely available to the user, free of charge, in a structured, commonly used, machine-readable format, and, where possible, directly accessible (the “Data by design” obligation).

  • Chapter III (Mandatory B2B data sharing). Chapter III introduces rules applicable where a business (a data holder) has a legal obligation to make data available to another business (as data recipient) under: (i) Chapter II of the Data Act (which relates to IoT “product data” and “related services data”); or (ii) EU law or Member State law. The applicability of Chapter III is not limited to “product data” and “related services data” in the same way as Chapter II. Instead, it applies to any private sector data that is subject to statutory data-sharing obligations.

Whenever a data holder is subject to statutory data-sharing obligations, it must share data on fair, reasonable, non-discriminatory terms (the “FRAND” standard). The data holder may charge for access, but any price must be reasonable and non-discriminatory. It may include a profit margin except where the recipient is an SME or a not-for-profit research organization (in which case only cost recovery is permitted). To prevent unauthorized use or disclosure, a data holder may deploy “appropriate technical protection measures,” including smart contracts and encryption. These measures must not create hidden barriers or discriminate between comparable data recipients.

While Chapter III applied from September 12, 2025, and is triggered by the data-sharing obligations in Chapter II of the Data Act, it is not triggered by existing EU/Member State law. Instead, it will only apply to such laws that enter into force after September 12, 2025.

  • Chapter IV (Unfair contractual terms). Chapter IV applies only to B2B contexts and introduces protections against unfair terms unilaterally imposed by one business on another in relation to: (i) access to and use of data (including personal and non-personal data), or (ii) liability and remedies for breach or termination of data-related obligations. Chapter IV applies to such data-related clauses contained in any contract, even if the transfer and use of data is not the main subject of the contract. For example, in a contract for a bank loan to a business, where data sharing is needed for the fulfilment of the agreement, Chapter IV of the Data Act applies to the clauses related to the sharing of the client’s data with the bank.

There are certain exclusions. The requirements do not apply to terms that were meaningfully negotiated, terms that define the main subject matter or price of data access and use, or terms that simply reflect mandatory EU law.

Chapter IV sets out three levels of assessment for unfairness. First, a general test deems a term unfair if it grossly departs from good commercial practice and breaches the principle of good faith and fair dealing. Secondly, some clauses are always unfair, such as those excluding liability for gross negligence, removing remedies for non-performance, or giving one party sole authority to interpret the contract. Finally, there is a “grey list” of terms that are presumed unfair unless the imposing party can justify them. Examples include restricting remedies for breach, allowing access to and use of the other party’s data in a manner significantly detrimental to its interests, blocking a party’s use of its own data, preventing reasonable termination, denying access to data during or after the contract, or allowing unilateral termination or material changes without a right of termination.

The party imposing a term bears the burden of proving it was not unilaterally imposed, and of justifying any grey-listed clause. Unfair terms are unenforceable, although the rest of the contract may remain valid. Parties cannot contract out of these protections. Chapter IV applies to contracts concluded after September 12, 2025. With effect from September 12, 2027, it shall also apply to contracts concluded on or before September 12, 2025, that have indefinite duration or are due to expire after January 11, 2034.

  • Chapter V (B2G access). Chapter V introduces rules under which private-sector data holders may be compelled to make data available to public sector bodies, the Commission, the European Central Bank or EU bodies, but only in cases of “exceptional need.” Chapter V refers generally to “data” and is not limited, for example, to “product data” or “readily available data.” Article 15 defines two circumstances where a public body may compel access: (i) to respond to a public emergency, where the public body cannot obtain the data in time via other means; (ii) in non-emergency situations, where (a) the data is necessary for a task explicitly provided for by law (e.g. statistics or recovery from a crisis), and (b) the public body has exhausted other means of obtaining it (including market procurement). Article 17 includes specific requirements for access requests: for example, a request must be justified, proportionate and made in writing. Article 18 sets out requirements applicable to data holders and Article 20 contains provisions relating to compensation.
  • Chapter VI (Switching between data processing services). Chapter VI creates a framework for switching across “data processing services.” Providers of such services must remove pre-commercial, commercial, technical, contractual and organizational obstacles that inhibit customers from: terminating and moving, concluding a new contract with a different provider of the same service type, porting exportable data and digital assets (including to on-premise IT infrastructure), achieving functional equivalence in the destination environment, and (where feasible) unbundling services.

Obligations are both contractual and technical and compliance is likely to impact operational and technological processes, as well as legal/contractual arrangements. In particular:

      1. Contracts must include terms that: (i) give the customer a right to switch or port all exportable data and digital assets (e.g., applications) “without undue delay” and in any event within a mandatory maximum transitional period of 30 calendar days after a notice period; (ii) cap the notice period to start switching at no more than two months; (iii) require the provider to give reasonable assistance, maintain business continuity and security during switching, and inform the customer of known risks to continuity; (iv) list all categories of exportable data/digital assets and (narrowly) identify any categories that are exempt to protect the provider’s trade secrets (without impeding switching); (v) guarantee a data retrieval period of at least 30 days after the transitional period (subject to limited exemptions); and (vi) provide for full erasure of exportable data/digital assets once retrieval ends.
      2. Providers must provide clear, free-of-charge information on switching options, export formats and data categories, maintain a single point of contact, and act in good faith during switching (e.g., timely assistance, no service degradation). In addition, providers are required to publish on their websites the jurisdiction of the ICT infrastructure and a description of measures to prevent unlawful third-country governmental access to data.
      3. Until January 12, 2027, any switching charges must be cost-based only (and clear information on such charges must be provided in advance) and from January 12, 2027, no switching charges may be levied.
      4. Providers must enable switching via standardized, open interfaces and formats and support functional equivalence in the destination environment for the same service type (subject to documented technical limitations).

The obligations of the Data Act apply notwithstanding any contractual agreements between the parties. Businesses will need to assess which contracts are within scope, and existing and future contracts may need to be reviewed and remediated.

One of the less obvious risks under the Data Act concerns how mandatory termination and switching rights may affect revenue recognition, especially for providers relying on recurring revenue metrics. Because the Data Act grants customers statutory rights to terminate without cause (even in fixed-term contracts) and limits switching fees, companies may need to refund prepaid fees if they are characterized as impermissible “switching fees.” This could undermine how much revenue can be recognized up front, or force recognition on a more pro rata basis over shorter periods. To manage this, providers should work with auditors/accounting advisors to review their contracts. It is important to ensure early-termination penalties are proportionate, clearly disclosed pre-contract, and distinguishable from banned switching charges. Companies may also need to adjust their revenue recognition policies to account for these new uncertainties.

  • Chapter VII (Third-country access). Providers and customers must protect non-personal data stored in the EU against unlawful third-country government orders. When receiving a request, the addressee must assess whether it is reasoned, proportionate and specific, and whether it conflicts with EU or Member-State law or applicable international agreements (e.g., mutual legal assistance). Where a conflict exists, the addressee must challenge or seek modification of the order, seek use of international cooperation mechanisms, and (if disclosure is unavoidable) provide only the minimum data necessary, with protective measures. Policies, organizational and technical measures (e.g., encryption, access controls) must be in place; customers should be informed unless prohibited.
  • Chapter VIII (Interoperability). Establishes EU-wide standards and specifications to ensure interoperability between data spaces and cloud services.
  • Chapter IX (Enforcement). Member States must designate one or more competent authorities which will enforce the provisions of the Data Act. If multiple bodies are designated, a data coordinator must act as the single national point of contact and facilitate cooperation. Data Protection Authorities supervise the Data Act insofar as it concerns personal data, alongside their GDPR powers. Non-EU entities making connected products available or offering services in the Union must designate an EU legal representative; until designated, they may fall under the competence of all Member States. Competent authorities must be empowered to investigate and impose effective, proportionate, and dissuasive penalties, including periodic penalties and penalties with retroactive effect. Natural and legal persons have a right to lodge a complaint with the relevant competent authority and a right to an effective judicial remedy. To support implementation, the Commission will develop model contractual terms and standard contractual clauses, informed by the European Data Innovation Board (EDIB).

Timing

  • September 12, 2025: Main provisions apply (including IoT data access, mandatory B2B sharing, B2G requests, switching obligations and unfair terms for new contracts).
  • September 12, 2026: “Data by design” obligations for connected products placed on the market after this date.
  • January 12, 2027: Complete ban on charges for switching between data processing services.
  • September 12, 2027: Extension of unfair terms rules to long-running pre-2025 contracts.

Enforcement and Next Steps
As mentioned above, enforcement will be decentralized at Member State level, with penalties required to be effective, proportionate and dissuasive. Companies should prepare for coordination between data protection authorities (for personal data) and new competent authorities under the Data Act.

Businesses should now:

  • Identify their role(s) under the Data Act (e.g. manufacturer of connected products, provider (or customer) of a data processing service, data holder, and/or data recipient). Note that businesses may have several roles and may be performing different roles in relation to different relationships.
  • Update contract templates to address the unfair terms provisions and other applicable obligations.
  • Undertake a contract remediation exercise to update contracts as needed.
  • Develop procedures to respond to B2G data requests.
  • Prepare technical and contractual measures to enable data portability and service switching.
  • Monitor forthcoming Commission guidance, particularly on compensation standards and interoperability specifications.

The authors would like to thank Hermione Booth (vacation scheme student) for her contributions to this blog.

