EU Data Act Enforcement And Competent Authorities FAQ

Each Member State must designate one or more competent authorities for Data Act application and enforcement. A Member State can create a new authority or rely on an existing public body, so companies should not assume that the same office is responsible in every country.

If a Member State designates more than one competent authority, it must designate a data coordinator from among them. The data coordinator is the national single point of contact for Data Act application questions and helps route people and businesses to the appropriate competent authority.

Natural and legal persons can lodge a complaint, individually or collectively where relevant, with the relevant competent authority if they consider that their Data Act rights have been infringed. The correct Member State is tied to the complainant's habitual residence, place of work, or establishment.

The data coordinator must, on request, provide the information needed to lodge the complaint with the appropriate competent authority. After a complaint is lodged, the competent authority must inform the complainant of the progress and the decision in accordance with national law.

No single EU penalty table is set in the Data Act. Member States set the rules on penalties for Data Act infringements and must make sure the penalties are effective, proportionate, and dissuasive.

The Data Act lists criteria for penalties, including the nature, gravity, scale, and duration of the infringement, mitigation or remediation, previous infringements, financial benefits gained or losses avoided, other aggravating or mitigating factors, and the infringing party's EU annual turnover in the preceding financial year.

Under the Data Act, certified dispute settlement bodies are a voluntary route. Users, data holders, and data recipients can use them for disputes about the Chapter II handbrakes, FRAND terms, Chapter III compensation, and Chapter VI data processing services.

A dispute settlement body decision binds the parties only if they explicitly consented to its binding nature before proceedings began. The route does not remove the right to seek an effective remedy before a Member State court or tribunal.

Data Act competent authorities do not replace GDPR supervisory authorities. Under Article 37, the authorities responsible for monitoring the GDPR are responsible for monitoring the Data Act insofar as protection of personal data is concerned.

That boundary matters when a Data Act access, sharing, or complaint file involves personal data. The GDPR authority remains responsible for checking whether the data are personal, whether a valid GDPR legal basis exists, and how the personal-data rules apply in the case.

A useful enforcement file should be narrow and factual. It should show which Data Act right or obligation is involved, which Member State authority path is relevant, whether a data coordinator should route the issue, whether dispute settlement is available, and whether GDPR or sectoral authorities have separate competence.

For complaints, refusals, penalties, or authority inquiries, keep enough evidence to reconstruct the issue without relying on chat history or unsupported assumptions.

For Data Act enforcement and competent authorities, teams should keep the source clause, any Commission guidance used, the actor role, the Member State route, and the reviewer who approved the interpretation.

Keep the cited external URL, decision date, unresolved assumptions, and implementation record together so the answer stays auditable.

For Data Act enforcement, the team should name the legal, product, procurement, cloud, support, or security owner who can change the affected process.

Use one accountable owner per action, then record consulted teams and evidence dependencies separately.

Under the Data Act, the most useful evidence is the set of documents and references that let a later reviewer see why the team chose a particular authority path or complaint route.

That usually means the source article, the Commission explainer or FAQ, the authority register entry, and the internal approval note.

Under the Data Act, review the answer when the product, service model, customer base, authority structure, or national penalty rule changes.

Also review it when the Commission updates its guidance or when a new Member State authority or data coordinator appears in the public register.

Do not treat the Data Act enforcement answer as a generic checklist without checking the actual authority, route, and legal basis.

Avoid reusing an old authority list, assuming a single EU-wide penalty scale, or copying notes that are not supported by the Data Act or Commission guidance.

Under the Data Act, competent authorities must cooperate with each other and with authorities in other Member States, sharing relevant information so a cross-border issue does not fall between national gaps. The European Data Innovation Board supports consistency, including coordinating on the approach to penalties so they remain comparable across the Union.

For a complainant, this means a matter involving providers or users in several Member States can be coordinated rather than duplicated, and the data coordinator helps route the issue to the authority with competence.