Compliance Briefing — January 11, 2024
The EU Data Act entered into force on 11 January 2024, triggering 2025 deadlines for connected product data sharing, cloud switching, smart contract controls, and safeguards against unlawful foreign access across EU and non-EU providers.
Executive briefing: The EU Data Act entered into force on 11 January 2024, launching a 20-month countdown to sweeping obligations on manufacturers of connected products, providers of related services, data processing service providers, and public bodies seeking access to privately held data. Legal, product, and data governance leaders must choreograph technical and contractual transformations so user-generated data can be shared securely, unfair terms are purged, and switching barriers in the cloud and edge ecosystems disappear ahead of the September 2025 application dates.
Regulation overview and applicability
Regulation (EU) 2023/2854—the Data Act—builds a horizontal legal framework for data access and use across the European Union. It applies to manufacturers of connected products (from industrial machinery and vehicles to consumer IoT devices), providers of data-driven services that are supplied alongside those products, third parties that users authorize to receive data, and data processing service providers offering infrastructure, platform, or software services. It also creates obligations for public sector bodies and EU institutions seeking data in exceptional circumstances. Because the regulation has extraterritorial reach, non-EU companies that place connected products on the EU market or provide related services to EU users must comply, even if they process data elsewhere.
Timeline checkpoints
The regulation entered into force on 11 January 2024. Most obligations begin to apply 20 months later, on 12 September 2025. However, the rules on switching between data processing service providers (Chapter VI) apply one year after entry into force—on 12 January 2025—requiring providers to phase out unfair contractual, commercial, technical, and organizational obstacles to switching and to support functional equivalence for at least 30 months after the switch. Meanwhile, the ban on unlawful third-country access requests and the requirement to assess foreign government demands become binding on the same date. Smart contract obligations in Article 30 also follow the 20-month timeline, meaning developers must build safe termination and reset capabilities by September 2025.
Data access obligations for connected products
Manufacturers must design connected products so that data generated through their use is easily, securely, and, where relevant, directly accessible to the user. If real-time direct access is not feasible, they must provide the data “without undue delay, free of charge and, where applicable, continuously and in real time” via a secure interface. The data must be provided in a structured, commonly used, machine-readable format, together with the relevant metadata and explanations necessary to enable understanding. Service providers supplying digital services that rely on the product data face similar obligations. Manufacturers need to publish clear information before purchase or lease explaining what data is generated, how it can be accessed, and how it can be shared with third parties.
User rights and third-party sharing
Users—whether consumers or enterprises—gain the right to share product and service data with third parties of their choice. Upon request, the data holder must make the data available to the third party under fair, reasonable, and non-discriminatory terms, including in near real time where technically feasible. The third party must use the data only for agreed purposes, maintain confidentiality, and delete the data when the purpose is fulfilled. Gatekeepers designated under the Digital Markets Act cannot receive the data under these provisions, preventing them from leveraging the Data Act to expand dominance. Contracts must also respect trade secret protections: data holders can impose technical and organizational measures to preserve confidentiality and require non-disclosure agreements, but they cannot refuse access outright unless sharing would lead to serious economic harm.
Prohibitions on unfair contractual terms
The Data Act tackles imbalances in B2B data sharing by outlawing unfair terms that are unilaterally imposed on micro, small, or medium-sized enterprises (SMEs). Any clause that excludes liability for intent or gross negligence, limits remedies for breaches of data security, or gives the imposing party unilateral power to interpret the contract may be deemed non-binding. Legal teams need to review template agreements and partner contracts to identify clauses that will become void. Compliance programs should set up guardrails ensuring procurement and sales organizations update standard terms with mutual indemnities, clear data-use scopes, security requirements, and audit rights aligned to Articles 13 to 15. Training for commercial teams must explain how the unfairness test works and how to document negotiations with SMEs.
Cloud and edge switching readiness
Chapter VI introduces prescriptive duties for data processing service providers (including IaaS, PaaS, and SaaS). Providers must remove switching fees, offer structural portability via open interfaces, and provide functional equivalence—ensuring that the customer can run applications and services in the new environment without significant loss of quality for 30 months. During the transition phase, termination periods must not exceed 30 days, and providers must support partial switching or parallel multi-cloud usage if requested. Compliance requires mapping proprietary APIs, establishing data export tooling, documenting data schemas, and building detailed switch-out playbooks that define roles, timelines, and verification steps. Providers must also produce transparency statements describing data locations, security certifications, and support for open standards. Because many providers rely on subcontractors, contract management functions need to extend these obligations downstream.
Safeguards against third-country access
The regulation tightens how providers respond to foreign government or court orders. Article 32 requires data processing service providers to assess whether third-country demands conflict with EU or member state law and to challenge or resist unlawful requests. Providers must notify the customer, unless the request prohibits disclosure, and publish aggregate transparency reports. Legal and compliance teams need escalation pathways that involve EU-based counsel, document evaluation criteria for comity analyses, and ensure records of requests are retained for five years. Multinationals should align these safeguards with existing commitments under the GDPR, the EU-U.S. Data Privacy Framework, and sector-specific rules such as the DORA incident reporting regime.
Public sector access in exceptional need
Articles 14 to 23 set out a framework for public sector bodies, the Commission, and EU agencies to request data held by enterprises when exceptional need arises, such as responding to public emergencies or executing legal mandates. Requests must be precise, proportionate, and limited to non-personal data unless personal data is strictly necessary. Data holders may seek compensation, capped at the technical costs of making the data available plus a reasonable margin for SMEs. To comply, organizations should develop request intake procedures, verification checklists that evaluate the legitimacy of the request, and approval workflows involving legal, privacy, and public policy teams. Where personal data is involved, GDPR lawful bases and minimization obligations still apply, requiring coordination with data protection officers.
Smart contracts and data sharing services
Article 30 introduces baseline requirements for smart contracts used in data-sharing agreements. They must feature access controls, transaction logging, resilience against manipulation, and a kill switch or equivalent mechanism to safely terminate or interrupt operations. Developers should apply secure coding practices, implement independent code reviews, and align with industry standards such as ISO/IEC 27001 and ETSI smart contract guidelines. Change-management policies must define how upgrades are deployed without breaking data-sharing commitments. Organizations offering data intermediation services or data-altruism organizations should integrate these controls with their trust frameworks under the Data Governance Act to present a coherent compliance posture.
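As an added illustration of the Article 30 control set just listed (access controls, transaction logging, and a safe kill switch), the following Solidity contract is not part of the briefing or any real project; the roles, names and purpose-hash scheme are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not the Data Act's text or any real project's code) of the
// Article 30 control set: access controls, transaction logging and a kill switch
// that safely interrupts data sharing. All names and roles here are assumptions.
contract DataSharingAgreement {
    address public immutable dataHolder; // party that serves the product data
    address public immutable user;       // user who authorizes third-party sharing
    bool public terminated;              // kill switch state, irreversible once set
    // Purpose-bound, time-bound grant to one third party (the user's sharing right).
    struct Grant { bytes32 datasetId; bytes32 purposeHash; uint64 expiresAt; bool active; }
    mapping(address => Grant) public grants;
    // Transaction logging: every state change and every served request emits an event.
    event GrantIssued(address indexed thirdParty, bytes32 indexed datasetId, bytes32 purposeHash, uint64 expiresAt);
    event AccessRecorded(address indexed thirdParty, bytes32 indexed datasetId, bytes32 requestRef);
    event Terminated(address indexed by);
    modifier onlyUser() { require(msg.sender == user, "not the user"); _; }
    modifier live() { require(!terminated, "agreement terminated"); _; }

    constructor(address _dataHolder, address _user) { dataHolder = _dataHolder; user = _user; }

    // Access control: only the user can authorize a third party, and only while live.
    function issueGrant(address thirdParty, bytes32 datasetId, bytes32 purposeHash, uint64 expiresAt)
        external onlyUser live
    {
        require(expiresAt > block.timestamp, "expiry in the past");
        grants[thirdParty] = Grant(datasetId, purposeHash, expiresAt, true);
        emit GrantIssued(thirdParty, datasetId, purposeHash, expiresAt);
    }

    // Checked by the data holder before serving data; fails once expired or terminated.
    function hasAccess(address thirdParty, bytes32 datasetId) public view returns (bool) {
        Grant storage g = grants[thirdParty];
        return !terminated && g.active && g.datasetId == datasetId && block.timestamp < g.expiresAt;
    }

    // Audit trail entry written by the data holder for each request it serves.
    function recordAccess(address thirdParty, bytes32 datasetId, bytes32 requestRef) external live {
        require(msg.sender == dataHolder, "not the data holder");
        require(hasAccess(thirdParty, datasetId), "no valid grant");
        emit AccessRecorded(thirdParty, datasetId, requestRef);
    }

    // Kill switch: either party halts all sharing; grant records stay readable for audit.
    function terminate() external live {
        require(msg.sender == user || msg.sender == dataHolder, "not a party");
        terminated = true;
        emit Terminated(msg.sender);
    }
}
```

The off-chain data interface would call hasAccess before releasing data and recordAccess afterwards, so the event log doubles as the audit trail an independent review can replay.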
Governance and operating model implications
Cross-functional governance is essential. Product management and engineering teams need roadmaps that redesign device firmware, APIs, and user interfaces to expose data access capabilities. Data governance offices must classify datasets, define sharing tiers, and implement metadata catalogs that describe quality, provenance, and usage restrictions. Security operations must expand monitoring to cover new data-exchange interfaces, while privacy teams update records of processing activities and Data Protection Impact Assessments (DPIAs) to capture Data Act flows. Procurement and vendor management units should refresh due diligence questionnaires to evaluate counterparties’ readiness, especially for cloud providers and strategic partners that will consume shared data. Internal audit should plan readiness assessments covering product design, contract management, and data portability tooling.
Implementation roadmap
Organizations can organize their response into phases. Phase one—during the first half of 2024—focuses on impact assessment: inventory products and services in scope, map data flows, review contractual portfolios, and identify technical gaps. Phase two—late 2024 through mid-2025—emphasizes build and test: develop APIs, enhance identity and access management, implement logging, craft template data-sharing agreements, and pilot switching exercises with selected customers. Phase three—leading up to September 2025—concentrates on operationalization: finalize user communications, establish support desks, roll out training, and embed metrics in governance dashboards. Throughout each phase, organizations should align Data Act deliverables with parallel EU mandates such as the Digital Services Act, the Data Governance Act, the Cyber Resilience Act, and NIS2 to avoid duplicative investments.
Risk management and assurance
Risk teams should update enterprise risk registers to capture Data Act compliance risks, including potential administrative fines (which can reach up to €20 million or 4 percent of global annual turnover, depending on member state enforcement regimes) and contractual liabilities. Controls testing should verify that data shared with third parties matches authorized scopes, that trade secret protections (such as differential privacy or secure enclaves) are functioning, and that switching support meets the functional equivalence standard. Organizations should also rehearse incident response scenarios where shared data is misused or third-country authorities issue conflicting orders, ensuring escalation to supervisory authorities and affected customers within statutory timelines.
Zeph Tech partners with data, legal, and engineering teams to deliver Data Act readiness—blending product telemetry, contract intelligence, and switching playbooks that prove compliance to EU regulators and enterprise customers alike.