The EU Data Act (the Act), despite its transformative effect for data access and sharing has not captured the attention of affected companies in the way that other data focused legislation has, and to an extent been somewhat overlooked. The Act is sector-neutral and has extraterritorial scope applicable both to companies established within the EU and outside the EU if they provide products or services to the EU. UK businesses operating in the EU should now therefore ensure that their contractual frameworks and data governance strategies are compliant with the provisions of the Act and be confident in its application. The regulatory text now must be turned into operational reality both contractually and by product design; but there is little guidance or indeed industry buzz around its implications, which will likely significantly affect the dynamics of the EU data processing services market. 

The Act came into force on 12 September 2025 and is the date from which most provisions apply from (including Chapter III provisions in relation to statutory data sharing obligations and Chapter IV provisions on unfair contractual terms). The Act establishes new rights for businesses and consumers to access data they generated using “connected devices,” limiting the exclusive control exercised by many data holders such as manufacturers and cloud service providers. These new rights for device and service holders must from now on be built into contracts, enabling data access and data sharing on fair terms. Further, the new provisions such as switching rights for data processing services, which effectively grants customers a statutory right to terminate contracts for convenience on two months’ notice has gone under the radar for some operators – auto-renewals are a thing of the past, with active customer consent now required. To help companies navigate these new rules, the European Commission has stated that it will recommend a set of model contractual terms to help companies conclude data-sharing contracts that are fair, reasonable and non-discriminatory (Chapters II and III of the Act); at the time of writing these have not been published. 

It is worth noting the Act’s retroactive application which might catch some operational teams in the SaaS, PaaS or IaaS space off-guard; from 12 September 2027, provisions on unfair contractual terms under Chapter IV apply for contracts concluded on or before 12 September 2025 which are of indefinite duration or due to expire on or after 11 January 2034. The impact of the Act seems underestimated and legal teams now need to take a proactive, cross-functional approach to ensure compliance and mitigate risk associated with the sweeping obligations around data access, portability, interoperability, and fairness. Rachel Wright sets out the Act milestones here: The EU Data Act takes effect, Rachel Wright.

As ever, the Act’s complex interaction with other laws, such as the EU Digital Operational Resilience Act (DORA), the GDPR, and the NIS 2 Directive presents a compliance challenge even for the more evolved larger scale operators in this space. There is no fixed penalty under the Act; Member States shall lay down the rules and penalties applicable to infringements, provided that the penalties shall be effective, proportionate and dissuasive. For UK companies, this means that non-compliance with the Act could make them subject to the EU members local sanctions regime and where personal data is involved, GDPR-level fines of €20m or 4% of global turnover might apply.

For a summary of the Act, please see our briefing note here from Beverley Flynn and Guy Cartwright: EU Data Act - Stevens & Bolton LLP.