The EU Data Act’s implementation date is already upon us. That’s right, it becomes applicable, in part, on September 12, 2025, marking a major milestone in Europe’s data transformation journey, impacting cloud services, connected products and other data-driven industries.
What Is the EU Data Act, Anyway?
The EU Data Act is the EU’s push towards a fairer data economy and is focused on non-personal data. (By contrast, the EU General Data Protection Regulation focuses solely on personal data and will apply in parallel with the act.)
The act grants users, whether business or individuals, the right to switch “data processing services” and the right to the data generated by their connected products. These rights could correspondingly impact “data holders,” such as manufacturers of such products. In addition, customers of “data processing services,” including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), may seamlessly switch providers of these services. The act also contains obligations regarding cybersecurity and contractual fairness.
It is important to note that the act goes into effect in a phased manner over the coming years starting September 12, 2025. Read our prior publications on what the EU Data Act means for cloud providers and its impact on data flows within and outside the EU for more details.
Key Takeaways
Below are some key takeaways of the highlights of the act:
- Extraterritorial effect: The EU Data Act has extraterritorial effect and could apply to companies established outside the European Economic Area (EEA) in certain circumstances.
- Switching data processing services: The EU Data Act requires relatively seamless switching between cloud providers and other “data processing services,” elimination of switching fees over time, interoperability standards, and safeguards against unlawful data transfers, while providing for trade secrets and intellectual property protections. Notably, customers may terminate existing cloud and related services (including SaaS, IaaS, and PaaS) with two months’ notice.
- Cybersecurity: The act requires providers to implement measures to prevent non-EEA governmental authorities from accessing non-personal data.
- Connected devices: Relative to “data holders”, users gain control over certain data relating to the Internet of Things (IoT) and other connected devices (such as smart appliances), including the right to access and port such data.
- Fairness in data contracts: The act seeks to curb potential contractual imbalances, ensuring EU companies, particularly small and medium-sized enterprises, receive protections from potentially unfair practices in data processing arrangements.
- EEA governmental access: EEA public bodies can request the covered data in certain circumstances.
What to Do Now?
Organizations subject to the EU Data Act may wish to consider the following measures:
- Assess application of act: Determine which of entities and services are subject to the act.
- Audit contracts: Are porting terms clear? Are fees spelled out and compliant with the EU Data Act’s phase-out of switching fees? Take into account the impact of the act’s mandatory two-month termination for convenience right for data processing services, and related transparency obligations. Be sure to update template customer and supplier agreements as appropriate.
- Inventory data: Prepare inventory of data processed through products and services.
- Upgrade infrastructure and implement technical solutions: Build or adapt for data portability and interoperability.
- Document safeguards: The Act requires organizations to appropriately document its manner of compliance with the Act, including data-related safeguards.
- Track regulatory developments: Track the European Union’s regulatory guidance, including model Data Act clauses. Know your EU jurisdiction’s chosen “data coordinator” who will be enforcing the EU Data Act.