EU Data Act 2025 Explained: Key Changes, Compliance, and Impact on Businesses

What Just Happened on September 12, 2025?

On September 12, 2025, the EU Data Act officially came into effect. It is a landmark regulation that promises to reshape the way data is accessed, shared, and governed across Europe. According to the European Commission, the Act is designed to give individuals and businesses greater control over their data, while ensuring fair competition in the digital economy.

Understanding the Data Act

The EU Data Act is like a comprehensive rulebook that governs how data flows between companies, consumers, and governments across Europe. It's not just about privacy (that's GDPR's job), but about who can access and use the massive amounts of information generated by our increasingly connected world.

Imagine data as water flowing through pipes in a city. Previously, some companies had built dams to hoard all the water (data) for themselves. The Data Act essentially breaks down these dams and creates new channels, ensuring water flows more fairly to everyone who needs it.

What the Data Act Changes

The Previous Landscape

Before the Data Act, the data economy operated like medieval fiefdoms. Device manufacturers and service providers essentially "owned" all data generated by their products. A smart thermostat company could collect detailed information about your home's energy usage, daily routines, and occupancy patterns, then use this exclusively for their own business purposes without sharing access with you or allowing you to take it elsewhere.

Cloud service providers could create "vendor lock-in" situations, making it technically difficult and financially prohibitive for customers to switch to competitors. Small and medium enterprises (SMEs) were often forced to accept unfair contractual terms because they lacked negotiating power.

Politico Europe reports that the legislation may spark legal and commercial battles as tech giants adjust their services to comply. 

The New Reality

Individuals and businesses now have legally enforceable rights to access data generated by their use of connected products. Taking a connected car as an example, you can now demand access to your vehicle's performance data and share it with independent mechanics, insurance companies, or mobility services of your choice.

Connected products placed on the EU market after September 12, 2026, must be designed from the ground up to allow free and easy data access.

Data processing service providers must now facilitate switching between competitors with maximum transition periods of 30 days and will face the gradual elimination of switching fees by January 2027.

The Act introduces protections against unfair terms in business-to-business (B2B) data contracts, with both "blacklisted" terms (automatically invalid) and "grey-listed" terms (presumed unfair unless justified).

The shift represents a fundamental re-balancing of power in the digital economy. Previously, data controllers held virtually absolute power over data access and usage terms. Now, the Act creates a more democratic data ecosystem where users retain meaningful control over their information. This mirrors historical shifts from proprietary to open standards in technology, similar to how the Internet's success came from open protocols rather than closed systems.

The business-to-government (B2G) provisions represent perhaps the most radical change, creating mechanisms for public authorities to access privately held data during emergencies or for essential public services. This is unprecedented in its scope, establishing data access as a public utility concept during critical situations.

Key Provisions and Obligations

Connected Products and Related Services

The Act applies to "connected products", i.e., physical items that generate data about their use or environment and can transmit this information. These include smart appliances, industrial machinery, wearable devices, and connected vehicles. "Related services" are digital services essential for these products to function properly.

Data holders (typically manufacturers) must provide users with access to their data "without delay, free of charge, and, where applicable, continuously and in real time". The data must be provided in structured, commonly used, machine-readable formats.

Unfair Contractual Terms Protection

The Act establishes three levels of contractual fairness assessment:

  1. General Fairness Test: Terms are unfair if they grossly deviate from good commercial practice.
  2. Black List: Terms that are automatically invalid, such as excluding liability for gross negligence.
  3. Grey List: Terms presumed unfair unless the imposing party can justify them, including restrictive termination clauses or unilateral price changes.

Cloud Switching Rights

Cloud service providers must eliminate commercial, technical, and contractual obstacles to switching. This includes mandatory maximum notice periods of two months, transition periods of 30 days (extendable up to seven months for technical reasons), and progressive elimination of switching fees.

Business-to-Government Access

Public authorities can access privately held data in two scenarios:

  • Public emergencies: Such as natural disasters, pandemics, or major cybersecurity incidents
  • Public interest tasks: When authorities need specific data to fulfill legally mandated duties like producing official statistics

Read our deep dive on How GDPR Changed Data Privacy Laws Worldwide to understand the Act's foundations.

Challenges

The most fundamental challenge lies in fragmented enforcement of the Act. The Act requires the member states to designate competent authorities by the implementation date, yet many have failed to establish clear enforcement mechanisms. Only a handful of countries, including the Czech Republic, Denmark, Finland, and Latvia, have successfully designated competent authorities for data governance legislation, while fourteen member states remain unclear about their enforcement structures.

While Article 1(5) of the Data Act states that it applies "without prejudice" to the GDPR, this apparently straightforward relationship becomes problematic in practice. The European Commission's assertion that "the GDPR is fully applicable to all personal data processing activities under the Data Act" oversimplifies the reality that these regulations create potentially conflicting obligations. When datasets are "inextricably linked" (a concept neither regulation clearly defines) the entire dataset falls under GDPR provisions even if personal data represents only a small fraction. This would create compliance complexity for organizations that will now have to deal with dual regulations while ensuring they meet both data sharing obligations under the Data Act and data protection requirements under GDPR. 

Article 13 of the Data Act considers a clause 'unilaterally imposed' if it has been "drafted and provided solely by one contracting party, without affording the other party a genuine opportunity to influence or negotiate its content". However, this threshold may be set too low, as it places the burden of proof on the party proposing the clause to demonstrate it was not unilaterally imposed. This might result in situations where legitimate business terms could be challenged simply because one party had greater negotiating power, even in scenarios where both parties entered negotiations voluntarily and had reasonable opportunity to propose alternatives.

The Data Act mandates that cloud providers facilitate switching within maximum timeframes of 30 days while ensuring interoperability across different service types, yet the technical standards necessary to achieve these goals remain underdeveloped. The concept of functional equivalence becomes challenging when dealing with proprietary technologies, custom configurations, or specialized services that may not have direct equivalents across different providers.

Furthermore, Article 9 of the Data Act allows data holders to request compensation that includes both direct costs of making data available and investments in data collection and production, but the valuation methodologies for these components remain largely undefined. The European Commission has committed to developing guidelines for reasonable compensation calculation, but these have not yet been published despite the Act's implementation. This would create challenges when dealing with valuable datasets, intellectual property (IP) rights, or trade secrets where traditional cost-based valuation methods do not adequately reflect the data's strategic or competitive value.

While Article 37 requires non-EU entities offering connected products or services in the EU to appoint a legal representative, the practical enforcement mechanisms remain weak until such representation is established. Until a representative is designated, the entity technically falls under the competence of all member states for enforcement purposes. However, this broad enforcement authority may prove difficult to exercise effectively in practice, as non-EU companies operating without proper representation may simply ignore enforcement actions until penalties become severe enough to compel compliance. 

Chapter VIII of the Data Act requires data processing service providers to assess the legality of foreign government access requests and implement "reasonable technical, legal and organizational measures" to prevent unauthorized transfers. However, these provisions primarily address formal legal requests rather than covert surveillance or indirect access methods that sophisticated state actors might employ. The requirement for judicial authorization and respect for fundamental rights, while important, may not effectively protect against scenarios where foreign governments have alternative means of accessing data. The Act's focus on transparency and legal process, though valuable, may not adequately address the full spectrum of threats to data sovereignty that European policymakers intend to prevent.

The Way Forward

The need of the hour is to establish coordinated enforcement structures across all EU member states. While Article 37 requires each member state to designate competent authorities, only a handful of countries (mentioned above) have made clear designations. Belgium has designated the Belgian Institute for Postal Services and Telecommunications (BIPT) as the national regulator, while the Netherlands has appointed both the Netherlands Authority for Consumers and Markets (ACM) and the Dutch Data Protection Authority (AP) as joint competent authorities. The European Commission should urgently work with lagging member states to complete these designations. Additionally, the European Data Innovation Board (EDIB) must rapidly establish operational procedures for facilitating cooperation between competent authorities, building capacity, and ensuring consistent enforcement approaches across borders.

The development of technical standards and interoperability specifications requires coordinated action from multiple European standardization bodies as well as the industry. The European Commission's Standardization Request M/614, officially accepted by CEN and CENELEC on July 7, 2025, commits these organizations to developing seven European standardization deliverables for the European Trusted Data Framework. This includes four European Standards (two intended for citation in the Official Journal of the European Union) and three Technical Specifications that will support Article 33 requirements for interoperability of data, data sharing mechanisms, and common European data spaces. The newly established CEN-CLC/JTC 25 'Data management, Dataspaces, Cloud and Edge' technical committee leads this effort, with deliverables covering trusted data sharing, cloud interoperability, and data space creation. The Commission must ensure these standards are developed within accelerated timeframes to meet the September 12, 2026 deadline for enhanced cloud service interoperability requirements and the broader data space rollout objectives. Additionally, parallel development of harmonized standards for smart contracts, data processing service switching, and cross-border data transfers will be essential for creating the technical infrastructure necessary for effective Data Act implementation.

The European Commission's immediate focus must center on providing implementation guidance through multiple channels, building on its commitment to establish a dedicated Data Act Legal Helpdesk and expand existing frequently asked questions (FAQ) resources. The Commission's engagement with companies of all sizes, industry associations, and civil society must intensify beyond the entry into application to ensure that feedback informs future guidance and keeps implementation proportionate. Model contract clauses for data-sharing agreements will help market participants meet the requirements for fair, reasonable, and non-discriminatory (FRAND) terms.

The Commission must also expedite the development of guidelines for reasonable compensation calculation under Article 9, as these remain absent despite being essential for business-to-business (B2B) data sharing implementation. Additionally, the Commission needs to clarify the interaction between Data Act obligations and existing regulations, particularly GDPR requirements for mixed datasets, through detailed interpretative guidance that addresses practical compliance scenarios.

Industry and businesses must accelerate their preparations to meet upcoming compliance deadlines, especially the September 12, 2026 requirement for connected products to incorporate data accessibility features from the design stage. Organizations must conduct data audits to identify connected products and related services within their portfolios, assess current technical capabilities for data sharing, and develop roadmaps for system upgrades necessary to meet Data Act obligations. Companies must review their contractual arrangements for potentially unfair terms under the new B2B provisions, implement processes for handling user data access requests, and develop capabilities for facilitating cloud service switching where applicable.

Similar to how the GDPR inspired data protection legislation worldwide, including the California Consumer Privacy Act and Brazilian data protection law, the Data Act's approach to data access rights and fair contractual terms may serve as a template for other jurisdictions. The European Union's status as a large, unified market with demanding regulatory standards creates powerful incentives for multinational corporations (MNCs) to adopt Data Act compliance measures globally, potentially leading to worldwide adoption of European data sharing principles. This regulatory influence extends beyond direct compliance, as the Act's technical standards for interoperability and cloud switching may become de facto global norms as companies seek to streamline their operations across multiple jurisdictions.

Conclusion

The EU Data Act represents a fundamental shift toward user empowerment and fair competition in the digital economy. While significant implementation challenges and potential loopholes remain, the Act establishes crucial principles:

  • Users should control their data;
  • Markets should be competitive; and
  • Public authorities should access necessary data for essential services.

While the Act aims to democratize access to data, questions remain about implementation, enforcement, and global alignment. Organizations that view compliance as an opportunity to modernize data infrastructure and develop new business models will likely emerge stronger in this more open, competitive environment.

The Act's overall impact will be measured not just by regulatory compliance, but by its ability to encourage innovation, protect user rights, and create a more balanced digital economy where data serves broader societal interests rather than just corporate profits.


For further details, see the analyses from law firms such as Clifford Chance and Latham & Watkins.
