The EU Data Act is a cornerstone of Europe’s data strategy. It aims to unlock value from data generated in the EU by giving users greater control and establishing clear duties for manufacturers, service providers, and data holders, but it raises a number of questions for those having to comply.
The Data Act has largely applied across the EU since 12 September 2025 (with certain switching obligations for cloud services fully effective from 12 January 2027) and complements the GDPR, covering the sharing of both personal and non-personal data as well as cloud service switching.
As an aid to compliance, the European Commission published non-binding, technical FAQs, last updated on 12 September 2025. These do not create new law, but provide a strong indicator of the Commission’s current reading of Data Act compliance and of what national authorities may rely on in practice. Do they provide enough information given the complexities involved? Here we cover the most frequent client queries we receive and also look at what the EC FAQs have to say.
Who has to comply with the Data Act?
Broadly:
- manufacturers of connected (IoT) products placed on the EU market (eg smart vehicles, appliances, tools)
- providers of related services (apps that monitor/control devices), and
- providers of data processing services (notably cloud/edge service providers).
The Data Act applies irrespective of where the company is based if products or services are offered in the EU. The EC FAQs add that, in relation to the IoT data access right, the user and any data recipient must be EU-established, and data holders are not obliged to share IoT data with recipients outside the EU. They also clarify that once a product is “placed on the EU market”, data generated from its use abroad still falls under the Act.
What new rights do users get over “their” data?
Users (consumers and businesses) gain rights to access and use data generated through their use of a product/service free of charge, in real time, in a machine-readable format. Where technically feasible, products should enable data access by design. Data holders must also provide necessary metadata and set up low-threshold electronic request channels with appropriate user authentication. The EC FAQs clarify that this right covers raw and pre-processed data plus necessary metadata (not inferred/derived “value-added” data or excluded “content”). Furthermore, “readily available” data includes what is stored, retrievable or transmitted externally. Edge-only designs with no external storage/transmission are generally out of scope.
Do data holders have to share data with third parties?
Yes – at the user’s request, data must be made available to data recipients without undue delay, free of charge, and in a machine-readable format. Direct transfers to a recipient require a contract on fair, reasonable and non-discriminatory (FRAND) terms. In B2B settings, cost-based compensation (for making data available) may be charged, but unjustified or excessive pricing is prohibited. DMA gatekeepers cannot be recipients. The EC FAQs add that data recipients must be EU-established (data holders are not obliged to share with third-country recipients). FRAND compensation must rest on objective, transparent cost criteria and cannot include a profit margin where the recipient is an SME or a non-profit research organisation.
How does the Data Act interact with the GDPR?
The Data Act covers personal and non-personal data; where personal data is involved, the GDPR prevails. Misclassifying data creates risk in both directions (unlawful denial under the Data Act vs unlawful disclosure under the GDPR). For mixed datasets that are inseparable, GDPR rules apply. Access under the Data Act is not a legal basis for processing personal data – you still need a GDPR basis (often consent when the user and data subject align; trickier when they don’t). Expect case-by-case analysis and close monitoring of developments. The EC FAQs confirm that the GDPR “fully applies” to any personal data processed under the Data Act, that DPAs remain competent and that if the user is not the data subject, a valid Article 6 GDPR legal basis is required to process the personal data.
How should access requests be handled without breaching confidentiality?
The Data Act doesn’t grant carte blanche over trade secrets, but it limits refusals (see here for more). Data holders should agree proportionate confidentiality and security measures (eg NDAs, need-to-know access, technical restrictions). Refusal is possible only if measures can’t be agreed/implemented, or if disclosure would likely cause serious economic damage – and any suspension/refusal must be justified in writing and notified to the authority. The EC FAQs confirm the “trade secrets handbrake” sequence: first agree to and implement safeguards; if there is no agreement, the measures aren’t implemented, or confidentiality is undermined, the holder may withhold or suspend the data. Only in exceptional cases may the holder refuse, in which case the authority must be notified and reasons given.
Can public authorities compel access to data?
Yes, in cases of “exceptional need”, which means:
- public emergencies (eg disasters, pandemics, cybersecurity incidents), and
- clearly defined public-interest tasks in non-emergencies (for non-personal data), when other means are exhausted.
Requests must be in writing, justified, and include safeguards (especially for personal data). Response deadlines are five working days (emergency) and 30 days (other). Compensation is allowed for non-emergency requests and SMEs can also get compensation in emergency cases. Compensation must be fair and cover technical and organisational costs. The EC FAQs add useful details about processes here. Cross-border requests must be notified ex-ante to the data holder’s national authority. Also, outside of emergencies authorities should first try to purchase non-personal data at market price before relying on the Data Act rules.
What about “unfair” clauses in data contracts?
The Data Act polices unilaterally imposed contract terms (including B2B) related to data access and use, liability, and remedies. Certain clauses are automatically unfair (eg excluding liability for gross negligence), others are presumed unfair (eg one-sided access to protected data, preventing reasonable termination). These rules can’t be waived. There are limited exemptions for certain long-term contracts until 12 September 2027. The EC FAQs clarify that rules around unfairness also apply when data clauses are included in a broader contract.
What changes for cloud and edge services?
“Data processing services” (most cloud/edge/XaaS models) must remove obstacles to switching, porting data/digital assets, and unbundling. Contracts must include mandatory clauses (eg a maximum 30-day switching window, switching initiation notice of up to two months, specification of portable data). Switching charges may only reflect direct costs until 12 January 2027; after that, switching must be free (early termination fees aside). Certain egress charges may continue in multi-cloud arrangements. Interoperability requirements will be further specified and supported by Commission standard clauses which have been published in draft (see here for more on the SCCs). The EC FAQs elaborate that SaaS providers must provide open interfaces and common formats aligned with a forthcoming Union interoperability repository; and that the 30-day transition period may be extended up to a hard cap of seven months, with objective justification.
What are the enforcement and sanctions risks?
Member State authorities can handle complaints, assess disputed access denials, and impose penalties. Member States set the sanctions, which must be effective, proportionate and dissuasive. This was supposed to have been done by 12 September 2025, with amounts notified to the Commission; however, many Member States are behind on this, which means that sanctions in those Member States are not yet determined. Where personal data is involved, GDPR fines can also apply (up to €20m or 4% of worldwide turnover). The EC FAQs add that national data coordinators act as a central contact point (including for cross-border requests). The FAQs also explain how the competent authority is identified (based on the data holder’s establishment) and that the Commission will publish the Member States’ penalties in a central register once notified.
How should we approach edge cases (eg personal vs non-personal data access) in practice?
Treat each request individually – context matters. Build a documented triage process that:
- classifies data sets,
- records the GDPR legal basis where needed,
- applies proportionate confidentiality measures for trade secrets, and
- routes public authority requests to a prepared playbook.
What should organisations do now?
The EC FAQs are a good starting point for compliance despite the fact that there are a number of grey areas (for some examples see here). We still need further clarity on a number of issues (eg detailed compensation guidance, and interoperability repository). But in-scope organisations should be:
- mapping data flows
- adapting contracts
- creating access workflows
- preparing for public-sector requests
- aligning with GDPR compliance.