Policy — EU regulation

11 September 2025 marks the application date for the bulk of the Data Act, activating Articles 4-40 on data access, compensation, unfair contract terms, public-sector requests, and data processing service switching. This is one of the most significant EU digital regulations, fundamentally reshaping how data generated by connected products and related services can be accessed, shared, and monetised across the European economy.

Data Act Regulatory Context

The Data Act complements the Data Governance Act to create a full framework for the European data economy. While the DGA established rules for data intermediaries and data altruism, the Data Act addresses the significant rules for data access and sharing, particularly concerning IoT devices and cloud services. Together, these regulations implement the European Strategy for Data's vision of data as an economic asset benefiting all teams.

The regulation entered into force on 11 January 2024, with a 20-month setup period concluding on 11 September 2025 for most provisions. This transition period allowed manufacturers, service providers, and cloud operators to adapt their products, services, and business models. Some provisions, particularly those affecting existing contracts, have extended transition periods to minimize disruption to established relationships.

The Data Act applies to manufacturers of connected products placed on the EU market, providers of related services, data holders, data recipients, public sector bodies, and providers of data processing services. Its extraterritorial scope captures non-EU entities serving EU markets, requiring global businesses to assess compliance obligations regardless of their establishment location.

Connected Product Data Access Rights

Articles 4-7 establish user rights to access data generated by connected products and related services. Users have the right to access their data directly and in real-time where technically feasible. The data access right covers both the data generated by product use and associated service data that would not exist absent product functionality.

Data holders must make data available promptly, free of charge to users, and in a structured, commonly used, machine-readable format. Where direct access is not feasible, data must be provided without undue delay and continuously where applicable. Data quality, security, and integrity must be maintained in the access process.

Users may also request that data be shared with third parties of their choice. Data holders must help such sharing on fair, reasonable, and non-discriminatory terms. However, data holders may refuse sharing requests where doing so would undermine security requirements or constitute a trade secret misappropriation.

Business-to-Business Data Sharing

Articles 8-12 govern data sharing arrangements between businesses, establishing fairness requirements and addressing compensation. Data holders sharing data under user requests may agree compensation with data recipients, but terms must be fair, reasonable, and non-discriminatory. Compensation cannot exceed direct costs of making data available plus a reasonable margin.

Small and medium enterprises receive improved protection under the Data Act. Data holders must offer SME data recipients terms no less favorable than those offered to larger enterprises. Predatory pricing, exclusive arrangements, and other practices disadvantaging SMEs are prohibited.

Dispute resolution mechanisms must be available for disagreements concerning data sharing terms. Member States must designate competent authorities to handle complaints and disputes. Alternative dispute resolution and judicial remedies provide escalation paths for unresolved issues.

Unfair Contract Terms

Articles 13-14 address unfair contract terms in data sharing agreements. Contractual terms that unilaterally impose burdens on one party or exclude the other party's legitimate interests are presumptively unfair. The regulation provides a non-exhaustive list of terms that are always unfair and terms that are presumptively unfair unless rebutted.

Always unfair terms include those excluding liability for intentional damage, depriving a party of remedies for non-performance, or giving one party sole discretion to determine contract compliance. Presumptively unfair terms include those enabling unilateral termination without reasonable notice, restricting access to remedies, or imposing unjustified barriers to contract termination.

Unfair terms are not binding on the affected party. Contracts remain in force to the extent they can operate without the unfair terms. This remedial approach enables data sharing relationships to continue while excising problematic provisions.

Public Sector Data Access

Chapter V sets up a framework for public sector bodies to request data from private entities in exceptional circumstances. Exceptional circumstances include public emergencies such as health crises or natural disasters, and situations where public sector bodies need data to fulfil specific statutory tasks that cannot be otherwise accomplished.

Data requests must be proportionate, limited to what is necessary, and respectful of data holder interests. Compensation requirements vary based on whether the request relates to emergency response or other statutory needs. Emergency requests may be made without compensation, while other requests require fair compensation.

Data holders must respond to valid public sector requests within specified timeframes. Confidentiality protections apply to trade secrets disclosed under requests. Data received by public sector bodies is subject to purpose limitations and security requirements.

Cloud Switching and Interoperability

Articles 23-31 address data portability and switching between data processing services, commonly referred to as cloud switching rights. Providers must enable customers to switch to alternative services or on-premises solutions with functional equivalence. Switching assistance must be provided for a reasonable transition period.

Egress charges for data transfer to alternative providers are prohibited from 12 January 2027. Until that date, charges are capped and must be phased out progressively. Providers must publish reference prices for switching services to enable customer comparison and planning.

Interoperability requirements require providers support open interfaces and standards helping data portability. Technical specifications must enable effective switching without requiring disproportionate customer effort. Cloud switching provisions particularly impact hyperscale providers and established SaaS vendors.

Implementation and Compliance

Organizations subject to the Data Act should have completed setup programs during the transition period. Key compliance deliverables include data access APIs or portals, compensation frameworks for B2B sharing, updated contract terms, public sector request handling procedures, and cloud switching capabilities.

Compliance demonstration requires maintained documentation of technical measures, contractual arrangements, and operational procedures. Competent authorities may request evidence of compliance during investigations or inspections. Penalties for non-compliance include administrative fines, with national law determining specific sanction frameworks.

Ongoing compliance requires monitoring for regulatory developments including delegated acts, implementing regulations, and national guidance. The Commission is helped to adopt supplementary measures addressing technical specifications and sector-specific setups. Industry associations may develop codes of conduct providing setup guidance.

Strategic Implications

The Data Act creates significant strategic implications for product manufacturers and service providers. Data access obligations may require redesigning products to enable real-time access. Business models dependent on data exclusivity face disruption as users gain sharing rights. Competitive dynamics shift as data becomes more accessible across value chains.

Cloud providers face particular pressure from switching provisions. Customer retention strategies based on lock-in effects become less viable. Competition will now center on service quality, innovation, and pricing rather than switching barriers. Smaller and specialized providers may benefit from reduced barriers to customer acquisition.

Compliance investment decisions should consider both mandatory requirements and strategic opportunities. Organizations that implement data access and sharing capabilities effectively may differentiate through superior user experience. Early movers in cloud interoperability may capture customers seeking to exercise switching rights.

Similar analysis

Additional analysis covering similar themes.

Policy · Credibility 86/100 · September 10, 2025

Policy — Artificial intelligence

EU AI Act GPAI transparency requirements are in full effect. Model providers must document training data summaries, evaluation results, and intended uses. The transparency regime aims to enable downstream deployers to…

Policy · Credibility 86/100 · September 12, 2025

EU Data Act and Cyber Resilience Act

Two major EU regulations are converging: the Data Act (September 2025) and Cyber Resilience Act (phased through 2027). Connected products need data portability and security-by-design. If you are shipping IoT or smart…

Policy · Credibility 86/100 · September 9, 2025

Policy — Operational resilience

DORA's third-party ICT register requirements are now operational for EU financial entities. Maintain comprehensive records of ICT service providers, including risk assessments, contractual arrangements, and concentration…

Policy · Credibility 86/100 · September 16, 2025

Policy — AI governance

General-purpose AI providers now face live EU AI Act obligations, including transparency reports, system documentation, and compute disclosures that became enforceable twelve months after the regulation’s entry into…

Policy · Credibility 92/100 · October 12, 2025

CSRD FY2025 Data Collection: Preparing for First Sustainability Reports

CSRD-covered companies need to start collecting FY2025 sustainability data. Here's what ESRS requires and how to set up your data collection and governance structures.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Policy Implementation Guide

  Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

• Digital Markets Compliance Guide

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Semiconductor Industrial Strategy Policy Guide

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published

September 11, 2025

Coverage pillar

Policy

Source credibility

86/100 — high confidence

Topics

EU regulation · Data governance · Cloud services

Sources cited

3 sources (eur-lex.europa.eu, digital-strategy.ec.europa.eu, iso.org)

Reading time

6 min

Further reading

1. Regulation (EU) 2023/2854 of the European Parliament and of the Council — Official Journal of the European Union
2. Data Act — European Commission
3. ISO 31000:2018 — Risk Management Guidelines — International Organization for Standardization