EuroComply
Créer un compte

EU Data Act

Le Data Act (Règlement (UE) 2023/2854) est le cadre horizontal européen d'accès et d'utilisation des données. Il accorde aux utilisateurs de produits connectés droit d'accès à leurs données, encadre partage données B2B/B2G, impose règles changement fournisseur cloud pour réduire vendor lock-in. En vigueur : 11 janvier 2024 ; application principale 12 septembre 2025 ; interdiction frais changement cloud 12 janvier 2027. France : Direction Générale Entreprises (DGE) pilote, CNIL pour données personnelles, ARCEP pour services communications électroniques.

Free EU Compliance Checker

What does Data Act require and when does it apply?

Data Act applies to IoT Manufacturers and Cloud Services organisations across all EU member states. The key deadline is September 12, 2025. Non-compliance carries a maximum penalty of Per member state (effective, proportionate, dissuasive). Core obligations include ensure data accessibility for users and enable data portability between services.

  • Ensure data accessibility for users
  • Enable data portability between services
  • Protect trade secrets during data sharing
  • Implement fair contract terms
  • Provide data to public bodies in emergencies
DeadlineSeptember 12, 2025
Max finePer member state (effective, proportionate, dissuasive)
Primary sectorsIoT Manufacturers, Cloud Services, Data-driven Services
Source: Official Journal of the EU — EU Data ActReviewed:
TL;DR

Data Act: Per member state (effective, proportionate, dissuasive) max fine

Data Act applies to IoT Manufacturers and Cloud Services organisations in all EU member states. Key deadline: September 12, 2025.

Source: Official Journal of the European Union — EU Data Act

Who does Data Act apply to?

Le Data Act s'applique aux fabricants et aux fournisseurs de produits connectés et de services associés mis à disposition dans l'UE, aux détenteurs de données fournissant des données à des destinataires dans l'UE, aux fournisseurs de services de traitement de données (cloud et edge) servant des clients de l'UE, et aux organismes du secteur public des États membres.

  • Fabricants de produits connectés mis sur le marché de l'UE et fournisseurs de services associés
  • Détenteurs de données tenus de mettre des données à disposition d'utilisateurs ou de tiers
  • Destinataires de données mises à disposition au titre du règlement
  • Fournisseurs de services de traitement de données (cloud/edge) proposant des services dans l'UE
  • Organismes du secteur public sollicitant des données en cas de besoin exceptionnel
Source: Regulation (EU) 2023/2854 (Data Act) — EUR-Lex Official Journal — Article 1 (Objet et champ d'application)Reviewed:

What are the penalties for Data Act non-compliance?

Les États membres fixent les sanctions des manquements au Data Act, y compris des astreintes périodiques. Lorsque le manquement porte sur les dispositions relatives aux données à caractère personnel, le régime de sanctions du RGPD s'applique en parallèle.

Maximum fineWhere personal data is involved: GDPR Article 83 rates apply (€20M / 4%). Other breaches: set by member states.
Source: Regulation (EU) 2023/2854 (Data Act) — EUR-Lex Official Journal — Article 40 (Sanctions)Reviewed:

When does Data Act apply?

Le Data Act est entré en vigueur le 11 janvier 2024. La plupart des dispositions s'appliquent depuis le 12 septembre 2025. Les règles sur la tarification du changement de fournisseur de services cloud se déploient progressivement : les frais de changement préexistants doivent être supprimés au plus tard le 12 janvier 2027.

  • 2024-01-11 — Entry into force
  • 2025-09-12 — Most provisions apply
  • 2027-01-12 — Cloud switching charges (over and above costs incurred) must be removed
Source: Regulation (EU) 2023/2854 (Data Act) — EUR-Lex Official Journal — Article 50 (Entrée en vigueur et application)Reviewed:
12 janvier 2027

Date butoir avant laquelle les fournisseurs de services de traitement de données doivent supprimer tous les « frais de changement » (frais excédant les coûts effectivement supportés) qui empêchent les clients de l'UE de migrer vers un autre fournisseur.

Règlement (UE) 2023/2854, articles 29 et 50

Deadline

September 12, 2025

Max Fine

Per member state (effective, proportionate, dissuasive)

Sectors Affected

IoT Manufacturers, Cloud Services, Data-driven Services

12 janvier 2027

Date butoir avant laquelle les fournisseurs de services de traitement de données doivent supprimer tous les « frais de changement » (frais excédant les coûts effectivement supportés) qui empêchent les clients de l'UE de migrer vers un autre fournisseur.

Règlement (UE) 2023/2854, articles 29 et 50

Key regulatory facts: EU Data Act
Official nameRegulation (EU) 2023/2854 of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)
Reg. No.(EU) 2023/2854
CELEX32023R2854
Typeregulation
In force2024-01-11
Applies from2025-09-12
Max fineWhere personal data is involved: GDPR Article 83 rates apply (€20M / 4%). Other breaches: set by member states.
Authorities
Member-state designated competent authorities (member-state)
National Data Protection Authorities (for personal-data overlap) (member-state)
Source(EU) 2023/2854 — EUR-Lex Official Journal

How do I comply with Data Act?

  • Ensure data accessibility for users
  • Enable data portability between services
  • Protect trade secrets during data sharing
  • Implement fair contract terms
  • Provide data to public bodies in emergencies

Does Data Act apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

Data Act by Country

🇩🇪

Germany

🇫🇷

France

🇳🇱

Netherlands

🇪🇸

Spain

🇮🇹

Italy

🇦🇹

Austria

🇧🇪

Belgium

🇵🇱

Poland

🇸🇪

Sweden

🇮🇪

Ireland

🇵🇹

Portugal

🇩🇰

Denmark

🇫🇮

Finland

🇨🇿

Czech Republic

🇷🇴

Romania

🇭🇺

Hungary

🇸🇰

Slovakia

🇧🇬

Bulgaria

🇭🇷

Croatia

🇬🇷

Greece

🇱🇺

Luxembourg

🇪🇪

Estonia

🇱🇻

Latvia

🇱🇹

Lithuania

🇸🇮

Slovenia

🇲🇹

Malta

Explore Data Act in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

Data Act by Industry

💻

SaaS & Software

💳

Fintech & Financial Services

🏥

Healthcare & MedTech

🏭

Manufacturing & Industry

🛒

E-commerce & Retail

🎓

EdTech & Education

🚚

Logistics & Transport

Energy & Utilities

📡

Telecoms & Media

👥

HR & Recruitment

⚖️

Legal & Professional Services

🏛️

Public Sector & NGOs

Data Act by Role

Connected-Product Manufacturers

The Data Act creates user access and portability rights for the data generated by connected products. Manufacturers must design products and related services so that data is, by default, accessible to the user — easily, securely, free of charge, in a comprehensive, structured, commonly used, and machine-readable format (Article 3).

Related Regulations

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

DSA

The DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.

eIDAS 2.0

eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.

Explore Data Act in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific Data Act guidance for SaaS, fintech, healthcare, and other affected industries.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which Data Act obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which Data Act obligations apply to your organisation in under 2 minutes.

Check Your EU Compliance

Frequently Asked Questions

What are EU Data Act obligations for SaaS companies?
The EU Data Act (Regulation 2023/2854) primarily targets IoT products and related services. For SaaS companies: (1) If your SaaS interacts with connected products (IoT), you must make product-generated data accessible to users and third parties on request; (2) Data holders cannot impose unfair terms on data recipients (Article 13); (3) Cloud switching obligations require removal of switching barriers and data portability within 30 days (Articles 23–31); (4) Public sector bodies can request access to privately held data in exceptional circumstances. Pure SaaS companies with no IoT product have limited obligations primarily around cloud portability.
What are the Data Act cloud switching obligations for cloud providers?
EU Data Act Articles 23–31 require cloud service providers to eliminate barriers to switching and data portability. From September 2025: switching processes must allow customers to migrate all data, applications, and services to another provider within 30 calendar days. Providers cannot charge for data exports during the switching process beyond incremental cost; from January 2027, switching must be free. All switching processes must be documented with a switching agreement. Cloud providers must also work toward technical equivalence — the European Commission is developing standards via EUCS (EU Cybersecurity Certification Scheme for Cloud Services) to facilitate interoperable portability between major providers.
Does the EU Data Act cover B2B data sharing between competitors?
The EU Data Act covers data sharing between businesses, but primarily in the IoT context (data generated by connected products) and cloud switching. Article 13 applies to all B2B data sharing contracts by prohibiting unfair contract terms imposed on SMEs — terms that severely limit the SME's rights to the data are automatically unenforceable. The Data Act does not create a general obligation for one business to share commercially sensitive data with a competitor. Business-to-government data sharing is required in exceptional circumstances under Article 15, such as a public emergency or a situation where no commercial alternative is available.

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Last verified: · Source: EUR-Lex 32023R2854 · Editorial policy