Guide to the EU Data Act

by Carl Spencer-Spear, July 2025

RM Iconheaderscentre05
Previous Story

Here's our summary of the latest EU data updates, or you can download the article here

The EU Data Act, which was approved by the European Union in January 2024, is now just a few weeks from coming into force on 12 September 2025.

The Act represents another significant step in the European Union’s mission to regulate access to and use of data, by pushing for improved transparency and portability for businesses that rely on data services. It applies to two main data services:

(1)  Data collected, generated and stored through connected products (e.g. ‘internet of things’ devices); and

(2)  Data stored within data processing services (e.g. cloud hosting).

In each case, the requirements are imposed on the provider of the product / service and aimed at improving the user’s ability to access their data, provide the data to third parties for the purpose of supporting the user, and to switch services, so that the user is not dependent on the original provider. The expectation is that this will improve data portability, increase competition, and benefit service users.

 

Who do the new laws apply to?

The laws apply to providers of connected products and cloud processing services, where those products and services are supplied within the European Union. Like the GDPR, this means that it is the user’s location that matters, not the location of the business providing the product/service.

Unlike the GDPR, the laws apply to any data collected and stored by connected products and cloud services, not only personal data.

The laws apply to both business-to-consumer and business-to-business arrangements.

 

What are the requirements for connected products?

Data collected and stored through the use of connected products must be made available to the product user and capable of being ported out or shared with third parties engaged by the user. From 12 September 2025, this portability must be provided on request if there is no direct ability for users to extract the data.

From 12 September 2026, any new connected products placed on the market will need to include direct accessibility to the data.

There are a few specific rules and exceptions worth noting:

(1) No derogations – parties cannot agree contractually to exclude the new legal requirements. Any term in a provider’s contract that attempts to do so, or weakens the user’s rights, will be unenforceable.

(2) Restrictions on use – providers can impose limits on the use and onward disclosure of the data, where it can demonstrate that doing so is necessary to protect the confidentiality of its trade secrets.

(3) Exceptions – the requirements will not apply to products or related services supplied by a microenterprise or small enterprise (unless they are partnered with or being subcontracted by a business that does not qualify as a micro or small enterprise). There is also a time limited exception for medium-sized enterprises.

 

What are the requirements for data processing services?

Data processing service providers must allow customers to switch services – and transfer their data – to a service provided by another supplier, to an on-premises solution, or to several providers at the same time. Providers must not impose any legal, technical or commercial obstacles to the customer’s ability to terminate and switch services, port exportable data and assets, or unbundle some services from others.

There are new minimum contract requirements to support these new rights, including:

·  A term that allows the customer, on request, to switch services or port its data, with a turnaround time of no more than 30 days following the notice period required from the customer (which cannot be more than two months). If the provider can demonstrate that 30 days is not technically feasible, it may indicate a longer time period, which must not exceed 7 months;

·  A term outlining the specification of all categories of data and digital assets that can be ported during the switching process;

·  A term outlining the specification of categories of data and digital assets exempt from the export requirements; and

·  The switching charges that may be imposed.

In order to support these new contract requirements, standard contract clauses have been developed. These can be found here - https://streamlex.eu/news/new-eu-model-contractual-templates-under-eu-data-act-now-available/.

It is important to note that switching charges cannot exceed the actual costs incurred by the provider in relation to the switching process. Also, charges will only be valid on switches up to 12 January 2027. After that, no charges can be imposed for switches and data porting.

 

Final thoughts and action points

The EU Data Act is intended to unlock data and put the user in control of how and where their data is stored by requiring standardisation of data structures and formats and allowing for easy switching between providers.

It will apply to providers of connected products and cloud processing services (including IaaS, SaaS, and PaaS services). Also, for businesses providing products and services in the EU but without any business establishment in any EU Member State, there is a requirement to designate a legal representative in one of the Member States.

For non-compliance, there are administrative fines that are similar to those that can be issued under the GDPR.

Here’s what you can do ahead of 12 September 2025 to prepare:

1. Review & Update Your Contract Terms

If your product or service will be caught by the new rules, you will need to update your contract terms to reflect the minimum contract requirements. As mentioned above, model clauses have been issued to help businesses but you may need help incorporating these into your existing terms / adapting them to suit your business. We would be happy to assist with this.

2. Map Your Data and Look at Interoperability

You will need to have a clear understanding of the data you are holding, in order to understand what is ‘in scope’ and ‘exempt’ when it comes to the data switching and portability requirements. Categorise the data by type, purpose, and access points, to determine what falls under the EU Data Act requirements.

You’ll also need to look at how your data is structured and the mechanisms you have in place to enable the export and import of that data so that it can continue to be used in a comparable way. The data will, as a minimum, need to be exportable in a commonly used and machine-readable format.

3. Implement policies and procedures to enable switching

As well as updating your contract terms, you will need the internal policies and procedures in place to put the contract requirements into practice. For example, how will customers give you notice and how will you action that notice? What timeframe will you specify for the switching process and how will you monitor your performance against that timeframe? If the switching timeframe is longer than 30 days, how have you justified that? If you’re going to charge costs, what will they be and how have they been calculated?

You will need to have the records necessary to demonstrate that you have addressed these points properly, in case there is any dispute or regulatory investment

Have questions or need help preparing? Let’s chat. This is a great moment to get your house in order before the new requirements come into force on 12 September 2025.

This guide is provided for general information purposes only and does not cover all aspects of the new laws or constitute legal advice.

Twitter Instagram YouTube LinkedIn Facebook Google + WhatsApp Link Email icnUpArrow Right Arrow Down Arrow Left Arrow Search Checkbox Check Close Map Pin Shopping Bag