--- title: "Compliance Program" canonical_url: "https://www.sorena.io/artifacts/eu/data-act/compliance" source_url: "https://www.sorena.io/artifacts/eu/data-act/compliance" author: "Sorena AI" description: "Turn the EU Data Act into an implementation program: chapter scoping, roles and ownership, product workflows for Chapter II access." published_at: "2026-02-23" updated_at: "2026-02-23" keywords: - "EU Data Act compliance program" - "EU Data Act implementation playbook" - "Data Act compliance roadmap" - "Data Act evidence pack" - "Data Act Chapter II access workflow implementation" - "Data Act Chapter VI cloud switching compliance" - "Data Act Chapter V B2G readiness" - "EU compliance" - "data-act compliance" - "implementation playbook" - "governance" - "evidence" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Compliance Program Turn the EU Data Act into an implementation program: chapter scoping, roles and ownership, product workflows for Chapter II access. *Artifact Guide* *EU* ## EU Data Act: Fair Access to Connected Product Data and Cloud Switching Compliance Program Turn Data Act obligations into shippable work with owners, controls, and evidence. This page is a program playbook: governance, milestones, and artifacts across Chapters II-VI. EU Data Act compliance succeeds when it is run as a cross-functional delivery program: product UX for access rights, engineering for export pipelines, security for safeguards, legal/procurement for contract remediation, and finance for compensation and billing controls. The most reliable approach is evidence-first: design workflows and controls that automatically produce logs and artifacts you can use in disputes, audits, and procurement. ## 1) Program setup: scope memo, owners, and risk model (week 1-2) Start with a scope memo per product line and per contract type: which chapters apply, who the roles are, and what dataset is in scope. This prevents building portals for data you don't control. Assign owners by workstream, not by chapter: product, engineering, security, legal, procurement, finance. - Scope memo: chapter mapping (II-VI), role mapping, and dataset definition (including metadata and formats) - Ownership map: named accountable owner per workstream with escalation path - Risk model: prioritize by user volume, data sensitivity, trade secret exposure, and switching/B2G likelihood ## 2) Chapter II delivery: user access and portability as a product feature (weeks 2-8) Chapter II work is user-facing: transparency before purchase, access mechanism (direct or indirect), and secure delivery. Treat this like a product launch with security gates. Build a single request pipeline that can handle mixed personal and non-personal data safely. - Direct vs indirect access decision and UX design (identity binding, abuse prevention) - Export pipeline: dataset manifest, formats, minimisation filters, and delivery receipts - Third-party sharing workflow: recipient onboarding + security requirements + logging - Evidence: request logs, dataset manifests, delivery receipts, and security control artifacts ## 3) Contracts workstream: Chapter III sharing terms + Chapter IV unfair terms (weeks 4-10) Chapter III/IV work is contract-heavy. If you don't fix contract structure and annexes, the engineering work won't be usable in disputes. Treat unfair terms as a remediation project for click through B2B terms and platform contracts. - Clause matrix: dataset scope, purpose limits, compensation, trade secrets safeguards, security, remedies - Annexes: dataset manifest, security protocol, SLA, cost/fee schedule, audit evidence annex - Unfair terms remediation: remove red flags and document negotiation for key terms ## 4) Chapter V readiness: B2G exceptional need intake and secure disclosure (weeks 6-12) Chapter V requests are exceptional but urgent. Build the intake workflow now: validate exceptional need, check request completeness, minimise and secure the dataset, and calculate compensation where applicable. Treat each request as a case file with immutable logs. - Intake checklist: Article 15 lane (emergency vs non-emergency) + SME carve-out check - Request completeness: Article 17 fields; deadlines; safeguards (pseudonymisation/anonymisation) - Disclosure pipeline: secure transfer, access restriction, trade secret marking, deletion milestones - Compensation model: cost drivers, margin rules, and dispute handling ## 5) Chapter VI posture: cloud switching and exit as procurement-grade evidence (weeks 4-12) Chapter VI is both compliance and procurement. Providers must remove switching obstacles; customers should require proof before signing long commitments. Make switching a testable capability: contracts, an online register, public disclosures, and drills. - Contract terms: notice = 30 days; security maintained during switching - Online register: schemas/formats/standards for exportable data + known limitations - International access transparency: jurisdiction + measures description published and referenced in contracts - Charges: enforce Article 29 switching charges phase-out in billing controls - Evidence: switching runbook + drill report per service type ## 6) Operating cadence: controls, metrics, and continuous evidence You'll be judged on your ability to operate the program, not just publish a policy. Build an operating cadence that produces evidence continuously. Metrics should be operational (response time, export success rate, switching drill success), not just "policy exists". - Monthly: access request metrics, exceptions, disputes, and remediation backlog - Quarterly: schema change reviews; trade secret register review; contract template updates - Annually: switching rehearsal drills per service type; B2G tabletop exercise - Evidence automation: immutable logs, standardized case files, and snapshot-able registers *Recommended next step* *Placement: after the compliance steps* ## Turn EU Data Act: Fair Access to Connected Product Data and Cloud Switching Compliance Program into an operational assessment Assessment Autopilot can take EU Data Act: Fair Access to Connected Product Data and Cloud Switching Compliance Program from operationalizing the guidance into a tracked program to a reusable workflow inside Sorena. Teams working on EU Data Act: Fair Access to Connected Product Data and Cloud Switching can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for EU Data Act: Fair Access to Connected Product Data and Cloud Switching Compliance Program](/solutions/assessment.md): Start from EU Data Act: Fair Access to Connected Product Data and Cloud Switching Compliance Program and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through EU Data Act: Fair Access to Connected Product Data and Cloud Switching](/contact.md): Review your current process, evidence gaps, and next steps for EU Data Act: Fair Access to Connected Product Data and Cloud Switching Compliance Program. ## Primary sources - [European Commission - Data Act policy page](https://digital-strategy.ec.europa.eu/en/policies/data-act?ref=sorena.io) - Policy context and goals for the Data Act implementation program. - [European Commission - Data Act Legal Helpdesk announcement](https://digital-strategy.ec.europa.eu/en/news/commission-launches-data-act-legal-helpdesk?ref=sorena.io) - Commission support tools for practical implementation questions (including SMEs). - [Regulation (EU) 2023/2854 (Data Act) - Official Journal (ELI)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding obligations and application dates used to structure the compliance program. ## Related Topic Guides - [Access Rights and Portability | EU Data Act: Fair Access to Connected Product Data and Cloud Switching](/artifacts/eu/data-act/access-rights-and-portability.md): EU Data Act access rights and portability (Chapter II) made practical: direct vs indirect access, "readily available" data. - [Applicability Test | EU Data Act: Connected Products, B2B Data Sharing, B2G Exceptional Need, Cloud Switching](/artifacts/eu/data-act/applicability-test.md): A practical EU Data Act applicability test you can run in 15 minutes: determine if Chapter II IoT access rights apply (connected products + related services). - [B2B Data Sharing Contract Clauses | EU Data Act: Mandatory Sharing, Unfair Terms, Trade Secrets](/artifacts/eu/data-act/b2b-data-sharing-contract-clauses.md): EU Data Act contract clauses for B2B data sharing made practical: clause library for Chapter III access/use (purpose limits, compensation, security. - [B2B Data Sharing Contract Template | EU Data Act: Data Access and Use Agreement (Drafting Checklist)](/artifacts/eu/data-act/b2b-data-sharing-contract-template.md): A practical EU Data Act-aligned B2B data sharing contract template: sections, annexes, and drafting checklist for dataset definition, permitted use. - [B2G Exceptional Need Requests | EU Data Act: Public Emergency Data Requests, Safeguards, Compensation](/artifacts/eu/data-act/b2g-exceptional-need-requests.md): EU Data Act Chapter V B2G 'exceptional need' requests made practical. - [Cloud Switching and Exit Plans | EU Data Act Chapter VI: Switch Providers, Port Data, Remove Egress Barriers](/artifacts/eu/data-act/cloud-switching-and-exit-plans.md): EU Data Act Chapter VI cloud switching made practical: Article 23 obstacle removal, Article 25 required contract terms (max 2-month notice, 30-day transition. - [Cloud Switching Compliance Checklist | EU Data Act Chapter VI: Contracts, Exportable Data, Fees, Transparency](/artifacts/eu/data-act/cloud-switching-compliance-checklist.md): A detailed EU Data Act Chapter VI cloud switching compliance checklist: Article 25 contract terms (max notice period, 30-day transition, retrieval period). - [Deadlines and Compliance Calendar | EU Data Act](/artifacts/eu/data-act/deadlines-and-compliance-calendar.md): Plan EU Data Act delivery with real dates: Regulation applies from 12 Sep 2025. - [EU Data Act Checklist | Chapter II Access, B2B Sharing, Unfair Terms, B2G Requests, Cloud Switching](/artifacts/eu/data-act/checklist.md): A comprehensive EU Data Act checklist organized by roles and chapters: Chapter II connected product data access (direct vs indirect access). - [EU Data Act vs GDPR | Differences, Overlap, Portability, Lawful Basis, Implementation Playbook](/artifacts/eu/data-act/data-act-vs-gdpr.md): EU Data Act vs GDPR made practical: how Chapter II access/portability for connected product data differs from GDPR data subject rights. - [FAQ | EU Data Act Explained: Key Dates, Access Rights, Trade Secrets, B2G Requests, Cloud Switching](/artifacts/eu/data-act/faq.md): EU Data Act FAQ with practical answers grounded in official sources: when the Data Act applies (Article 50), direct vs indirect access. - [Penalties and Fines | EU Data Act Enforcement: Member State Penalties, GDPR-Linked Fines, Risk Controls](/artifacts/eu/data-act/penalties-and-fines.md): EU Data Act penalties and fines made practical: how Member States set penalties (Article 40), the criteria authorities must consider. - [Requirements | EU Data Act Obligations Explained: Chapter II Access, Chapter IV Unfair Terms, Chapter V B2G, Chapter VI Switching](/artifacts/eu/data-act/requirements.md): A structured EU Data Act requirements breakdown across Chapters II-VI: connected product data transparency and access workflows. - [Scope, Connected Products and Data Types | EU Data Act: Fair Access to Connected Product Data and Cloud Switching](/artifacts/eu/data-act/scope-connected-products-and-data-types.md): EU Data Act scope explained: connected products vs related services, product data vs related service data, readily available data. - [Trade Secrets and Protection | EU Data Act: Confidentiality Measures, Withholding Rules, Evidence Pack](/artifacts/eu/data-act/trade-secrets-and-protection.md): EU Data Act trade secrets protection made practical: how to identify trade secret fields before disclosure, how to agree confidentiality measures (NDAs. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/data-act/compliance