On 12 September 2025, the EU's Data Act will enter into force. It establishes common rules for accessing and sharing data generated by connected products and related services (primarily IoT products) across the EU. It also introduces important safeguards against unfair contract terms in data-sharing agreements and facilitates switching between data processing services.
Building on the EU's broader digital strategy, the Data Act seeks to strengthen the internal data market by enhancing access, usability, and interoperability — especially for industrial and non-personal data. It strikes a balance between ensuring a fair distribution of value among all participants in the data economy and fostering data-driven innovation.
Providers of "smart" products or related services, cloud service providers, or even data processing or data sharing providers more generally, will need to carefully review their policies, procedures and contract terms in anticipation of yet another development in the regulation of the EU data economy.
Key obligations under the Data Act
- Data access for users
Manufacturers and data holders of connected products or related services must provide users with access to the data generated by those products and services.
- Sharing data with third parties
Upon user request, data holders are required to share relevant data from connected products or related services with a third party, unless the third party qualifies as a "designated gatekeeper" under the Digital Markets Act.
- Protection against unfair contract terms
Contractual terms that are imposed unilaterally by one enterprise on another, particularly those regarding data access, use, liability, or remedies, are not binding if they are deemed unfair. The Act introduces a "blacklist" of clauses that are automatically void and a "greylist" of clauses presumed unfair unless proven otherwise.
- Data access for public sector bodies in exceptional cases
Where a public sector body can demonstrate an exceptional need to access specific data, data holders, provided they are legal persons other than public sector bodies, are required to make the requested data available.
- Facilitating switching of data processing services
Data processing service providers are required to enable customers to switch to alternative providers or to transfer their data to an on-premises infrastructure.
- Protection against unauthorised access by third-country authorities
Providers must implement appropriate safeguards to prevent unauthorised access to, or transfer of, non-personal data stored within the EU to third-country public authorities, particularly in cases where such requests would violate EU or national laws.
- Interoperability requirements for data spaces, smart contracts, and service providers
Participants in data spaces, vendors of smart contracts, and providers of data processing services must comply with specific interoperability requirements to ensure secure, efficient, and seamless data exchange across systems and platforms.
Enforcement and penalties under the Data Act
Competent authorities
Each Member State is required to designate at least one competent authority for the enforcement of the Data Act. These authorities must coordinate with relevant sectoral regulators to ensure coherent enforcement across sectors and alignment with other EU and national laws. Data Protection Authorities appointed pursuant to the GDPR remain responsible for monitoring the application of the Data Act insofar as it relates to personal data.
In Belgium: While no official text has been released yet, the government has previously announced that the BIPT (Belgian Institute for Postal Services and Telecommunications, the telecom regulator) would be designated as the national regulator under the Data Act.
In the Netherlands: The Dutch implementation law of the EU Data Act (Uitvoeringswet dataverordening) designates the Netherlands Authority for Consumers and Markets (Autoriteit Consument & Markt; ACM) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP) as the competent authorities for supervision and enforcement. The ACM bears primary responsibility, overseeing nearly all aspects of the regulation, including data access, sharing obligations, and fair contractual terms. It also serves as the coordinating supervisory authority. The AP, in turn, is responsible where the obligations under the Data Act intersect with matters of protection of personal data. Furthermore, the AP is tasked with monitoring data access requests by public authorities in situations of exceptional need (as per Chapter V Data Act), ensuring such access remains proportionate and lawful.
In Luxembourg: No official designation has been made yet regarding the competent authority under the Data Act. However, it is likely that the Commission nationale pour la protection des données (CNPD) will be involved. The CNPD has already acknowledged that new responsibilities will be added to its mandate in light of the evolving EU legal framework, expressly referring to the Data Act.
Sanctions
Each Member State must set up its own system of penalties for violations of the Data Act and notify the European Commission. These sanctions must be effective, proportionate, and dissuasive.
The regulation outlines key criteria to assess penalties, including:
- the nature, gravity, extent, and duration of the infringement;
- any action taken by the infringer to mitigate or remedy the harm caused by the infringement;
- any previous infringements committed by the infringer;
- the financial benefits gained, or losses avoided, by the infringer as a result of the infringement, if such benefits or losses can be reliably established;
- any other aggravating or mitigating circumstances applicable to the case;
- the annual turnover achieved by the infringer during the previous financial year within the Union.
While Belgium and Luxembourg have not yet enacted legislation, the Netherlands has introduced an implementation law for the Data Act that grants enforcement powers to both the ACM and the AP. The ACM is authorised to impose administrative enforcement measures, including orders under administrative coercion (last onder bestuursdwang) and fines, for the majority of provisions under the Data Act, insofar as they do not concern the processing of personal data. Fines may amount to the sixth category under the Dutch Penal Code (Wetboek van Strafrecht) (i.e., € 1.030.000) or 10% of the offender's EU-wide annual turnover, whichever is higher. The AP can also impose orders under administrative coercion and administrative fines, in accordance with the aforementioned Article 40(4) ceilings. Importantly, the regime does not apply to infringements covered by the Dutch Consumer Protection Enforcement Act (Wet handhaving consumentenbescherming) or to acts of EU institutions as defined in Article 2(27) of the Data Act.
DPAs may impose fines under the GDPR for breaches of Chapters II, III, and V of the Data Act. The European Data Protection Supervisor (EDPS) may do the same under Regulation (EU) 2018/1725 for EU institutions.
Want to Learn More?
Stay tuned for detailed insights into how this new EU data regulation will affect your business, your contracts, and your practices. In the coming weeks, we will publish three in-depth articles exploring key themes of the Data Act:
- Obligations for data holders of connected products and related services
- Unfair contract terms in business-to-business data-sharing agreements
- Requirements for data processing service providers on customer switching and portability