--- title: "EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates" canonical_url: "https://www.sorena.io/artifacts/eu/data-act/faq" source_url: "https://www.sorena.io/artifacts/eu/data-act/faq/items/page/10" author: "Sorena AI" description: "Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates." published_at: "2026-05-06" updated_at: "2026-05-25" keywords: - "EU Data Act FAQ" - "Data Act scope" - "connected product data" - "B2G data sharing" - "cloud switching" - "GDPR Data Act" - "EU Data Act" - "Data Act FAQ" - "Regulation (EU) 2023/2854" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates. *FAQ* *EU* *Data Act* ## EU Data Act FAQ hub Answers to the recurring EU Data Act questions that decide whether connected-product data, related-service data, B2G requests, cloud contracts, or smart-contract tooling need a compliance review. Use this index to orient product, legal, cloud, procurement, data protection, security, and public-sector request teams before opening the deeper topic modules. The EU Data Act, Regulation (EU) 2023/2854, creates horizontal rules for fair access to and use of data. Its FAQ set is not only about IoT data portability: it also covers mandatory B2B sharing terms, unfair contractual terms, public-sector access in exceptional need, cloud and edge switching, safeguards against unlawful third-country government access to non-personal data, interoperability, smart contracts, enforcement, and the boundary with GDPR. ## Browse sub-FAQ modules ### [Data Act and Data Governance Act Overlap FAQ](/artifacts/eu/data-act/faq/data-governance-act-overlap.md) FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows. - 12 items ### [Data Act and GDPR Personal Data Overlap FAQ](/artifacts/eu/data-act/faq/gdpr-personal-data-overlap.md) FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing. - 12 items ### [Data Act Audit Evidence And Request Logs FAQ](/artifacts/eu/data-act/faq/audit-evidence-and-request-logs.md) FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries. - 12 items ### [Data Act Cloud Switching Contract Terms FAQ](/artifacts/eu/data-act/faq/cloud-switching-contract-terms.md) FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records. - 12 items ### [Data Act Cloud Switching Fees And Deadlines FAQ](/artifacts/eu/data-act/faq/cloud-switching-fees-and-deadlines.md) FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records. - 12 items ### [Data Act Complaints and Dispute Settlement FAQ](/artifacts/eu/data-act/faq/complaints-and-dispute-settlement.md) FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records. - 12 items ### [Data Act Exportable Data and Metadata FAQ](/artifacts/eu/data-act/faq/exportable-data-and-metadata.md) FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded. - 12 items ### [Data Act FAQ for Aftermarket Repair and Mobility Services](/artifacts/eu/data-act/faq/aftermarket-repair-and-mobility-services.md) FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services. - 12 items ### [Data Act Functional Equivalence FAQ](/artifacts/eu/data-act/faq/functional-equivalence.md) FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence. - 12 items ### [Data Act Indirect Access Request Flows FAQ](/artifacts/eu/data-act/faq/indirect-access-request-flows.md) FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited. - 12 items ### [Data Act International Government Access FAQ](/artifacts/eu/data-act/faq/international-government-access.md) FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers. - 12 items ### [Data Act Interoperability Standards FAQ](/artifacts/eu/data-act/faq/interoperability-standards.md) FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614. - 12 items ### [Data Act Model Contractual Terms FAQ](/artifacts/eu/data-act/faq/model-contractual-terms.md) FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence. - 12 items ### [Data Act Public Emergency Requests FAQ](/artifacts/eu/data-act/faq/public-emergency-requests.md) FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records. - 12 items ### [Data Act SME Exceptions and Startups FAQ](/artifacts/eu/data-act/faq/sme-exceptions-and-startups.md) FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms. - 12 items ### [Data Act Trade Secret Technical Protection Measures FAQ](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md) FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence. - 12 items ### [EU Data Act and Common European Data Spaces FAQ](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md) FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation. - 12 items ### [EU Data Act Application Dates And Transition FAQ](/artifacts/eu/data-act/faq/application-dates-and-transition.md) FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain. - 12 items ### [EU Data Act Article 36 Smart Contract Controls FAQ](/artifacts/eu/data-act/faq/article-36-smart-contract-controls.md) FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires. - 12 items ### [EU Data Act B2B Data Sharing Compensation FAQ](/artifacts/eu/data-act/faq/compensation-for-b2b-data-sharing.md) FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards. - 12 items ### [EU Data Act B2G Compensation and Costs FAQ](/artifacts/eu/data-act/faq/b2g-compensation-and-costs.md) FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep. - 12 items ### [EU Data Act B2G Exceptional Need FAQ](/artifacts/eu/data-act/faq/b2g-exceptional-need.md) When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence. - 13 items ### [EU Data Act Cloud Switching Procurement FAQ](/artifacts/eu/data-act/faq/cloud-switching-procurement-checklist.md) Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence. - 12 items ### [EU Data Act Connected Product Scope FAQ](/artifacts/eu/data-act/faq/scope-connected-products.md) FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope. - 12 items ### [EU Data Act data spaces interoperability FAQ](/artifacts/eu/data-act/faq/data-spaces-interoperability.md) FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence. - 12 items ### [EU Data Act Direct Access by Design FAQ](/artifacts/eu/data-act/faq/direct-access-by-design.md) FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act. - 12 items ### [EU Data Act Enforcement And Competent Authorities FAQ](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md) FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible. - 12 items ### [EU Data Act Non-Emergency Public-Sector Requests FAQ](/artifacts/eu/data-act/faq/non-emergency-public-sector-requests.md) FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence. - 12 items ### [EU Data Act Non-Personal Data and Mixed Datasets FAQ](/artifacts/eu/data-act/faq/non-personal-data-and-mixed-datasets.md) FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records. - 12 items ### [EU Data Act Pre-Contractual Information FAQ](/artifacts/eu/data-act/faq/pre-contractual-information.md) FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries. - 12 items ### [EU Data Act Product Data vs Related Service Data FAQ](/artifacts/eu/data-act/faq/product-data-and-service-data.md) FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs. - 12 items ### [EU Data Act Readily Available Data FAQ](/artifacts/eu/data-act/faq/readily-available-data.md) FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics. - 12 items ### [EU Data Act Related Services FAQ](/artifacts/eu/data-act/faq/related-services.md) FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply. - 12 items ### [EU Data Act Smart Contracts for Data Sharing FAQ](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md) Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status. - 12 items ### [EU Data Act Third-Party Data Sharing FAQ](/artifacts/eu/data-act/faq/third-party-data-sharing.md) FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers. - 12 items ### [EU Data Act Trade Secret Safeguards FAQ](/artifacts/eu/data-act/faq/trade-secrets-safeguards.md) FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records. - 12 items ### [EU Data Act Unfair Contractual Terms FAQ](/artifacts/eu/data-act/faq/unfair-contractual-terms.md) FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence. - 12 items ### [EU Data Act Users, Data Holders, and Recipients FAQ](/artifacts/eu/data-act/faq/users-data-holders-and-recipients.md) FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries. - 12 items ### [EU Data Act Vehicle Data Guidance FAQ](/artifacts/eu/data-act/faq/vehicle-data-guidance.md) FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries. - 12 items Browse all indexed questions: [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) ## All FAQ items *Page 10 of 24. Showing 20 of 469 items.* ### [Can an EU Data Act data holder use trade secrets to block product or related service data access?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#can-an-eu-data-act-data-holder-use-trade-secrets-to-block-product-or-related-service-data-access) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Not as a blanket answer. Articles 4 and 5 preserve trade secrets, but they require the data holder or trade secret holder to identify the protected data and agree necessary, proportionate technical and organisational measures before disclosure. The Commission FAQ is explicit that a trade secret claim by itself is not enough to defeat Data Act access rights. - Do not mark an entire export, API, log stream, or dataset as unavailable without identifying the trade secret elements. - Record whether the issue arises under Article 4 user access or Article 5 sharing with a third party, because the recipient and challenge route differ. - Separate trade secret protection from personal data, product security, and competitive-use restrictions so each limit has its own legal basis and evidence. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 4(6) and Article 5(9) preserve trade secrets while requiring identified protected data and proportionate measures before disclosure. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Question 23 explains that a trade secret claim alone is not enough to prevent the Data Act access rights from being exercised. ### [What technical and organisational measures can protect trade secrets under the EU Data Act?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#what-technical-and-organisational-measures-can-protect-trade-secrets-under-the-eu-data-act) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* The Data Act points to proportionate technical and organisational measures such as model contractual terms, confidentiality agreements, strict access protocols, technical standards, and codes of conduct. Article 11 also allows technical protection measures, including smart contracts and encryption, to prevent unauthorised access or disclosure and to support compliance with Articles 4, 5, 6, 8, and 9. - Tie each measure to a named risk: exposure of a formula, calibration logic, production method, model feature, supplier know-how, or confidential process. - Show why the measure is proportionate: enough to protect the secret, but not more restrictive than needed for the requested access. - Keep the access design usable: a technical protection measure should not become a disguised refusal or an unreasonable access barrier. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 11 allows technical protection measures while prohibiting discriminatory measures or measures that hinder Data Act access and sharing rights. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The FAQ lists confidentiality agreements, strict access protocols, technical standards, codes of conduct, and model terms as possible trade secret safeguards. ### [What should teams document when they rely on EU Data Act trade secret safeguards or technical protection measures?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#what-should-teams-document-when-they-rely-on-eu-data-act-trade-secret-safeguards-or-technical-protection-measures) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, the record should show what data was requested, which parts were identified as trade secrets, which proportionate measures were agreed, who must implement them, and how the data was delivered. If the holder withholds or suspends sharing, it should also document the missing agreement, the unimplemented measure, or the confidentiality incident, plus the written reasons and authority notification required by Articles 4 and 5. - Keep the written decision and the evidence trail together so the record is usable for a complaint, court review, or dispute settlement. - Store the exact trade-secret fields or metadata that were protected, not just a generic label such as confidential data. - Retain the notification sent to the competent authority and the user or third party without undue delay. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4(7), 4(8), 5(10), 5(11), 10, and 37 support written reasons, competent-authority notifications, and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - The Commission explanation confirms that users and third parties can challenge trade secret withholding, suspension, or refusal through courts, competent authorities, or dispute settlement. ### [When may a data holder withhold data while trade secret measures are agreed under the EU Data Act?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#when-may-a-data-holder-withhold-data-while-trade-secret-measures-are-agreed-under-the-eu-data-act) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, a data holder may withhold or suspend sharing only where the user or third party fails to implement the agreed technical and organisational measures, or where confidentiality is breached, and the holder must give written reasons and notify the competent authority. Withholding is the narrow exception, not the default response to a trade secret claim. - Document the specific safeguard that was not implemented before treating sharing as suspended. - Send written reasons to the user or third party and notify the competent authority without undue delay. - Reopen access once the agreed measure is implemented; do not convert a suspension into a permanent block. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [When can refusal of access be justified in exceptional cases under the EU Data Act trade secret rules?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#when-can-refusal-of-access-be-justified-in-exceptional-cases-under-the-eu-data-act-trade-secret-rules) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, a data holder may refuse a specific request only in exceptional circumstances, where it demonstrates with objective evidence that disclosure is highly likely to cause serious economic damage despite the agreed technical and organisational measures. Refusal must be assessed per request and supported by demonstrable, case-specific reasoning. - Limit any refusal to the precise data fields that would cause serious economic damage if disclosed. - Keep objective evidence of likely serious economic damage rather than a general competitive worry. - Notify the competent authority of the refusal and preserve the user or third-party challenge route. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [How do technical protection measures interact with third-party sharing under the EU Data Act?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#how-do-technical-protection-measures-interact-with-third-party-sharing-under-the-eu-data-act) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, technical protection measures applied under Article 11 must not be used to prevent a user from exercising the right to share readily available data with a third party, and must not discriminate between data recipients. The same controls that protect a trade secret in user access should carry through to the third-party path under Article 5. - Carry confidentiality controls into the third-party agreement, not only the user-facing access path. - Bind the third party to Article 6 use restrictions and onward-sharing limits in writing. - Avoid measures that single out particular recipients or make the sharing right impractical to use. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [How should trade secret safeguards be coordinated with personal data rules under the EU Data Act?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#how-should-trade-secret-safeguards-be-coordinated-with-personal-data-rules-under-the-eu-data-act) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, trade secret protection is a separate question from personal data protection, and both can apply to the same export. The Regulation is without prejudice to the GDPR, so a confidentiality control that protects a secret does not remove the need for a valid legal basis when the same dataset contains personal data. - Classify each field for both trade secret sensitivity and personal data content before disclosure. - Apply a GDPR basis and minimisation to personal data even when trade secret controls are already in place. - Keep the trade secret record and the data protection record separate so neither limit is over-applied. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [Which controls help keep EU Data Act trade secret measures proportionate rather than over-restrictive?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#which-controls-help-keep-eu-data-act-trade-secret-measures-proportionate-rather-than-over-restrictive) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, technical and organisational measures must be necessary and proportionate, so the right control is the least restrictive one that still protects the identified secret. A measure that effectively blocks all access, or that is far broader than the risk, can itself breach the prohibition on hindering Data Act access rights. - Match each control to a specific protected element rather than the whole dataset or interface. - Prefer scoped, reversible controls over measures that make the access right impractical. - Review whether a less restrictive control would still protect the secret before applying a stronger one. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [What source evidence should teams keep for an EU Data Act trade secret protection decision later?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#what-source-evidence-should-teams-keep-for-an-eu-data-act-trade-secret-protection-decision-later) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, the evidence file should let a later reviewer rebuild the decision: the Article 4, 5, or 11 basis relied on, the identified trade secret fields, the agreed measures, the delivery method, and any withholding, suspension, or refusal record. Each factual claim about scope or risk should map to a cited source. - Map the protection decision to a cited Data Act source URL and the specific article relied on. - Store the identified secret fields, agreed measures, and the implemented controls together. - Record the decision date and recipient assumptions so the file can be rechecked after changes. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [Which team should own EU Data Act trade secret safeguard work and keep the measures current over time?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#which-team-should-own-eu-data-act-trade-secret-safeguard-work-and-keep-the-measures-current-over-time) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, one accountable owner should be able to change the access design and the safeguard set, with security, legal, product, and data operations recorded as consulted teams. Spreading the decision across functions without a named owner is how confidentiality measures drift out of date. - Name a single owner who can change both the access design and the confidentiality controls. - Record security, legal, product, and data operations as consulted rather than co-owners. - Give the owner authority to trigger a new review when the product, API, or recipient changes. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [When should an EU Data Act trade secret protection decision be reviewed again as conditions change?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#when-should-an-eu-data-act-trade-secret-protection-decision-be-reviewed-again-as-conditions-change) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, the decision should be reviewed whenever the protected data, the access path, the recipient, or the safeguard set changes. A new firmware build, a new export field, a new third-party recipient, or a change in confidentiality terms can each move the risk and the proportionality balance. - Review the decision when the protected fields, access route, or recipient set changes. - Trigger a review after a confidentiality incident, a complaint, or a dispute settlement outcome. - Recheck proportionality when new safeguards become available or contract terms change. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [What mistakes should teams avoid when applying EU Data Act trade secret protection measures?](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md#what-mistakes-should-teams-avoid-when-applying-eu-data-act-trade-secret-protection-measures) *Module: [Data Act Trade Secret Technical Protection Measures](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md)* Under the Data Act, the most common mistake is treating a trade secret label as an automatic block. The Regulation preserves trade secrets but still requires identified data, proportionate measures, and a usable access route, so a blanket unavailable response is not defensible. - Do not mark whole exports or interfaces as confidential without identifying the secret elements. - Do not refuse a request without case-specific objective evidence of serious economic damage. - Do not skip the written reasons and competent-authority notifications the Data Act requires. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act trade secret preservation, proportional technical and organisational measures, technical protection measures, withholding, suspension, refusal, dispute settlement, complaints, and cloud switching exportable-data exclusions. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ source for the practical trade secrets handbrake explanation, including safeguard examples and challenge routes. - [European Commission - Data Act Explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explanatory source for Data Act access limits, trade secret safeguards, withholding or suspension, challenge routes, and cloud switching exclusions. ### [Does the EU Data Act require companies to join common European data spaces?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#does-the-eu-data-act-require-companies-to-join-common-european-data-spaces) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* No. The grounding sources support common European data spaces as EU-backed infrastructure and governance initiatives, not as a general Data Act duty for every company to join. The Data Act creates obligations for specific actors and fact patterns, including connected-product data access, B2B data sharing, public-sector exceptional-need requests, cloud switching, interoperability, and smart contracts. - Ask whether the organisation is a data-space participant offering data or data services to other participants. - Separate voluntary participation, sector programme conditions, and binding Data Act obligations. - Do not treat data-space membership as proof that connected-product access, B2B sharing, B2G requests, or cloud-switching duties are already satisfied. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Supports the narrow Article 33 trigger for data-space participants that offer data or data services to other participants. - [European Commission staff working document on data spaces](https://digital-strategy.ec.europa.eu/en/library/staff-working-document-data-spaces?ref=sorena.io) - Supports the explanation that common European data spaces are strategic sector and public-interest initiatives. ### [What Data Act obligations matter most for common European data spaces?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#what-data-act-obligations-matter-most-for-common-european-data-spaces) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* The most direct Data Act obligation is Article 33 on interoperability of data, data-sharing mechanisms and services, and common European data spaces. It requires relevant data-space participants to describe dataset content, use restrictions, licences, collection methodology, data quality, uncertainty, data structures, formats, vocabularies, classification schemes, taxonomies, code lists, access methods, terms of use, quality of service, and, where applicable, tools such as smart contracts. - Maintain machine-readable metadata where Article 33 calls for it. - Publish or make consistently available the formats, vocabularies, taxonomies, code lists, and API terms needed for interoperability. - If automated data-sharing agreements or smart contracts are used, document the means that enable tool interoperability. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Supports the list of Article 33 interoperability requirements for data, mechanisms, services, and data spaces. ### [How do common European data spaces differ from ordinary data portals or file downloads under the Data Act?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#how-do-common-european-data-spaces-differ-from-ordinary-data-portals-or-file-downloads-under-the-data-act) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* The Data Act context is the starting point for this answer. The Commission describes common European data spaces as combining data infrastructures with governance frameworks for data pooling and sharing. The data.europa.eu panel report adds that data spaces are service-focused, user-centric, decentralised, automated, and based on common standards. That is a different operating model from simply publishing a static catalogue or downloadable files. - Treat the data space as a governed exchange environment, not just a publication page. - Record who controls participant admission, access rights, data quality, standards, and dispute handling. - Keep API, bulk download, real-time access, or other technical-access terms aligned with the actual service. Sources for this answer: - [European Commission staff working document on data spaces](https://digital-strategy.ec.europa.eu/en/library/staff-working-document-data-spaces?ref=sorena.io) - Supports the definition of common European data spaces as infrastructure plus governance for pooling and sharing. - [Publications Office report on European data spaces](https://op.europa.eu/en/publication-detail/-/publication/70d01867-8ce1-11ee-8aa6-01aa75ed71a1/language-en?ref=sorena.io) - Supports the distinction between data spaces and conventional portals or simple downloads. ### [How do the Data Act and Data Governance Act fit together in data-space governance?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#how-do-the-data-act-and-data-governance-act-fit-together-in-data-space-governance) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* The Data Act and the Data Governance Act address different parts of the EU data-sharing framework. The Data Act supplies horizontal rules on fair access and use of data and Article 33 interoperability requirements for data spaces. The Data Governance Act supports trust in voluntary data sharing through rules for protected public-sector data reuse, data intermediation services, data altruism, and the European Data Innovation Board. - Tag each exchange as Data Act, Data Governance Act, GDPR, open-data, sector-law, contract, or programme-governance driven. - If a data intermediary is used, check neutrality, transparency, structural separation, notification, and recognised-provider claims under the Data Governance Act. - If personal data is present, keep the GDPR legal basis and data-subject protections separate from the Data Act interoperability analysis. Sources for this answer: - [European Commission - Data Governance Act explained](https://digital-strategy.ec.europa.eu/en/policies/data-governance-act-explained?ref=sorena.io) - Supports the distinction between voluntary data-sharing trust tools, data intermediaries, data altruism, and public-sector reuse under the Data Governance Act. - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Supports the Data Act role in fair access, use, and interoperability rather than Data Governance Act intermediary status. ### [Which sector data spaces should teams treat as examples, not universal Data Act templates?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#which-sector-data-spaces-should-teams-treat-as-examples-not-universal-data-act-templates) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* The Data Act context is the starting point for this answer. The Commission's staff working document identifies data spaces in strategic fields such as health, agriculture, manufacturing, energy, mobility, finance, public administration, skills, the European Open Science Cloud, and the Green Deal priority, with later examples including media and cultural heritage. Individual data spaces then add sector-specific datasets, identifiers, services, governance, and access arrangements. - Use Article 33 as the horizontal interoperability baseline, then add the sector data-space rulebook. - For procurement data, verify TED, API, open-data, confidentiality, and procurement-specific standards before reuse. - For legal data, verify legal-identifier, case-law, EUR-Lex, and national legal-depository arrangements before reuse. Sources for this answer: - [European Commission staff working document on data spaces](https://digital-strategy.ec.europa.eu/en/library/staff-working-document-data-spaces?ref=sorena.io) - Supports the list of strategic fields and the warning that data spaces are sector and domain specific. - [data.europa.eu - Public Procurement Data Space](https://data.europa.eu/en/PPDS?ref=sorena.io) - Supports the procurement example, including TED resources and automated procurement-data access. - [data.europa.eu - European Legal Data Space](https://data.europa.eu/en/ELDS?ref=sorena.io) - Supports the legal-data example, including legal depositories and case-law collections. ### [What safeguards should be built into a Data Act data-space participation file?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#what-safeguards-should-be-built-into-a-data-act-data-space-participation-file) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* A useful participation file should show both access and protection. Under Article 33, recipients need enough metadata, format, vocabulary, taxonomy, licence, quality, and access information to find and use data. Under the Data Act more broadly, technical protection measures such as encryption and smart contracts may be used to prevent unauthorised access, but they must not become a disguised barrier to lawful access. - Document the data category, metadata, licence, use restriction, quality statement, uncertainty, and access method. - Record protection measures such as identity management, access control, encryption, secure processing, or confidentiality terms. - Explain any refusal, delay, redaction, aggregation, anonymisation, or restricted-access environment with a source-linked reason. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Supports the need to describe metadata, restrictions, access means, and protection measures without hindering lawful rights. - [European Commission - Data Governance Act explained](https://digital-strategy.ec.europa.eu/en/policies/data-governance-act-explained?ref=sorena.io) - Supports examples of reuse safeguards such as anonymisation, pseudonymisation, secure processing environments, and confidentiality agreements. ### [What evidence should show that a data-space exchange is Data Act ready?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#what-evidence-should-show-that-a-data-space-exchange-is-data-act-ready) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* The Data Act context is the starting point for this answer. Keep evidence that connects the legal trigger to the operational exchange. The minimum useful set is a participant-role map, data catalogue, metadata profile, licence and use-restriction record, standards mapping, API or access specification, quality-of-service terms, security controls, smart-contract assessment where relevant, and a log of requests, refusals, restrictions, and changes. - Keep the Article 33 checklist beside the data-space rulebook, not buried in general compliance notes. - Version metadata, vocabularies, code lists, APIs, quality statements, and access terms when they change. - Retain the source and owner for any decision that limits access because of confidentiality, personal data, trade secrets, security, or sector rules. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Supports the evidence fields tied to Article 33 interoperability requirements. - [Publications Office report on European data spaces](https://op.europa.eu/en/publication-detail/-/publication/70d01867-8ce1-11ee-8aa6-01aa75ed71a1/language-en?ref=sorena.io) - Supports evidence needs around decentralisation, automation, common standards, governance, legal, and compliance building blocks. ### [What is the main implementation risk when mapping the Data Act to common European data spaces?](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md#what-is-the-main-implementation-risk-when-mapping-the-data-act-to-common-european-data-spaces) *Module: [EU Data Act and Common European Data Spaces](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md)* The main risk is overgeneralising. A team may say that a data space is interoperable or EU-backed without proving the specific Article 33 items for the exchange it operates. The opposite risk is also common: treating a sector data-space participation decision as only a policy project and missing binding Data Act access, interoperability, contract, cloud-switching, or public-sector request duties. - Avoid unsupported claims that participation is mandatory, complete, compliant, or sufficient by itself. - Do not reuse one sector data-space rulebook for another sector without checking the source and governance model. - Re-check the matrix when standards, APIs, participant roles, datasets, access restrictions, or sector rules change. Sources for this answer: - [European Commission second staff working document on data spaces](https://digital-strategy.ec.europa.eu/en/library/second-staff-working-document-data-spaces?ref=sorena.io) - Supports the need to track evolving data-space support actions, sector initiatives, standards, and interoperability work. - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Supports the binding Article 33 analysis that should sit behind each data-space exchange row. ## FAQ Pagination - Canonical index (page 1): [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 10 of 24 Pages: [1](/artifacts/eu/data-act/faq/items.md) | [2](/artifacts/eu/data-act/faq/items/page/2.md) | [3](/artifacts/eu/data-act/faq/items/page/3.md) | [4](/artifacts/eu/data-act/faq/items/page/4.md) | [5](/artifacts/eu/data-act/faq/items/page/5.md) | [6](/artifacts/eu/data-act/faq/items/page/6.md) | [7](/artifacts/eu/data-act/faq/items/page/7.md) | [8](/artifacts/eu/data-act/faq/items/page/8.md) | [9](/artifacts/eu/data-act/faq/items/page/9.md) | [10](/artifacts/eu/data-act/faq/items/page/10.md) | [11](/artifacts/eu/data-act/faq/items/page/11.md) | [12](/artifacts/eu/data-act/faq/items/page/12.md) | [13](/artifacts/eu/data-act/faq/items/page/13.md) | [14](/artifacts/eu/data-act/faq/items/page/14.md) | [15](/artifacts/eu/data-act/faq/items/page/15.md) | [16](/artifacts/eu/data-act/faq/items/page/16.md) | [17](/artifacts/eu/data-act/faq/items/page/17.md) | [18](/artifacts/eu/data-act/faq/items/page/18.md) | [19](/artifacts/eu/data-act/faq/items/page/19.md) | [20](/artifacts/eu/data-act/faq/items/page/20.md) | [21](/artifacts/eu/data-act/faq/items/page/21.md) | [22](/artifacts/eu/data-act/faq/items/page/22.md) | [23](/artifacts/eu/data-act/faq/items/page/23.md) | [24](/artifacts/eu/data-act/faq/items/page/24.md) [Previous page](/artifacts/eu/data-act/faq/items/page/9.md) | [Next page](/artifacts/eu/data-act/faq/items/page/11.md) *Recommended next step* *Placement: before sources* ## Turn a Data Act FAQ answer into a scoped review Review one product, dataset, cloud contract, public-sector request, or smart-contract deployment against the cited Data Act source and keep the scope, role, evidence, and unresolved questions together. - [Open Research Copilot](/solutions/research-copilot.md): Check Data Act scope, GDPR boundaries, cloud switching, and contract questions with cited source outputs. - [Talk through Data Act implementation](/contact.md): Review one connected product, data-sharing contract, cloud switch, or public-sector request before committing to an implementation path. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/data-act/faq/items/page/10