Data regulation and cyber
Learn more
Data Act
Status: In force
- In force since 11 January 2024, application from 12 September 2025 (with certain exceptions where individual provisions or chapters have a deviating application date)
Summary
EU Regulation introducing rules for the sharing and use of data generated on the internet of things, and for cloud providers when it comes to interoperability, switching and international data transfers. Designed to improve access, exchange and use of valuable data generated by connected devices so that more public and private stakeholders can benefit from Big Data and Machine Learning.
Scope
- Data sharing obligations apply to companies that manufacture / offer connected products or related services in the EU, those who make this data available to others
- Interoperability obligations and obligations on international data transfers apply to providers of data processing services (including IaaS, PaaS, SaaS) offered to EU based customers
- Applies to personal and non-personal data
Key elements
Connected products and related services
- Obligation for companies to grant users, third companies or the public sector access to data. Implementation of fair, transparent and non-discriminatory regulation (standards) of access to data
- Extensive information requirements on the generated data vis-à-vis end users before a contract for the purchase, rent, or lease of a connected product or a related digital service is concluded
- Use of private data by government (B2G): fair, transparent access to privately held data for use in public interest (e.g. environmental protection, public health)
- Promoting data access and use in B2B relationships (fairness test against unfair, unilateral contractual terms and transparency obligations)
Data processing services (in particular cloud services)
- Obligation for cloud service providers to allow users to easily switch cloud services and to improve portability between cloud providers, and to implement safeguards against unlawful government access and for international transferof non-personal data
Enforcement
- Fines of up to EUR 20 million or 4% of annual group turnover, whichever is higher
Challenges
Connected products and related services
- Interplay with GDPR is unclear, specifically how to treat in practice mixed data sets which contain personal and non-personal data
- Implementation of data access obligations poses a significant administrative burden
- Data access rights might interfere with the protection of companies’ trade secrets
- Requirements for the technical design of data portability might be onerous: Companies in scope must fulfil access and portability requirements for data for users of networked products
Data processing services
- Compliance burden by imposing Schrems-II requirements for international transfer of non-personal data on data processing services
- Limiting switching charges, not a clear cut which costs will be in scope
- Scope of interoperability obligations is not completely clear and yet to be determined how the requirements will function regarding the practical challenges of IT migration
Contacts
Dr. Theresa Ehlen Partner
Düsseldorf, Frankfurt am Main
Dr. Christoph Werkmeister Partner
Düsseldorf
Dr. Lutz Riede Partner
Vienna, Düsseldorf
Dr. Ludwig Hartenau Partner
Vienna
Jenny Leahy Partner
London, Brussels
Dr. Gernot Fritz Counsel
Vienna
Estella Dannhausen Associate
Vienna
Julia Utzerath Senior Knowledge Lawyer
Düsseldorf