Skip to main content
NormaGrid

Data Act (Data Act)

In force Data & Privacy Regulation Adopted: 13 December 2023 · Applies from: 12 September 2025

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

The Data Act lays down harmonised rules on fair access to and use of data generated by connected products and related services, including obligations for data holders to make such data available to users and, on the user’s request, to third parties. It also introduces protections against unfair contractual terms in certain B2B data-sharing contracts, a framework for public sector access to privately held data in exceptional need, and rules to facilitate switching and interoperability for data processing (cloud/edge) services. The Regulation includes safeguards against unlawful international governmental access to non-personal data held in the EU and complements the GDPR and the Data Governance Act within the EU data strategy.

Who is affected?

Manufacturers of connected products and providers of related services, data holders and data recipients, providers of data processing (cloud/edge) services, and users (consumers and businesses) in the EU who generate or access data from connected products and related services.

Scope

Applies to data generated by the use of connected products and related services placed on the EU market, to data sharing between users, data holders and third parties, to certain B2B data-sharing terms, to public-sector requests for privately held data in exceptional circumstances, and to switching/interoperability obligations for data processing services.

Key Points

  • Users (consumers and businesses) obtain rights to access data generated by their use of connected products and related services and to share it with third parties
  • Data holders must make data available to third parties at the user’s request under fair, reasonable and non-discriminatory conditions (with specific protections for SMEs)
  • Certain unfair contractual terms imposed unilaterally in B2B data-sharing contracts can be deemed non-binding
  • Public sector bodies and EU institutions can request access to privately held data only in situations of exceptional need (e.g., public emergencies), subject to conditions and safeguards
  • Providers of data processing services must facilitate switching and interoperability and progressively remove switching charges (with a transition to zero switching charges by 2027)
  • Safeguards are introduced to address unlawful third-country governmental access to non-personal data held in the EU

Key Deadlines

  • — Main application date (generally applies from 12 September 2025)
  • — Switching charges for data processing services to be reduced to zero by this date (transition milestone referenced in the Regulation)

Related Regulations

Frequently Asked Questions

Who must comply with the Data Act?

Manufacturers of connected products, providers of related services, data holders, data recipients, and providers of data processing (cloud/edge) services operating in the EU must comply with the Data Act. Both consumers and business users who generate or access data from these products and services are also covered.

What types of data are covered by the Data Act?

The Data Act applies to data generated by the use of connected products and related services placed on the EU market. This includes both personal and non-personal data, but the Act specifically addresses non-personal data and complements existing data protection laws like the GDPR.

What are the key obligations for data holders under the Data Act?

Data holders must make data generated by connected products and related services available to users and, upon user request, to third parties. They must do so under fair, reasonable, and non-discriminatory conditions, with special protections for SMEs.

How does the Data Act address unfair contractual terms in B2B data-sharing agreements?

The Data Act deems certain unfair contractual terms imposed unilaterally in B2B data-sharing contracts as non-binding. This aims to protect businesses, especially SMEs, from being subject to exploitative or imbalanced data-sharing conditions.

What are the rules for public sector access to privately held data?

Public sector bodies and EU institutions can request access to privately held data only in situations of exceptional need, such as public emergencies. Such requests are subject to strict conditions and safeguards to protect the interests of data holders and users.

What obligations apply to providers of data processing (cloud/edge) services?

Providers of data processing services must facilitate switching between services and ensure interoperability. They are required to progressively remove switching charges, with a transition to zero switching charges by 2027.

How does the Data Act interact with the GDPR and the Data Governance Act?

The Data Act complements the GDPR and the Data Governance Act by addressing data access and sharing for non-personal data and by establishing additional rules for data use, sharing, and interoperability. It does not override data protection obligations under the GDPR.

What are the penalties for non-compliance with the Data Act?

Penalties for non-compliance are determined by Member States and must be effective, proportionate, and dissuasive. They can include fines and other corrective measures, depending on the severity and nature of the infringement.

What practical steps should organisations take to comply with the Data Act?

Organisations should review and update their data access and sharing policies, ensure contractual terms are fair and compliant, and implement technical measures to facilitate data portability and interoperability. Providers of data processing services should prepare for the phased removal of switching charges.

When do the main provisions of the Data Act take effect?

The Data Act entered into force in 2023, but certain obligations, such as the removal of switching charges for data processing services, are subject to transitional periods, with full implementation required by 2027.

Key Terms

Connected Product
A physical item that can collect or generate data and communicate it via an electronic communications service, such as smart devices or IoT products.
Related Service
A digital service that is connected to a product and enables access to, or processes, data generated by that product.
Data Holder
An entity or individual that has the right or ability to make data generated by connected products or related services available to others.
Data Recipient
A person or entity that receives data from a data holder, typically upon the request of the user who generated the data.
Exceptional Need
A situation, such as a public emergency, in which public sector bodies may request access to privately held data under strict conditions.
Switching Charges
Fees imposed by data processing service providers when a customer moves their data or services to another provider; these must be phased out by 2027 under the Data Act.
Interoperability
The ability of different data processing services and systems to work together and exchange data seamlessly, as required by the Data Act.
Unfair Contractual Terms
Contract clauses in B2B data-sharing agreements that are imposed unilaterally and are deemed non-binding if they create significant imbalance to the detriment of one party.
Third-Party Access
The right of users to instruct data holders to make their data available to external parties of their choice under fair and non-discriminatory conditions.
Non-Personal Data
Data that does not relate to an identified or identifiable natural person, and thus falls outside the scope of the GDPR but is regulated by the Data Act.