EU Data Act: Three Months To Go Before New Rules on Data Access and Sharing Take Effect

Skadden Publication / Cybersecurity and Data Privacy Update

William E. Ridgway, David A. Simon, Nicola Kerr-Shaw, Susanne Werry, Aleksander J. Aleksiev, Kata Éles

Executive Summary

  • The EU Data Act, whose requirements apply from 12 September 2025, establishes new rights for businesses and consumers to access data they generated using “connected devices,” limiting the exclusive control exercised by many data holders such as manufacturers and cloud service providers.
  • The Data Act is intended to promote data sharing and innovation, and to eliminate contractual and technical lock-ins that prevent users from switching service providers. The law applies to, among others, manufacturers of connected devices, cloud service providers and any company that collects or uses data generated by internet-of-things (IoT) products.
  • Data service providers and companies that design, produce or deploy IoT-enabled products will need to review and revise their contractual frameworks and data governance strategies to comply with these obligations.
  • The Act imposes new rules to facilitate switching between data processing service providers, which may require data holders to alter their products to achieve the “access by design” goal of the law so data can be easily transferred.

The EU’s Data Act came into force on 11 January 2024 and is a cornerstone of the European data strategy. It is intended to drive digital transformation and support the EU’s “Digital Decade” objectives. Its provisions take effect on 12 September 2025.

The Act is intended to prevent manufacturers or service providers from retaining exclusive control over data generated by connected devices, encouraging competition and better service options for customers.

Key Provisions

Data Sharing in the IoT Market

The Data Act grants users — both businesses and consumers — the right to access, use and share data generated by their connected products and related services, such as smart home devices, industrial equipment or connected vehicles. This includes both personal data (e.g., location, usage patterns) and non-personal data (e.g., sensor readings, machine performance). For example, a logistics firm operating IoT-enabled trucks must be able to access real-time data and share it with a third-party maintenance provider, enabling it to use a maintenance provider other than the original manufacturer.

The obligation to enable such sharing falls on data holders — typically manufacturers or service providers who control access to the data. They must ensure that data is made available upon request, either directly to the user or to a third party designated by the user. This requires companies to invest in technical infrastructure and internal processes that support timely, secure and interoperable data access.

Importantly, data sharing with the user must be provided free of charge. When a user instructs the data holder to transfer data to a third party, the data holder may request fair compensation from that third party but only for the costs directly incurred in making the data available. Users may not be charged for transfers.

Complying with the Data Act can be complex, especially when personal data is involved. Companies must assess each request under the EU’s General Data Protection Regulation (GDPR) to ensure a lawful basis for sharing, as the Data Act does not override existing data protection rules.

Protections Against Unfair Contract Terms

To promote fair access to data, the Data Act restricts the use of unfair contractual terms imposed by companies with significantly stronger bargaining power, particularly large enterprises, in a manner analogous to the Unfair Contract Terms Directive. This is especially relevant in industries where dominant players control critical operational data.

The Act introduces two categories of unfair terms:

  • Terms deemed unfair per se, which are automatically void.
  • Presumptively unfair terms, which are considered unfair unless the imposing party can demonstrate their fairness in a specific context.

Businesses should proactively review existing contracts and contract templates to identify and amend clauses that could fall into either category, particularly in data-sharing agreements with small and medium-sized enterprises.

Model Contractual Terms for Sharing Data

The Data Act obliges the European Commission, by September 2025, to develop and recommend Model Contractual Terms (MCTs) on data access and use, including terms on reasonable compensation as well as the protection of trade secrets. The MCTs are non-binding but may serve as a useful benchmark for companies. The following sets are being developed:

  1. Data Holder to User.
  2. User to Data Recipient.
  3. Data Holder to Data Recipient.
  4. Data Sharer to Data Recipient (voluntary data sharing).

Business-to-Government Data Sharing Obligations

In cases of a public emergency, such as a pandemic or natural disaster, public authorities may request access to data from the private sector. Such requests must be proportionate, justified and limited to what is strictly necessary. These provisions apply to businesses that hold data relevant to crisis management — such as transport operators, smart infrastructure firms or logistics providers — and require them to have clear processes in place to respond swiftly and securely to official requests. For instance, emergency services may ask private infrastructure monitoring systems for real-time data during a severe weather event to coordinate disaster response efforts.

In these emergency scenarios, companies are generally required to provide access without compensation. In contrast, when public authorities request data for non-emergency public interest purposes, the Data Act ensures companies are entitled to fair compensation, covering costs incurred in preparing and transmitting the data.

Cloud Service Portability

The Data Act requires cloud service providers, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) companies operating within the EU or offering services to EU customers, to simplify the process for users to switch providers, in order to reduce dependency on a particular provider. This includes ensuring interoperability and avoiding excessive contractual or technical barriers to data migration. For example, a company using a cloud-based artificial intelligence (AI) analytics platform must be able to transfer its data and models to a competitor’s service without undue restrictions.

Cloud providers are now required to remove or reduce contractual lock-in clauses, make pricing for data transfer and disengagement more transparent, and ensure that their services are designed with interoperability in mind. This includes technical compatibility for transferring data, applications, and digital assets between services, as well as standardized interfaces and data formats where applicable.

For business users of cloud services, this provision strengthens their ability to retain control over their data and digital assets. Companies — in theory — can benefit from increased flexibility, reduced switching costs and greater competition among providers. However, in practice, these measures may not fully achieve the intended effect of seamless provider switching, as pricing and technical interoperability are only part of the broader challenge. Many companies face significant organizational and operational hurdles when attempting to migrate from one cloud service to another. For instance, differences in service architecture, proprietary technologies or dependencies on provider-specific application programming interfaces (APIs) can make it difficult to replicate performance and functionality in a new environment.

The expert group is also required to develop standard contractual clauses for cloud computing contracts, though, as with the MCTs, these will not be mandatory.

Safeguards Against Third-Country Government Access

The Data Act includes provisions to protect non-personal data held within the EU from access requests by third-country governments (i.e., non-EU governments). These measures aim to enhance transparency and legal certainty regarding the conditions under which such data can be accessed or transferred to foreign authorities.

This provision is particularly relevant for companies and entities that process or store non-personal data within the EU, including cloud service providers, data intermediaries and businesses offering digital products and services.

For affected companies, this means they will be required to assess whether a foreign access request aligns with EU law and may need to challenge such requests if they are unlawful under the Data Act.

Companies must also ensure that any transfer of non-personal data to a third country complies with specific safeguards and conditions, including judicial authorization and respect for fundamental rights.

In practice, this increases companies’ responsibilities to carefully evaluate data access demands and maintain robust internal procedures for handling international data requests. It also provides them with stronger legal grounds to resist pressure from foreign authorities, though, as many companies have seen with the GDPR, resisting valid government demands to access data is easier said than done.

Enforcement and Fines

Failure to comply with the Data Act can lead to significant penalties. Enforcement will be handled at the national level, with fines and other measures determined by each EU member state. If a violation involves personal data, data protection authorities can impose GDPR-level fines, i.e., up to €20 million or 4% of global annual turnover, whichever is higher.

Member states must designate one or more authorities to enforce the Data Act. While designations are still ongoing, a fragmented approach appears likely. However, in cases involving personal data, data protection authorities will retain jurisdiction.

It is possible that some countries will assign enforcement of both the Data Act and the AI Act to the same authority. This would be beneficial for companies, helping to reduce regulatory complexity, especially as the Data Act may be used to gain access to data for AI training purposes. A single point of contact for overlapping obligations could ease compliance burdens and ensure clearer guidance.

Member states must notify the European Commission of their national enforcement frameworks and penalties by 12 September 2025, although no fixed deadline exists for the designation of supervisory authorities.

Implications for Businesses: A To-Do List

Organizations operating in the EU should take proactive steps to ensure compliance with the Data Act, including:

Map in-scope data and use cases. Identify all data generated by connected products and related services, both personal and non-personal. Categorize the data by type, purpose and access points to determine what falls under the Data Act and how it may be subject to sharing obligations.

Review data governance and access rights. Analyze who controls access to in-scope data and assess existing data-sharing agreements, particularly in B2B settings. Clarify contractual rights, responsibilities and any limitations concerning data usage and re-use.

Reconfigure systems for interoperable data sharing. Ensure systems can provide data in standardized, structured and machine-readable formats. Develop or enhance APIs and data-sharing mechanisms to meet the Data Act’s technical requirements for accessibility, portability and interoperability.

Define and document internal data-sharing policies. Establish clear policies that align with the Act’s transparency and fairness principles. Define what data is shared, under what terms, with whom, and for what purposes. Be prepared to communicate this clearly to users and third parties.

Align with GDPR and other applicable laws. The interaction between the Data Act and existing legal frameworks, especially the GDPR, is legally uncertain. Companies should assess and document how they have navigated this trade-off. Ensure that all data-sharing processes involving personal data have a valid legal basis and are reflected in privacy policies, consent flows and records of processing activities.

Coordinate across departments. Create cross-functional teams involving legal, privacy, IT, product and business units. Promote collaboration to manage overlapping legal obligations, mitigate compliance risks and ensure technical readiness across the organization.

Ensure compliance with international data transfer restrictions. For companies operating globally, review policies for handling data access requests from non-EU authorities. Implement protocols to assess legality, notify users where required and assess transfers of non-personal data.

Monitor emerging standards and smart contract requirements. Stay informed on evolving EU standards for interoperability, smart contracts and compensation mechanisms. Integrate these into procurement processes, data-sharing agreements and automated systems where relevant.

Assign accountability and train staff. Designate responsible teams or officers for Data Act compliance. Provide training to relevant staff on handling data access requests, managing technical interoperability, and engaging with regulators or third parties.

Conclusion: A Broader Compliance Picture

The Data Act’s provisions reflect a regulatory theme across Europe promoting broader data sharing, as can be seen in the UK Data Use and Access Bill and EU Health Data Space. It is therefore important to consider how Data Act compliance fits into this broader picture, to ensure that work undertaken for Data Act compliance can support, promote and avoid conflicts with other existing and upcoming data sharing obligations.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
