The countdown is over: the EU Data Act is now a reality

As data has become a valuable economic asset, the Data Act (Regulation (EU) 2023/2854) aims to strengthen the internal data market by enhancing access, usability, and interoperability, especially for industrial and non-personal data. It strikes a balance between ensuring a fair distribution of value among all participants in the data economy and fostering data-driven innovation.

What the Data Act brings

The Data Act rests on several key pillars:

• User access and sharing rights
  Users of connected products and related services will have the right to access the data generated through their use. They can also instruct that this data be shared with third parties, subject to safeguards against abuse and protection of trade secrets. This represents a significant shift: for the first time, users can expect transparency at the design stage (what data is collected, how it is stored, and how it can be retrieved) and enforceable rights to actually use that data.

• Fairness in B2B contracts
  The Data Act addresses an often-overlooked issue: contractual imbalance in business-to-business data-sharing agreements. Where terms are imposed unilaterally, clauses that create a substantial imbalance are unenforceable. A “blacklist” prohibits clauses excluding liability for gross negligence or granting one-sided interpretative powers. A “grey list” presumes unfairness for clauses limiting access, preventing termination, or imposing excessive notice periods. This is a clear attempt to introduce good faith and fair dealing into data licensing practices.

• Switching and portability in data processing services
  Vendor lock-in has long been a concern in the cloud sector. The Data Act requires service providers to support switching and portability: customers must be able to migrate to alternative providers or on-premises infrastructure, retrieve or erase their data, and avoid disproportionate switching fees. From 2027, switching must be free of charge. This will encourage competition, reduce dependency on dominant providers, and enhance resilience in the digital ecosystem.

• Public sector access in exceptional cases
  The Data Act allows public bodies to request access to privately held data in cases of exceptional need, for example during natural disasters or public emergencies. This access must remain proportionate and subject to safeguards, including oversight by data protection authorities.

• International safeguards and interoperability
  Recognising concerns about third-country access to EU data, the Data Act obliges providers to put safeguards in place against unlawful disclosure. It also introduces interoperability standards for data spaces, smart contracts, and service providers, aiming to create a seamless and trustworthy European data infrastructure.

Enforcement across Member States

As with the GDPR, the Data Act’s impact will depend on effective enforcement. Each Member State must establish a system of sanctions and designate at least one competent authority. National data protection authorities retain oversight where personal data is involved.

• In the Netherlands, the ACM (Authority for Consumers and Markets) will play the leading role, alongside the AP (Dutch Data Protection Authority). Notably, to prepare businesses, the ACM has published a draft Data Act Guidance (Leidraad Data Delen) explaining key obligations for manufacturers, service providers, and cloud companies, which is open for consultation until 31 October 2025.
  
  

• In Belgium, the BIPT (telecom regulator) has been proposed as the national authority.

• In Luxembourg, no official designation has been made yet, but the CNPD (data protection authority) is expected to have a role.

Why this matters

The Data Act is not an isolated initiative. It is part of the EU’s broader ambition to become a leader in the global data economy:

• For users, it promises more autonomy and transparency, whether that’s a farmer wanting access to sensor data from smart irrigation systems, or a business seeking to integrate telematics data from leased vehicles.
• For businesses, it means adapting product design, revisiting contract templates, and investing in compliance processes. Legal certainty comes with obligations.
• For service providers, especially in the cloud sector, it heralds a new competitive landscape where portability and interoperability are no longer optional, but mandated.

Crucially, the Data Act is about ensuring a fair distribution of value. Data is no longer treated solely as a proprietary asset of manufacturers or platforms; it is recognised as a shared resource that can fuel innovation across industries if managed responsibly.

Looking forward

For organisations active in Europe, the time to prepare is now. This includes:

• Reviewing design and disclosure processes for connected products and related services.
• Updating contractual terms to align with fairness requirements and avoid unenforceable clauses.
• Ensuring exit strategies and portability mechanisms are embedded in cloud and data processing services.
• Developing governance processes to handle public sector requests and international data access risks.

Compliance is not just a legal necessity: it is also a way to build trust with customers, partners, and regulators in an increasingly data-driven world.

Should you require any legal or tax advice in the field of Data, not limited to the Data Act, please contact us below.