The EU Data Act (Regulation (EU) 2023/2854) is set to be the cornerstone of the European Commission’s broader digital strategy and has been designed to empower users by unlocking the value of industrial, personal and non-personal data. Applying from 12th September 2025, the act introduces broad obligations on a wide range of businesses across various sectors from manufacturing and healthcare to cloud computing and electronics.
The EU Data Act aims to establish clear rules for access, sharing and portability of data across sectors and providers. For businesses operating in the EU or offering connected products and services to EU customers, this legislation introduces sweeping obligations (and opportunities) to reshape their data practices, enhance transparency and build trust with their customers and partners.
What Is the EU Data Act?
The Data Act is a key part of the EU’s digital strategy, designed to foster a fair, competitive, and innovative data economy. It complements the Data Governance Act and aims to unlock the value of data while ensuring equitable access and use.
Who Does the EU Data Act Apply To?
The EU Data Act applies to a wide range of entities and technologies, most notably:
- Connected Product Manufacturers: Companies producing devices that generate and transmit data, such as smart home appliances, vehicles, and industrial machinery.
- Service Providers: Businesses offering services related to connected products, including maintenance, analytics, and software platforms.
- Cloud and Data Processing Providers: Providers of infrastructure, platform, or software-as-a-service (SaaS) solutions used within the EU.
- Non-EU Entities (including UK businesses): Organisations established outside the EU, such as those based in the UK, that offer connected products or related services to users within the EU, or enter into contracts with EU-based customers, may be subject to the EU Data Act’s provisions.
The regulation also covers data generated by connected products, contracts governing data access, and interoperability between data services. Products whose primary function is solely to store, process, or transmit data may fall outside the scope, and SMEs may benefit from certain exemptions such as later implementation or total exemption from the requirements of this Act, but all businesses should assess their exposure to ensure compliance in the future.
Key Provisions Businesses Must Understand
Below are some of the critical elements of the EU Data Act that businesses may need to prepare for:
1. Cloud and Data Processing Service Switching
- Providers must allow customers to switch services easily, with no undue barriers, lengthy procedures or exit fees. This provision means that providers of such services cannot lock in customers without providing a right to switch with a maximum notice period of two months and a maximum transitional period of 30 calendar days.
- From 12 January 2027, all switching charges must be eliminated.
- Contracts must include clear terms for data portability and support functional equivalence between services.
- This provision should benefit both consumers and businesses by unlocking the market, so businesses have a larger pool of customers and consumers have a wide range of choice.
2. User Rights to Data Access and Sharing
- Users, both consumers and businesses, gain the right to access data generated by their connected products and related services.
- Businesses must enable this access by design and by contract, meaning both the products themselves and the related legal agreements must support data portability and sharing.
- Users can also instruct data holders to share data with third parties, such as repair services or analytics platforms.
3. Fair Data Sharing Obligations
- Data holders must share data on fair, reasonable, and non-discriminatory terms.
- Unfair contract clauses, for example those excluding liability for gross negligence or providing certain unilateral rights, may be prohibited and unenforceable.
- The Act has introduced “blacklisted” and “grey listed” clauses which mimic consumer protection law, so contracts must be reviewed and potentially updated to ensure their enforceability and legality under this new legislation.
4. Government Access to Data
- Public authorities can request non-personal and personal data from private entities during emergencies or for public interest tasks.
- Requests must be in line with several strict principles and conditions, so they will likely be specific and proportionate, and trade secrets must be protected.
- The Act aims to limit the sharing of personal data outside of emergency situations.
5. Protection Against Unlawful Foreign Access
- The Act introduces safeguards to prevent non-EU governments from accessing non-personal data stored in the EU unless strict conditions are met.
How Businesses Must Comply with the EU Data Act
Businesses must take proactive steps – not only to ensure compliance with the EU Data Act, but also to seize emerging opportunities in the data economy.
Key actions include mapping data flows to understand what data is generated, where it is stored, and who controls it – this is critical for meeting sharing and portability requirements.
Companies should update product designs to support user access and data sharing, revise contracts to eliminate unfair terms and include necessary clauses, and implement protocols to protect trade secrets while fulfilling legal obligations. Training teams on new user rights and internal procedures is essential, as is staying informed about national enforcement developments.
Beyond compliance, the EU Data Act presents a chance to innovate as businesses can create data-driven services, forge new partnerships, and build trust through transparent practices. Early adopters who embrace these changes may gain a competitive edge in the evolving EU digital landscape.
Conclusion
The EU Data Act is not just another regulatory hurdle; it’s a shift in data governance. Businesses that act now to understand, adapt, and align with its requirements will not only avoid penalties but also unlock new value from data.
Herrington Carmichael’s Commercial & Regulatory Team can help you navigate this transition with confidence, offering strategic guidance, contract revisions and compliance advice. We can also provide tailored training and ongoing legal updates to ensure your teams stay informed and your operations remain compliant.
Get in touch today to discuss how we can help you stay compliant and protect your business.










