The EU Data Act: Are You Ready?

Anita Hodea, associate at Katten Muchin Rosenman UK LLP, discusses the impact that the EU Data Act will have on companies, and gives practical tips for companies to ensure EU Data Act compliance

The EU Data Act comes into force today, 12 September 2025, setting a new benchmark for Europe’s digital economy and how data is accessed, shared and governed.

Aiming to create a fairer and more competitive data ecosystem, the Act encompasses all data processing activities, covering both personal and non-personal data.

How might the EU Data Act impact you?

The EU Data Act (“EDA”) will fundamentally change how companies handle data from connected products and related services. The EDA gives users (both businesses and consumers) rights to access, use and share data generated by IoT devices, smart appliances, or industrial equipment. This impacts manufacturers, service providers and cloud operators, including non-EU companies offering services to EU customers.

Cloud providers, including SaaS, PaaS and IaaS, must enable seamless switching, remove technical and contractual lock-ins and ensure interoperability. Connected products placed on the market after September 2026 must allow users to access data either directly or on request, in structured, machine-readable formats, promoting transparency and control.

The EDA also addresses contractual fairness. B2B agreements must be fair, reasonable and non-discriminatory, limiting dominant market players’ leverage. Public-sector authorities may request data during emergencies or legal mandates, generally without compensation, while companies must safeguard trade secrets and prevent unauthorised access, including from non-EU governments.

In short, the EDA is intended to spur competition, innovation and user empowerment, but compliance with the EDA will require operational, technical and contractual changes. Companies must review contracts, adapt infrastructure and coordinate across legal, IT and product teams to avoid fines or litigation.

Key issues companies/compliance teams need to be aware of

Companies should first assess whether they fall within the EDA’s scope, which covers manufacturers of connected products, providers of digital services and cloud operators serving users in the EEA. From 12 September 2025, users will have the right to request both personal and non-personal data and share it with third parties, requiring organisations to provide data in structured, machine-readable formats.

Compliance with the GDPR will therefore remain critical for all businesses, as even though the EDA covers all data types, it will not replace GDPR obligations. Organisations must still ensure that they have a lawful basis to process personal data, while also meeting transparency and sharing obligations under the EDA.

Transparency is central to the EDA and companies will need to clearly inform users, before contracts are signed, about what data will be collected, how it will be stored, for how long and who can access it. For example, a smart home device that collects personal data (such as user preferences) and non-personal data (such as energy usage) will require compliance with the GDPR for the personal data, while also providing users with structured, machine-readable access to all data under the EDA. The use of quick-reference tools, such as URLs or QR codes, may be useful to companies to make this information easily accessible and understandable to users.

For manufacturers, the EDA may require product redesign and the implementation of technical safeguards to make data accessible, shareable and secure. Service providers must enable data portability, ensure interoperability and remove switching barriers, while SMEs are likely to benefit from protections against unfair contractual terms and gain access to data that supports innovation. Across all sectors, coordination across legal, IT and product teams will be essential to manage compliance and operational readiness under the EDA.

Sanctions or penalties attached to the legislation

Enforcement will be handled at the Member State level and penalties will vary by country. Companies operating in multiple EU states will generally be regulated by the authority in their main establishment, while non-EU companies will be required to appoint an EU representative.

Violations can include failing to provide timely data access, imposing unfair contractual terms, failing to ensure interoperability or seamless switching, or neglecting safeguards against non-EEA governmental access. For personal data breaches, GDPR fines remain applicable, specifically up to €20 million or 4% of global turnover (whichever is higher).

To mitigate risk, companies should maintain clear documentation of technical, contractual and organisational measures, audit data flows and regularly review agreements and system capabilities. Non-compliance with the EDA will also expose companies to litigation, particularly over trade secrets, unfair contract terms, or data portability disputes.

How the legislation complements or conflicts with GDPR

The EDA complements the GDPR by covering non-personal and IoT-generated data, whereas the GDPR governs personal data only. Both emphasise transparency, fairness and accountability, with the EDA focused on improving data portability, interoperability and seamless switching.

Conflicts may arise when EDA obligations intersect with GDPR, for example, sharing personal data with third parties. In such cases, the GDPR will take precedence. To prepare, companies should segregate personal and non-personal data, implement safeguards and document legal bases for sharing personal data.

Providers of SaaS, PaaS and IaaS must balance portability and switching requirements with GDPR compliance, ensuring processes for user requests, transparency and consent align with both frameworks.

Top 5 practical tips for companies to ensure EU Data Act compliance

  • Coordinate governance and train staff
      • Compliance will require collaboration across legal, IT, product and compliance teams.
      • Companies should assign clear responsibilities for handling user requests, ensuring interoperability and managing contractual obligations within their organisation.
      • Organisations should train staff on the requirements of the EDA, including data sharing, transparency and security measures.
      • Organisations will also need to stay updated on evolving EU guidance, model clauses and emerging technical standards.

Best Practice and Steps to take to ensure EU Data Act compliance

Assess scope and impact

    1. Determine whether your organisation is covered by the EDA. This includes manufacturers of connected products, providers of data processing services such as SaaS, PaaS and IaaS, and any company that collects or uses data generated in the EU.
    2. Consider extraterritorial implications, given that non-EU companies offering services to EEA users may fall under the scope of the EDA.
    3. Understand which products, services and data flows will be in scope.

Enable data access and portability

    1. Users must be able to access and share data generated by connected products and services. This means providing the data in structured, machine-readable formats. Options include portals, APIs, or direct device interfaces.
    2. For cloud services, this also includes ensuring that users can switch providers seamlessly, with minimal technical or contractual barriers.
    3. Companies should test their systems to ensure data can be exported, transferred, or accessed efficiently, in compliance with the EDA’s requirements.

Review contracts for fairness

    1. All B2B agreements must follow FRAND principles. Therefore, businesses should avoid clauses that unilaterally favour one party, impose hidden fees, or restrict data sharing.
    2. Companies should also align contracts with the Model Contractual Terms recommended by the EU Commission, which provide guidance on compensation, access rights and trade secret protections.
    3. Finally, organisations should clearly define who can use the data, for what purpose and under which conditions, to avoid disputes and potential enforcement action.

Safeguard data and document compliance

    1. Implement technical and organisational measures to protect trade secrets, intellectual property and non-personal data.
    2. Establish clear protocols for responding to public-sector data requests, emergencies and third-country government access.
    3. Maintain audit logs, data inventories, and internal records to demonstrate compliance during inspections or audits.
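The sections on enabling data access and portability, on segregating personal from non-personal data before sharing it with third parties, and on keeping audit logs all describe the same control from different angles: classify every field a connected product records, export only what the recipient is entitled to in a machine-readable format, and record each export. The following Python script is an added example written for this page, not code from the article or from Katten; the smart-thermostat schema, the field names, the recipient labels and the `consent-ref-PLACEHOLDER` legal-basis reference are all constructed for illustration, and the "legal basis" check is simplified to the presence of a documented reference.

```python
import json
from datetime import datetime, timezone

# Constructed schema for a hypothetical smart-thermostat record: every field the
# device reports is tagged as personal or non-personal before anything is exported.
FIELD_CLASSIFICATION = {
    "device_id": "non_personal",
    "firmware_version": "non_personal",
    "energy_kwh": "non_personal",
    "room_temperature_c": "non_personal",
    "user_preferences": "personal",
    "occupancy_schedule": "personal",
}

# In-memory audit trail; a real deployment would write to append-only storage.
AUDIT_LOG = []


def classify(record):
    """Partition a raw device record by classification.

    Fields missing from FIELD_CLASSIFICATION are returned separately so the
    caller can fail closed: an unclassified field is never exported.
    """
    personal, non_personal, unclassified = {}, {}, {}
    for key, value in record.items():
        tag = FIELD_CLASSIFICATION.get(key)
        if tag == "personal":
            personal[key] = value
        elif tag == "non_personal":
            non_personal[key] = value
        else:
            unclassified[key] = value
    return personal, non_personal, unclassified


def export_for(record, requester, recipient, legal_basis=None):
    """Build a structured export of `record` for `recipient`.

    - The user who generated the data (recipient == "user") receives all
      classified fields, personal and non-personal.
    - Any other recipient receives non-personal data, and personal data only
      when a documented legal basis (a reference string, here a constructed
      placeholder) is supplied.
    Every export is recorded in AUDIT_LOG with what was shared and withheld.
    """
    personal, non_personal, unclassified = classify(record)
    share_personal = recipient == "user" or legal_basis is not None
    payload = dict(non_personal)
    if share_personal:
        payload.update(personal)
    withheld = sorted(unclassified) + ([] if share_personal else sorted(personal))
    AUDIT_LOG.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "recipient": recipient,
        "legal_basis": legal_basis,
        "fields_shared": sorted(payload),
        "fields_withheld": withheld,
    })
    return {"format": "application/json", "data": payload, "withheld": withheld}


def to_json(export):
    """Serialise an export as stable, machine-readable JSON."""
    return json.dumps(export, sort_keys=True, indent=2)


if __name__ == "__main__":
    # Constructed sample record; "debug_trace" is deliberately left unclassified.
    sample = {
        "device_id": "thermo-0001",
        "firmware_version": "2.3.1",
        "energy_kwh": 4.2,
        "room_temperature_c": 21.5,
        "user_preferences": {"target_c": 22, "eco_mode": True},
        "occupancy_schedule": ["07:00-09:00", "18:00-23:00"],
        "debug_trace": "internal",
    }
    print(to_json(export_for(sample, "user-42", "user")))
    print(to_json(export_for(sample, "user-42", "third_party:energy-optimiser")))
    print(to_json(export_for(sample, "user-42", "third_party:energy-optimiser",
                             legal_basis="consent-ref-PLACEHOLDER")))
    print(to_json({"audit": AUDIT_LOG}))
```

Two design choices carry the compliance weight: unclassified fields are withheld rather than exported by default, so a newly added telemetry field cannot leak until someone has classified it, and the audit entry records the withheld fields as well as the shared ones, which is what an inspector would ask for when checking that personal data was not passed to a third party without a documented basis.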
Trish Stevens, Head of Content, In the Channel Media Group