The EU Data Act, Regulation (EU) 2023/2854, has applied since 12 September 2025. That is not a proposal date or a transposition target. Article 50 sets the general application date, and the operational consequence is already live: if you manufacture connected products, hold the data they generate, or run a cloud service used by EU customers, you are inside the scope now.
Here is what changed, what bites next, and the mechanism behind each obligation. Every article number and date below is traced to the Regulation text.
What is the EU Data Act (Regulation (EU) 2023/2854) and who does it actually bind?
The Data Act lays down harmonised rules on making product data and related service data available to users, on data sharing between data holders and recipients, on facilitating switching between data processing services, and on safeguards against unlawful third-party access to non-personal data (Article 1(1)).
The binding perimeter is broad and extraterritorial. Article 1(3) applies the Regulation to manufacturers of connected products placed on the market in the Union and providers of related services "irrespective of the place of establishment of those manufacturers and providers," to data holders that make data available to recipients in the Union, and to providers of data processing services "providing such services to customers in the Union" regardless of where they are established.
If you sell a connected product into the EU or run a cloud service for EU customers, establishment outside the Union does not exempt you. Article 37(11) goes further: any in-scope entity not established in the Union must designate a legal representative in a Member State.
The mechanism to internalise:
→ You place a connected product on the EU market or serve EU cloud customers → The Data Act binds you regardless of headquarters location → Non-EU entities appoint an EU legal representative under Article 37(11) → Competent authorities can address that representative on all compliance matters
This is a posture you can defend in front of a regulator, a board, or a plaintiff only if you have mapped which of your entities and products cross that line. Our regulatory intelligence approach starts there.
Which application dates matter: 12 September 2025, and the Article 3(1) design mandate from September 2026
Article 50 stages the obligations. Treat these as four separate clocks, not one.
→ 12 September 2025 — the Regulation applies generally. → 12 September 2026 — the Article 3(1) design-by-default obligation applies to "connected products and the services related to them placed on the market after 12 September 2026." Products already on the market before that date are not retrofitted by Article 3(1). → Contracts concluded after 12 September 2025 — Chapter IV on unfair contractual terms applies immediately. → 12 September 2027 — Chapter IV extends to contracts concluded on or before 12 September 2025 where they are of indefinite duration or due to expire at least 10 years from 11 January 2024.
A fifth date sits inside Chapter VI: from 12 January 2027, switching charges disappear entirely (Article 29(1)). Between 11 January 2024 and 12 January 2027, only reduced switching charges not exceeding the provider's directly linked costs are permitted (Article 29(2) and (3)).
The design mandate deserves emphasis. The connected products data access rules in Article 3(1) are a manufacturing constraint. If your product roadmap ships hardware after 12 September 2026, the data-by-default architecture is not optional tuning. It is a placing-on-the-market condition.
Connected products: what Chapter II requires on data access, pre-contract disclosure, and third-party sharing
Chapter II carries the core data sharing obligations for both business-to-consumer and business-to-business relationships. Three duties matter most.
Design by default (Article 3(1)). Connected products "shall be designed and manufactured, and related services shall be designed and provided," so that product data and related service data, including relevant metadata, are "by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user."
Pre-contract disclosure (Article 3(2) and (3)). Before a purchase, rent, or lease, the seller must tell the user the type, format, and estimated volume of product data the product can generate, whether it generates data continuously and in real time, whether it stores data on-device or remotely with retention periods, and how the user can access, retrieve, or erase it. For related services, Article 3(3) adds a longer list, including the identity of the prospective data holder and whether the data holder holds trade secrets contained in the data.
User access and third-party sharing (Articles 4 and 5). Where the user cannot get data directly from the product, the data holder must make readily available data accessible "without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge" (Article 4(1)). On the user's request, the data holder must make that data available to a third party under the same standard (Article 5(1)).
One structural exclusion: Article 5(3) bars any undertaking designated as a gatekeeper under Article 3 of the Digital Markets Act (Regulation (EU) 2022/1925) from being an eligible third party. You cannot route Data Act sharing to a gatekeeper.
How the Chapter VI cloud switching rules end egress fees and lock-in
Chapter VI is the provision most likely to reshape cloud commercials. The cloud switching rules require providers of data processing services to remove the obstacles that trap customers.
Article 23 obliges providers to "not impose and shall remove pre-commercial, commercial, technical, contractual and organisational obstacles" that inhibit customers from terminating a contract, contracting with a different provider of the same service type, porting exportable data and digital assets, and achieving functional equivalence on the new provider.
Article 25 hard-codes the contract mechanics:
→ A written switching contract available before signing (Article 25(1)) → A mandatory maximum transitional period of 30 calendar days to complete switching (Article 25(2)(a)) → A maximum notice period for initiating switching that "shall not exceed two months" (Article 25(2)(d)) → A minimum data-retrieval period of at least 30 calendar days after the transitional period ends (Article 25(2)(g)) → Where 30 days is technically unfeasible, notification within 14 working days and an alternative period "which shall not exceed seven months" (Article 25(4))
Then the charges. Article 29(1) states that "from 12 January 2027, providers of data processing services shall not impose any switching charges on the customer for the switching process." Switching charges are defined in Article 2(36) to include data egress charges, the transfer fees for extracting data to another provider or to on-premises infrastructure (Article 2(35)). The egress-fee lever that has underwritten cloud lock-in is being switched off by regulation.
What providers must rebuild before the deadline: contractual clauses, exit tooling, functional-equivalence support, and a billing model that no longer depends on egress or switching revenue. These are engineering and finance changes, not a policy PDF.
What counts as an unfair contractual term under Article 13
Chapter IV, a single article, rewrites B2B data clauses. Article 13(1) provides that a contractual term concerning data access, use, liability, or remedies "which has been unilaterally imposed by an enterprise on another enterprise, shall not be binding on the latter enterprise if it is unfair."
The test is layered:
→ General standard (Article 13(3)) — a term is unfair if its use "grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing." → Blacklist (Article 13(4)) — terms that are always unfair, including any term that excludes or limits liability for intentional acts or gross negligence. → Greylist (Article 13(5)) — terms presumed unfair, including terms that prevent a party from obtaining a copy of the data it generated during the contract, or that let the imposing party unilaterally change price or data quality without a valid reason and an exit right.
Two mechanics change negotiating leverage. Article 13(6) puts the burden of proving that a term was not unilaterally imposed on the party that supplied it, and bars that party from arguing its own term is unfair. Article 13(9) makes the whole article non-derogable: parties "shall not exclude the application of this Article, derogate from it, or vary its effects."
If your standard data addenda were drafted to protect the stronger party, the unfair contractual terms regime now reads several of those clauses as unenforceable against your counterparty.
How the Data Act and GDPR interact when connected-product data is also personal data
Connected-product data is frequently personal data, and the Data Act does not displace the GDPR. Article 1(5) states the Regulation is "without prejudice" to Union and national law on the protection of personal data, and that "in the event of a conflict between this Regulation and Union law on the protection of personal data or privacy ... the relevant Union or national law on the protection of personal data or privacy shall prevail."
The rights stack rather than compete. Article 1(5) provides that where users are data subjects, the Chapter II rights "shall complement the rights of access by data subjects and rights to data portability under Articles 15 and 20 of Regulation (EU) 2016/679."
Where the user is not the data subject, the data holder may only share personal data if there is a valid legal basis under Article 6 GDPR and, where relevant, the Article 9 and ePrivacy conditions are met (Article 4(12) and Article 5(7)). This is the operational seam: your Data Act access flows have to carry a GDPR lawful-basis check, not assume one. Mapping the two regimes together is exactly the "answer once, assess everything" problem our GDPR posture work is built to solve.
What a defensible Data Act readiness plan should cover
A plan that survives scrutiny addresses each dimension the Regulation actually gates on:
→ Scope — identify every entity, connected product, and data processing service that touches the EU, and appoint an Article 37(11) legal representative where you are not EU-established. → Design — confirm which products ship after 12 September 2026 and are therefore inside the Article 3(1) design-by-default mandate. → Disclosure — build the Article 3(2) and 3(3) pre-contract information into your point of sale. → Access — stand up the Article 4 user-access and Article 5 third-party-sharing flows, with GDPR legal-basis gating and the gatekeeper exclusion. → Contracts — audit B2B terms against the Article 13 black and grey lists, and rebuild cloud contracts for the Article 25 timelines and the Article 29 charge withdrawal. → Data holder obligations — document the fair, reasonable, and non-discriminatory conditions and trade-secret handling required by Chapter III.
The through-line is that these controls are source-grounded. Every obligation traces to a specific article, and a regulator will ask you to show that trace. See how Aegis maps the EU Data Act against your existing GDPR and NIS2 posture at agrc.ai. Answer once. Assess everything. Not months.
You can also fold Data Act obligations into how you already track exposure through risk management, so a new regulation is a re-map, not a restart.
FAQ
What are the penalties for breaching the EU Data Act? Article 40(1) requires Member States to lay down effective, proportionate, and dissuasive penalties, and to notify the Commission of their rules by 12 September 2025 (Article 40(2)). For infringements of Chapter II, III, and V, Article 40(4) lets the GDPR supervisory authorities impose administrative fines under Article 83 GDPR "up to the amount referred to in Article 83(5)," which is the highest GDPR tier. The exact figures are set at Member State level, but the ceiling references the top GDPR band.
Is there an SME carve-out? Yes. Article 7(1) provides that the Chapter II obligations do not apply to data generated through connected products manufactured or designed, or related services provided, by a microenterprise or a small enterprise, subject to conditions about partner or linked enterprises and subcontracting. A recently qualified medium-sized enterprise gets a limited grace window described in the same paragraph. Note this is a Chapter II carve-out, not a blanket exemption from the whole Regulation.
When can a data holder withhold data to protect a trade secret? Article 4(6) requires trade secrets to be preserved and disclosed only where the holder and user take all necessary measures to keep them confidential. Under Article 4(7), if there is no agreement on those measures or the user undermines confidentiality, the data holder may withhold or suspend sharing, with a substantiated written decision and notice to the competent authority. Article 4(8) allows refusal on a case-by-case basis where the holder can demonstrate it is "highly likely to suffer serious economic damage" from disclosure. Withholding is conditional and documented, not a default.
How does the Data Act handle government access to data? Two separate tracks. Chapter V (Articles 14 to 22) lets public sector bodies, the Commission, the ECB, and Union bodies require data holders to make data available "on the basis of an exceptional need" for a task in the public interest, on a duly reasoned request (Article 14). Separately, Chapter VII (Article 32) introduces safeguards against unlawful international governmental access to and transfer of non-personal data held in the Union by data processing service providers. Exceptional-need access and unlawful third-country access are governed by different rules.


