Effective September 12, 2025, the EU Data Act introduced new rules on access to and sharing of data from certain products and services in business-to-consumer (B2C), business-to-business (B2B), and business-to-government (B2G) contexts. This alert highlights the key obligations. The EU Data Act applies to any business offering products or services in the EU, regardless of its location.

New Data Sharing Requirements for Connected Products and Related Services

As of September 12, 2025, companies operating in the IoT sector (e.g., smart home devices, wearables, connected cars, industrial equipment) should:

• be capable of granting users (both individuals and business users) access to their raw usage data upon request, provided that the data is “readily available” to the business (e.g., data collected from a sensor on an airplane, usage data generated by a user interface or via a related service). This includes access to any metadata necessary to contextualize the raw data (e.g., timestamps);
• provide users with information about the data access options before users sign a contract (e.g., via a webpage or notice);
• update their terms to cover the access right and its limitations (e.g., trade secrets);
• ensure that the data retrieval is free and secure (e.g., by providing the data through the user account); and
• make the data available to a third party if requested by a user (e.g., an after-sale support provider).

Any products placed on the EU market after September 12, 2026, must be designed in a manner that provides users with direct access to the raw usage data.

“Unfair” Data Terms for B2B Contracts

The EU Data Act prohibits businesses from unilaterally imposing “unfair” terms in contracts governing access to and use of data with other businesses (as per Article 13 of the Data Act). Such terms include, for example, terms that exclude or limit liability or remedies, or that give one party the exclusive right to determine whether supplied data complies with the contract. The EU Data Act also lists certain types of contractual provisions that are presumed to be “unfair”, such as terms that may “unfairly” restrict the use of data.

These rules apply to agreements regarding the sharing of data, both personal and non-personal, by a private entity with another business. “Unfair” terms will not be enforceable against the other party in the EU.

Switching Rights for Customers of Data Processing Services (e.g., SaaS, IaaS, PaaS) and Service Interoperability

The Data Act introduces measures to facilitate switching by customers between data processing service providers or migration to on-premises solutions:

• Information obligations: Providers must inform customers about their switching procedures, including data export capabilities, duration, and any technical limitations.
• Contract requirements: Providers must allow switching with a notice period of no more than two months.
• Removal of switching obstacles: Providers must remove technical, contractual, and commercial barriers that hinder customers from switching providers or using multiple services simultaneously.
• Interoperability standards: Providers must ensure open interfaces and comply with interoperability standards to facilitate switching (e.g., data exports in commonly used, machine-readable formats).
• Government access to non-personal data: Providers must take measures to prevent foreign government access to non-personal data stored in the EU and establish processes to handle such access requests. They must also publicly disclose these measures and the locations of their Information and Communication Technology infrastructure on their websites.

The above points apply to new and existing contracts. In addition, as from January 12, 2027, providers will no longer be able to charge switching fees, including fees for data transfer.

Business-to-Government Data Sharing

EU and national public sector bodies are granted certain rights of access to data held by companies where there is an exceptional need. This includes emergency situations (e.g., cybersecurity incidents, natural disasters), and certain non-emergency situations where there is a public interest (e.g., use of location data to optimize traffic flows).

Minimum Requirements for Smart Contracts

The EU Data Act also introduces minimum requirements for the use of smart contracts for data sharing agreements (e.g., ensuring that they are manipulation resistant). A smart contract is a computer program used to automate the execution of an agreement (typically deployed on a blockchain). It automatically enforces and executes the agreed-upon rules and actions when predefined conditions are met.

Next Steps

The Data Act will be enforced by national regulators in each EU country, subject to penalties under local laws. These regulators are expected to closely monitor compliance and take action against companies that fail to comply with the Data Act. Recommended action items for clients include: 

• Companies producing connected products or offering related services should review their data-sharing practices and identify relevant data, enable retrieval and sharing, update access request policies, and revise user notices and terms.
• Companies engaging in B2B data sharing should carefully consider their use of data use restrictions to ensure their enforceability.
• Cloud service providers should update contracts, provide clear information on data handling, establish switching processes, and cover non-personal data in their internal processes for handling government data access requests.

Wilson Sonsini Goodrich & Rosati routinely advises clients on EU data regulatory issues. For further inquiries about the EU’s Data Act and other data regulations, please contact Laura De Boel, Laura Brodahl, Carol Evrard, or any attorney from Wilson Sonsini’s EU Data, Privacy, and Cybersecurity practice.

Hugh O Laoide Kelly contributed to the preparation of this alert.