EU Data Act published in Official Journal

The Data Act appeared in the EU Official Journal on 22 December 2023, formally enacting horizontal rules for access to and use of data generated by connected products and related services. The regulation enters into force 20 days after publication, with most provisions applying 20 months later (expected September 2025).

Cloud and edge providers must enable user switching without undue hurdles, manufacturers must provide access to product/service data upon user request under protective terms, and public bodies gain emergency access rights in exceptional need. Companies should map data flows, update contracts, and plan interoperability changes well ahead of application dates.

Connected Product Data Access

The Data Act establishes user rights to access data generated by connected products and related services. Manufacturers and service providers must make data available to users or third parties designated by users, in usable formats enabling downstream innovation and competition.

Connected products covered include IoT devices, industrial machinery, vehicles, smart home systems, and wearables generating data through use. The regulation applies to both consumer and business products, creating horizontal requirements across sectors previously addressed through sector-specific legislation.

Data access must occur without undue delay and in commonly used, machine-readable formats. Technical design requirements ensure products enable data extraction from initial deployment. Manufacturers cannot impose contractual restrictions preventing users from accessing data they generate.

Cloud and Edge Provider Switching

Cloud service providers face obligations ensuring customers can switch between providers or move to on-premises infrastructure without undue technical, contractual, or financial barriers. The Data Act addresses vendor lock-in concerns limiting competition and customer choice in cloud markets.

Providers must support data portability in interoperable formats enabling migration to alternative services. Switching fees face restrictions, with gradual phase-out provisions eliminating fees for certain services. Technical interfaces must support data export and functional equivalence requirements ensuring continued application operation after migration.

Cloud providers should prepare technical capabilities supporting portability requirements, including APIs, documentation, and migration assistance. Contract terms require review against fairness provisions limiting one-sided conditions disadvantaging customers.

B2B Data Sharing Framework

The Data Act creates obligations for business-to-business data sharing when data holders possess data valuable to other businesses. The framework addresses situations where dominant market positions enable data hoarding limiting competition and innovation.

Data sharing must occur on fair, reasonable, and non-discriminatory terms. Compensation may be required but cannot exceed marginal costs for data provision. Trade secret protections remain, but cannot justify blanket refusals when alternative safeguards enable sharing while protecting confidential information.

Public Sector Emergency Access

Government bodies gain rights to access privately-held data during emergencies including public health crises, natural disasters, and situations requiring statistical data for policy response. The Data Act establishes procedures and limitations ensuring proportionate access while protecting business interests.

Emergency access requests must show exceptional need and specify purposes, duration, and data categories required. Compensation provisions ensure businesses receive fair remuneration for significant data provision outside genuine emergency situations.

Unfair Contract Terms

The Data Act addresses unfair terms in data-related contracts, particularly situations where larger parties impose one-sided conditions on SMEs and consumers. Provisions establish criteria for identifying unfair terms and provide enforcement mechanisms for affected parties.

Contract reviews should identify terms potentially triggering unfairness provisions, including unilateral modification rights, excessive liability limitations, and inappropriate data access restrictions. Standard terms require evaluation against Data Act requirements before continued use.

Key dates and milestones

Most Data Act provisions apply from September 2025, providing 20 months for compliance preparation. Certain provisions including switching fee limitations follow extended timelines. If you are affected, develop setup roadmaps addressing technical, contractual, and organizational requirements.

• Official Journal publication contains the final adopted Data Act text and timelines.
• Commission publication notice reiterates the regulation's objectives, cloud switching obligations, and staged applicability.