Menu
A person interacts with a smartphone, emitting light, against a backdrop featuring a digital lock surrounded by interconnected tech-related terms. Yellow stars encircle the design, symbolizing the European Union. The terms include website, account, resource, search, and monitoring.

Data Act enters into force

Effective September 12, 2025, the EU Data Act imposes new obligations on businesses offering products or services in the EU, regardless of location. For connected products and related services in the IoT sector, businesses must provide users—both consumers and business users—access to raw usage data and necessary metadata upon request where data is readily available. Pre-contract information on access options is required, terms must be updated to reflect access rights and limitations (including trade secrets), retrieval must be free and secure, and users can instruct providers to share data with third parties. From September 12, 2026, products placed on the EU market must be designed to give users direct access to raw usage data.

In B2B contracts, the Act prohibits unilateral “unfair” terms governing access to and use of data, including clauses that exclude or limit liability or remedies or grant one party exclusive control over data compliance determinations. Certain provisions are presumed unfair if they unduly restrict data use. Such terms are unenforceable against counterparties in the EU and apply to both personal and non-personal data.

For data processing services (SaaS, IaaS, PaaS), providers must enable customer switching and interoperability: disclose switching procedures and limitations, allow switching with no more than two months’ notice, remove technical, contractual, and commercial barriers, and support open interfaces and machine-readable exports. Providers must also implement measures to prevent foreign government access to non-personal EU-stored data, set processes for handling access requests, and publicly disclose these measures and ICT infrastructure locations. These rules apply to new and existing contracts. From January 12, 2027, providers may not charge switching fees, including data transfer fees.

The Act also establishes business-to-government access in cases of exceptional need, including emergencies and specified public interest scenarios, and introduces minimum requirements for smart contracts used in data-sharing agreements, such as manipulation resistance. Enforcement will be carried out by national regulators with penalties under local laws. Immediate actions include reviewing data-sharing practices for connected products, updating access processes and user notices, reassessing B2B data restrictions for enforceability, and revising cloud contracts and internal procedures to support switching and government access handling for non-personal data.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *