ARTICLE
23 September 2025

The EU Data Act: What's It For And What Do I Have To Do?

LS
Lewis Silkin

Contributor

Lewis Silkin logo
We have two things at our core: people – both ours and yours - and a focus on creativity, technology and innovation. Whether you are a fast growth start up or a large multinational business, we help you realise the potential in your people and navigate your strategic HR and legal issues, both nationally and internationally. Our award-winning employment team is one of the largest in the UK, with dedicated specialists in all areas of employment law and a track record of leading precedent setting cases on issues of the day. The team’s breadth of expertise is unrivalled and includes HR consultants as well as experts across specialisms including employment, immigration, data, tax and reward, health and safety, reputation management, dispute resolution, corporate and workplace environment.
Explore Firm Details
The EU Data Act came into play on 12th September 2025. The Act applies to EU businesses within the EU and to importers into the EU.
European Union Privacy
Rory Campbell and Caroline McNally
Your Author LinkedIn Connections
Rory Campbell’s articles from Lewis Silkin are most popular:
  • within Privacy topic(s)
  • with Finance and Tax Executives and Inhouse Counsel
  • with readers working within the Consumer Industries, Healthcare and Technology industries

The EU Data Act came into play on 12th September 2025. The Act applies to EU businesses within the EU and to importers into the EU.

What's the Act about and what should businesses be doing to comply with it?

The EU recognises that businesses and society hold huge volumes of valuable data, both personal and non-personal. The EU wants to make the data more accessible and usable to boost productivity, competitiveness and innovation growth, while doing so in a fair, reasonable and non‑discriminatory (FRAND) way.

What and how?

The Act aims to:

  • unlock IoT data for growth: the Act focuses on connected devices which create useful data. The EU wants users to benefit from the data, for example through data-improved aftercare services. The Act permits connected users to access directly device-generated data and share it with third parties;
  • share data fairly: if a business is obliged to share data with another business, the sharer can't impede the transfer with heavy contractual restrictions. B2B contracts can't contain "unfair" data access and use restrictions: contract terms failing an "unfairness" test are disapplied. The sharer can charge for providing access, but only on a FRAND basis;
  • reduce lock‑in: customers must be able to switch cloud providers seamlessly, with interoperability improved and switching/egress charges dropped;
  • build a single market for data: the Act prioritises interoperability (including for smart contracts and data spaces), advancing a coherent EU data ecosystem;
  • enable emergency government access to data: public sector entities can, in exceptional circumstances, access data held by the private sector;
  • protect sensitive interests: the Act balances data access with protection of trade secrets and IP, and introduces safeguards against unlawful third‑country government access to non‑personal data stored in the EU. Where personal data is involved, the Act always allows the protections imposed by the GDPR to take precedence.

What should I do?

  • Work out if you're in scope and map your role: identify whether you are a data holder (manufacturer/service provider), user, data recipient, or data processing service provider (cloud/edge).
  • If you're a data holder:
    • audit your connected products, related services, data flows and contracts;
    • for connected products sold after September 2026, ensure "access by design" so users can retrieve data. Provide pre‑contractual information on data types, volume, frequency and access;
    • put simple processes in place to deliver data "without undue delay";
    • use the Act's protections of trade secrets and "crown jewel" information to prevent disclosure. Classify sensitive datasets, protect trade secrets by appropriate business cultures.
  • If you're a data holder or a data processing service provider:
    • review your contracts for data-sharing FRAND compliance;
    • remove contractual and technical obstacles to enable easy switching, and stop switching/egress charges by January 2027;
    • it's GDPR all over again: get executive buy-in, update policies, training and records;
    • guard against third‑country government access by implementing reasonable measures (encryption, audits, certifications) to prevent unlawful access.

When?

  • The Act applies from 12 September 2025.
  • Access by design obligations apply to products on the market after 12 September 2026.
  • Cloud switching/egress fees must be dropped by 12 January 2027.
  • Unfair-terms rules will apply to contracts from September 2027.
  • National competent authorities will enforce; penalties are set by each EU country.

We say...

The EU Data Act is another compliance obligation. But it's also a commercial opportunity: design for data access, increase protection of your sensitive assets, make switching real for your customers, and overhaul your contracts and processes to show regulators, business partners and customers that you're ahead of the game.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Rory Campbell
Rory Campbell
Person photo placeholder
Caroline McNally
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More