The EU Data Act (or the “Act”) is a new regulation that establishes rules on who can access and use data generated by connected devices and related services placed on the EU market – data that is often held exclusively by manufacturers and large platforms. Its goal is to promote data sharing between businesses, consumers, and public bodies to facilitate competition, innovation and consumer choice, while ensuring fair access to the data and safeguarding privacy and trade secrets.

The EU Data Act forms part of the EU’s broader data strategy, aimed at building a common European data space. It is likely to have a significant impact on multinational companies, either (for manufacturers and platform providers) by requiring them to share data with customers and competitors for the first time, or (for all other entities) by giving other businesses new opportunities to access valuable data that was previously unavailable to them.

Most of the Act’s requirements came into effect on 12 September 2025. This blog highlights who it applies to and what businesses need to know to stay compliant.

What is the Data Act’s Purpose?

The rapid growth of internet-enabled devices or “connected products” – from medical and fitness trackers to smart home systems, cars, and industrial machinery – has fueled a surge in data generation. These devices, often collectively referred to as the Internet of Things (“IoT”), generate valuable information often controlled solely by manufacturers and service providers.

The EU’s Data Act seeks to rebalance this data distribution by enhancing data sharing between different actors (users, manufacturers and service providers), and facilitating market competition by making it easier to switch between the service providers that process such data. It aims to remove contractual and technical barriers so that customers – including businesses and consumers – can access and benefit from the data they generate through use of connected products and their supporting applications.

Beyond these immediate objectives, the Data Act is also expected to have broader implications for AI development. AI models depend on access to large volumes of diverse, high-quality data to train and improve their performance. By clarifying rights of access to data and mandating greater interoperability between systems, the EU Data Act may help unlock datasets that were previously inaccessible or fragmented. This, in turn, could facilitate more equitable opportunities for innovation, enabling a wider range of stakeholders to participate in AI development while maintaining safeguards around fairness, transparency and lawful data use.

While the Act’s main provisions took effect on 12 September 2025, the requirements governing the design, manufacture, and provision of connected devices and related services (“access by design”) apply only to products and services placed on the market from 12 September 2026. The rules on unfair contractual terms apply to contracts concluded after 12 September 2025 from that date; for long-term contracts concluded on or before 12 September 2025 (those of indefinite duration or due to expire at least ten years from 11 January 2024), they apply from 12 September 2027.

Scope and Key Definitions

Applicability. The Act’s main provisions apply to:

  • Manufacturers of connected products, if they place connected products or related services on the EU market. For example, connected ships, cars, aircraft, industrial machinery, medical devices, and smart appliances;
  • Providers of services related to connected products: businesses, regardless of whether they are established in the EU, whose applications or software accompany, support, interact with, or control connected products in the EU market (e.g., cloud services, or analytics providers) – typically this role will also be assumed by the manufacturers of the connected product;
  • Data holders: any entity, regardless of whether it is established in the EU, that collects, stores or otherwise controls data generated by connected products or related services that are placed in the EU market – typically, this will also be the manufacturer of a connected product or the provider of a related service;
  • Providers of data processing services: typically edge service and cloud service providers, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) providers;
  • Data recipients: downstream entities to whom the data is made available (users or third parties) are treated as part of the data chain and must comply with any associated conditions or limitations imposed under the Act.

The Act also introduces rules allowing EU public bodies, the Commission, the ECB and Union bodies to request data in exceptional situations, and it introduces safeguards to protect against unlawful access when transferring data to non-EU governments.

Covered data. The Act applies to several types of data including:

  • Product data: data generated by engaging with a connected product;
  • Related service data: data generated either intentionally by the user or as a byproduct of users’ actions during the provision of related services;
  • Exportable data: input and output data, including metadata, generated by the customer’s use of a data processing service; and
  • Metadata: a structured description of the contents or the use of data (e.g., timestamps).

Within these data categories, the Act applies to both personal data (as defined in the GDPR) and non-personal data (defined as all data other than personal data). When personal data is involved, the Act operates alongside the GDPR, requiring compliance with both.

To facilitate compliance, businesses should consider assessing their role (e.g., data holder, manufacturer) and creating inventories that classify personal data to ensure that GDPR and Data Act obligations are applied in parallel.

Key Obligations

The EU Data Act introduces a range of novel obligations for covered entities. Businesses involved in the provision of connected products and related services should be mindful of their potential obligations, in particular when developing new offerings.

B2B and B2C Sharing of Data Generated by Connected Products.

Direct & indirect user access

Under the Act, users of connected products and related services have a right to access the data generated through their engagement with that product or service free of charge, in a comprehensive, structured, commonly used, and machine-readable format, through a secure and easily accessible channel. Where feasible, this data should be “directly accessible” to the user, for example, through user‑facing dashboards or APIs. If that is not feasible, data holders must find fair and reasonable alternative mechanisms that provide access without undue delay, and where applicable on a continuous basis.

In practice, businesses should take care to design these sharing mechanisms with appropriate cybersecurity safeguards to ensure that data access remains secure and resilient, and does not expose users or systems to undue risk.

Third-party access

The Data Act also entitles third party businesses, at the user’s request, to similar data-access rights. In such cases, data holders must make the same set of product, service, and metadata available to third parties in the same quality as would be provided to the user directly. Third parties are obliged to use the data only for specific purposes and under conditions agreed to with the user. They also must erase the data once it is no longer needed to achieve the agreed purpose.

Confidentiality of trade secrets

Because access rights may involve the disclosure of sensitive business information, the Act contains safeguards for trade secrets. Data holders must identify what data is protected as trade secrets and users who receive data must take all necessary steps to preserve confidentiality. Parties are expected to rely on tools such as contractual terms, strict access protocols, technical standards, and codes of conduct. The same requirements apply to third parties.
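The three conditions above (direct or user-authorized access, the same quality of data for third parties acting at the user’s request, and identification of trade secrets before release) translate naturally into an authorization layer in front of a data-export endpoint. The following is an added illustration written for this post, not code from the Act, the Commission or any data holder; the field names, the per-field tags (personal, trade secret, security-sensitive) and the `Requester` attributes are assumptions about how a data holder might inventory its product data, and the refusal grounds it encodes are only those the Act sets out (product security, documented serious economic harm from trade-secret disclosure, and the recipient being a Digital Markets Act gatekeeper).

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inventory for one connected product (hypothetical field names).
# Each field is tagged the way a data holder's data inventory might tag it:
#   personal      - personal data, so the GDPR applies in parallel
#   trade_secret  - the holder has identified the field as a trade secret
#   serious_harm  - the holder has documented that disclosure is highly likely to
#                   cause serious economic damage (ground for refusal)
#   security      - release would compromise the product's security requirements
PRODUCT_DATA = {
    "odometer_km":      {"value": 48211,        "personal": False, "trade_secret": False, "serious_harm": False, "security": False},
    "driver_id":        {"value": "u-1042",     "personal": True,  "trade_secret": False, "serious_harm": False, "security": False},
    "battery_alg_coef": {"value": [0.91, 1.07], "personal": False, "trade_secret": True,  "serious_harm": False, "security": False},
    "cell_chem_recipe": {"value": "...",        "personal": False, "trade_secret": True,  "serious_harm": True,  "security": False},
    "ecu_debug_key":    {"value": "...",        "personal": False, "trade_secret": False, "serious_harm": False, "security": True},
}


@dataclass
class Requester:
    kind: str                             # "user" or "third_party"
    user_authorized: bool = True          # third party is acting at the user's request
    purpose: str = ""                     # purpose agreed with the user (third parties)
    confidentiality_agreed: bool = False  # contractual/technical trade-secret measures in place
    is_gatekeeper: bool = False           # recipient is a DMA gatekeeper


def build_export(requester, data=PRODUCT_DATA, now=None):
    """Apply the sharing conditions to one access request.

    Returns (export, decisions). export is the machine-readable payload, or None
    when the whole request is refused; decisions records, per field, whether it
    was released and, if not, the ground relied on, so refusals stay auditable.
    """
    now = now or datetime.now(timezone.utc)
    if requester.kind == "third_party":
        if not requester.user_authorized:
            return None, {"*": "refused: third party is not acting at the user's request"}
        if requester.is_gatekeeper:
            return None, {"*": "refused: recipient is a DMA gatekeeper"}

    released, decisions = {}, {}
    for name, f in data.items():
        if f["security"]:
            decisions[name] = "withheld: sharing would compromise product security"
        elif f["trade_secret"] and f["serious_harm"]:
            decisions[name] = "withheld: trade secret, serious economic damage documented"
        elif f["trade_secret"] and not requester.confidentiality_agreed:
            decisions[name] = "withheld: trade secret, no confidentiality measures agreed"
        else:
            released[name] = f["value"]
            decisions[name] = "released"

    export = {
        "generated_at": now.isoformat(),  # metadata (timestamp) travels with the data
        "recipient": requester.kind,
        "purpose": requester.purpose or None,
        "contains_personal_data": any(data[n]["personal"] for n in released),
        # The holder flags which released fields it treats as trade secrets, so the
        # recipient knows exactly what it must keep confidential.
        "trade_secret_fields": [n for n in released if data[n]["trade_secret"]],
        # Third parties must erase the data once the agreed purpose is achieved.
        "erase_when_purpose_fulfilled": requester.kind == "third_party",
        "data": released,
    }
    return export, decisions


def to_json(export):
    """Serialise the payload in a structured, commonly used, machine-readable form."""
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    export, decisions = build_export(Requester(kind="user", confidentiality_agreed=True))
    print(to_json(export))
    for field, outcome in decisions.items():
        print(f"{field}: {outcome}")
```

Note that the same function serves both the user and a third party: the third party receives the same fields in the same quality as the user would, with the only additional gates being the user’s authorization, the gatekeeper check and, for trade-secret fields, whether confidentiality measures have been agreed. Keeping the per-field `decisions` record alongside the export is what gives the data holder the documented basis for a refusal that the Exceptions section below recommends.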

Exceptions

Data sharing is a qualified right, however. The data holder may refuse to share data:

  • where it can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets;
  • where data sharing would compromise the security requirements of the connected product; and
  • where the potential data recipient is a gatekeeper under the Digital Markets Act.

Businesses should consider maintaining a documented process for invoking these exceptions in case of later challenges.

Contracting Obligations for Data Holders

The Act recognizes that in unequal bargaining situations, stronger parties may impose “take-it-or-leave-it” terms that make access to data commercially unviable or costly for smaller enterprises. To protect against this, the Act requires businesses making data available to requesting business users to do so under fair, reasonable, and non-discriminatory conditions. Unilaterally imposed terms found to be unfair are not enforceable. For example, terms that tip the balance too heavily in favor of the data holder – such as restricting how the data can be used without justification or imposing disproportionate liability – will likely be considered non-binding.

Businesses, especially those contracting with smaller enterprises, may want to review and revise existing contracts to ensure they align with the Model Contractual Terms outlined in the EC’s Final Report of the Expert Group on B2B data sharing and cloud computing contracts.

Business-to-Government Data Sharing

The Act also allows public authorities to access data in situations of exceptional need, which cover public emergencies (e.g., cyber incidents, pandemics, and natural disasters) and non-emergency situations (e.g., traffic management). Data holders (except small and micro enterprises) must provide data free of charge in a public emergency; in non-emergency cases of exceptional need, such as data needed to fulfill a specific task in the public interest, the data holder is entitled to fair compensation.

Again, it will be important for businesses to track such requests and designate a point of contact to keep auditable records.

Safeguarding Against Foreign Government Access

To shield EU data from unlawful foreign government access, the Act requires data holders and data processing service providers to ensure non-personal data transfers comply with EU law. Foreign government requests may be honored only if they are based on an international agreement with the EU or a Member State. Absent such an agreement, providers may only share the minimum amount of data necessary and only if the foreign government’s judicial system meets certain characteristics laid out in the Act.

In practice, businesses facing competing demands will need to consider very carefully how to navigate those conflicts.

Cloud Switching

To prevent customer lock-in, the Data Act aims to facilitate switching between cloud service providers with greater ease and certainty. It requires cloud service providers to allow contract termination and migration without technical, contractual, or commercial obstacles, including for unbundling services, moving exportable data on-prem, or contracting with new providers.

Cloud service providers’ contracts must reflect portability processes, commitments to assist customers during transition, and safeguards for continuity, security, and data protection. Businesses can also consult the EC’s Final Report for suggested SCCs.

Providers may consider building off‑boarding playbooks that address export mapping, format conversion, support commitments, and security considerations during transition.

Until 12 January 2027, providers of data processing services may charge customers only reduced switching charges that are directly linked to the switching process itself and do not exceed the costs actually incurred. From 12 January 2027, they may not impose any switching charges at all. Customers planning a migration should therefore weigh the cost of switching now against waiting until switching charges are abolished.

Enforcement and Fines

Each Member State will designate the regulatory authority or authorities that will be responsible for overseeing the Act within their jurisdiction. While most Member States have not yet designated their authorities, they will likely be the existing competition and/or data protection authorities.

Unlike other EU regimes such as the GDPR and EU AI Act, there is no EU-wide system of fines for breaching the Act. Instead, each Member State is given the power to set its own penalties provided they are “effective, proportionate and dissuasive”, meaning there could be potentially significant variances in approach.

However, if the infringement involves personal data, the Act allows (or sometimes requires) the GDPR’s penalty regime to be used – meaning fine caps of up to the higher of €20m or 4% of global turnover.

With the Data Act now in effect, data holders should be ready to evidence adherence through documented compliance programs, covering policies, training, and controls, and a plan for how to meet those requirements not yet in force.


Author

Robert Maddox is a partner in Debevoise & Plimpton LLP’s Data Strategy & Security practice, based in London. In 2021 he was named to Global Data Review’s “40 Under 40” and is described as “a rising star” in cyber law by The Legal 500 US (2022). His practice focuses on cybersecurity incident preparation and response, internal investigations and regulatory defence. Mr. Maddox also advises on data strategy and compliance in the context of emerging technologies, including AI, and operational resilience matters. He can be reached at rmaddox@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Diane C. Bernabei is an associate in the Litigation Department. She can be reached at dcbernabei@debevoise.com.