Data strategy — EU Data Act

Data Act compensation and portability evidence guide

Build verifiable Article 4 portability services, cost-based Article 9 compensation, and Article 10 dispute pathways that withstand fairness reviews for SMEs and larger customers.

Updated after the European Commission published SME fairness guidelines and clarified Article 4 authentication, evidence logging, and dispute settlement access in its Regulation (EU) 2023/2854 guidance.

Briefing alignment

Build on the 22 August 2025 data strategy briefing

The Data Strategy Briefing — August 22, 2025 outlines the high-level checkpoints for user-directed access, SME protection, and switching support as Regulation (EU) 2023/2854 enters application on 12 September 2025.

Use this guide to translate that briefing into contract-ready terms, API evidence packs, and pricing guardrails referenced in Commission Q&A releases and the SME fairness guidelines.

Regulators expect organisations to be audit-ready from day one: Article 4 obligations on user-directed access apply immediately once the Regulation is in force, Chapter VI switching clauses become enforceable for cloud and edge providers after the two-year transition ending January 2027, and Article 40 empowers national authorities to request evidence packs at short notice. Aligning programme plans with these milestones keeps legal, technical, and commercial teams synchronized.

  • Scope the data. Catalog product and related service datasets required under Article 4, identify derived data that must be provided, and log any lawful Article 4(6) withholding rationales.
  • Map stakeholders. Align legal, product, security, finance, and support teams around portability SLAs, compensation reviews, and escalation paths that meet Article 10 dispute timelines.
  • Budget SME protections. Quantify the marginal cost of formatting, transfer, and storage so SME recipients are only charged actual costs under Article 9(4) and fairness guidance.

Immediate timeline and dependencies

Article 4 evidence

Engineer auditable portability APIs

Article 4 and Article 5 mandate machine-readable, secure delivery of product and related service data to users and designated third parties without undue delay.

Evidence packages must prove authentication, scope of data transmitted, and timeliness when national authorities or dispute settlement bodies review a case.

  • Authenticate requests. Implement OAuth 2.0 or eIDAS-compliant identity checks for users and third parties, record consent tokens, and retain logs aligned with the Commission’s guidance on verifying user mandates.
  • Capture data lineage. Version APIs, schemas, and export manifests so you can demonstrate that all "readily available" data (including relevant metadata) were transmitted, as required by Article 4(2) and clarified in Commission Q&A notes.
  • Track response clocks. Timestamp receipt and completion of each request, report median fulfilment times, and flag cases exceeding internal thresholds to prove data were delivered "without undue delay" as interpreted in the guidance.
  • Evidence refusals. When Article 4(6) trade-secret protections or rights of others justify withholding fields, store legal assessments, anonymisation steps, and communications to the requester.
  • Secure transfers. Apply mutual TLS, payload signing, and tamper-evident delivery receipts to meet Article 4(1) requirements for secure access and Article 6(2)(f) prohibitions against degrading product security.
  • Coordinate third parties. Share usage purpose statements, retention commitments, and onward transfer controls so designated recipients can satisfy Article 6 obligations.
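A minimal sketch of the evidence record the bullets above describe, added here as an illustration and not taken from the Commission guidance or any vendor implementation: each fulfilled request yields a receipt that binds the authenticated subject, schema version, payload hash, and receipt/completion timestamps, chained to the previous receipt so edits or deletions are detectable. The field names, the demo key, and the sample requests are constructed assumptions; HMAC stands in for the payload signature, whereas an asymmetric signature would let a recipient or authority verify receipts without holding the key.

```python
import hashlib, hmac, json
# Constructed demo key; assume a KMS/HSM-held key in a real deployment.
RECEIPT_KEY = b"demo-only-receipt-key"
GENESIS = "0" * 64  # prev_hash of the first record in the log

def canonical(obj):  # stable JSON encoding so hashes and MACs are reproducible
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_receipt(prev_hash, request_id, subject, schema_version,
                 payload, received_at, completed_at):
    # Build one evidence record for a fulfilled portability request.
    body = {
        "request_id": request_id,
        "subject": subject,                # authenticated user or third party
        "schema_version": schema_version,  # export schema used (data lineage)
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "received_at": received_at,        # epoch seconds, request received
        "completed_at": completed_at,      # epoch seconds, delivery finished
        "prev_hash": prev_hash,            # links the record to its predecessor
    }
    mac = hmac.new(RECEIPT_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}

def record_hash(record):
    return hashlib.sha256(canonical(record)).hexdigest()

def verify_chain(records):
    # Return the index of the first invalid record, or -1 if the log is intact.
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(RECEIPT_KEY, canonical(body), hashlib.sha256).hexdigest()
        if rec["prev_hash"] != prev or not hmac.compare_digest(rec.get("mac", ""), expected):
            return i
        prev = record_hash(rec)
    return -1

def slow_requests(records, threshold_seconds):
    # Request ids whose fulfilment time exceeds the internal threshold.
    return [r["request_id"] for r in records
            if r["completed_at"] - r["received_at"] > threshold_seconds]

def build_demo_log():
    # Constructed sample data: two fulfilled requests, the second one slow.
    r1 = make_receipt(GENESIS, "req-001", "user:alice", "v2",
                      b'{"odometer_km":1200}', 1_700_000_000, 1_700_000_600)
    r2 = make_receipt(record_hash(r1), "req-002", "tp:repair-shop", "v2",
                      b'{"odometer_km":1250}', 1_700_003_600, 1_700_100_000)
    return [r1, r2]
```

Running `verify_chain` on a schedule and before handing an evidence pack to an authority shows whether any receipt was altered or removed after the fact; `slow_requests` feeds the internal-threshold flagging for the "without undue delay" clock.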

Artifacts to maintain

Test and assurance cadence

Article 9 pricing

Govern compensation models with cost transparency

Article 9 requires compensation to be non-discriminatory and reasonable, limits SME charges to cost recovery, and obliges data holders to disclose calculation bases.

The SME fairness guidelines reinforce transparent, negotiable terms and discourage take-it-or-leave-it pricing or opaque bundles.

Article 13 deems unilaterally imposed terms that grossly deviate from good commercial practice unfair, so pricing models must show parity across comparable recipients, justify any margins for large enterprises, and enshrine the Article 9(3) prohibition on compensation for data access mandated by Union law. Combine financial evidence with board-approved policies so audits can verify intent and execution.

  • Build cost catalogues. Itemise formatting, dissemination, and storage costs per dataset and channel to justify Article 9(2)(a) recoveries, and evidence investments cited in Article 9(2)(b).
  • Segment recipients. Define customer classes (SME, large enterprise, not-for-profit research) and align discount structures with Article 9(4) cost-recovery caps to avoid hidden discrimination.
  • Publish pricing policies. Share compensation matrices, SME rebates, and review cadence with customers, mirroring fairness guidance that calls for plain-language summaries and negotiation notes.
  • Automate approvals. Require legal and finance sign-off before quoting compensation, enforce SME caps through workflow tools, and log justifications for any margin applied under Article 9(1).
  • Document transparency. Provide recipients with detailed invoices or calculation sheets meeting Article 9(7) disclosure duties, and store confirmations that the information was received.

Controls to operationalise

Documentation set

Confidentiality & Article 4(6)

Implement proportionate trade-secret protections

Article 4(6) allows withholding or masking trade secrets only after proportionate technical and organisational measures are agreed with the user.

The fairness guidelines stress pre-contract clarity on confidentiality, purpose limitation, liability, and termination to prevent abuse of trade-secret claims.

Article 4(7) and Article 4(8) require written justification each time disclosure is suspended or refused because of trade-secret risks, including evidence that third-country enforcement would be ineffective. Coupling those records with Article 5(9) third-party confidentiality agreements demonstrates that masking decisions are proportionate and reversible once safeguards improve.

  • Classify sensitive fields. Maintain inventories of data classified as trade secrets, their statutory basis, and the mitigation technique (masking, aggregation, synthetic substitution) negotiated with the user.
  • Bind recipients. Require NDAs, data use restrictions, and audit rights that satisfy Article 4(6) and the fairness guidance expectation for balanced liability clauses.
  • Monitor access. Enforce least-privilege access to masked fields, log downstream sharing, and schedule periodic reviews to confirm confidentiality controls remain proportionate.
  • Escalate disputes. Define how disagreements about masking escalate internally, when they trigger mediation, and the timeline for submitting a case to a certified dispute body under Article 10.

Review cadence

Assurance & dispute KPIs

Monitor compliance KPIs and dispute pathways

Article 10 mandates access to certified dispute settlement bodies that decide cases within 90 days, while Chapter VI switching provisions and fairness guidance expect proactive monitoring.

Operational dashboards should surface readiness indicators before authorities or dispute bodies intervene.

Article 31 cooperation duties mean competent authorities can request corrective actions after reviewing metrics, so dashboards must capture not just point-in-time performance but also remediation backlogs, owner assignments, and re-test results.

  • Track fulfilment. Report average and 95th percentile response times for portability requests, the share completed within internal targets, and any backlog breaching "undue delay" expectations.
  • Audit pricing. Monitor SME compensation adjustments, number of waived fees, and variance between quoted and actual cost recovery to ensure Article 9 compliance.
  • Log disputes. Record informal complaints, internal reviews, mediation outcomes, and referrals to Article 10 bodies, including decision timelines and reimbursement obligations highlighted in Article 10(3).
  • Switching readiness. For cloud and edge services, measure time to provide functional equivalence documentation and export tooling in line with Chapter VI, capture customer satisfaction with switch support, and align evidence with the European Commission’s Data Act standardisation request.
  • Quality controls. Track exception rates in masking decisions, third-party retention audits, and GDPR Article 32 findings to show coherence across privacy and Data Act programmes.

Dashboard essentials