← Back to all briefings
Policy 6 min read Published Updated Credibility 94/100

EU Data Act obligations begin applying

The EU Data Act (Regulation (EU) 2023/2854) becomes applicable on 12 September 2025, forcing connected-product makers, cloud providers, and public-sector requesters to operationalize data access, switching, and interoperability controls.

Kodi C.

Editor & Research Lead

Accuracy-reviewed by the editorial team

Policy pillar illustration for Zeph Tech briefings
Policy, regulatory, and mandate timeline briefings

The EU Data Act enters into application on . Data holders for connected products and related services must enable user access and sharing on fair, reasonable, and non-discriminatory terms, support B2G requests in emergencies, and provide safeguards against unlawful third-party use. Cloud providers must support switching and functional equivalence when customers migrate workloads. This is one of the EU's most significant data economy regulations, fundamentally changing how product-generated data can be accessed, shared, and monetized.

Data Act Legislative Context

The Data Act forms a cornerstone of the European Strategy for Data alongside the Data Governance Act. While the DGA addressed data intermediaries and data altruism, the Data Act establishes significant rules for data access, sharing, and portability. Together, these regulations create a full framework for the European data economy enabling greater data use while protecting stakeholder interests.

The regulation was adopted in December 2023 following extensive legislative negotiations. Entry into force occurred 20 days after Official Journal publication, with most provisions becoming applicable 20 months thereafter on 12 September 2025. Some provisions, particularly those affecting existing contracts and cloud switching charges, have extended transition periods.

The Data Act applies extraterritorially to any entity offering products or services in the EU market, regardless of establishment location. Global manufacturers, service providers, and cloud operators must assess compliance obligations if they serve EU customers. This broad jurisdictional reach ensures full market coverage.

Connected Product Data Access

Articles 4-7 establish user rights to access data generated by connected products and related services. Users have the right to access their product-generated data directly and in real-time where technically feasible. The scope includes both raw sensor data and derived data that would not exist absent product functionality.

Data holders must provide access promptly, free of charge to users, and in structured, commonly used, machine-readable formats. Where technical design prevents direct access, data must be provided without undue delay. Continuous access should be enabled where the nature of the data and use case warrants ongoing availability.

Users may request data holders to share data with designated third parties. Data holders must help such sharing without unreasonable delay and on fair terms. However, data holders may refuse requests where sharing would undermine security requirements or enable trade secret misappropriation. Gatekeeping obligations prevent data holders from using refusal rights inappropriately.

Business-to-Business Data Sharing

Articles 8-12 govern data sharing arrangements between businesses, establishing fairness requirements for compensation and contract terms. Data holders providing data under user requests may agree compensation with data recipients, but terms must be fair, reasonable, and non-discriminatory. Compensation cannot exceed costs of making data available plus a reasonable margin.

Small and medium enterprises receive improved protections under the Data Act. Data holders must offer SME data recipients terms no less favorable than those offered to larger enterprises. Practices that disadvantage SMEs through discriminatory pricing or exclusionary terms are prohibited.

The regulation establishes dispute resolution mechanisms for data sharing disagreements. Member States must designate competent authorities to handle complaints and adjudicate disputes. Alternative dispute resolution provides efficient resolution paths. Judicial remedies remain available for parties dissatisfied with administrative outcomes.

Unfair Contract Terms

Articles 13-14 address unfair contract terms in business-to-business data sharing agreements. Unilaterally imposed terms that disadvantage one party or exclude legitimate interests are presumptively unfair. The regulation provides lists of terms that are always unfair and terms that are presumptively unfair subject to rebuttal.

Always unfair terms include those excluding liability for intentional damage, depriving parties of remedies for non-performance, or granting sole discretion to determine contract compliance. Presumptively unfair terms include enabling unilateral termination without reasonable notice, restricting remedies access, or imposing unjustified termination barriers.

Unfair terms are not binding on the disadvantaged party. Contracts continue in force to the extent they can function without unfair terms. This remedial approach preserves data sharing relationships while excising problematic provisions.

Public Sector Data Access

Chapter V sets up a framework for public sector access to private sector data in exceptional circumstances. Public emergencies including health crises, natural disasters, and major accidents may justify data requests. Statutory tasks that cannot be fulfilled through other means may also support requests in non-emergency circumstances.

Data requests must be proportionate, specific, and limited to what is necessary. Public sector bodies must document the necessity of requested data and cannot obtain data for purposes beyond the stated justification. Requests should be directed to data holders most capable of providing relevant information efficiently.

Compensation requirements vary by request type. Emergency requests may be fulfilled without compensation to avoid delays in crisis response. Other requests require fair compensation reflecting data holder costs and protecting against commercial disadvantage. Confidentiality protections apply to trade secrets disclosed under requests.

Cloud Switching and Portability

Articles 23-31 address data portability and switching between data processing services, establishing rights commonly called cloud switching. Providers must enable customers to switch to alternative services or on-premises solutions with functional equivalence. Switching assistance must be provided during reasonable transition periods.

Egress charges for transferring data to alternative providers are eliminated from 12 January 2027. During the transition period, charges must be reduced progressively and capped at cost-based levels. Providers must publish reference prices for switching services enabling customer planning and comparison.

Interoperability requirements mandate support for open interfaces and standards helping portability. Technical specifications must enable effective switching without requiring disproportionate customer effort. Standardization bodies and industry groups are developing specifications to implement interoperability requirements.

Implementation Requirements

Organizations subject to the Data Act should have significantly completed setup programs during the transition period. Key deliverables include data access APIs or portals, compensation frameworks for B2B sharing, updated contract terms, public sector request handling procedures, and cloud switching capabilities.

Compliance demonstration requires documented evidence of technical measures, contractual arrangements, and operational procedures. Competent authorities may request evidence during investigations or inspections. Administrative fines and other penalties apply for non-compliance, with Member State law determining specific sanction frameworks.

Ongoing compliance requires monitoring regulatory developments. The Commission may adopt delegated and implementing acts addressing technical specifications and sector-specific setups. Industry codes of conduct may provide setup guidance and show good faith compliance efforts.

Similar analysis

Additional analysis covering similar themes.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • AI Policy Implementation Guide

    Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

  • Digital Markets Compliance Guide

    Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

  • Semiconductor Industrial Strategy Policy Guide

    Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published
Coverage pillar
Policy
Source credibility
94/100 — high confidence
Topics
EU Data Act · Cloud switching · Connected product data access · B2G data sharing
Sources cited
3 sources (eur-lex.europa.eu, digital-strategy.ec.europa.eu, iso.org)
Reading time
6 min

Further reading

  1. Regulation (EU) 2023/2854 of the European Parliament and of the Council — Official Journal of the European Union
  2. Data Act — European Commission
  3. ISO 31000:2018 — Risk Management Guidelines — International Organization for Standardization
  • EU Data Act
  • Cloud switching
  • Connected product data access
  • B2G data sharing
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.