The EU Data Act: Where Things Stand Now

Data has become the most sought-after commodity in the digital economy − driving innovation, informing decision-making and shaping the future of a wide range of industry sectors. The EU Data Act (Regulation (EU) 2023/2854) is designed to create a Single Market for industrial data in the European Union by setting common basic rules on who can use and access data from connected (Internet of Things) devices across all economic sectors. The Regulation also aims to facilitate switching between data processing services and promote interoperability.

While the new legislation aims to foster greater transparency and open digital markets to new players, there has been considerable debate about the level of protection it offers for intellectual property and trade secrets − a discussion that continues to evolve as implementation approaches.

Key Rights and Obligations

The Data Act sets the ground rules for business-to-consumer, business-to-business and business-to-government exchange of data in the EU Single Market.

Specific measures include the following:

• Business-to-Business data sharing obligations for connected products
• Obligations for Data Holders to make data available to consumers
• Prohibited Unfair Contractual Terms related to data access
• Rules for making data available to Public Sector Bodies
• Switching between Data Processing Services
• Safeguards against unlawful international governmental access
• Facilitating Data Spaces and interoperability
• Limits to Intellectual Property rights for certain data in databases

Regarding enforcement, Member State authorities will be empowered to impose "effective, proportionate and dissuasive" financial penalties for compliance failures.

Entry into Force and Application Dates

The Data Act was published in the Official Journal of the European Union on 22 December 2023 and became applicable on 12 September 2025 for the most part.

There are, however, important staggered timelines to be aware of:

• Products placed on the market: The "data access by design" obligation under Article 3(1) − requiring that connected products and related services be designed so that data is accessible by default − applies only to products placed on the market after 12 September 2026. Businesses with existing product lines therefore have some additional runway, but new product development strategies should already be revisited.
• Contractual terms: The regime governing unfair business-to-business contractual terms (Chapter IV / Article 13) applies to contracts concluded after 12 September 2025. From 12 September 2027, it will also extend to certain long-standing contracts concluded on or before 12 September 2025 − specifically, contracts of indefinite duration, or contracts due to expire at least 10 years from 11 January 2024. Businesses operating under long-term data agreements should therefore already be reviewing those arrangements to assess whether amendments will be required by 2027.

Recent Developments: Model Contractual Terms and the Digital Omnibus

Since formal adoption, the European Commission has taken steps to assist businesses in preparing for the Data Act's requirements. The Commission has published non-binding Model Contractual Terms and Standard Contractual Clauses under Article 41, covering data access and use topics (including provisions on reasonable compensation and trade secret protection) as well as cloud computing switching arrangements. The Data Act requires the Commission to develop and recommend these non-binding tools to assist parties in drafting and negotiating contracts with fair, reasonable and non-discriminatory rights and obligations. While non-binding, these model terms provide a useful practical reference point for businesses drafting or renegotiating data-sharing and cloud agreements. The Commission has also published and updated FAQ on the Data Act. 

More significantly, the Data Act is part of the reform package called "Digital Omnibus", which the Commission has introduced in November 2025. The Digital Omnibus proposes potentially significant amendments to the Data Act across several areas. These include changes to the rules on trade secret-related refusals to share data, a narrowing of the business-to-government data access provisions, adjustments to cloud switching rules for certain contracts and providers, and the removal of the Data Act's smart contracts article without replacement. The Digital Omnibus proposals are still under discussion and have not yet been adopted, but businesses and their advisers should monitor them closely, as they could meaningfully alter the compliance landscape before the September 2025 application date.

What This Means in Practice

The Data Act is already applicable, and many organisations have already started their implementation programs. Key priorities include:

• Reviewing connected product design to assess whether data accessibility requirements are met, particularly for products being placed on the market after September 2026;
• Auditing existing data-sharing and cloud contracts to identify terms that may be caught by the unfair contractual terms rules, bearing in mind the exceptions for long-term agreements;
• Monitoring the Digital Omnibus proposals, which may yet alter key obligations; and
• Understanding the national enforcement landscape, including in Finland where Traficom, the Consumer Ombudsman and KKV will each have a role.

To find out more about the Data Act and how our experts can help you to conduct a scoping exercise, revise terms of use, or determine how third-party data could be used to improve your own services, please get in touch.