The EU officially adopted the Data Act in January 2024, and it came into force on September 12, 2025. The Data Act builds on existing laws like the General Data Protection Regulation and the Data Governance Act. Now that the legislation is active, companies that fall under its scope must proactively review its provisions and ensure they comply with the new obligations.
At a high level, the Data Act establishes rules for fair access to and use of data. It is concerned with data related to connected devices (e.g., smart appliances, industrial machinery, vehicles) and cloud service providers. It aims to:
- Empower users (individuals and businesses) to access and share data they co-generate when using a connected product.
- Prevent unfair contractual terms in data-sharing agreements.
- Facilitate switching between cloud service providers.
- Enable public sector access to data in emergencies.
- Protect EU-stored non-personal data from unlawful foreign access.
Companies caught by the legislation should:
- Ensure users can access and share data (whether personal or non-personal) generated by connected products or related services.
- Establish protocols for responding to data access requests.
- Audit and revise contracts as necessary to eliminate unfair terms, especially if your business holds a dominant market position.
- Prepare for new obligations around interoperability and switching between cloud providers.
- Develop safeguards to protect sensitive data when your company needs to share it.
- Align your internal processes, IT infrastructure, and employee training with the Data Act’s requirements to ensure all relevant stakeholders within your company stay prepared.
For further detail on the Data Act and how it may apply to your company, please see Alston & Bird’s client advisories regarding connected products and cloud services (5 Things to Know About the Data Act and New Switching Requirements for Providers of Cloud Services).