The EU Data Act is now in force, introducing significant new obligations for organisations that manufacture connected products (IoT) and provide related services, and for cloud service providers offering services (SaaS, PaaS, IaaS) in the EU market. Businesses across sectors such as technology, manufacturing, healthcare, and retail must ensure users can access and share data generated by their devices and services, and cloud providers must facilitate easier switching between service providers. With most provisions already applicable from 12 September 2025, organisations should urgently review product designs, contracts, and compliance strategies to avoid sanctions and seize new opportunities for data monetisation.
EU Data Act: Is Your Business Ready?
The EU Data Act (Regulation (EU) 2023/1542), “Data Act”, is EU-wide legislation that aims to transform the way organisations handle data, creating new compliance obligations while also opening up substantial opportunities across both consumer and industrial data ecosystems. With the core of its provisions applying from 12 September 2025, it significantly impacts multiple industries, affecting how data (personal and non-personal) is shared, how contracts are structured, and how value is generated and captured from digital products and services.
Purpose of the Data Act
The Data Act aims to unlock the value of non-personal data. Users of connected products and related services should be able to share data with others, including for commercial purposes, with minimal legal and technical effort. The means to achieve this under the Data Act are:
- increasing access to, and re-use of, data concerning the performance and use of connected products (IoT) and related services;
- introduction of provisions which aim to facilitate switching between data processing services (e.g. cloud services);
- conditions applicable to B2B and B2C data sharing and data access;
- rights for public sector access to privately held data in cases of exceptional need;
- requirements relating to data spaces’ interoperability.
Products and services affected by the Data Act
The Data Act primarily affects products and services that generate, store, or process data, both personal and non-personal, in particular:
- connected devices: Internet of Things (IoT) products such as consumer devices (fitness trackers, tablets, laptops, smartwatches), household appliances (smart TVs, streaming boxes, smart lighting, smart locks, fridges), industrial machinery (sensors in manufacturing, smart meters, connected medical devices, point-of-sale terminals, networked printers and scanners), infrastructure (routers, modems, traffic management systems, environmental monitoring stations), automotive (GPS navigation systems, connected cars, EV charging stations);
- data processing services: cloud services (SaaS, IaaS, PaaS) and edge services;
- frameworks for governmental bodies to request access to data held by businesses in situations of exceptional need, such as responding to public requests.
The Data Act is a horizontal regulation and applies across all sectors, including manufacturing, healthcare, retail, energy, technology, and the financial sector. It is intended to unlock value in the data economy but also reshapes competitive dynamics. For some, it opens new opportunities for data monetisation. For others, it introduces new compliance burdens and risks if contracts or technical systems are not adjusted to the new legal requirements.
Does it apply only to EU businesses?
The Data Act has extraterritorial effect and may apply to certain entities operating in the EU market regardless of where they are based. For instance, manufacturers of connected products placed on the market in the EU and entities providing data processing services in the EU will be bound by the Data Act’s provisions.
Moreover, users are granted extensive rights to access, control, and share the data generated by their use of connected products and related services. Businesses must enable this by design and through contract, and can no longer treat product or service data as their exclusive asset.
Providers of cloud and other data processing services are subject to new service switching requirements and mandatory customer contract terms, allowing customers to easily switch between service providers without additional, unjustified costs.
Timeline for compliance
- From 12 September 2025, most obligations began to apply.
- From January 2027, providers of data processing services shall not impose any switching charges on the customer for the switching process.
- From 12 September 2027, provisions on unfair contractual terms related to data access and use between enterprises begin to apply (for contracts of indefinite duration, or contracts due to expire at least 10 years from 11 January 2024).

Sanctions
Each EU Member State must lay down rules for effective, proportionate and dissuasive penalties for violations of the Data Act. The Data Act creates a national, rather than EU-wide, penalty regime – fines could therefore vary from country to country for the same violations. Interestingly, for infringements of obligations relating to the processing of personal data, the GDPR will remain applicable.
Required action
- Build a cross-functional compliance roadmap (legal, technical, commercial), as implementation takes time, especially for product redesigns or renegotiation of long-term agreements.
- IoT product manufacturers should ensure that users (both businesses and consumers) can access the data generated by their devices and share it with third parties upon request, free of charge, and ensure their product’s design technically enables this functionality.
- Cloud service providers should review their existing contracts with EU customers and align them to allow for switching between vendors. The possibility of charging early termination fees should be assessed and aligned with a broader business strategy.
The Data Act should be treated not only as a compliance exercise, but as a strategic opportunity. Businesses should assess whether they can benefit from new data access and sharing rights.
Next steps
If you have a query that you would like to discuss, please get in touch with one of your specialists.