EuroComply
Sign up

EU Data Act

The Data Act (Regulation (EU) 2023/2854) is the EU's horizontal law on access to and use of data. It gives users of connected products and related services the right to access the data they generate, regulates business-to-business and business-to-government data sharing, and imposes cloud-switching rules to reduce vendor lock-in.

Free EU Compliance Checker

What does Data Act require and when does it apply?

Data Act applies to IoT Manufacturers and Cloud Services organisations across all EU member states. The key deadline is September 12, 2025. Non-compliance carries a maximum penalty of Per member state (effective, proportionate, dissuasive). Core obligations include ensure data accessibility for users and enable data portability between services.

  • Ensure data accessibility for users
  • Enable data portability between services
  • Protect trade secrets during data sharing
  • Implement fair contract terms
  • Provide data to public bodies in emergencies
DeadlineSeptember 12, 2025
Max finePer member state (effective, proportionate, dissuasive)
Primary sectorsIoT Manufacturers, Cloud Services, Data-driven Services
Source: Official Journal of the EU โ€” EU Data ActReviewed:
TL;DR

Data Act: Per member state (effective, proportionate, dissuasive) max fine

Data Act applies to IoT Manufacturers and Cloud Services organisations in all EU member states. Key deadline: September 12, 2025.

Source: Official Journal of the European Union โ€” EU Data Act

Who does Data Act apply to?

The Data Act applies to manufacturers and providers of connected products and related services made available in the EU, to data holders providing data to recipients in the EU, to data processing service providers (cloud and edge) serving EU customers, and to public-sector bodies of EU member states.

  • Manufacturers of connected products placed on the EU market and providers of related services
  • Data holders required to make data available to users or third parties
  • Recipients of data made available under the Act
  • Providers of data processing services (cloud/edge) offering services in the EU
  • Public-sector bodies requesting data in cases of exceptional need
Source: Regulation (EU) 2023/2854 (Data Act) โ€” EUR-Lex Official Journal โ€” Article 1 (Subject matter and scope)Reviewed:

What are the penalties for Data Act non-compliance?

Member states set penalties for breaches of the Data Act, including periodic penalty payments. For breaches of the personal-data provisions, the GDPR penalty regime applies in parallel.

Maximum fineWhere personal data is involved: GDPR Article 83 rates apply (โ‚ฌ20M / 4%). Other breaches: set by member states.
Source: Regulation (EU) 2023/2854 (Data Act) โ€” EUR-Lex Official Journal โ€” Article 40 (Penalties)Reviewed:

When does Data Act apply?

The Data Act entered into force on 11 January 2024. Most provisions apply from 12 September 2025. The cloud-switching pricing rules phase in: pre-existing 'switching charges' must be removed by 12 January 2027.

  • 2024-01-11 โ€” Entry into force
  • 2025-09-12 โ€” Most provisions apply
  • 2027-01-12 โ€” Cloud switching charges (over and above costs incurred) must be removed
Source: Regulation (EU) 2023/2854 (Data Act) โ€” EUR-Lex Official Journal โ€” Article 50 (Entry into force and application)Reviewed:
12 January 2027

Date by which providers of data processing services must remove all 'switching charges' (charges over and above costs incurred) that obstruct EU customers from moving to another provider.

Regulation (EU) 2023/2854, Article 29 and Article 50

Deadline

September 12, 2025

Max Fine

Per member state (effective, proportionate, dissuasive)

Sectors Affected

IoT Manufacturers, Cloud Services, Data-driven Services

12 January 2027

Date by which providers of data processing services must remove all 'switching charges' (charges over and above costs incurred) that obstruct EU customers from moving to another provider.

Regulation (EU) 2023/2854, Article 29 and Article 50

Key regulatory facts: EU Data Act
Official nameRegulation (EU) 2023/2854 of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)
Reg. No.(EU) 2023/2854
CELEX32023R2854
Typeregulation
In force2024-01-11
Applies from2025-09-12
Max fineWhere personal data is involved: GDPR Article 83 rates apply (โ‚ฌ20M / 4%). Other breaches: set by member states.
Authorities
Member-state designated competent authorities (member-state)
National Data Protection Authorities (for personal-data overlap) (member-state)
Source(EU) 2023/2854 โ€” EUR-Lex Official Journal

How do I comply with Data Act?

  • Ensure data accessibility for users
  • Enable data portability between services
  • Protect trade secrets during data sharing
  • Implement fair contract terms
  • Provide data to public bodies in emergencies

Does Data Act apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now โ€” free

Data Act by Country

๐Ÿ‡ฉ๐Ÿ‡ช

Germany

๐Ÿ‡ซ๐Ÿ‡ท

France

๐Ÿ‡ณ๐Ÿ‡ฑ

Netherlands

๐Ÿ‡ช๐Ÿ‡ธ

Spain

๐Ÿ‡ฎ๐Ÿ‡น

Italy

๐Ÿ‡ฆ๐Ÿ‡น

Austria

๐Ÿ‡ง๐Ÿ‡ช

Belgium

๐Ÿ‡ต๐Ÿ‡ฑ

Poland

๐Ÿ‡ธ๐Ÿ‡ช

Sweden

๐Ÿ‡ฎ๐Ÿ‡ช

Ireland

๐Ÿ‡ต๐Ÿ‡น

Portugal

๐Ÿ‡ฉ๐Ÿ‡ฐ

Denmark

๐Ÿ‡ซ๐Ÿ‡ฎ

Finland

๐Ÿ‡จ๐Ÿ‡ฟ

Czech Republic

๐Ÿ‡ท๐Ÿ‡ด

Romania

๐Ÿ‡ญ๐Ÿ‡บ

Hungary

๐Ÿ‡ธ๐Ÿ‡ฐ

Slovakia

๐Ÿ‡ง๐Ÿ‡ฌ

Bulgaria

๐Ÿ‡ญ๐Ÿ‡ท

Croatia

๐Ÿ‡ฌ๐Ÿ‡ท

Greece

๐Ÿ‡ฑ๐Ÿ‡บ

Luxembourg

๐Ÿ‡ช๐Ÿ‡ช

Estonia

๐Ÿ‡ฑ๐Ÿ‡ป

Latvia

๐Ÿ‡ฑ๐Ÿ‡น

Lithuania

๐Ÿ‡ธ๐Ÿ‡ฎ

Slovenia

๐Ÿ‡ฒ๐Ÿ‡น

Malta

Explore Data Act in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

Data Act by Industry

๐Ÿ’ป

SaaS & Software

๐Ÿ’ณ

Fintech & Financial Services

๐Ÿฅ

Healthcare & MedTech

๐Ÿญ

Manufacturing & Industry

๐Ÿ›’

E-commerce & Retail

๐ŸŽ“

EdTech & Education

๐Ÿšš

Logistics & Transport

โšก

Energy & Utilities

๐Ÿ“ก

Telecoms & Media

๐Ÿ‘ฅ

HR & Recruitment

โš–๏ธ

Legal & Professional Services

๐Ÿ›๏ธ

Public Sector & NGOs

Data Act by Role

Connected-Product Manufacturers

The Data Act creates user access and portability rights for the data generated by connected products. Manufacturers must design products and related services so that data is, by default, accessible to the user โ€” easily, securely, free of charge, in a comprehensive, structured, commonly used, and machine-readable format (Article 3).

Related Regulations

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

DSA

The DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.

eIDAS 2.0

eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.

Explore Data Act in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific Data Act guidance for SaaS, fintech, healthcare, and other affected industries.

Next step โ€” classify

Classify your AI systems

Use the free regulation checker to find out exactly which Data Act obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which Data Act obligations apply to your organisation in under 2 minutes.

Check Your EU Compliance

Frequently Asked Questions

What are EU Data Act obligations for SaaS companies?
The EU Data Act (Regulation 2023/2854) primarily targets IoT products and related services. For SaaS companies: (1) If your SaaS interacts with connected products (IoT), you must make product-generated data accessible to users and third parties on request; (2) Data holders cannot impose unfair terms on data recipients (Article 13); (3) Cloud switching obligations require removal of switching barriers and data portability within 30 days (Articles 23โ€“31); (4) Public sector bodies can request access to privately held data in exceptional circumstances. Pure SaaS companies with no IoT product have limited obligations primarily around cloud portability.
What are the Data Act cloud switching obligations for cloud providers?
EU Data Act Articles 23โ€“31 require cloud service providers to eliminate barriers to switching and data portability. From September 2025: switching processes must allow customers to migrate all data, applications, and services to another provider within 30 calendar days. Providers cannot charge for data exports during the switching process beyond incremental cost; from January 2027, switching must be free. All switching processes must be documented with a switching agreement. Cloud providers must also work toward technical equivalence โ€” the European Commission is developing standards via EUCS (EU Cybersecurity Certification Scheme for Cloud Services) to facilitate interoperable portability between major providers.
Does the EU Data Act cover B2B data sharing between competitors?
The EU Data Act covers data sharing between businesses, but primarily in the IoT context (data generated by connected products) and cloud switching. Article 13 applies to all B2B data sharing contracts by prohibiting unfair contract terms imposed on SMEs โ€” terms that severely limit the SME's rights to the data are automatically unenforceable. The Data Act does not create a general obligation for one business to share commercially sensitive data with a competitor. Business-to-government data sharing is required in exceptional circumstances under Article 15, such as a public emergency or a situation where no commercial alternative is available.

For informational purposes only. This is not legal advice โ€” consult qualified legal counsel.

Last verified: ยท Source: EUR-Lex 32023R2854 ยท Editorial policy