Data Act

The EU Data Act aims to provide a regulatory framework to govern and make easier the sharing, use and re-use of IoT product-generated data. It also aims to make it easier to switch between cloud providers.

When did it become applicable?

The EU Data Act entered into force on January 11, 2024. Provisions relating to switching and data portability for data processing services became applicable (i.e., enforceable) on September 12, 2025. The provisions on unfair contract terms also apply to new contracts entered into after September 12, 2025 and businesses have until September 12, 2027 to amend existing long-term contracts entered into before September 12, 2025.

The requirements for simplified access to data apply to IoT devices / related services placed on the market after September 12, 2026 (i.e. not to such devices and services available on the EU market prior to this date).

Who does it apply to?

The EU Data Act primarily applies to manufacturers, suppliers and users of IoT devices/related services. It also applies to “data holders” that make data available to data recipients in the EU, public sector bodies in certain situations and data processing services providers (i.e. cloud service providers).

What are the key obligations?

Providers and manufacturers of IoT devices and related services

Data holders (i.e., the manufacturer/service provider with initial control of the IoT data) must give users (i.e., the owner or renter of the IoT product) readily available access to the data generated about them. Additionally, upon request by a user, the data holder must facilitate access to data by third parties. "Gatekeepers’ under the Digital Markets Act are not eligible to receive data under these provisions.

There are restrictions on how IoT data may be used by these third parties. For example, the third party may only use the data for the purposes and under the conditions agreed upon with the user and subject to EU/national law, erase data when it is no longer necessary for the agreed purpose, not use the data for profiling (unless the profiling is necessary for the service requested by the user) and may not use the data to develop competing products.

The EU Data Act also stipulates that data holders must make data available to public sector bodies upon request in case of an exceptional need, such as a public emergency.

Providers of data processing services

Providers of data processing services (including a wide range of cloud-based services: software-as-a-service, platform-as-a-service, and infrastructure-as-a-service) will be subject to a range of contractual, transparency and technical obligations to help users switch easily to another provider, use multiple providers at the same time (in-parallel use) or to an on-premise infrastructure. These obligations facilitate switching without pre-commercial, commercial, technical, contractual or operational obstacles, including by facilitating porting of all exportable data.

This includes a right for customers to terminate their contract with the provider for convenience on 2 months’ notice. Providers may impose 'proportionate’ early termination penalties for the termination of fixed-term contracts (unfortunately there is no clear guidance yet on the interpretation of ‘proportionate’). Reduced switching charges may also be imposed until January 12, 2027 (from that date onwards no switching charges may be imposed, except for egress charges in case of in-parallel use).

Providers must also take technical, organisational and legal measures to safeguard against non-EU governmental access that may conflict with EU laws to non-personal data that they hold.

Interoperability

There are also provisions relating to minimum standards for interoperability for operators of European Data Spaces and minimum standards for smart contracts used for data sharing.

Unfair contractual terms

Does the UK have anything similar?

Part 1 of the Data (Use and Access) Act gives the Secretary of State powers to make regulations covering similar ground to the Data Act’s provisions on IoT devices. Like the provisions under the Data Act, these schemes would create a right for individuals and businesses to access and share data held by companies. The regulations could potentially apply to any goods, services, or digital content, not just IoT, so may have more in common with European Data Spaces, like the European Health Data Space and proposed Financial Data Access Regulation. These regulations would introduce schemes similar to Open Banking in other sectors. For financial data, there are also specific provisions allowing the Treasury to make regulations enabling or requiring the Financial Conduct Authority to make rules requiring financial services providers to use a prescribed interface.

The provisions creating the powers to make these regulations came into force on June 19, 2025, though at the time of writing, no regulations have been published.

What are some of the commercial impacts of the EU Data Act?

Manufacturers and data holders that are obliged to make data available to data recipients will need to implement the design requirements to ensure the availability of data, consider what data is in scope, and draft proper licence terms and template data sharing agreements, including provisions to protect their own IPR.

Providers of data processing services will need to consider what technical steps are needed to facilitate switching and repaper existing contracts to meet the new requirements, including by introducing early termination penalties (if any) for the termination of fixed-term contracts.

The EU has published non-mandatory model contractual terms and standard contractual clauses which can be used in the context of b2b data sharing and the switching requirements.