Explore our collection of PDF documents and enrich your knowledge now!
back
12 September 2025: Implementation of Certain Provisions of the Data Act
Article IT and Data Protection | 12/09/25 | 3 min. | Marc Mossé Léa Margono Charlotte Chen
Regulation (EU) 2023/2854 of 13 December 2023, establishing common rules on fair access to and use of data (the “Data Act”), governs the access, sharing, and portability of data generated by connected products and related services. Its objective is to ensure that users have effective control over the data they generate.
The Data Act applies to a broad range of stakeholders: manufacturers of connected products, data holders (which may include such manufacturers or providers of related services), data processing service providers, users (whether individuals or businesses), data recipients (any natural or legal person, including third parties, receiving data from a data holder on a user’s request or under a legal obligation), and public sector bodies.
Entered into force on 11 January 2024, several of its provisions take effect 12 September 2025.
Access to Data Generated by Connected Products
Starting 12 September 2025, connected product manufacturers and providers of related services must ensure that users can easily access the data generated by these products and services. Access must be free of charge and provided in a complete, structured, commonly used, and machine-readable format.
However, this obligation applies only to connected products and related services placed on the market after 12 September 2026.
Data Sharing with Third Parties
Chapter III of the Data Act also takes effect after 12 September 2025. It governs situations where data holders are required, under EU or national law, to make data available.
Under these provisions, users may request that their data be shared with any third party of their choosing. Manufacturers and service providers must facilitate such data transfers without imposing contractual restrictions and must do so in a secure and documented manner.
Regulation of Data-Sharing Contracts
Chapter IV of the Data Act addresses unfair contractual terms in business-to-business (B2B) agreements relating to access to and use of data. These provisions will apply to all contracts signed after 12 September 2025.
For contracts concluded on or before 12 September 2025 that are either of indefinite duration or set to expire ten years or more after 11 January 2024, Chapter IV will apply starting 12 September 2027.
To facilitate compliance, the European Commission has published non-binding model contractual clauses covering data access, data use, fair compensation, and protection of trade secrets.
Cloud Service Portability
Cloud service providers are required to enable customers to migrate their data to another provider easily. As of 12 September 2025, all technical and contractual barriers to such transfers must be removed.
Starting in 2027, providers will no longer be permitted to charge migration fees.
Sanctions
Under Article 40 of the Data Act, Member States must notify the European Commission by 12 September 2025 of the penalties applicable for violations of the Regulation and the measures adopted to ensure their enforcement.
In particular, for breaches relating to:
- Data sharing between businesses and consumers or between businesses,
- Obligations of data holders to make data available, and
- The provision of data to public sector bodies, the Commission, the European Central Bank, or EU institutions in cases of exceptional need
Article 40 specifies that national supervisory authorities, such as the CNIL in France, will have the power to impose administrative fines under the same regime as Article 83 of the GDPR — that is, up to €20 million or 4% of global annual turnover, whichever is higher.