EU Data Act
Der Data Act (Verordnung (EU) 2023/2854) ist das europäische Horizontalgesetz für Datenzugang und Datennutzung. Es gewährt Nutzern von Produkten und Diensten Zugangsrechte zu ihren eigenen Daten, reguliert B2B- und B2G-Datensharing und schreibt Cloud-Anbieter-Wechselregeln vor, um Herstellerbindung (Vendor Lock-in) zu reduzieren. In Kraft: 11. Januar 2024; Anwendung der meisten Bestimmungen ab 12. September 2025; Cloud-Wechselgebühren ab 12. Januar 2027 verboten. Deutsche Zuständigkeit: Bundesnetzagentur (BNetzA) federführend, Bundesbeauftragte für Datenschutz (BfDI) bei personenbezogenen Aspekten.
Free EU Compliance CheckerWhat does Data Act require and when does it apply?
Data Act applies to IoT Manufacturers and Cloud Services organisations across all EU member states. The key deadline is September 12, 2025. Non-compliance carries a maximum penalty of Per member state (effective, proportionate, dissuasive). Core obligations include ensure data accessibility for users and enable data portability between services.
- Ensure data accessibility for users
- Enable data portability between services
- Protect trade secrets during data sharing
- Implement fair contract terms
- Provide data to public bodies in emergencies
| Deadline | September 12, 2025 |
| Max fine | Per member state (effective, proportionate, dissuasive) |
| Primary sectors | IoT Manufacturers, Cloud Services, Data-driven Services |
Data Act: Per member state (effective, proportionate, dissuasive) max fine
Data Act applies to IoT Manufacturers and Cloud Services organisations in all EU member states. Key deadline: September 12, 2025.
Source: Official Journal of the European Union — EU Data Act
Who does Data Act apply to?
Der Data Act gilt für Hersteller und Anbieter vernetzter Produkte und verbundener Dienste in der EU, für Dateninhaber, die Daten an Empfänger in der EU bereitstellen, für Anbieter von Datenverarbeitungsdiensten (Cloud und Edge) mit EU-Kunden sowie für öffentliche Stellen der EU-Mitgliedstaaten.
- Hersteller in der EU in Verkehr gebrachter vernetzter Produkte und Anbieter verbundener Dienste
- Dateninhaber, die zur Bereitstellung von Daten an Nutzer oder Dritte verpflichtet sind
- Empfänger von Daten, die nach diesem Gesetz bereitgestellt werden
- Anbieter von Datenverarbeitungsdiensten (Cloud/Edge), die Dienste in der EU anbieten
- Öffentliche Stellen, die Daten bei außergewöhnlichem Bedarf anfordern
What are the penalties for Data Act non-compliance?
Die Mitgliedstaaten legen Sanktionen für Verstöße gegen den Data Act fest, einschließlich periodischer Zwangsgelder. Bei Verstößen gegen Vorschriften zu personenbezogenen Daten gilt das Bußgeldregime der DSGVO parallel.
| Maximum fine | Where personal data is involved: GDPR Article 83 rates apply (€20M / 4%). Other breaches: set by member states. |
When does Data Act apply?
Der Data Act ist am 11. Januar 2024 in Kraft getreten. Die meisten Bestimmungen gelten seit dem 12. September 2025. Die Vorschriften zu den Wechselgebühren bei Cloud-Diensten gelten in einer Übergangsphase: bestehende Wechselgebühren müssen bis zum 12. Januar 2027 abgeschafft sein.
- 2024-01-11 — Entry into force
- 2025-09-12 — Most provisions apply
- 2027-01-12 — Cloud switching charges (over and above costs incurred) must be removed
Stichtag, bis zu dem Anbieter von Datenverarbeitungsdiensten alle „Wechselgebühren" (Entgelte, die über die tatsächlich entstandenen Kosten hinausgehen) abschaffen müssen, die EU-Kunden am Wechsel zu einem anderen Anbieter hindern.
Verordnung (EU) 2023/2854, Art. 29 und Art. 50
September 12, 2025
Per member state (effective, proportionate, dissuasive)
IoT Manufacturers, Cloud Services, Data-driven Services
Stichtag, bis zu dem Anbieter von Datenverarbeitungsdiensten alle „Wechselgebühren" (Entgelte, die über die tatsächlich entstandenen Kosten hinausgehen) abschaffen müssen, die EU-Kunden am Wechsel zu einem anderen Anbieter hindern.
Verordnung (EU) 2023/2854, Art. 29 und Art. 50
| Official name | Regulation (EU) 2023/2854 of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) |
| Reg. No. | (EU) 2023/2854 |
| CELEX | 32023R2854 |
| Type | regulation |
| In force | 2024-01-11 |
| Applies from | 2025-09-12 |
| Max fine | Where personal data is involved: GDPR Article 83 rates apply (€20M / 4%). Other breaches: set by member states. |
| Authorities | Member-state designated competent authorities (member-state) National Data Protection Authorities (for personal-data overlap) (member-state) |
| Source | (EU) 2023/2854 — EUR-Lex Official Journal |
How do I comply with Data Act?
- Ensure data accessibility for users
- Enable data portability between services
- Protect trade secrets during data sharing
- Implement fair contract terms
- Provide data to public bodies in emergencies
Does Data Act apply to your business?
Find out in 2 minutes with our free regulation checker.
Check now — freeData Act by Country
Explore Data Act in depth
Data Act by Industry
Related Regulations
GDPR
GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.
DSA
The DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.
eIDAS 2.0
eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.
Explore Data Act in depth
Penalties & Fines
See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.
Deadline Timeline
Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.
Industry Guides
Sector-specific Data Act guidance for SaaS, fintech, healthcare, and other affected industries.
Next step — classify
Classify your AI systems
Use the free regulation checker to find out exactly which Data Act obligations apply to your business in 2 minutes.
Check Your Compliance Obligations
Find out which Data Act obligations apply to your organisation in under 2 minutes.
Frequently Asked Questions
- What are EU Data Act obligations for SaaS companies?
- The EU Data Act (Regulation 2023/2854) primarily targets IoT products and related services. For SaaS companies: (1) If your SaaS interacts with connected products (IoT), you must make product-generated data accessible to users and third parties on request; (2) Data holders cannot impose unfair terms on data recipients (Article 13); (3) Cloud switching obligations require removal of switching barriers and data portability within 30 days (Articles 23–31); (4) Public sector bodies can request access to privately held data in exceptional circumstances. Pure SaaS companies with no IoT product have limited obligations primarily around cloud portability.
- What are the Data Act cloud switching obligations for cloud providers?
- EU Data Act Articles 23–31 require cloud service providers to eliminate barriers to switching and data portability. From September 2025: switching processes must allow customers to migrate all data, applications, and services to another provider within 30 calendar days. Providers cannot charge for data exports during the switching process beyond incremental cost; from January 2027, switching must be free. All switching processes must be documented with a switching agreement. Cloud providers must also work toward technical equivalence — the European Commission is developing standards via EUCS (EU Cybersecurity Certification Scheme for Cloud Services) to facilitate interoperable portability between major providers.
- Does the EU Data Act cover B2B data sharing between competitors?
- The EU Data Act covers data sharing between businesses, but primarily in the IoT context (data generated by connected products) and cloud switching. Article 13 applies to all B2B data sharing contracts by prohibiting unfair contract terms imposed on SMEs — terms that severely limit the SME's rights to the data are automatically unenforceable. The Data Act does not create a general obligation for one business to share commercially sensitive data with a competitor. Business-to-government data sharing is required in exceptional circumstances under Article 15, such as a public emergency or a situation where no commercial alternative is available.
For informational purposes only. This is not legal advice — consult qualified legal counsel.
Last verified: · Source: EUR-Lex 32023R2854 · Editorial policy