Privacy & Information Security Law Blog

On September 12, 2025, the majority of the provisions of the EU Data Act (Regulation (EU) 2023/2854) (the “Data Act”) began to apply across EU Member States. The Data Act was formally adopted in November 2023 and entered into force on January 11, 2024. It is being rolled out in the following stages (1) core provisions apply from September 12, 2025; (2) enhanced interoperability requirements for cloud services shall take effect from September 12, 2026; and (3) full implementation of data portability standards shall take effect from September 12, 2027.

The key requirements under the Data Act include:

• Connected product data sharing: The Data Act establishes new rights for users and businesses to access data generated by connected devices and related services, such as smart home products, connected vehicles and industrial equipment. Data holders, including manufacturers and service providers, must ensure that data is made available to users and, upon request, to third parties designated by the user. Data must be shared in a structured, commonly used, machine-readable format, and provided free of charge to the user. Where a third party receives the data, the data holder may request fair compensation, however, this is limited to the direct costs incurred in making the data available. This regime applies to both personal and non-personal data, and requires organizations to implement technical mechanisms for secure, interoperable data access and sharing.
• Fair contract terms: To promote equitable access to data, the Data Act restricts the use of unfair terms in data sharing contracts, particularly those with micro enterprises and small-medium enterprises (“SMEs”). The Data Act introduces two categories of unfair terms: (1) terms deemed unfair per se, which are automatically invalid; and (2) presumptively unfair terms, which must be justified by the imposing party.
• Portability of cloud services: The Data Act complements the Article 20 right to data portability within the EU General Data Protection Regulation (“GDPR”) by imposing obligations on cloud service providers, including software-as-a-service, platform-as-a-service and infrastructure-as-a-service vendors, operating in the EU to facilitate switching between service providers. Providers must remove contractual and technical barriers to data migration, enable interoperability, and clarify pricing for data transfer and disengagement. Covered entities must ensure customers can transfer data and digital assets to another provider with a maximum transitional period of 30 days. This provision aims to avoid vendor lock-in and foster competition in the cloud market.
• Safeguards against international governmental access to data: New safeguards protect non-personal data held within the EU from access requests by non-EU governments. Organizations must assess the legality of foreign access requests under the Data Act, challenge unlawful demands, and ensure that transfers are subject to judicial authorization and respect for fundamental rights. This increases transparency and legal certainty for international data flows.
• Business-to-government data sharing: In response to public emergencies, Member State authorities may request access to data held by private entities, such as transport operators and smart infrastructure providers. In these circumstances, organizations are generally required to provide data without compensation. For non-emergency public interest requests, compensation for data sharing is permitted and must cover the costs incurred in making data available.

Member States must designate supervisory authorities and establish penalties for violations of the Data Act. Where personal data is involved, GDPR-level fines apply, i.e., up to €20 million or 4% of global turnover, whichever is higher.

For more on the background of the Data Act, read our previous blog.

Read the Data Act and European Commission’s press release.