EU: The Data Act – the clock is ticking

As the European Union continues shaping its digital single market, the Data Act stands out as one of its most ambitious endeavours. The Data Act entered into force on 11 January 2024 and will apply from 12 September 2025 impacting businesses working with data-intensive products and services. Designed to boost the EU’s data economy, the Data Act establishes a framework that aims to establish fair data-sharing practices among stakeholders, including consumers, businesses, and government bodies.

The Data Act was part of the previous European Commission strategy to regulate data related services and artificial intelligence. By mandating standardised rules for accessing and using data, the Data Act aims to strike a balance between facilitating data-driven growth and safeguarding protected interests, such as intellectual property and trade secrets.

At its core, the regulation addresses three critical areas:

• Data sharing and access (mainly B2B but also B2C)
• Obligations to share essential data with government entities in defined circumstances (B2G)
• The right of customers to switch between data processing providers smoothly and at reduced cost.

Connected devices and beyond

Scope and coverage

The Data Act applies widely, covering not only data generated by connected devices, but also data sharing in general and data processing services like cloud or edge computing. It compels fair terms of access:  users can request data relevant to operating or maintaining these products; and users may instruct data holders to share data with so-called data recipients. The European Commission hopes this will lead to more competition in aftermarkets.

User rights and data accessibility

Under the Data Act, users of connected devices are entitled to receive or directly access the data generated by those products. If the data cannot be directly accessed, the holder must provide it without undue delay in a well-structured, machine-readable format. This ensures users (and their chosen third parties) can meaningfully benefit from the generated information, subject to appropriate safeguards for confidentiality and trade secrets.

Switching data processing services

A separate section of the Data Act deals with switching between data processing services. There are mainly three obligations: First, service providers need to give information about the available data and the switching process. Second, service providers need to remove all obstacles (technical, contractual and other) to switching, which means a thorough contract review. Finally, providers need to support customers to exit the service, which may in some cases require technical changes to enable interoperability. While early termination fees can still be charged, there should be no fee for switching providers.

What happens next?

The Data Act raises a lot of questions, as it is a complex law with many cross references to IPR, contract and data protection law. The European Commission will provide additional guidance and standard contractual clauses that might help to interpret the Data Act, among others:

• Guidelines for reasonable compensation under the Data Act
• Three standard contractual clauses regarding data sharing between data holders, data users and data recipients
• Standard contractual clauses regarding switching between data processing services

It is expected that these documents will published before 12 September, but the European Commission has indicated that the timetable is likely going to slip.  Additionally, the FAQs that the European Commission published about a year ago are planned to be updated this Autumn.

Organisations should start aligning their technical infrastructure, contracts, and internal policies with the Data Act’s requirements. Given the regulation’s September 2025 applicability date, businesses are advised to begin planning and implementing necessary measures now:

1. Determine whether you are in scope: Depending on your sector and role in the sector, the Data Act might be a great opportunity for you to access data and develop new services, or it might trigger urgent actions to protect trade secrets and update contractual arrangements.
2. Design obligations: Certain IoT devices and services must be designed to facilitate “access by design”, meaning data should be readily and securely accessible to users. There are longer transition periods for this.
3. Contract and transparency updates: Organisations that provide connected devices and services need to give information regarding what type of data is generated, how it is stored and how users can access the data. Agreements must accurately define data access rights and ensure fairness in terms as the Data Act introduces standard terms control for B2B contracts in certain areas. All obstacles for switching between data processing services must be removed.
4. Compliance processes: Businesses should establish internal procedures for receiving and responding to data requests—whether from users, third parties, or government bodies—and maintain records of trade secret protection measures. Under certain circumstances, data holders may claim compensation under FRAND rules, requiring the publication of compensation guidelines.

For additional insights or legal assistance in understanding and navigating the Data Act, visit our Data Act webpage here. We are ready to help you remain compliant and capitalise on the new opportunities the Data Act brings to the EU data landscape.

For more information please contact Tobias Brautigam.