European Data Act: The EU Data Act is in Force — What Should Businesses Do?

This Essential Guide to the European Data Act is part of Orrick’s Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.

In this guide, we answer key questions about the European Data Act, which became applicable on 12 September, including what the Data Act covers, who is impacted and what businesses should do to comply:

What should businesses do to comply?

What are the objectives of the Data Act?

Who is impacted?

What rights and obligations are created under the Act?

What is the legislative status?

What should businesses do to comply?

The Data Act affects two distinct yet complementary groups of market participants:

1. Manufacturers of internet-enabled devices and the digital services that enhance or control them, called “providers of connected products and related services”
   • Examples of such connected products and services are any smart devices and their software (e.g., an app controlling a smart device)
2. Cloud-based infrastructure, platform or software vendors, collectively labelled “data processing services”
   • Most cloud and SaaS providers will likely be impacted

If your organisation falls within either of the two categories, and your goods and/or services are available in the EU, the Data Act may significantly impact your business operations. Companies that provide digital products and services should undertake and carefully document a product-by-product analysis to assess whether their offerings qualify as a “connected product,” “related service” and/or “data processing service” within the meaning of the Act.

If you provide cloud services (e.g., SaaS), you should:

• Review and, where necessary, update all existing customer, partner and vendor agreements to incorporate the Data Act’s mandatory clauses, thereby safeguarding recurring revenue streams. Although the EU Commission has issued draft Standard Contractual Clauses as a model, the final version has not yet been published. However, as the Data Act is in force, and customers may raise claims under the Data Act, it is sensible to prepare and offer interim amendments to your service agreements.
• Obtain all information required to prepare the transparency disclosures.

If you supply connected products or related services, you should:

• Evaluate the consequences for your business.
• Data holders may need to develop technical solutions to provide data access in a comprehensive, structured, commonly used and machine-readable format, which may require updating data storage standards and product design. As these changes can be complex and time-consuming, this assessment should be prioritized.
• Consider the effects on the responsible product owners and product development teams.
• Obtain all relevant information to comply with transparency obligations.
• Update customer and vendor agreements to align with fair term requirements and prepare templates for data sharing requests.
• Companies outside the EU that provide connected products and/or related services should determine whether they are required to appoint a legal representative in the EU.

What are the objectives of the Data Act?

The European Union regulation on harmonised rules on fair access to and use of data is one of the key measures intended to make more data available to both the private and public sectors. The Data Act complements the Data Governance Act adopted in 2022, which was the first deliverable under the European strategy for data.

While the Data Governance Act creates the processes and structures to facilitate sharing data, particularly in the public sector, the Data Act sets up new rules for how users of connected products and related services can use the generated data, and how and under which conditions data holders can generate economic value from such data.

The Data Act provides horizontal rules, i.e., rules across all economic sectors and situations. It aims to:

• ensure fairness in allocating value in the digital environment;
• stimulate a competitive data market;
• open opportunities for data-driven innovation; and
• make data more accessible.

It remains to be seen whether these goals can be achieved, particularly the stimulation of a competitive data market. It also remains to be seen how the economy will adopt and implement the new rules in connected devices.

The Data Act aims to make more data available and remove barriers to a functioning market for data. It should allow users of connected products to access data the devices generate while in use and to share the data with third parties providing aftermarket or other data-driven services. By regulating switching between data processing services and developing interoperability standards, the Act aims to avoid vendor lock-ins.

The Data Act sets out numerous provisions that concern personal and non-personal data. Most importantly, the regulation:

• creates a data access and sharing regime for data generated by connected devices;
• stipulates contractual requirements for data sharing agreements;
• creates a regime for public entities;
• creates rights for customers and obligations for providers of data processing services (e.g., cloud service provider) regarding the ability to switch to another service provider;
• introduces safeguards against unlawful third-party access to non-personal data (e.g., by requiring the implementation of technical protective measures); and
• provides a framework to develop interoperability standards for data to be accessed.

Who is impacted?

The Data Act applies to a wide range of people and organizations, including:

• Manufacturers of connected products (Internet of Things, e.g., connected cars, smart-home devices, medical devices, and smart and connected consumer goods, as well as industrial machinery) and providers of related services, where such products and services are placed in the market in the EU (e.g., platform services related to connected products, smartwatch providers).
• Users of connected products or related services in the EU.
• Data holders, defined as natural or legal persons (e.g., people and companies) with the right or obligation to use and make data available.
• Data recipients, defined as natural or legal persons to whom data holders make data available to non-users for commercial purposes.
• Public sector bodies of EU member states or institutions, agencies or bodies of the EU that request data holders to make data available in case of exceptional needs (e.g., public emergencies).
• Providers of data processing services ¾ in particular cloud services such as SaaS, PaaS, IaaS as governed by the EU Cloud Strategy, and edge service providers as included in the European strategy for data ¾ providing such services to customers in the Union.
• Participants in data spaces, vendors of applications using smart contracts and persons whose trade, business or profession involves the deployment of smart contracts for others.

Because the term “user” includes natural and legal persons, the Data Act’s obligations apply to business-to-consumer as well as business-to-business relationships and to public entities.

Micro, small and medium-sized enterprises (MSMEs) are partially exempted from the obligations of the Data Act.

What rights and obligations are created under the Act?

The rights and obligations under the Data Act include:

Obligation to Inform, Share Data and Provide Data in Standard Formats

Where a user cannot directly access data from the connected product or related service, the Data Act requires data holders to make data accessible or have data shared upon request without undue delay, in a common and machine-readable format, free of charge and, where relevant and feasible, continuously and in real-time.

Along with this obligation, the provider of a connected product or related service must provide information so the user better understands in advance to what extent data can be provided. In specific circumstances, data recipients have a right to receive data from the data holder. Where a data holder is obliged to disclose data to a recipient, either under the terms of the Data Act or other EU or national law, the data holder must do so on terms that are fair, reasonable and non-discriminatory (FRAND). Any compensation for making data available shall also be reasonable. Where the data recipient is an MSME or nonprofit research organization, under certain circumstances, compensation must not exceed the costs directly related to making the data available.

By requiring data to be provided in a comprehensive, structured, commonly used and machine-readable format, the Data Act removes barriers to using data and promotes the implementation of technical standards.

Incentives for Investing in Data

The Data Act maintains incentives for data holders to continue to invest in high-quality data generation by covering their transfer-related costs and excluding direct competitors from the ability to access and use data.

Public Sector Entities’ Right to Access Data

Public sector entities have the right to request and obtain data stored by a data holder where they can demonstrate an exceptional need. A data holder receiving a request for access to data is required to make the data available at no cost and without undue delay (exceptions apply to MSMEs). Among other things, the entity must specify the data required, the duration of use and the purpose for which the data is requested.

Facilitating Data Portability

The Data Act requires providers of data processing services to enable customers to switch to another data processing service, covering an equivalent service, which a different provider of data processing services provides. The Data Act thus complements the right of data portability provided in Art. 20 of the General Data Protection Regulation (GDPR). Providers of a data processing service shall not impose, and they shall remove, commercial, technical, contractual and organisational obstacles that inhibit customers from terminating, concluding new contractual agreements, porting the customer’s exportable data and achieving functional equivalence in the use of the new service in the IT environment of the different provider. For example, the Data Act requires covered entities to allow customers to switch data with a maximum transitional period of 30 days.

Rebalancing Rights of MSMEs

The Data Act contains measures to rebalance the negotiation powers for MSMEs in contracts concerning access to and use of data. These measures include provisions according to which contractual terms shall not be binding where access and use of data or the liability and remedies for a breach have been unilaterally imposed on another entity if these terms are deemed to be unfair. A contractual term will be deemed unfair if its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing. These requirements will be particularly relevant to data licensing agreements and essential to developing certain forms of AI models.

What is the legislative status?

The Data Act entered into force on 11 January 2024. With some exceptions for rules that apply 32 or 44 months after the date of entry into force, most rules of the Data Act apply in the EU from 12 September 2025.

This Essential Guide was first published in June 2023. It was updated before the Data Act started to apply on 12 September 2025.

[View source.]