+49(0)202 / 9422900 Phone
11.09.2025

Data Act: Everything you need to know

1 Introduction: What is the EU Data Act?

The EU Data Act(Data Regulation, Regulation (EU) 2023/2854) came into force on January 11, 2024 and forms a central component of the European data strategy. The aim is to distribute the added value from data more fairly, promote innovation and reduce barriers to competition.

Specifically, the aim is to make data - for example from networked devices, machines or cloud services - more easily accessible, transferable and usable in future. In this way, companies, consumers and public authorities should benefit from the enormous amounts of data in Europe.

2. who is affected?

The regulation affects almost all companies that work with data - in particular:

  • Manufacturer of networked devices (IoT products)
  • Providers of data processing services such as cloud services
  • Companies that use or pass on data
  • Public bodies that require access to company data in exceptional cases

3 What does the Data Act regulate?

The regulation contains the following key points, among others:

  1. Access rights: Users are granted access to the data generated by their devices.
  2. B2B data sharing: Companies must provide data on fair, reasonable and non-discriminatory terms.
  3. Unfair contract terms: protecting smaller companies from unfair contract terms.
  4. Cloud portability: It must be easy to switch between cloud providers in future - technical and contractual hurdles are inadmissible.
  5. B2G data access: Authorities are granted access to company data in exceptional situations.
  6. Protection of business secrets and security: Data does not have to be disclosed if this jeopardizes legitimate protection interests.
  7. Interoperability: Uniform standards should facilitate data exchange.

4. schedule & deadlines

  • January 11, 2024: Entry into force of the ordinance
  • September 12, 2025: General applicability - most obligations apply from this date and fines can be imposed
  • September 12, 2026: New products must be designed "accessibly"(Access by Design)
  • September 12, 2027: Cloud providers may no longer charge switching fees when changing providers. From this date, switching must be possible completely free of charge.

5 When do fines start to be imposed?

Companies have until September 12, 2025 to adapt their processes, contracts and technical systems. Sanctions will be imposed for the first time from this date.

The fines can be severe:

  • up to EUR 20 million or
  • up to 4% of global annual turnover - whichever is higher.

From September 2026, the Access by Design obligation will also apply to new products. Violations of this can also be sanctioned.

6 What do companies need to do now?

To ensure that your company is prepared in good time, you should take the following measures:

  • Inventory: Which products, data and contracts are affected?
  • Check and adapt contracts: General terms and conditions, cloud and service contracts must comply with the new requirements.
  • Technical preparation: ensure data portability, create interfaces, implement interoperability.
  • Consider data protection & IP: Protect business secrets and security interests.
  • Create internal processes: Regulate handling of data access requests and access by authorities.
  • Train employees: Sensitize management, IT and specialist departments.
  • Monitoring: Observe developments, FAQs and future guidelines of the EU Commission.

7 Conclusion: Act now instead of being liable later

The EU Data Act brings great opportunities - but also clear obligations. For decision-makers, this means that all relevant steps must be taken by September 2025 at the latest.

👉 O ur tip: Don't wait and see. Plan the necessary adjustments now - and take the opportunity to future-proof your company.

Michael Ullrich, LL.M.

Michael Ullrich, LL.M.

Attorney-at-law, Partner
Specialist attorney for industrial property law
Specialist attorney for information technology law

+49 (0) 202 - 9422900
info@goldberg.de

Last posts

Archive