The EU Data Act in force: What changes on 12 September 2025?

Legal Eubdate
12 September 2025
Data protection
Digital & data protection

Introduction

On 12 September 2025, the EU Data Act entered into force, introducing a transformative framework to create a fairer data economy. The Regulation clarifies who can access and use data generated by connected devices and related services, while setting out new obligations for manufacturers, service providers and users. Less well known, is the fact that the Data Act also introduces rules for contractual relationships, ranging from data access agreements to cloud service contracts. These changes will have far-reaching implications for both private and public-sector actors, reshaping how data is shared, accessed and governed. 

What is the scope and relevance of the Data Act?

The scope of the Data Act is broad, covering connected (smart”) devices (e.g. IoT devices, smart machinery, vehicles) and data processing services (e.g. cloud computing, SaaS, edge services). The Data Act complements existing EU regulations, such as the General Data Protection Regulation (GDPR) and the Data Governance Act (read our contribution on the DGA), creating a more cohesive framework for data use and governance across the EU.

Crucially, the Data Act sets out strengthened rules for contractual relationships, ranging from data access agreements to cloud service contracts. By targeting fairness, transparency and technical interoperability, the Act seeks to create a level playing field for businesses of all sizes. These changes directly impact the way data is shared in business-to-business (B2B), business-to-consumer (B2C) and business-to-government (B2G) contexts, and are designed to reduce contractual imbalances and eliminate obstacles to switching cloud providers.

The Data Act is expected to drive growth in aftermarket services and data-driven innovation across critical sectors such as healthcare, mobility and transport, finance, software, and agriculture (read our previous update on the Data Act). For small and medium-sized enterprises (SMEs), the Data Act represents a unique opportunity to access datasets that can fuel the development of innovative products and services.

As the Data Act reshapes the European data economy, it offers both opportunities and challenges for organisations. Depending on your sector and activities, the Data Act may unlock valuable opportunities for new service development, while requiring compliance with its new obligations or strategies for protection of your data.

How does the Data Act affect your organisation?

The Data Act specifically introduces the following provisions, which may be relevant for your organisation:

Data sharing and access

The Data Act establishes a framework to enable three types of data sharing: business-to-consumer (e.g. a consumer may request the data generated by a car from the manufacturer); business-to-business (e.g. from the car manufacturer to the car insurance company) and business-to-government (e.g. for exceptional needs – see below). Users of connected devices and related services also gain strong rights to access data they help generate. Connected devices and related services should therefore be designed to allow free and easy access to data generated by such products and services. 

Data portability and interoperability

Providers of data processing services (Infrastructure as a Service (IaaS), Platform as a service (PaaS) and Software as a Service (SaaS)) must remove all commercial, technical, contractual and organisational barriers that make switching between cloud services difficult. This includes the gradual elimination of switching fees by January 2027 and providing interoperable interfaces to facilitate seamless data transfers. The Data Act also specifies minimum requirements for contractual terms  and conditions concerning switching, such as an obligation to support the customer’s exit strategy, including by providing all relevant information, and a maximum notice period of two months for initiation of the switching process. 

Prohibition against unfair contractual terms

The Data Act prohibits unfair contractual terms unilaterally imposed on another enterprise with regard to data access and data use, liability and remedies for the breach or termination of data-related obligations. For instance, a contractual term that excludes or limits liability for intentional acts or gross negligence of the party that unilaterally imposed the term will be deemed unfair. 

Obligation to make data available to EU and public sector bodies for exceptional needs

Data holders (e.g. cloud service providers) will be required to share certain data upon request by public sector bodies. This may be the case when the requested data is necessary to respond to a public emergency, such as a pandemic. 

Data transfers

The Data Act requires providers of data processing services to take all adequate technical, organisational and legal measures, including contracts, to prevent unauthorised transfers of (even) non-personal data held in the EU.

What can you do to prepare your organisation for implementation of the Data Act?

  • Assess whether the Data Act applies to your organisation.
  • Map contractual frameworks for data sharing, identify potentially unfair clauses and prepare for renegotiation where necessary.
  • Implement technical solutions that support data portability and user rights.
  • Empower compliance, IT and legal teams to handle data requests and update governance.
  • Monitor updates on the final model contractual terms and standard contractual clauses from the European Commission. The deadline for publication of these terms and clauses was 12 September 2025 but was not met.
  • Prepare to phase out switching fees and update interfaces, platforms and documentation for interoperability.
  • Keep track of the following deadlines for further application of the Data Act:
    • 12 September 2025: the obligations to make data accessible to the user in Chapter III and Chapter IV on unfair contractual terms (applicable to contracts entered into on or after 12 September 2025).
    • 12 September 2026: obligations to ensure that connected products and related services are designed to make product data and related service data accessible to the user by default (article 3(1) Data Act).
    • 12 January 2027: providers of data processing services may not impose any switching charges on the customer for the switching process.
    • 12 September 2027: Chapter IV on unfair contractual terms will apply to existing long-term B2B contracts entered into on or before 12 September 2025.

 

The data team at Eubelius is closely monitoring developments and is ready to assist your organisation in navigating this complex framework.

Anneleen Van de Meulebroucke

Partner

Laura Deschuyteneer

Senior Attorney
lois

Loise Waithira

Attorney

New European GDPR procedural rules for cross-border cases on the way

On 16 June 2025, the Council and the European Parliament reached political agreement on the “GDPR Procedural Regulation” (a Regulation...

The Omnibus IV Package: the (un)expected GDPR simplification

On 21 May 2025 the European Commission published a proposal for a regulation to amend the GDPR and to introduce simplification measures for...

Are data protection class actions the next big thing?

Recent developments suggest that data protection class actions may be gaining traction in the EU, as they already are elsewhere around the...