12 Sep 2025
Today marks the first day of a new era for data-driven businesses (and their customers) in and outside Europe. The Data Act (Regulation 2023/2854) unleashes access to, and monetization of, (non-)personal data generated by connected devices. It sets down rules for a level playing field for sharing data with businesses and governments.
With this new data regulation, the European Commission expects to increase the EU-27 GDP by €270 billion within 3 years, thanks to the 175 zettabytes of global data available to date. The Data Act is more than a compliance exercise; it creates opportunities for:
Monetisation models: data holders may charge reasonable compensation for direct B2B data sharing obligations, creating a transparent data-licensing environment.
Fairer cloud market: easier switching and interoperability reduce vendor lock-in and stimulate price competition and multi-cloud strategies.
After-market and ancillary services: independent repairers, insurers and service providers can obtain real-time access to IoT data and build competitive offerings.
As is often the case, the European legislator was careful to balance the new rights and obligations with safeguards aimed at protecting companies' innovation or core know-how, customers' safety or privacy, or the growth of SMEs.
The Data Act formally entered into force in January 2024, and most of its obligations became applicable on 12 September 2025, requiring businesses to reassess their data governance, update contracts, and implement data sharing processes.
The opportunities (and challenges) of the Data Act do not apply solely to high-tech companies and telecom providers. Every business and user seeking productivity growth through data-driven innovation (estimated at up to 10% by the Commission) can take part in the democratization of the data economy.
It impacts the following actors:
Actor | Territorial application | Example |
Manufacturers of connected devices | Established: | Manufacturers of smart home appliances, connected cars, medical devices, ... |
Providers of related services | Established: | Providers of aftermarket services, such as repair and maintenance companies |
Providers of data processing services | Established: | Cloud providers |
Data holders | Established: | Any organisation holding data with a legal obligation to share such data with a third party |
Users | Established in the EU | Consumers, businesses or public bodies using connected products or related services |
Public sector bodies | Established in the EU | Local government authorities |
To boost the data economy, the Act relies on several mechanisms, each applicable to different situations and set out in a different chapter of the Act. The most prominent changes are:
Main obligations | Requirement | Applies to |
Access by design / default | Connected products placed on the EU market after 12 September must allow users to retrieve product and related service data easily, securely, in real time and free of charge. | Manufacturers of connected devices and providers of related services |
User right to share data with third parties | Users must be able to request the sharing of their data with a third party without undue delay. Data holders may take measures to protect their trade secrets. | Data holders |
Fair B2B terms | Unilaterally imposed standard contracts must be adapted following a black and grey list of unfair contractual clauses imposed by the Data Act (e.g. excluding liability for gross negligence). If included, these clauses will be (presumed to be) void. | Data holders |
Government requests | Mandatory data sharing in case of a public emergency or other exceptional need. | Data holders |
Cloud switching | Contracts must allow customers to port all exportable data to another provider within a transition period of at most 30 days. A gradual prohibition of switching fees is foreseen until January 2027. | Providers of data-processing services |
Access by foreign governments | Providers must resist unlawful third-country demands for EU-stored non-personal data unless sufficient safeguards exist. | Providers of data-processing services |
Alongside the adoption by the Commission of (a tailored version of) the Model Contractual Clauses for data access and use (MCTs) and Standard Contractual Clauses (SCCs) for cloud computing contracts, here are a few “no regret” moves that you should take if you don’t want to miss the Data Act train:
Compliance with the Data Act will be supervised by national authorities who will handle complaints and have the power to conduct investigations and impose administrative fines that are effective, proportionate and dissuasive. Infringements involving personal data can also be sanctioned under the GDPR.
There are still some documents and guidelines in the pipeline:
Guidelines from the European Commission on “reasonable compensation” for making data available
Model template by the European Commission for requests by public sector bodies for data access in cases of exceptional need
National law regulating the enforcement and competent authority in Belgium. This will likely be the BIPT (Belgian Institute for Postal Services and Telecommunications) according to the government agreement, but no official text has been released yet. Enforcement actions are therefore expected to be delayed in Belgium.
Our IP, IT & Data team can assist with reviewing contracts, conducting applicability and maturity assessments, and implementing data sharing processes. Do not hesitate to reach out to discuss how we can support your organization in turning Data Act compliance into a competitive advantage.
Ready or not, data openness is now an enforceable obligation. The strategic choice is to shape it before it shapes you.
Authors: Loïc Delanghe & Isha Upadhyaya