European Tech Regulation

The Data Act

The Data Act aims to establish a comprehensive framework for fair access to and use of data within the European Union. Its scope covers both personal and non-personal data generated by connected devices and related services, ensuring that users have greater control over their data.

The Data Ac applies to data holders, data users, public sector bodies, and providers of data processing services, promoting transparency, interoperability, and innovation across sectors. It seeks to balance the interests of businesses, individuals, and public authorities while fostering a competitive and data-driven economy.

Affected businesses

The Data Act is a wide-ranging and sector-neutral legislation and applies to a wide range of companies – including product manufacturers, software-as-a-service (SaaS) providers, and business-to-business (B2B) and business-to-consumer (B2C) providers.

The Data Act has an extraterritorial effect, which means it also applies to manufacturers of ‘connected products’, providers of ‘related services’, data holders and providers of data processing services located outside the European Union, where they (respectively) place a ‘connected product’ on the market in the EU, provide a ‘related service’ in the EU, make data available to recipients in the EU or provide data processing services to customers in the EU.

Key impacts

The key features of the Data Act are:

  • Data sharing obligations for ‘connected products’ and ‘related services’ data.
  • Facilitating the switching between cloud service providers, removing any pre-commercial, commercial, technical, contractual or organisational obstacles inhibiting customers from switching or terminating their agreements.
  • Restrictions applicable to data sharing agreements in case of data sharing obligations and unfair unilaterally imposed terms.
  • Data sharing obligations to share data with public bodies in cases of exceptional need.
  • Safeguards for international transfers.

Enforcement

Enforcement of the Data Act is primarily the responsibility of national supervisory authorities designated by each EU Member State, supported by the European Commission. These national supervisory authorities are tasked with monitoring compliance, investigating complaints, and imposing penalties for breaches of the Act.

In cases involving cross-border issues or systemic non-compliance, the European Commission can intervene.

Sanctions for violations may include fines, restrictions on data use, or other corrective measures, depending on the severity and nature of the infringement.

Key timings

The Data Act entered into force on 11 January 2024 and will apply as of 12 September 2025. However, certain provisions will become applicable at a different date, namely:

  • The obligations resulting from Article 3(1) – dealing with requirements for simplified access to data for new products – shall apply to connected products and services related to them after 12 September 2026.
  • Chapter IV (Unfair Contract Terms Related to Data Access and Use between Enterprises) shall apply from 12 September 2027 to contracts concluded on or before 12 September 2025, provided they are of indefinite duration or due to expire at least 10 years from 11 January 2024.