--- title: "EU Data Act Scope Decision Map: Role Logic, Data Sharing, and Switching Readiness" canonical_url: "https://www.sorena.io/artifacts/eu-data-act-scope-decision-map" source_url: "https://www.sorena.io/artifacts/eu-data-act-scope-decision-map" author: "Sorena AI" description: "Advanced EU Data Act Scope Decision Map for Regulation (EU) 2023/2854 implementation: scope and role determination." keywords: - "EU Data Act Scope Decision Map compliance" - "EU Data Act Scope Decision Map guide" - "EU Data Act Scope Decision Map checklist" - "EU Data Act Scope Decision Map requirements" - "EU Data Act Scope Decision Map template" - "Regulation EU 2023 2854 implementation" - "connected products product data access" - "related services data sharing" - "data holder user data recipient roles" - "B2G exceptional need requests" - "cloud switching charges ban 2027" - "Data Act portability requirements" - "EU Data Act Scope Decision Map" - "Regulation (EU) 2023/2854" - "Connected products data" - "B2B data sharing" - "B2G exceptional need" - "Cloud switching" - "Data portability" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU Data Act Scope Decision Map: Role Logic, Data Sharing, and Switching Readiness Advanced EU Data Act Scope Decision Map for Regulation (EU) 2023/2854 implementation: scope and role determination. ![EU Data Act Scope Decision Map by Sorena AI](https://cdn.sorena.io/cheatsheets/sorena-ai-data-act-cheatsheet-small.jpg) *Data Act* *Free Resource* ## EU Data Act Scope Decision Map This EU Data Act Scope Decision Map helps teams turn legal interpretation into implementation decisions. Confirm whether your scenario is in scope, map user and data-holder duties, and define data-sharing, contractual, and cloud-switching workflows with clear ownership. Grounded in Regulation (EU) 2023/2854, Commission Data Act FAQs (v1.4), and Commission implementation resources. Use this map as an execution control for product, legal, platform, and compliance teams. [Create my custom view](/solutions/assessment.md) ## What you can decide faster - **Scope and role**: Determine whether the product/service is in scope and identify user, data holder, and recipient responsibilities. - **Share, protect, or refuse**: Operationalise user-directed sharing while applying trade-secret, security, and legal-limit safeguards correctly. - **Switching readiness**: Implement portability, switching, and contract updates for data-processing services with measurable milestones. By Sorena AI | Updated Mar 2026 | No sign-up required ### Role-to-obligation navigator *Data Act* - **Product manufacturer**: Design access by default and establish data-availability and transparency flows. - **Data holder**: Deliver user access and user-directed sharing with legal and security safeguards. - **Data recipient**: Implement purpose limits, confidentiality controls, and onward-use governance. - **Cloud provider**: Enable switching, portability, and contractual protections against unlawful access. Use this map to move from legal scope questions to operational workflows and evidence outcomes. | Value | Metric | | --- | --- | | 12 Sep 2025 | Applies | | B2B | Sharing | | B2G | Exceptional need | | 2027 | Switching fees ban | **Key highlights:** Scope first | Switching readiness | Role-based controls ## Primary sources - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj?ref=sorena.io) - Primary legal text for fair access to and use of data across connected products and services. - [European Commission Data Act policy page](https://digital-strategy.ec.europa.eu/en/policies/data-act?ref=sorena.io) - Official implementation entry point with timing, policy context, and linked implementation resources. - [European Commission FAQs on the Data Act (v1.4)](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Practical clarifications on scope, role interpretation, obligations, and legislative interplay. - [Commission Guidance on vehicle data under the Data Act (C/2025/5026)](https://eur-lex.europa.eu/eli/C/2025/5026/oj?ref=sorena.io) - Sector-specific guidance on applying Data Act access and sharing logic in vehicle-data scenarios. - [Commission C(2025) 4135 final (Data Act standardisation annexes)](https://ec.europa.eu/newsroom/dae/redirection/document/114410?ref=sorena.io) - Implementation context for interoperability and standardisation supporting Data Act execution. ## Key dates for EU Data Act implementation *Data Act Timeline* Track application and phased obligations so product, legal, and platform teams can sequence contracts, APIs, and governance changes with shared deadlines. ## What does the Data Act mean for your operating model? *Data Act Scope Decision Map* Follow the decision flow from scope and role to user-directed sharing, B2B/B2G handling, portability, and switching obligations. Each branch leads to practical implementation outcomes. *Go further* ## Turn this scope map into a complete Data Act execution program Use the EU Data Act deep-dive pages to convert scope outcomes into implementable controls, clauses, workflows, and evidence practices. - Map each role decision to accountable owners and implementation backlog items - Build user-access and user-directed sharing workflows with security and trade-secret safeguards - Operationalise B2G exceptional-need intake, triage, response, and escalation procedures - Implement cloud switching and portability controls with contract and technical evidence - **Open requirements deep dive**: Map Data Act obligations to controls, owners, and evidence outputs. - **Download Scope Map**: Share scope and role decision logic with product, legal, and platform teams. - **Download Timeline**: Share implementation milestones and switching deadlines. - **Open compliance checklist**: Use an audit-ready checklist with acceptance criteria and evidence expectations. ## Decision Steps ### START: Do any of the Data Act scope categories apply to you for this scenario? *Reference: Art. 1(3)* - Manufacturer of connected products placed on the Union market, or provider of related services (Art. 1(3)(a)). - User in the Union of connected products or related services (Art. 1(3)(b)). - Data holder making data available to data recipients in the Union, or data recipient in the Union (Art. 1(3)(c)-(d)). - Public sector body, the Commission, the ECB, or a Union body requesting data due to exceptional need, or a data holder responding (Art. 1(3)(e)). - Provider of data processing services providing services to customers in the Union (Art. 1(3)(f)). - Participant in data spaces, vendor of applications using smart contracts, or deployment of smart contracts for others in that context (Art. 1(3)(g)). - **YES** Which parts of the Data Act should you focus on? - **NO** Out of Data Act Scope ### IN SCOPE: Which parts of the Data Act should you focus on? - Follow every chapter that matches what you do in practice. Multiple chapters can apply at the same time. - Chapter II is for connected products and related services data access and user-directed sharing. - Chapters III and IV cover B2B making data available and unfair contractual terms. - Chapter V covers exceptional need requests by public sector bodies. - Chapters VI and VII cover cloud switching and safeguards against unlawful third-country access. - Chapter VIII covers interoperability and smart contracts. - -> Connected products and related services: user access and sharing ### CHAPTER II: Connected products and related services: user access and sharing - Applies if you manufacture connected products placed on the Union market, provide related services, or must provide users access to product or related service data. - Covers access by design and transparency (Article 3), user access and data holder duties (Article 4), sharing to third parties (Article 5), and third party duties (Article 6). - -> B2B making data available: terms and safeguards ### CHAPTER III: B2B making data available: terms and safeguards - Applies where, in business-to-business relations, a data holder is obliged under Article 5 or under applicable Union law or national legislation adopted in accordance with Union law to make data available to a data recipient (Art. 12(1)). - For statutory data-sharing obligations arising under other Union or national law, Chapter III applies only where that law enters into force after 12 September 2025 (Art. 50). - Covers fair and non-discriminatory terms (Article 8), compensation (Article 9), disputes (Article 10), technical protection measures (Article 11), and when Chapter III applies (Article 12). - -> Unfair terms in B2B data contracts ### CHAPTER IV: Unfair terms in B2B data contracts - Applies if you have a B2B contract governing access to or use of data and face terms imposed unilaterally. - Explains which unfair terms are not binding (Article 13). - -> Exceptional need requests from public sector bodies (B2G) ### CHAPTER V: Exceptional need requests from public sector bodies (B2G) - Applies if you issue or receive requests for data due to exceptional need by public sector bodies, or respond to such requests as a data holder. - Covers when requests are allowed (Articles 14 to 16), request requirements (Article 17), response and handling duties (Articles 18 and 19), and related rules (Articles 20 to 22). - -> Switching between data processing services (cloud switching) ### CHAPTER VI: Switching between data processing services (cloud switching) - Applies if you provide data processing services to customers in the Union or if you are a customer switching between providers or to on-premises infrastructure. - Covers contract clauses, portability, technical interfaces, and phase-out of switching charges (Articles 23 to 31). - -> Safeguards against unlawful third-country access ### CHAPTER VII: Safeguards against unlawful third-country access - Applies if you are a provider of data processing services providing services to customers in the Union, for non-personal data held in the Union (Art. 1(3)(f), Art. 32). - Covers safeguards against unlawful third-country access requests that conflict with Union or Member State law (Article 32). - -> Interoperability and smart contracts ### CHAPTER VIII: Interoperability and smart contracts - Applies if you participate in data spaces or deploy smart contracts for data sharing agreements in the relevant context. - Covers interoperability requirements (Articles 33 to 35) and smart contract requirements (Article 36). - -> Authorities, remedies, penalties, and dates ### ENFORCEMENT: Authorities, remedies, penalties, and dates - Covers competent authorities and complaints (Article 37), penalties (Article 40), model terms (Article 41), and application dates (Article 50). - Use this section to plan implementation and contract updates. - -> Data Act Compliance Checklist ## Reference Information ### Scope and precedence - Confirm whether the Data Act applies to your roles and scenario. - Check how it interacts with other laws and voluntary sharing. ### Key definitions - Map your products and services to the Regulation's definitions. - Identify roles such as user, data holder, and data recipient. ### What data is covered - Understand what data is in scope for Chapter II and what is excluded. - Pay attention to readily available data and metadata concepts. ### Exemption check - Check whether the Chapter II exemption for micro and small enterprises applies. ### Article 3: access by design and transparency - Design for user access to in-scope data and provide required pre-contract information. ### Article 4: user access and data holder duties - User access rights, data holder duties, and security-based restrictions. ### Trade secret safeguards - Measures for protecting trade secrets during access and sharing. - Rules on withholding, suspension, or refusal where applicable. ### Article 5: user sharing to third parties - Core sharing rule plus verification, data protection, and trade secret safeguards. ### Article 6: third party duties - Obligations and use limits for third parties after receiving data. ### When Chapter V applies - Exceptional need scenarios and who can request data. ### Request requirements (Article 17) - Required content, proportionality, and formalities. - Publication, routing, and penalties information tied to the request. ### Response and handling duties - How data holders respond and the deadlines and refusal grounds. - How requesting bodies must use, protect, and erase the data. ### Sharing limits and onward sharing - No reuse rules and conditions for onward sharing, including research and statistics. ### Coordination and cross-border - Cross-border cooperation and where disputes are handled. ### Definitions for switching - Key terms for switching, exportable data, and charges. ### Contract clauses for switching (Article 25) - Minimum clauses, timelines, customer choices, and retrieval and erasure. ### Information duties and transparency - Registers and procedures that support switching and transparency on international access. ### Switching charges phase-out (Article 29) - Reduced charges period then prohibition for the switching process. ### Technical interfaces, standards, limits - Portability interfaces, standards timing, limits, and exemptions. ### Authorities and governance - Competent authorities, data coordinators, legal representative duties, and governance. ### Complaints and remedies - Complaint handling and judicial remedies. ### Penalties and model terms - Penalties framework plus non-binding model contractual terms and cloud clauses. ### Interaction with other EU law - How the Data Act interacts with other Union data access laws and consumer enforcement. ### Dates and timeline - Entry into force, application dates, and key deadlines. ### Who and What the Data Act Covers - Applies to manufacturers of connected products placed on the EU market and providers of related services, regardless of place of establishment (Art. 1(3)(a)) - Applies to users in the Union of those products or services (Art. 1(3)(b)) - Applies to data holders making data available to data recipients in the Union, and to those data recipients (Art. 1(3)(c)-(d)) - Applies to public sector bodies, the Commission, the ECB, and Union bodies requesting data on exceptional need, and to data holders responding (Art. 1(3)(e)) - Applies to providers of data processing services providing to customers in the Union, regardless of place of establishment (Art. 1(3)(f)) - Also applies to participants in data spaces and certain smart contract actors in scope contexts (Art. 1(3)(g)) ### Precedence and Voluntary Data Sharing - Without prejudice to EU and national data protection, privacy and communications confidentiality rules, including GDPR and ePrivacy; in a conflict, the relevant data protection or privacy rules prevail (Art. 1(5)) - Does not apply to or pre-empt voluntary arrangements for data sharing between private and public entities (Art. 1(6)) - Does not affect Member State competences on public security, defence, national security, customs and tax administration, or health and safety of citizens (Art. 1(6)) ### Connected Products and Related Services - Connected product: obtains, generates or collects data about its use or environment, can communicate product data, and its primary function is not storing, processing or transmitting data on behalf of parties other than the user (Art. 2(5)) - Related service: digital service linked to product functionality, where absence would prevent one or more product functions, or later connected to add to, update or adapt product functions (Art. 2(6)) - References to connected products or related services include virtual assistants insofar as they interact with a connected product or related service (Art. 1(4)) - Connected products fall within scope, with the exception of prototypes (Recital 14) ### Actors and Roles - User: owns a connected product, has temporary rights to use it, or receives related services (Art. 2(12)) - Data holder: has a right or obligation to use and make available data, including product data or related service data where contractually agreed (Art. 2(13)) - Data recipient: business recipient other than the user, including a third party following a user request (Art. 2(14)) - Third party is not a separate defined term in Article 2. A third party may be a natural or legal person such as a consumer, enterprise, research organisation, not-for-profit organisation, or another professional entity. When receiving data at a user's request, a third party may also be a data recipient (Recital 33). - Processors under GDPR are not considered data holders, but can be tasked with making data available by the controller (Recital 22) ### Data Types and Availability - Product data: data generated by use of a connected product that the manufacturer designed to be retrievable by a user, data holder or third party (Art. 2(15)) - Related service data: digitisation of user actions or events related to the connected product during the provision of a related service (Art. 2(16)) - Readily available data: product data and related service data obtainable without disproportionate effort beyond a simple operation (Art. 2(17)) - Readily available data does not include data that is not stored or transmitted outside the component or product where it is generated, and the Data Act does not impose an obligation to store data centrally (Recital 20) ### Cloud Switching Terms - Data processing service: on-demand access to configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature (Art. 2(8)) - Same service type: services sharing the same primary objective, service model and main functionalities (Art. 2(9)) - Customer: person with a contract with a provider of data processing services to use one or more such services (Art. 2(30)) - Digital assets: elements in digital form, including applications, for which the customer has a right of use independent of the source provider contract (Art. 2(32)) - Switching: customer changes provider or moves on-premises, including extracting, transforming and uploading data (Art. 2(34)) - Exportable data: customer input and output data, including metadata, generated or cogenerated by use of the service, excluding providers' or third parties' IP-protected assets or trade secrets (Art. 2(38)) ### Switching and Charges Definitions - On-premises ICT infrastructure: ICT infrastructure and computing resources owned, rented or leased by the customer, located in the customer's data centre, operated by the customer or a third party (Art. 2(33)) - Data egress charges: data transfer fees charged for extracting data through the network from a provider to another provider or to on-premises infrastructure (Art. 2(35)) - Switching charges: charges other than standard service fees or early termination penalties imposed for the actions mandated by the Data Act for switching, including data egress charges (Art. 2(36)) - Functional equivalence: re-establishing a minimum level of functionality in the new environment using the customer's exportable data and digital assets, with materially comparable outcomes for shared features (Art. 2(37)) ### What Data Is in Scope - Chapter II covers data, except content, concerning the performance, use and environment of connected products and related services (Art. 1(2)(a)) - Includes product data and related service data as defined (Art. 2(15)-(16)) - Includes raw and pre-processed data plus relevant metadata, but not data cleaning or transformation requiring substantial investments (Recital 15) - Does not include inferred or derived data produced through additional investments, such as proprietary, complex algorithms, unless otherwise agreed (Recital 15) - Content and data generated from recording, transmitting, displaying, or playing content are not covered, and data processed on behalf of parties other than the user is not covered (Recital 16) ### Micro and Small Enterprise Exemption - Chapter II obligations do not apply to data generated through use of connected products manufactured or designed, or related services provided, by a microenterprise or small enterprise (Art. 7(1)) - The exemption does not apply where the enterprise has a non-SME partner or linked enterprise, or where it is subcontracted to manufacture, design, or provide the product or service (Art. 7(1)) - Transitional: applies to an enterprise that has been medium-sized for less than one year, and to connected products for one year after placement on the market by that enterprise (Art. 7(1)) - Contract terms undermining user rights under Chapter II are not binding on the user (Art. 7(2)) ### Access by design checklist (Article 3) - By default, make product data, related service data and necessary metadata easily accessible, secure and free of charge (Art. 3(1)) - Provide data in a comprehensive, structured, commonly used and machine-readable format, and where relevant and technically feasible, make it directly accessible to the user (Art. 3(1)) - The Article 3(1) design obligation applies to connected products and services related to them placed on the market after 12 September 2026 (Art. 50) ### Pre-Contract Transparency (Article 3(2)-(3)) - Before purchase, rent or lease: disclose data type, format, estimated volume, and whether generation is continuous and in real time (Art. 3(2)(a)-(b)) - Also disclose storage location and retention, and how the user can access, retrieve or erase data including technical means, terms and quality of service (Art. 3(2)(c)-(d)) - Before a related service contract: provide data nature, estimated volume and collection frequency, and how to access, retrieve or erase data (Art. 3(3)(a)-(b)) - Also disclose intended use, third party sharing, identities and contacts, complaint rights, trade secret holder details, and contract duration and termination (Art. 3(3)(c)-(i)) ### User access and data holder duties (Article 4) - If data cannot be directly accessed by the user, make readily available data and necessary metadata accessible without undue delay, of the same quality as available to the data holder, easily, securely and free of charge (Art. 4(1)) - Provide the data in a comprehensive, structured, commonly used and machine-readable format, and where relevant and technically feasible, continuously and in real time (Art. 4(1)) - Provide access on the basis of a simple request, through electronic means where technically feasible (Art. 4(1)) - Do not make exercising rights unduly difficult, including via non-neutral user interface design (Art. 4(4)) - Verify whether a person qualifies as a user using only necessary information, and keep access-related information only as needed for execution, security and maintenance (Art. 4(5)) ### Security-Based Restrictions and Authority Notification (Art. 4(2)) - If a data holder refuses to share data based on this security restriction, it must notify the competent authority (Art. 4(2), Art. 37) - Users and data holders may contractually restrict or prohibit accessing, using or further sharing data to protect connected product security requirements under Union or national law (Art. 4(2)) - Such restrictions apply only where access or sharing would result in a serious adverse effect on the health, safety or security of natural persons (Art. 4(2)) - Sectoral authorities may provide users and data holders with technical expertise in that context (Art. 4(2)) - Users can challenge a data holder's security-based refusal through a complaint or dispute settlement (Art. 4(3), Art. 10(1)) ### Limits on Data Holder Use and Disclosure - Non-personal readily available data may be used by a data holder only on the basis of a contract with the user (Art. 4(13)) - A data holder must not use such data to derive insights about the user's economic situation, assets and production methods, or use by the user, in a way that could undermine the user's commercial position (Art. 4(13)) - Data holders shall not make available non-personal product data to third parties for commercial or non-commercial purposes other than the fulfilment of their contract with the user, and where relevant, shall contractually bind third parties not to further share data received from them (Art. 4(14)) ### Trade Secret Safeguards (User Access) - Trade secrets can be shared only where the data holder and the user take necessary measures to preserve confidentiality, especially regarding third-party access (Art. 4(6)) - Identify trade secret data in metadata (Art. 4(6)) - Agree proportionate technical and organisational measures with the user, such as confidentiality agreements, strict access protocols, technical standards and codes of conduct (Art. 4(6)) ### Withholding or Refusing Trade Secret Data - If measures are not agreed, not implemented, or confidentiality is undermined, the data holder may withhold or suspend sharing, must provide a substantiated written decision, and must notify the competent authority (Art. 4(7), Art. 37) - In exceptional circumstances, a trade secret holder may refuse a request case by case if serious economic damage is highly likely despite measures, must provide a substantiated written decision, and must notify the competent authority (Art. 4(8), Art. 37) - Users can challenge refusal, withholding or suspension via a complaint or a dispute settlement body (Art. 4(9), Art. 10(1)) ### User Restrictions When Using Data - Do not use data obtained under Art. 4(1) to develop a competing connected product, and do not share data with that intent (Art. 4(10)) - Do not use data to derive insights about the economic situation, assets, and production methods of the manufacturer or data holder (Art. 4(10)) - Do not use coercive means or abuse gaps in the data holder's technical infrastructure to obtain access (Art. 4(11)) - Where the user is not the data subject, personal data can be made available only with a valid GDPR legal basis and relevant ePrivacy conditions (Art. 4(12)) ### Sharing Data With Third Parties (Core Rules) - On user request, make readily available data and relevant metadata available to a third party without undue delay, of the same quality as available to the data holder, easily, securely and free of charge to the user (Art. 5(1)) - Provide the data in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real time (Art. 5(1)) - Provide data to the third party in accordance with the arrangements and compensation rules in Articles 8 and 9 (Art. 5(1)) - Testing exception: paragraph 1 does not apply to readily available data generated during testing of new connected products, substances or processes not yet placed on the market, unless contractually permitted (Art. 5(2)) - DMA gatekeepers are not eligible third parties and cannot solicit, incentivise or receive data through the Art. 5 routes (Art. 5(3)) ### Third-Party Sharing: Verification and Access Integrity - For verification, the user or third party must not be required to provide more information than necessary (Art. 5(4)) - Data holders must not keep third-party access information beyond what is necessary for execution, security and maintenance of the data infrastructure (Art. 5(4)) - Third parties must not use coercive means or abuse gaps in a data holder's technical infrastructure to obtain access (Art. 5(5)) ### Third-Party Sharing: Data Protection and Use Limits - Data holders must not use the data to derive insights about the third party's economic situation, assets and production methods, or use, in any manner that could undermine the third party's commercial position (Art. 5(6)) - Exception: allowed only where the third party permits it and can easily withdraw permission at any time (Art. 5(6)) - Where the user is not the data subject, personal data can be made available to the third party only with a valid GDPR legal basis and relevant ePrivacy conditions (Art. 5(7)) - Failure to agree arrangements for transmitting the data must not hinder the rights of data subjects under GDPR, including data portability (Art. 5(8)) - The Art. 5 right to share data must not adversely affect data subjects' rights under applicable data protection law (Art. 5(13)) ### Sharing Data With Third Parties (Trade Secrets and Disputes) - Trade secrets may be disclosed to third parties only to the extent strictly necessary for the purpose agreed between the user and the third party, and proportionate confidentiality measures must be agreed (Art. 5(9)) - If measures are not agreed, not implemented, or confidentiality is undermined, the data holder may withhold or suspend sharing of trade secret data, must provide a substantiated written decision, and must notify the competent authority (Art. 5(10)) - In exceptional circumstances, a trade secret holder may refuse a request case by case if serious economic damage is highly likely despite measures, and must notify the competent authority (Art. 5(11)) - Third parties can challenge withholding, suspension or refusal via a complaint or a dispute settlement body (Art. 5(12), Art. 10(1)) ### Third Party Duties After Receiving Data - Process data only for the purposes and conditions agreed with the user and comply with data protection law, and erase data when no longer needed unless otherwise agreed for non-personal data (Art. 6(1)) - Do not manipulate the user's choices or rights, including through user interface design (Art. 6(2)(a)) - Do not profile using the data unless necessary to provide the service requested by the user (Art. 6(2)(b)) - Do not pass data to another third party unless contractually agreed with the user and trade secret measures are preserved, and do not make data available to DMA gatekeepers (Art. 6(2)(c)-(d)) - Do not use data to build competing products, derive insights about the data holder, or harm the security of the connected product or related service (Art. 6(2)(e)-(f)) - Maintain agreed trade secret measures and do not prevent consumers from sharing the data onward (Art. 6(2)(g)-(h)) ### When Chapter III Applies (B2B Data Sharing) - Chapter III applies where, in B2B relations, a data holder is obliged under Article 5 or other applicable Union or national law to make data available to a data recipient (Art. 12(1)) - A term that excludes, derogates from, or varies the effect of Chapter III to the detriment of a party, or where applicable the user, is not binding (Art. 12(2)) ### Fair and non-discriminatory terms (Article 8) - Agree arrangements for making data available and provide it under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner (Art. 8(1)) - Unfair contractual terms under Article 13 are not binding, and terms undermining user rights under Chapter II are not binding (Art. 8(2)) - Do not discriminate between comparable categories of data recipients, and provide information showing no discrimination upon a reasoned request (Art. 8(3)) - Do not provide data on an exclusive basis unless requested by the user under Chapter II (Art. 8(4)) - Do not require more information than necessary to verify compliance with agreed terms or legal obligations (Art. 8(5)) - Trade secrets do not need to be disclosed, unless Union or national law provides otherwise, including the safeguards in Art. 4(6) and Art. 5(9) (Art. 8(6)) ### Compensation rules and calculation basis (Article 9) - Compensation must be non-discriminatory and reasonable and may include a margin (Art. 9(1)) - Consider costs of making data available and relevant investments in collection and production (Art. 9(2)) - Compensation may depend on volume, format and nature of the data (Art. 9(3)) - For SME data recipients and not-for-profit research organisations without larger partners, compensation must not exceed the costs of making the data available (Art. 9(4)) - Commission shall adopt guidelines on the calculation of reasonable compensation, taking into account EDIB advice (Art. 9(5), Art. 42) - Data holder shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail (Art. 9(7)) ### Dispute Settlement Bodies - Users, data holders and data recipients must have access to certified dispute settlement bodies for disputes under Art. 4(3) and Art. 4(9), Art. 5(12), and disputes about fair, reasonable and non-discriminatory and transparent data sharing (Art. 10(1)) - Customers and cloud providers must have access for disputes about rights and obligations under Articles 23 to 31 (Art. 10(4)) - Decisions must be adopted within 90 days of receipt of the request (Art. 10(9)) - Decisions are binding only where the parties explicitly consented to binding nature before the proceedings (Art. 10(12)) ### Technical protection measures and remedies (Article 11) - Data holders may apply technical protection measures, including smart contracts and encryption, to prevent unauthorised access and to ensure compliance (Art. 11(1)) - Measures must not discriminate between data recipients or hinder lawful user and third-party rights to access, retrieve, use, or share data (Art. 11(1)) - Users, third parties and data recipients must not alter or remove protection measures unless agreed by the data holder (Art. 11(1)) - Where a third party or data recipient falls within the circumstances in Art. 11(3), it must comply without undue delay with requests to erase copies, stop infringing goods or services where proportionate, inform users, and compensate harmed parties (Art. 11(2)-(3)) - Similar remedies can apply where users undermine protection measures, and users may have comparable rights where a data recipient infringes certain third-party limits (Art. 11(4)-(5)) ### Unfair Contractual Terms (B2B): Core Rules - Unilaterally imposed terms about data access and use, or liability and remedies for breach or termination of data obligations, are not binding if unfair (Art. 13(1)) - Terms reflecting mandatory Union law, or terms that would apply absent contractual regulation, are not considered unfair (Art. 13(2)) - A term is unfair if it grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing (Art. 13(3)) - Burden of proof is on the party supplying the term to show it was not unilaterally imposed (Art. 13(6)) - If an unfair term is severable, the remaining terms of the contract stay binding (Art. 13(7)) - Cannot exclude or derogate from Article 13, and it does not apply to main subject matter or adequacy of price (Art. 13(8)-(9)) ### Unfair term examples (Article 13) - Always unfair: excluding liability for intentional acts or gross negligence, excluding remedies, or giving exclusive right to determine conformity or interpret terms (Art. 13(4)) - Presumed unfair: limiting remedies or extending liability, allowing data access or use significantly detrimental to legitimate interests, or preventing the other party from using its data (Art. 13(5)(a)-(c)) - Also presumed unfair: blocking reasonable termination, preventing copies, unreasonably short notice termination, or unilateral changes to price or substantive data-sharing conditions without valid reason and a termination right (Art. 13(5)(d)-(g)) ### Exceptional Need Overview - In exceptional need, legal-person data holders, other than public sector bodies, must provide requested data and relevant metadata upon a duly reasoned request (Art. 14) - Public emergency: exceptional need exists when the requester cannot obtain the data by alternative means in time and effectively under equivalent conditions (Art. 15(1)(a)) - Non-emergency exceptional need covers non-personal data only and requires a specific public-interest task explicitly provided for by law (Art. 15(1)(b)(i)) - Requester must have exhausted other means, including market purchase and relying on existing obligations or new legislation (Art. 15(1)(b)(ii)) - Non-emergency exceptional need does not apply to microenterprises and small enterprises (Art. 15(2)) - For official statistics, no duty to show inability to purchase where national law does not allow purchase (Art. 15(3)) - Chapter V does not affect reporting, access-to-information, or compliance verification obligations under Union or national law (Art. 16(1)) ### Request Content (Article 17(1)) - Specify the data and relevant metadata, justify the choice of data holder, and state the legal provision allocating the public-interest task (Art. 17(1)(a), Art. 17(1)(e), Art. 17(1)(h)) - Demonstrate exceptional need, explain purpose, intended use and duration, and identify other bodies and third parties expected to receive the data (Art. 17(1)(b)-(c), Art. 17(1)(f)) - Where personal data is requested, specify the safeguards and explain how the processing addresses the exceptional need (Art. 17(1)(c), Art. 17(1)(g)) - Specify, if possible, when the data are expected to be erased by all parties with access to them (Art. 17(1)(d)) - Set the deadline for making data available and the deadline for the data holder to decline or seek modification (Art. 17(1)(i), Art. 18(2)) - Make best efforts to avoid the request resulting in data holder liability for infringement of Union or national law (Art. 17(1)(j)) ### Request Formalities and Proportionality (Article 17(2)(a)-(e)) - Request must be in writing and in clear, concise and plain language understandable to the data holder (Art. 17(2)(a)) - Request must be specific and correspond to data the data holder controls, and be proportionate in granularity, volume and access frequency (Art. 17(2)(b)-(c)) - Request must respect legitimate aims of the data holder, commit to trade secret protection, and account for the cost and effort required (Art. 17(2)(d), Art. 19(3)) - Request must concern non-personal data, and only if insufficient, request personal data in pseudonymised form and set the protective measures to be taken (Art. 17(2)(e)) ### Request Routing, Publication, and Penalties (Article 17(2)(f)-(i)) - Request must inform the data holder of penalties for non-compliance (Art. 17(2)(f), Art. 40) - Public body requests are transmitted to the data coordinator for publication unless publication would create a public security risk, and Commission, ECB and Union body requests are published online (Art. 17(2)(g)-(h)) - Where personal data are requested, notify the GDPR supervisory authority, and the ECB and Union bodies inform the Commission of their requests (Art. 17(2)(i)) ### No Reuse and Limited Sharing (Article 17(3)-(4)) - Do not make Chapter V data available for reuse under the Data Governance Act or the Open Data Directive, and those instruments do not apply to Chapter V data held by public sector bodies (Art. 17(3)) - Exchange with other public sector bodies, the Commission, the ECB or Union bodies is allowed for completing the Art. 15 tasks, as specified in the request (Art. 17(4)) - Data may be made available to a third party for delegated technical inspections or other functions under a publicly available agreement, and Article 19 safeguards also apply to that third party (Art. 17(4), Art. 19) - Notify the data holder without undue delay when data is transmitted or made available under Article 17(4) (Art. 17(4)) ### Complaints and Model Template (Article 17(5)-(6)) - If the data holder considers its rights under Chapter V were infringed by transmission or making data available of data, it may lodge a complaint with the competent authority (Art. 17(5)) - The Commission will develop a model template for requests (Art. 17(6)) ### Data Holder Response - Data holders must provide data without undue delay, considering technical, organisational and legal measures (Art. 18(1)) - Data holders may decline or seek modification within 5 working days for public emergency requests and within 30 working days for other cases (Art. 18(2)) - Refusal grounds include not controlling the data, prior similar request without erasure notification, or non-compliant requests under Art. 17(1)-(2) (Art. 18(2)(a)-(c)) - If declining based on a prior request for the same purpose, indicate the identity of the earlier requesting body (Art. 18(3)) - Where personal data is included, properly anonymise unless disclosure is necessary, then pseudonymise (Art. 18(4)) - Disputes about refusal or the request are referred to the competent authority of the Member State where the data holder is established (Art. 18(5)) ### Public Sector Duties After Receiving Data - Use data only for the stated purpose, implement confidentiality and security measures, and erase when no longer necessary and notify relevant parties, unless archiving is required by transparency law (Art. 19(1)) - Do not use data or insights to develop or enhance competing connected products or related services, and do not share data for that purpose (Art. 19(2)) - Trade secret disclosure is limited to what is strictly necessary, and requesting bodies must take appropriate measures to preserve confidentiality (Art. 19(3)) - Requesting body is responsible for the security of the data it receives (Art. 19(4)) ### Compensation Rules - Public emergency data is provided free of charge by data holders other than micro and small enterprises, and public acknowledgement may be required if requested (Art. 20(1)) - For non-emergency exceptional need, data holders are entitled to fair compensation covering costs and a reasonable margin, and on request provide the basis for the calculation (Art. 20(2)) - Micro and small enterprises may claim compensation under the non-emergency route (Art. 20(3)) - No compensation is due for official statistics where purchasing data is not allowed by national law, and Member States notify the Commission where purchase is not allowed (Art. 20(4)) - Disputes about compensation can be brought to the competent authority (Art. 20(5)) ### Sharing With Researchers and Statistical Bodies (Article 21) - Requesting bodies may share Chapter V data for compatible scientific research or analytics, and with national statistical institutes and Eurostat for official statistics (Art. 21(1)) - Recipients must act not-for-profit or under a public-interest mission recognised in law, and must not be significantly influenced by commercial undertakings likely to lead to preferential access to results (Art. 21(2)) - Recipients must follow the no reuse rule and the Article 19 obligations (Art. 21(3), Art. 17(3), Art. 19) - Recipients may keep the data for up to six months after erasure by the requesting body (Art. 21(4)) - Before sharing, notify the data holder with identity, purpose, usage period, and measures taken, and the data holder may complain if it disagrees (Art. 21(5)) ### Cross-Border Cooperation (Article 22) - Public sector bodies, the Commission, the ECB and Union bodies cooperate and assist one another to apply Chapter V consistently (Art. 22(1)-(2)) - Before requesting data from a data holder in another Member State, notify the competent authority in the data holder's Member State, and that authority examines the request (Art. 22(3)) - After examination, the authority transmits the request and may advise cooperation to reduce burden, or rejects the request on substantiated grounds (Art. 22(4)) - Requester takes into account the authority's advice and grounds before further action, including resubmission (Art. 22(4)) ### Removing Obstacles and Scope - Do not impose and remove pre-commercial, commercial, technical, contractual and organisational obstacles that inhibit switching, porting, functional equivalence, and unbundling where feasible (Art. 23) - Obstacles include contract termination after notice and successful switching, porting exportable data and digital assets including after free-tier, achieving functional equivalence, and unbundling where feasible (Art. 23(a)-(e)) - Provider responsibilities apply only to the services, contracts and commercial practices of the source provider (Art. 24) ### Contract: Switching Process Minimum Clauses (Article 25) - Switching rights and obligations must be in a written contract provided before signing, in a form that can be stored and reproduced (Art. 25(1)) - Contract must allow switching or porting without undue delay and no later than the 30 calendar day transitional period after the notice period (Art. 25(2)(a)) - During the transitional period: provide reasonable assistance and maintain continuity (Art. 25(2)(a)(i)-(ii)) - Also: inform known continuity risks and maintain a high level of security during transfer and retrieval (Art. 25(2)(a)(iii)-(iv)) - Contract must support the customer's exit strategy, including by providing all relevant information (Art. 25(2)(b)) - Contract must specify termination and customer notification after successful switching, or after the notice period if the customer chooses erasure (Art. 25(2)(c)) - Maximum notice period to initiate switching must not exceed two months (Art. 25(2)(d)) ### Contract: Data Scope, Retrieval, Erasure, Charges (Article 25) - Contract must specify all categories of data and digital assets that can be ported, including at minimum all exportable data (Art. 25(2)(e)) - Provider may exempt internal-functioning data categories where trade secret breach risk exists, but exemptions must not impede or delay switching (Art. 25(2)(f), Art. 23) - Provide a minimum retrieval period of at least 30 calendar days after the transitional period, and guarantee full erasure after the retrieval period or an alternative agreed later period once switching is completed (Art. 25(2)(g)-(h)) - Contract must state any switching charges that may be imposed under Article 29 (Art. 25(2)(i)) ### Customer Choices and Transitional Period Extensions (Article 25(3)-(5)) - At the end of the maximum notice period, customer may choose: switch to another provider, switch to on-premises, or erase its exportable data and digital assets (Art. 25(3)) - If the 30-day transitional period is technically unfeasible, notify the customer within 14 working days, justify, and propose an alternative transitional period up to seven months, with continuity ensured (Art. 25(4)) - Customer has the right to extend the transitional period once, for a period it considers more appropriate (Art. 25(5)) ### Information and Cooperation - Provide procedures for switching and porting, including methods, formats, restrictions and known technical limitations (Art. 26(a)) - Provide an up-to-date online register listing data structures, formats, relevant standards and open interoperability specifications for exportable data (Art. 26(b)) - All parties, including destination providers, must cooperate in good faith to make switching effective and maintain continuity (Art. 27) ### Transparency on International Access and Contract Listing (Art. 28) - Contracts must list the websites where the Article 28(1) information is published (Art. 28(2)) - Publish the jurisdiction governing the ICT infrastructure used for processing each service (Art. 28(1)(a)) - Publish a general description of measures to prevent third-country governmental access or transfer of non-personal data held in the Union where it would conflict with Union or Member State law (Art. 28(1)(b)) - Keep those websites up to date and aligned with the service as operated (Art. 28(1)-(2)) ### Switching charges and data egress charges (Article 29) - From 12 January 2027, providers must not impose any switching charges on the customer for the switching process (Art. 29(1)) - Between 11 January 2024 and 12 January 2027, providers may impose reduced switching charges, limited to costs directly linked to the switching process (Art. 29(2)-(3)) - Before contract, disclose standard service fees, early termination penalties, and any reduced switching charges that might apply (Art. 29(4)) - Provide information on highly complex or costly switching scenarios, or where switching is impossible without significant interference (Art. 29(5)-(6)) - Commission may establish a monitoring mechanism for switching charges via delegated acts (Art. 29(7)) - Competent authorities are tasked with ensuring that switching charges are withdrawn when required (Art. 37(5)(i), Art. 29) - Technical compatibility obligations can start at least 12 months after references to standards or common specifications are published in the central Union standards repository (Art. 30(3), Art. 35(8)) ### Technical Switching Interfaces - Infrastructure-only services must take reasonable measures to help customers achieve functional equivalence after switching and provide capabilities, information, support and tools (Art. 30(1)) - Other services must provide open interfaces free of charge and equally to customers and destination providers, with sufficient information for portability and interoperability (Art. 30(2)) ### Standards and Export Requirements (Article 30(3)-(5)) - Ensure compatibility with common specifications or harmonised standards at least 12 months after references are published in the central Union standards repository (Art. 30(3), Art. 35(8)) - Update the online register to reflect those standards or common specifications (Art. 30(4), Art. 26(b)) - If no standards or common specifications are published for a service type, export all exportable data in a structured, commonly used and machine-readable format on customer request (Art. 30(5)) ### Limits and Exemptions (Article 30(6), Article 31) - No obligation to develop new technologies or services, or disclose or transfer digital assets protected by intellectual property rights or constituting a trade secret, or compromise security and integrity of service (Art. 30(6)) - Custom-built services not offered at broad commercial scale and non-production test versions are exempt from certain Chapter VI obligations (Art. 31(1)-(2)) - Before contract, inform prospective customers which Chapter VI obligations do not apply for services under Article 31 (Art. 31(3)) ### International Governmental Access and Transfer - Take adequate technical, organisational and legal measures to prevent third-country governmental access or transfer of non-personal data held in the Union where it would conflict with Union or Member State law (Art. 32(1)) - Third-country decisions requiring access or transfer are enforceable only when based on an international agreement such as a mutual legal assistance treaty (Art. 32(2)) - Without an international agreement, access or transfer can occur only under specific conditions covering proportionality, judicial review, and consideration of EU legal interests (Art. 32(3)) - If conditions apply, provide the minimum data permissible and inform the customer before complying, except for justified law enforcement secrecy (Art. 32(4)-(5)) ### Opinion, One-Month Rule, and EDIB Guidelines - The addressee may ask the opinion of the relevant national body or authority for international legal cooperation to assess whether the Article 32(3) conditions are met (Art. 32(3)) - Do this especially where the request involves trade secrets, commercially sensitive data, intellectual property rights, or re-identification risks (Art. 32(3)) - That national body or authority may consult the Commission (Art. 32(3)) - If the addressee considers the request may affect Union or Member State national security or defence interests, it shall request an opinion on whether the data requested concerns such interests (Art. 32(3)) - If no reply is received within one month, or if the opinion concludes the conditions are not met, the addressee may reject the request for transfer or access on those grounds (Art. 32(3)) - The EDIB shall advise and assist the Commission in developing guidelines on assessing whether the Article 32(3) conditions are met (Art. 32(3), Art. 42) ### Data Spaces Interoperability Requirements - Describe dataset content, use restrictions, licences, collection methodology, data quality and uncertainty to enable find, access and use, and where applicable in machine-readable format (Art. 33(1)(a)) - Describe data structures, formats, vocabularies, classification schemes, taxonomies and code lists in a publicly available and consistent manner (Art. 33(1)(b)) - Describe APIs and other technical access means, terms of use, and quality of service to enable automated access and transmission, including real-time where feasible (Art. 33(1)(c)) - Where applicable, provide means enabling interoperability of tools automating data sharing agreements, including smart contracts (Art. 33(1)(d)) ### Data Space Standards and Common Specifications - Commission may adopt delegated acts to further specify the Article 33(1) essential requirements, taking EDIB advice into account (Art. 33(2), Art. 42) - Harmonised standards and common specifications can create a presumption of conformity for the requirements they cover (Art. 33(3), Art. 33(8)) - Commission may request harmonised standards and, where standards are unavailable or insufficient, adopt common specifications by implementing acts (Art. 33(4)-(7)) - Commission may adopt guidelines on interoperable frameworks for common European data spaces (Art. 33(11)) ### Parallel Use of Data Processing Services - Switching-related requirements also apply to facilitate interoperability for the purposes of in-parallel use of data processing services (Art. 34(1)) - Providers may impose data egress charges for parallel use only to pass through egress costs, without exceeding those costs (Art. 34(2)) ### Interoperability Standards for Data Processing Services - Interoperability specs and harmonised standards should enable interoperability for the same service type, enhance portability of digital assets, and facilitate functional equivalence where feasible (Art. 35(1)) - They should not harm security and integrity and should allow technical advances and innovation (Art. 35(1)(d)-(e)) - Standards should address transport, syntactic, semantic, behavioural and policy interoperability, plus data and application portability aspects (Art. 35(2)) - Commission may request harmonised standards, adopt common specifications, and publish references in a central Union standards repository (Art. 35(4)-(5), Art. 35(8)) ### Smart Contracts for Data Sharing Agreements - Smart contracts used to execute data sharing agreements must meet essential requirements on robustness, access control, safe termination, auditability, and consistency with the executed agreement (Art. 36(1)) - Vendor or deployer must perform a conformity assessment and issue an EU declaration of conformity and is responsible for compliance (Art. 36(2)-(3)) - Harmonised standards and common specifications can create a presumption of conformity (Art. 36(4)-(6)) ### Competent Authorities and Legal Representative - Each Member State designates competent authorities for enforcement, and if more than one is designated, a data coordinator is appointed (Art. 37(1)-(2)) - GDPR supervisory authorities monitor Data Act compliance for personal data aspects, and the EDPS monitors EU institutions where relevant (Art. 37(3)) - Competent authorities handle complaints and investigations, cooperate cross-border, ensure switching charges withdrawal, and examine Chapter V requests (Art. 37(5)(b)-(j)) - Competence is the Member State where the entity is established. If the entity is established in more than one Member State, competence is the Member State of its main establishment, meaning the head office or registered office from which principal financial functions and operational control are exercised (Art. 37(10)) - Any entity falling within scope that makes connected products available or offers services in the Union, and which is not established in the Union, shall designate a legal representative in one Member State (Art. 37(11)) - The legal representative is mandated to be addressed by competent authorities in addition to or instead of the entity, and must cooperate and demonstrate compliance actions upon request (Art. 37(12)) - Such an entity is considered to be under the competence of the Member State where its legal representative is located. Until a legal representative is designated, it can be under the competence of all Member States, depending on the facts (Art. 37(13)) ### Complaints and Judicial Remedies - Natural and legal persons can lodge complaints in their Member State of habitual residence, place of work, or establishment (Art. 38(1)) - Data coordinators must provide information on how to lodge complaints, and authorities must inform complainants of progress and decisions (Art. 38(1)-(2)) - Authorities cooperate to handle complaints effectively, including via electronic information exchange, including cross-border cases (Art. 38(3)) - There is a right to an effective judicial remedy against legally binding decisions, and when authorities fail to act (Art. 39) ### Penalties - Member States set penalties for infringements and must ensure they are effective, proportionate and dissuasive (Art. 40(1)) - Penalty rules must be notified to the Commission by 12 September 2025 (Art. 40(2)) - When imposing penalties, Member States must take into account EDIB recommendations (Art. 40(3)) - Non-exhaustive penalty criteria include nature, gravity, scale and duration; mitigation or remedy actions; prior infringements; and other aggravating or mitigating factors (Art. 40(3)) - Also consider financial benefits gained or losses avoided and annual EU turnover (Art. 40(3)) - For certain infringements in Chapters II, III and V, GDPR supervisory authorities can impose administrative fines under GDPR Article 83 up to Art. 83(5) amounts (Art. 40(4)) - For certain Chapter V infringements by EU institutions, the EDPS can impose fines under Regulation (EU) 2018/1725 (Art. 40(5)) ### Model Contractual Terms and Cloud Clauses - Commission will develop and recommend non-binding model contractual terms on data access and use, including compensation and trade secret protection, before 12 September 2025 (Art. 41) - Commission will also develop and recommend non-binding standard contractual clauses for cloud computing contracts, before 12 September 2025 (Art. 41) ### Database Right Limitation - The sui generis database right does not apply when data is obtained from or generated by a connected product or related service in scope, especially for user access and third-party sharing under Articles 4 and 5 (Art. 43) ### Consumer Protection and Representative Actions - The Data Act is added to the list of laws enforceable under the Consumer Protection Cooperation Regulation (EU) 2017/2394 (Art. 47) - The Data Act is added to Annex I of Directive (EU) 2020/1828 on representative actions for the protection of consumers' collective interests (Art. 48) ### Delegated Acts and Committee Procedure - Commission delegated powers for Article 29(7) and Article 33(2) apply from 11 Jan 2024 for an indeterminate period (Art. 45(2)) - The European Parliament or the Council can revoke the delegation; delegated acts take effect only if no objection is raised within 3 months (extendable by 3 months) (Art. 45(3), Art. 45(6)) - The Commission is assisted by the Committee established by Regulation (EU) 2022/868, under Regulation (EU) No 182/2011 (Art. 46) ### European Data Innovation Board (EDIB) role (Article 42) - EDIB supports consistent application of the Data Act by advising the Commission on enforcement practice for Chapters II, III, V and VII (Art. 42(a)) - EDIB facilitates cooperation between competent authorities, including methods for cross-border information exchange and coordination on penalties (Art. 42(b)) - EDIB advises the Commission on standards requests, implementing acts, delegated acts, and data space interoperability frameworks (Art. 42(c)) ### Interaction With Other EU Data Access Laws - Specific Union acts with data access and sharing obligations that entered into force on or before 11 Jan 2024 remain unaffected, including B2B, B2C and exceptional B2G regimes (Art. 44(1)) - Sector-specific Union law may set further requirements, including technical aspects of access, limits on certain data holder rights, and rules going beyond access and use (Art. 44(2)) - Except for Chapter V, the Data Act is without prejudice to Union and national law on data access and use for scientific research purposes (Art. 44(3)) ### Entry into Force and Application Dates - Enters into force 20 days after OJ publication; OJ publication date is 22 December 2023, so entry into force is 11 January 2024 (Art. 50) - Applies from 12 September 2025 (Art. 50) - The design obligation in Article 3(1) applies to connected products and related services placed on the market after 12 September 2026 (Art. 50) - Chapter III applies in relation to statutory obligations to make data available that enter into force after 12 September 2025 (Art. 50) - Chapter IV applies to contracts concluded after 12 September 2025 (Art. 50) - From 12 September 2027, Chapter IV also applies to contracts concluded on or before 12 September 2025 that are of indefinite duration, or due to expire at least 10 years from 11 January 2024 (Art. 50) ## Possible Outcomes ### [RESULT] Out of Data Act Scope The Data Act does not apply to this scenario - None of the categories in Article 1(3) apply to your scenario, so the Data Act does not apply to you for that scenario. - If your situation changes, for example you place connected products on the Union market or provide data processing services to customers in the Union, reassess scope. ### [NEXT] Data Act Compliance Checklist Map your roles, data, and contracts, then implement the relevant chapters - Identify your roles: connected product or related service manufacturer or provider, data holder, data recipient, third party recipient, cloud provider, data space participant, or smart contract vendor or deployer - Inventory product data, related service data and metadata, and ensure you can provide readily available data in structured and machine-readable formats - Implement user access and sharing workflows, with clear safeguards for security and trade secrets - Update contracts for fair, reasonable and non-discriminatory terms, compensation, trade secret measures, and cloud switching clauses where relevant - Prepare playbooks for exceptional-need requests and for third-country access requests affecting non-personal data - Track application dates and Member State enforcement guidance ## Data Act Timeline | Date | Event | Reference | | --- | --- | --- | | 2020-02-19 | European Strategy for Data published | COM(2020) 66 | | 2022-02-23 | Commission proposal for the Data Act published | COM(2022) 68 | | 2023-06-27 | Council and Parliament reach a provisional agreement (political agreement) | Council press release | | 2023-11-09 | European Parliament position adopted | OJ L 2023/2854 note (4) | | 2023-11-27 | Council decision adopted | OJ L 2023/2854 note (4) | | 2023-12-13 | Regulation (EU) 2023/2854 dated 13 December 2023 | Reg. 2023/2854 | | 2023-12-22 | Published in the Official Journal (OJ L, 22.12.2023) | Reg. 2023/2854 | | 2024-01-11 | Enters into force (20 days after publication) | Art. 50 | | 2024-01-11 | Start of reduced switching charges period for the switching process | Art. 29(2) | | 2024-01-11 | Delegated act powers for Articles 29(7) and 33(2) begin | Art. 45(2) | | 2025-07-01 | Commission Implementing Decision on standardisation request adopted (European Trusted Data Framework) | C(2025) 4135 | | 2025-07-07 | CEN and CENELEC accept the Standardisation Request under Mandate M/614 | M/614 (CEN-CENELEC) | | 2025-09-12 | Data Act starts applying (general application date) | Art. 50 | | 2025-09-12 | Operational timing rules apply (for example user access without undue delay, B2G response windows, cloud switching contract periods) | Art. 4(1), Art. 17(1)(i), Art. 18(2), Art. 25 | | 2025-09-12 | Chapter III applies only to statutory data-sharing obligations entering into force after this date | Art. 50 | | 2025-09-12 | Chapter IV applies to contracts concluded after this date | Art. 50 | | 2025-09-12 | Deadline: Member States notify penalties rules to the Commission | Art. 40(2) | | 2025-09-12 | Deadline: Commission develops and recommends non-binding model contractual terms and non-binding standard contractual clauses for cloud contracts | Art. 41 | | 2026-03-01 | Standardisation deadline: technical specification on a data catalogue implementation framework due | C(2025) 4135 Annex I | | 2026-06-01 | Standardisation deadline: Trusted Data Transactions harmonised standards Part 1 due | C(2025) 4135 Annex I | | 2026-09-01 | Standardisation deadlines: technical specifications on semantic assets and a maturity model for Common European Data Spaces due | C(2025) 4135 Annex I | | 2026-09-12 | Article 3(1) design obligation applies to connected products and related services placed on the market after this date | Art. 50 | | 2026-11-01 | Standardisation deadline: Trusted Data Transactions harmonised standards Part 2 due | C(2025) 4135 Annex I | | 2027-01-12 | Switching charges prohibited for the switching process | Art. 29(1) | | 2027-03-01 | Standardisation deadline: European standard on a quality framework for internal data governance due | C(2025) 4135 Annex I | | 2027-05-01 | Standardisation deadline: Trusted Data Transactions harmonised standards Part 3 due | C(2025) 4135 Annex I | | 2027-09-12 | Chapter IV extends to certain contracts concluded on or before 12 Sep 2025 (indefinite duration or expiring at least 10 years from 11 Jan 2024) | Art. 50 | | 2028-09-12 | Commission evaluation due | Art. 49 | ## Compliance Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2023-11-09 | European Parliament position adopted | Legislative History | | | 2023-11-27 | Council decision adopted | Legislative History | | | 2023-12-13 | Regulation adopted (Data Act) | Legislative History | | | 2023-12-22 | Published in Official Journal | Official Publication | | | 2024-01-11 | Entry into force | Official Publication | | | 2024-01-11 | Reduced switching charges period | Cloud Switching | Art. 29(2) | | 2024-01-11 | Delegated powers conferred | Commission Deliverables | Art. 45(2) | | 2024-09-06 | Commission publishes Data Act FAQs | Commission Deliverables | | | 2025-07-01 | Commission standardisation request (European Trusted Data Framework) | Standardisation | | | 2025-07-07 | CEN and CENELEC accept the standardisation request (Mandate M/614) | Standardisation | | | 2025-09-12 | Data Act applies | Applicability | | | 2025-09-12 | Member States notify penalties rules | Member State Duties | Art. 40(2) | | 2025-09-12 | Model contractual terms and cloud clauses deadline | Commission Deliverables | Art. 41 | | 2025-09-15 | Commission guidance on vehicle data (C/2025/5026) | Commission Deliverables | | | 2025-12-16 | Commission launches Data Act legal helpdesk | Commission Deliverables | | | 2026-01-22 | Data Act FAQs updated (v1.4) | Commission Deliverables | | | 2026-03-01 | Data catalogue technical specification deadline | Standardisation | | | 2026-06-01 | Trusted data transactions standards Part 1 deadline | Standardisation | | | 2026-09-01 | European Trusted Data Framework deliverables deadline | Standardisation | | | 2026-09-12 | Connected product access-by-design obligations | Applicability | | | 2026-11-01 | Trusted data transactions standards Part 2 deadline | Standardisation | | | 2027-01-12 | Switching charges prohibited | Cloud Switching | Art. 29(1) | | 2027-03-01 | Internal data governance quality framework standard deadline | Standardisation | | | 2027-05-01 | Trusted data transactions standards Part 3 deadline | Standardisation | | | 2027-09-12 | Chapter IV extends to older contracts | Applicability | | | 2028-09-12 | Commission evaluation report deadline | Commission Deliverables | Art. 49(1) | **Event details:** - **2023-11-09 - European Parliament position adopted**: The Regulation records the European Parliament position of 9 November 2023 in the legislative history footnote. - **2023-11-27 - Council decision adopted**: The Regulation records the Council decision of 27 November 2023 in the legislative history footnote. - **2023-12-13 - Regulation adopted (Data Act)**: Regulation (EU) 2023/2854 is adopted and signed in Strasbourg. - **2023-12-22 - Published in Official Journal**: Regulation (EU) 2023/2854 is published in the Official Journal (OJ L, 2023/2854, 22.12.2023). - **2024-01-11 - Entry into force**: The Data Act enters into force on the twentieth day following publication in the Official Journal. - **2024-01-11 - Reduced switching charges period**: From 11 January 2024 to 12 January 2027, providers of data processing services may impose reduced switching charges for the switching process. - **2024-01-11 - Delegated powers conferred**: The Commission is conferred the power to adopt delegated acts for an indeterminate period of time from 11 January 2024 for specified delegated powers under the Regulation. - **2024-09-06 - Commission publishes Data Act FAQs**: The Commission publishes Frequently Asked Questions about the Data Act to support implementation. - **2025-07-01 - Commission standardisation request (European Trusted Data Framework)**: Commission Implementing Decision of 1 July 2025 issues a standardisation request to CEN, CENELEC and ETSI in support of the Data Act (C(2025) 4135 final). - **2025-07-07 - CEN and CENELEC accept the standardisation request (Mandate M/614)**: CEN and CENELEC accept the Commission standardisation request on the European Trusted Data Framework (Mandate M/614). - **2025-09-12 - Data Act applies**: The Data Act applies from 12 September 2025. - **2025-09-12 - Member States notify penalties rules**: Member States notify the Commission of penalties rules and measures by 12 September 2025. - **2025-09-12 - Model contractual terms and cloud clauses deadline**: Before 12 September 2025, the Commission develops and recommends non-binding model contractual terms on data access and use and non-binding standard contractual clauses for cloud computing contracts. - **2025-09-15 - Commission guidance on vehicle data (C/2025/5026)**: The Commission publishes guidance on vehicle data accompanying the Data Act (OJ C, 15.9.2025). - **2025-12-16 - Commission launches Data Act legal helpdesk**: The Commission launches a Data Act Legal Helpdesk to support stakeholders with practical implementation questions. - **2026-01-22 - Data Act FAQs updated (v1.4)**: The Commission updates the Data Act FAQs page and publishes FAQs Data Act version 1.4 dated 22 January 2026. - **2026-03-01 - Data catalogue technical specification deadline**: Deadline for adoption of technical specification(s) on a data catalogue implementation framework (Annex I). - **2026-06-01 - Trusted data transactions standards Part 1 deadline**: Deadline for adoption of harmonised standards on Trusted Data Transactions Part 1: terminology, concepts and mechanisms (Annex I). - **2026-09-01 - European Trusted Data Framework deliverables deadline**: Deadline for adoption of technical specification(s) on semantic assets and technical specification(s) on a maturity model for Common European Data Spaces (Annex I). - **2026-09-12 - Connected product access-by-design obligations**: The obligation resulting from Article 3(1) applies to connected products and related services placed on the market after 12 September 2026. - **2026-11-01 - Trusted data transactions standards Part 2 deadline**: Deadline for adoption of harmonised standards on Trusted Data Transactions Part 2: trustworthiness requirements (Annex I). - **2027-01-12 - Switching charges prohibited**: From 12 January 2027, providers of data processing services shall not impose any switching charges on the customer for the switching process. - **2027-03-01 - Internal data governance quality framework standard deadline**: Deadline for adoption of the European standard on a quality framework for internal data governance (Annex I). - **2027-05-01 - Trusted data transactions standards Part 3 deadline**: Deadline for adoption of harmonised standards on Trusted Data Transactions Part 3: interoperability requirements (Annex I). - **2027-09-12 - Chapter IV extends to older contracts**: Chapter IV applies from 12 September 2027 to certain contracts concluded on or before 12 September 2025 (indefinite duration or expiring at least 10 years from 11 January 2024). - **2028-09-12 - Commission evaluation report deadline**: By 12 September 2028, the Commission carries out an evaluation of the Regulation and submits a report to the European Parliament and the Council. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu-data-act-scope-decision-map