
EU Data Act and Data portability

The EU Data Act applies from 12 September 2025, forcing connected product makers and cloud providers to evidence data access, switching, and trade secret safeguards across governance and contracts.


The EU Data Act (Regulation (EU) 2023/2854) becomes broadly applicable on 12 September 2025, introducing new obligations for manufacturers of connected products, providers of related services, cloud and edge services, and public-sector bodies requesting data reuse. Boards must show a coordinated compliance program that spans product design, contractual frameworks, cybersecurity, competition law, and data governance. Evidence packs should show how teams enable user access to data generated by connected products, support switching between cloud providers within 30 days, implement safeguards for trade secrets, and operate transparent dispute resolution processes.

Regulatory scope and timelines

Key Data Act obligations entering into force in September 2025 include:

  • Chapter II — Data access for users. Manufacturers and service providers must design products and services to allow users (and third parties acting on their behalf) to access data generated during use, free of charge and in real time, via easily understandable interfaces.
  • Chapter III — Data sharing obligations. Data holders receiving requests from users must make data available under fair, reasonable, and non-discriminatory (FRAND) terms. Small and micro enterprises benefit from exemptions.
  • Chapter V — Switching between data processing services. Cloud and edge providers must remove contractual, technical, and commercial barriers to switching, honor maximum 30-day transition periods, and provide functional equivalence during migration.
  • Chapter VI — Interoperability. Providers must comply with future harmonized standards and open interoperability specifications once adopted.
  • Chapter VII — International access safeguards. Providers must assess and mitigate risks of unlawful foreign government access to non-personal data.

Sector-specific rules for smart contracts (Article 30), public-sector B2G data access (Chapter IV), and emergency use cases also apply. Member States will appoint competent authorities and set penalties (potentially significant administrative fines) for non-compliance.

Governance controls

Board oversight. Boards should review a full Data Act readiness roadmap covering legal entity scope, product catalogs, contracts, and technology changes. Minutes must evidence challenge of compliance budgets, resource allocation, and residual risks (for example, trade secret leakage).

Program structure. Set up a Data Act steering committee comprising product management, legal, data governance, security, procurement, and customer success leads. Define terms of reference, decision rights, and escalation pathways.

Policy updates. Refresh data governance policies, product design standards, customer contract templates, and incident response plans to include Data Act requirements. Document cross-references to GDPR, NIS2, Cyber Resilience Act, and competition law policies.

Risk management. Add Data Act risks to the enterprise risk register with inherent/residual scoring, control owners, KRIs, and remediation plans. Map dependencies across product lines and services.

Assurance. Plan internal audit reviews for cloud switching processes, data access controls, and contractual compliance. Capture findings, management actions, and due dates.

Evidence pack architecture

Build an evidence repository structured by obligation:

  • Product data access. Catalogs of connected products, data schemas, API specifications, user interface screenshots, and usability testing results proving real-time access.
  • Contractual artifacts. Updated terms of service, FRAND pricing models, data sharing agreements, and template clauses for trade secret protection, confidentiality, and liability limitations.
  • Switching procedures. Migration runbooks, service level commitments, customer communication templates, and change records showing removal of exit fees or technical barriers.
  • Security safeguards. Threat assessments addressing international data access risks, encryption controls, access logs, and legal analysis of third-country requests.
  • Dispute resolution. Documentation of internal complaint handling, mediation procedures, and links to certified dispute settlement bodies.
  • Stakeholder engagement. Records of consultations with user groups, SMEs, industry alliances, and regulators.
  • Training and awareness. Training materials, attendance logs, and competency assessments for sales, product, and support teams.

Assign metadata for obligation, product/service, region, and owner. Enforce retention schedules aligned with contractual obligations and regulatory requirements.

Product and service design controls

Embed Data Act requirements in product development:

  1. Data inventory. Map data generated by connected products, including sensor outputs, diagnostics, and metadata. Classify personal vs non-personal data, trade secrets, and safety-critical information.
  2. Access design. Implement APIs or dashboards enabling real-time access with standard formats (for example, JSON, OPC UA). Ensure export functionality supports third-party integration and respects cybersecurity controls.
  3. Security and privacy. Apply access controls, authentication, and consent management. Integrate privacy-by-design measures for personal data and trade secret safeguards (watermarking, usage restrictions).
  4. Usage policies. Define acceptable use policies for third-party access, including prohibitions on profiling minors, discriminatory practices, or cybersecurity threats. Align with Article 4 safeguards.
  5. Monitoring. Establish logging and monitoring of data access requests, usage patterns, and anomalies. Connect to security operations centers for incident detection.

Cloud switching and interoperability

Cloud and edge providers must operationalize Chapter V obligations:

  • Switching plans. Document transition steps, migration tools, and support services for customers moving to new providers. Provide data export in commonly used, machine-readable formats.
  • Contract terms. Remove clauses imposing exit fees beyond direct costs, eliminate exclusive dealing provisions, and cap notice periods at 30 days. Provide price transparency for switching support.
  • Functional equivalence. Maintain service quality during migration by offering bridging services, temporary dual-running, or compatibility layers. Document service level metrics during switching.
  • Interoperability roadmaps. Track adoption of harmonized standards once published. Participate in industry standardization bodies and document setup plans.
  • International access assessments. Evaluate risks of foreign government access using legal analysis, technical controls, and contractual commitments. Maintain registers of data access requests and responses.

Data sharing and contractual governance

For data holders responding to user or public-sector requests:

  • Request handling workflow. Implement intake portals, identity verification, and eligibility checks. Document decision trees for approvals, rejections, or negotiation of FRAND terms.
  • Pricing and compensation. Develop cost models that comply with Article 9, considering marginal costs, data preparation, and customization. Store rationale for each agreement.
  • Trade secret protection. Apply technical measures (differential privacy, secure environments) and contractual clauses limiting disclosure, consistent with Article 4(3).
  • Public-sector requests. Document emergency requests under Article 15, including proportionality assessments, legal basis, and response timelines.
  • Dispute mechanisms. Provide escalation pathways to independent dispute settlement bodies. Maintain logs of decisions, timelines, and outcomes.

Reporting workflow

Design a reporting and attestation workflow to show compliance:

  1. Monthly steering committee. Review progress against readiness milestones, issue logs, and regulatory developments.
  2. Quarterly board updates. Present dashboards covering product readiness, contract remediation, training completion, and risk indicators. Capture board challenge and approvals.
  3. Legal and compliance attestation (June–July 2025). Conduct readiness assessments, document residual gaps, and secure sign-offs from legal, security, and product leads.
  4. Operational rehearsals (July–August 2025). Run switching simulations, data access dry runs, and incident response exercises. Capture lessons learned and remediation actions.
  5. Go-live governance (September 2025). Implement heightened monitoring for the first 90 days, with weekly executive reviews and regulator engagement logs.

Training and communications

Develop targeted training for product teams, sales, customer success, and support staff. Content should cover Data Act obligations, customer rights, FRAND negotiations, and escalation routes. Track completion rates, assessment scores, and feedback. Provide customer-facing communications explaining new rights, access processes, and switching support.

Metrics and monitoring

Define KRIs and KPIs to monitor compliance:

  • Percentage of connected products with live data access APIs.
  • Average time to fulfil data access requests.
  • Number of switching requests completed within 30 days.
  • Trade secret incidents or access denials escalated.
  • Training completion rates and competency scores.
  • Regulator interactions and status of guidance compliance.

Set thresholds for escalation to the board. Integrate metrics into enterprise dashboards and align with risk appetite statements.

Pre-September 2025 checklist

  • Complete gap assessments across product portfolios and cloud services against each Data Act obligation.
  • Finalize updated customer contracts and FRAND pricing models.
  • Deploy production-ready data access interfaces and switching toolkits.
  • Conduct tabletop exercises simulating regulator inspections or customer disputes.
  • Establish dispute resolution partnerships with certified bodies.
  • Publish internal and external communications explaining new customer rights and processes.

Orchestrating Data Act programs, aligning product design, contractual governance, and switching operations so the September 2025 application date lands with clear evidence of compliance.
