Introduction
On 12 September 2025, the EU Data Act (Regulation (EU) 2023/2854) will become fully applicable across the European Union. This regulation marks a fundamental change in how data is accessed, shared, and used in Europe, particularly non-personal and industrial data. For businesses in technology, manufacturing, IoT, cloud services, and data analytics, the Act brings both new obligations and opportunities.The Act is designed not only to ensure compliance but also to reshape established market dynamics. By reducing “lock-in” situations where customers are tied to certain providers due to control over data or technical barriers, it aims to open opportunities for new entrants and strengthen competition.
What is the EU Data Act?
The Data Act aims to establish a single European market for data, allowing data to flow freely across sectors and Member States. Its objectives are to promote fairness, empower users, and create a more competitive and innovative digital economy.
The regulation covers:
- Business-to-consumer and business-to-business data sharing obligations.
- Rules on making data available to public authorities in cases of exceptional need.
- Obligations on switching between cloud and other data processing services.
- Requirements to support interoperability and standardisation across data spaces.
- Data access based on fair, reasonable, and non-discriminatory (FRAND) terms.
Key Definitions
- Data Holder: any person or entity with the right or obligation to use and make data available.
- User: the owner or contractual user of a connected product or related service.
- Data Recipient: a third party, acting in the course of business, to whom data is made available.
- Connected Product: a product that generates or collects data and communicates it electronically (e.g., vehicles, wearables, industrial equipment).
- Data Processing Service Provider: providers of on-demand computing resources such as cloud and edge services.
The scope is broad, covering IaaS, PaaS, SaaS, DaaS, and most other “as-a-service” models. The Act also applies extraterritorially, requiring providers outside the EU to comply if they serve EU customers or place services on the EU market.
User Rights and Provider Obligations
Manufacturers of connected products and providers of related services must, at a user’s request, make available data and relevant metadata necessary to interpret and use it:
- Without undue delay and of the same quality as available to the data holder.
- Easily, securely, and free of charge.
- In a structured, commonly used, and machine-readable format.
- Where technically feasible, continuously and in real time.
Users are entitled to:
- Access and receive the data generated by their products.
- Request that data be shared with third parties of their choice.
- Use certified dispute resolution bodies or lodge complaints with authorities.
Unfair contractual terms restricting these rights are invalid. At the same time, users cannot misuse data to create competing products or bypass protections.
Cloud and Data Processing Services
A major focus of the Act is vendor lock-in in cloud and edge services. Providers must:
- Allow customers to switch services within 30 days.
- Remove obstacles to termination, data porting, or unbundling of services.
- Set out switching rights clearly in contracts.
- Ensure continuity and security during switching.
Switching involves more than exporting raw data — providers must support extraction, transformation, and re-uploading into a new system. For IaaS, systems must achieve “functional equivalence” after switching.
Until January 2027, providers may charge limited fees equal to direct costs. After that, switching must be free of charge. Providers must also comply with interoperability obligations through open standards, supporting both switching and multi-provider strategies.
Data Holders’ Obligations
Data holders must:
- Provide access to data without undue delay, free of charge, and in real time where possible.
- Make data available to third parties under transparent and FRAND terms.
- Avoid discriminatory treatment of comparable data recipients.
- Safeguard access through technical protections such as encryption or smart contracts.
They may receive reasonable compensation, but charges must remain fair and proportionate.
Public Sector Access
Public authorities may request access to privately held data in cases of exceptional need, such as emergencies. Requests must be proportionate and justified. Trade secrets remain protected, and compensation is payable unless the request is made during an emergency.
Enforcement and Penalties
Each Member State must appoint a national authority to enforce the Act. These authorities can request information, handle complaints, investigate breaches, and impose penalties.
Practical Difficulties and Challenges
While the Data Act creates opportunities, compliance will not be straightforward. Businesses — especially cloud and data processing service providers — face several hurdles:
- Contractual misalignment: many existing contracts lack portability and switching clauses.
- Transparency gaps: providers must explain rights and processes clearly in contracts and online.
- Revenue and process restructuring: phasing out switching fees forces new business models.
- Technical burden: ensuring “functional equivalence” is complex and resource-intensive.
- Extraterritorial reach: non-EU providers must comply, adding operational and legal complexity.
Migration in complex IT environments requires more than transferring data — it involves restructuring, testing compatibility, and ensuring continuity. Providers that delay preparation risk compliance issues and dissatisfied customers.
What This Means in Practice
The Data Act rebalances control of data, shifting from exclusive manufacturer ownership to shared access. For example:
- A homeowner can share energy data from a smart thermostat with an independent energy service to reduce bills.
- A factory can use machine data for optimisation and predictive maintenance.
- A business can switch cloud providers without high costs or technical barriers.
- Governments can access private-sector data during emergencies.
For providers, this means reduced control over customer relationships, revenue loss from switching fees, and higher compliance costs. For customers, it means stronger bargaining power, multi-service flexibility, and easier exits from unsatisfactory providers.
Key Takeaways for Businesses
To prepare, businesses should:
- Assess whether products or services fall within scope.
- Map and classify data flows.
- Review and update contracts for compliance with FRAND and switching obligations.
- Update procurement strategies to ensure portability and interoperability.
- Build processes for handling user and third-party data requests.
- Safeguard trade secrets and strengthen cybersecurity.
- Budget for compliance costs, including the loss of switching fees and new infrastructure.
Conclusion
The EU Data Act is more than a compliance exercise — it is a structural shift in Europe’s digital economy. Businesses that adapt early will not only avoid regulatory risk but also gain competitive advantages by building trust with users, enabling new data-driven partnerships, and ensuring flexibility in their IT strategies. For users, it promises greater control and portability of data. For policymakers, it is a cornerstone in Europe’s ambition to create a fair, innovative, and resilient data economy.
This article is for general informational purposes only and does not constitute legal advice.