--- title: "EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates" canonical_url: "https://www.sorena.io/artifacts/eu/data-act/faq" source_url: "https://www.sorena.io/artifacts/eu/data-act/faq/items/page/16" author: "Sorena AI" description: "Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates." published_at: "2026-05-06" updated_at: "2026-05-25" keywords: - "EU Data Act FAQ" - "Data Act scope" - "connected product data" - "B2G data sharing" - "cloud switching" - "GDPR Data Act" - "EU Data Act" - "Data Act FAQ" - "Regulation (EU) 2023/2854" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates. *FAQ* *EU* *Data Act* ## EU Data Act FAQ hub Answers to the recurring EU Data Act questions that decide whether connected-product data, related-service data, B2G requests, cloud contracts, or smart-contract tooling need a compliance review. Use this index to orient product, legal, cloud, procurement, data protection, security, and public-sector request teams before opening the deeper topic modules. The EU Data Act, Regulation (EU) 2023/2854, creates horizontal rules for fair access to and use of data. Its FAQ set is not only about IoT data portability: it also covers mandatory B2B sharing terms, unfair contractual terms, public-sector access in exceptional need, cloud and edge switching, safeguards against unlawful third-country government access to non-personal data, interoperability, smart contracts, enforcement, and the boundary with GDPR. ## Browse sub-FAQ modules ### [Data Act and Data Governance Act Overlap FAQ](/artifacts/eu/data-act/faq/data-governance-act-overlap.md) FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows. - 12 items ### [Data Act and GDPR Personal Data Overlap FAQ](/artifacts/eu/data-act/faq/gdpr-personal-data-overlap.md) FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing. - 12 items ### [Data Act Audit Evidence And Request Logs FAQ](/artifacts/eu/data-act/faq/audit-evidence-and-request-logs.md) FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries. - 12 items ### [Data Act Cloud Switching Contract Terms FAQ](/artifacts/eu/data-act/faq/cloud-switching-contract-terms.md) FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records. - 12 items ### [Data Act Cloud Switching Fees And Deadlines FAQ](/artifacts/eu/data-act/faq/cloud-switching-fees-and-deadlines.md) FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records. - 12 items ### [Data Act Complaints and Dispute Settlement FAQ](/artifacts/eu/data-act/faq/complaints-and-dispute-settlement.md) FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records. - 12 items ### [Data Act Exportable Data and Metadata FAQ](/artifacts/eu/data-act/faq/exportable-data-and-metadata.md) FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded. - 12 items ### [Data Act FAQ for Aftermarket Repair and Mobility Services](/artifacts/eu/data-act/faq/aftermarket-repair-and-mobility-services.md) FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services. - 12 items ### [Data Act Functional Equivalence FAQ](/artifacts/eu/data-act/faq/functional-equivalence.md) FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence. - 12 items ### [Data Act Indirect Access Request Flows FAQ](/artifacts/eu/data-act/faq/indirect-access-request-flows.md) FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited. - 12 items ### [Data Act International Government Access FAQ](/artifacts/eu/data-act/faq/international-government-access.md) FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers. - 12 items ### [Data Act Interoperability Standards FAQ](/artifacts/eu/data-act/faq/interoperability-standards.md) FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614. - 12 items ### [Data Act Model Contractual Terms FAQ](/artifacts/eu/data-act/faq/model-contractual-terms.md) FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence. - 12 items ### [Data Act Public Emergency Requests FAQ](/artifacts/eu/data-act/faq/public-emergency-requests.md) FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records. - 12 items ### [Data Act SME Exceptions and Startups FAQ](/artifacts/eu/data-act/faq/sme-exceptions-and-startups.md) FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms. - 12 items ### [Data Act Trade Secret Technical Protection Measures FAQ](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md) FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence. - 12 items ### [EU Data Act and Common European Data Spaces FAQ](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md) FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation. - 12 items ### [EU Data Act Application Dates And Transition FAQ](/artifacts/eu/data-act/faq/application-dates-and-transition.md) FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain. - 12 items ### [EU Data Act Article 36 Smart Contract Controls FAQ](/artifacts/eu/data-act/faq/article-36-smart-contract-controls.md) FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires. - 12 items ### [EU Data Act B2B Data Sharing Compensation FAQ](/artifacts/eu/data-act/faq/compensation-for-b2b-data-sharing.md) FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards. - 12 items ### [EU Data Act B2G Compensation and Costs FAQ](/artifacts/eu/data-act/faq/b2g-compensation-and-costs.md) FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep. - 12 items ### [EU Data Act B2G Exceptional Need FAQ](/artifacts/eu/data-act/faq/b2g-exceptional-need.md) When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence. - 13 items ### [EU Data Act Cloud Switching Procurement FAQ](/artifacts/eu/data-act/faq/cloud-switching-procurement-checklist.md) Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence. - 12 items ### [EU Data Act Connected Product Scope FAQ](/artifacts/eu/data-act/faq/scope-connected-products.md) FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope. - 12 items ### [EU Data Act data spaces interoperability FAQ](/artifacts/eu/data-act/faq/data-spaces-interoperability.md) FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence. - 12 items ### [EU Data Act Direct Access by Design FAQ](/artifacts/eu/data-act/faq/direct-access-by-design.md) FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act. - 12 items ### [EU Data Act Enforcement And Competent Authorities FAQ](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md) FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible. - 12 items ### [EU Data Act Non-Emergency Public-Sector Requests FAQ](/artifacts/eu/data-act/faq/non-emergency-public-sector-requests.md) FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence. - 12 items ### [EU Data Act Non-Personal Data and Mixed Datasets FAQ](/artifacts/eu/data-act/faq/non-personal-data-and-mixed-datasets.md) FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records. - 12 items ### [EU Data Act Pre-Contractual Information FAQ](/artifacts/eu/data-act/faq/pre-contractual-information.md) FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries. - 12 items ### [EU Data Act Product Data vs Related Service Data FAQ](/artifacts/eu/data-act/faq/product-data-and-service-data.md) FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs. - 12 items ### [EU Data Act Readily Available Data FAQ](/artifacts/eu/data-act/faq/readily-available-data.md) FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics. - 12 items ### [EU Data Act Related Services FAQ](/artifacts/eu/data-act/faq/related-services.md) FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply. - 12 items ### [EU Data Act Smart Contracts for Data Sharing FAQ](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md) Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status. - 12 items ### [EU Data Act Third-Party Data Sharing FAQ](/artifacts/eu/data-act/faq/third-party-data-sharing.md) FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers. - 12 items ### [EU Data Act Trade Secret Safeguards FAQ](/artifacts/eu/data-act/faq/trade-secrets-safeguards.md) FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records. - 12 items ### [EU Data Act Unfair Contractual Terms FAQ](/artifacts/eu/data-act/faq/unfair-contractual-terms.md) FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence. - 12 items ### [EU Data Act Users, Data Holders, and Recipients FAQ](/artifacts/eu/data-act/faq/users-data-holders-and-recipients.md) FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries. - 12 items ### [EU Data Act Vehicle Data Guidance FAQ](/artifacts/eu/data-act/faq/vehicle-data-guidance.md) FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries. - 12 items Browse all indexed questions: [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) ## All FAQ items *Page 16 of 24. Showing 20 of 469 items.* ### [Do EU Data Act Article 33 interoperability duties apply only to participants that offer data to others?](/artifacts/eu/data-act/faq/data-spaces-interoperability.md#do-eu-data-act-article-33-interoperability-duties-apply-only-to-participants-that-offer-data-to-others) *Module: [EU Data Act data spaces interoperability](/artifacts/eu/data-act/faq/data-spaces-interoperability.md)* Under the Data Act, the Article 33 essential requirements bind operators of data spaces and participants that offer data or data services to other participants, rather than every organisation that merely consumes data within a data space. The trigger is offering data or services, so a pure consumer does not carry the same description duties. - Apply Article 33 description duties to participants that offer data or data services to others. - Map each participant role per dataset, since an organisation can offer some data and consume other data. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding legal source for Article 33 data-space interoperability scope, essential requirements, harmonised standards, and common specifications. - [European Commission - Data Act FAQs](https://digital-strategy.ec.europa.eu/en/library/commission-publishes-frequently-asked-questions-about-data-act?ref=sorena.io) - Commission FAQ source used for interoperability context, metadata and portability explanations, and the central Union repository distinction. - [European Commission - Staff working document on common European data spaces](https://digital-strategy.ec.europa.eu/en/library/staff-working-document-data-spaces?ref=sorena.io) - Commission source for the concept and original strategic fields of common European data spaces. - [European Commission - Second staff working document on data spaces](https://digital-strategy.ec.europa.eu/en/library/second-staff-working-document-data-spaces?ref=sorena.io) - Commission source for the later data-space implementation context, including DSSC, Simpl, EDICs, and standards work. - [Publications Office - European data spaces and data.europa.eu](https://op.europa.eu/en/publication-detail/-/publication/70d01867-8ce1-11ee-8aa6-01aa75ed71a1/language-en?ref=sorena.io) - EU publication supporting practical context on data-space governance, participants, decentralisation, automation, and common standards. - [CEN-CENELEC - Data Act Standardization Request officially accepted](https://www.cencenelec.eu/news-events/news/2025/brief-news/2025-07-11-data-act-standardization-request/?ref=sorena.io) - Standardisation source for Mandate M/614 and planned deliverables supporting Article 33 of the Data Act. - [European Commission - Rolling Plan for ICT standardisation, Data Economy](https://interoperable-europe.ec.europa.eu/collection/rolling-plan-ict-standardisation/data-economy-rp-2025?ref=sorena.io) - Standardisation policy source for data economy interoperability, data-space interoperability, metadata, governance, and common European data spaces. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview for Data Act chapters, connected-product access, B2G requests, cloud switching, interoperability, and implementation support. ### [What does direct access by design actually mean under the EU Data Act Article 3 obligation?](/artifacts/eu/data-act/faq/direct-access-by-design.md#what-does-direct-access-by-design-actually-mean-under-the-eu-data-act-article-3-obligation) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act context is the starting point for this answer. Direct access by design means the connected product and any related service must be built so the user can access product data and related-service data by default. Article 3 requires the access path to include relevant metadata, use a comprehensive, structured, commonly used and machine-readable format, and be easy, secure, and free of charge. - Treat direct access as a product requirement for each connected product and related service, not as a later compliance add-on. - Specify the user-facing route, authentication method, data format, metadata, retention assumptions, and support fallback. - Test whether a real user can retrieve and understand the data without non-neutral interface patterns or unnecessary identity checks. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 3 states the direct-access-by-design duty for connected products and related services. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer describes Chapter II access to data generated by connected products and related services. ### [Which categories of data must the access design cover under the EU Data Act Article 3 rules?](/artifacts/eu/data-act/faq/direct-access-by-design.md#which-categories-of-data-must-the-access-design-cover-under-the-eu-data-act-article-3-rules) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act context is the starting point for this answer. The design should cover product data and related-service data that are readily available to the data holder. The Commission explains this as raw and pre-processed data generated from use of a connected product or related service that can be accessed without disproportionate effort, including relevant metadata. - Inventory generated data by field or stream, including sensor data, event data, timestamps, basic context, units, format, collection frequency, and estimated volume. - Flag data that is available on-device, sent to a remote server, generated by a related service, or unavailable because the product does not store or transmit it. - Record why each exclusion is outside the Article 3 or Article 4 access path, especially for derived insights, trade-secret material, and personal data limits. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Recital 15 explains raw, pre-processed, metadata, and derived-data boundaries. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer summarizes Chapter II scope for raw and pre-processed readily available data. ### [When is indirect access under Article 4 still needed under the Data Act?](/artifacts/eu/data-act/faq/direct-access-by-design.md#when-is-indirect-access-under-article-4-still-needed-under-the-data-act) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act context is the starting point for this answer. Article 4 applies where the user cannot directly access the data from the connected product or related service. In that case, the data holder must make readily available data and necessary metadata accessible to the user without undue delay, with the same quality available to the data holder, and through a simple electronic request where technically feasible. - Document why each dataset is direct-accessible, request-accessible, or outside the readily available data boundary. - Make the indirect request channel simple, electronic where technically feasible, and connected to the same data inventory used for product design. - Keep evidence that indirect access does not degrade quality, format, metadata, security, or user comprehension compared with what the data holder has. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 4 creates the fallback user-access duty when direct access is not available. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ explains user verification and simple request mechanisms for access requests. ### [Does direct user access remove the need to support third-party sharing under the Data Act?](/artifacts/eu/data-act/faq/direct-access-by-design.md#does-direct-user-access-remove-the-need-to-support-third-party-sharing-under-the-data-act) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act context is the starting point for this answer. No. The Commission FAQ states that users can still ask a data holder to transfer data to a third party under Article 5 even where the user already has direct access under Article 3. Direct access helps the user retrieve data, but it does not supersede the separate user right to have a data holder make readily available data available to a chosen third party. - Add a third-party sharing path alongside direct user export where a data holder has readily available data. - Exclude Digital Markets Act gatekeepers from the Article 5 third-party route where the Data Act does so. - Keep user authorization, third-party identity checks, purpose, scope, format, metadata, delivery, and safeguard records together. Sources for this answer: - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Question 31 confirms Article 5 third-party transfer rights can apply despite direct access. - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 5 sets the user's right to have readily available data made available to third parties. ### [What must be explained before the user buys, rents, leases, or takes a related service under the Data Act?](/artifacts/eu/data-act/faq/direct-access-by-design.md#what-must-be-explained-before-the-user-buys-rents-leases-or-takes-a-related-service-under-the-data-act) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act context is the starting point for this answer. Before a connected-product contract, Article 3 requires clear and comprehensible information about the type, format, and estimated volume of product data; whether data can be generated continuously and in real time; storage location and retention where applicable; and how the user may access, retrieve, or erase the data. - Keep product pages, order flows, contracts, QR-code pages, support articles, and API documentation consistent with the same access design. - Include enough detail for a user to understand what data exists, how often it is generated, where it is stored, and how to retrieve it. - Update user-facing information when product updates or service changes add accessible data or restrict previously accessible data. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 3 lists pre-contract information for connected products and related services. ### [How should security and identity controls be designed under the Data Act?](/artifacts/eu/data-act/faq/direct-access-by-design.md#how-should-security-and-identity-controls-be-designed-under-the-data-act) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act context is the starting point for this answer. Security controls can verify that the requester is a user and protect the data infrastructure, but they should not make access unduly difficult. Article 4 limits verification requests to necessary information, and the Commission FAQ points to simple request mechanisms and automatic execution where possible. - Use proportionate authentication, account, device-pairing, or proof-of-use controls that fit the product and expected user base. - Avoid dark patterns, non-neutral choices, excessive identity documents, unnecessary logs, or manual clearance where automatic access is feasible. - If security requirements justify a restriction, record the legal requirement, risk analysis, affected data, user notice, authority notification, and challenge route. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 4 covers user verification, interface design, log minimisation, and security-based restrictions. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer summarizes the security limitation and authority notification path. ### [How should trade secrets be handled without blocking lawful access under the Data Act?](/artifacts/eu/data-act/faq/direct-access-by-design.md#how-should-trade-secrets-be-handled-without-blocking-lawful-access-under-the-data-act) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act preserves trade secrets, but it does not allow a blanket trade-secret label to erase user access. The data holder or trade-secret holder must identify protected data, including in relevant metadata, and agree proportionate technical and organisational measures such as confidentiality terms, strict access protocols, technical standards, and codes of conduct. - Mark trade-secret fields in the data inventory and metadata instead of hiding the entire dataset. - Choose proportionate measures that preserve confidentiality while leaving the usable data access path open where possible. - Keep written reasons, objective evidence, user notices, competent-authority notifications, and challenge-route records for any withholding, suspension, or refusal. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 4 sets trade-secret identification, safeguard, suspension, withholding, refusal, and notification rules for user access. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer describes the trade-secret safeguard and refusal mechanism. - [European Commission - Data Act press release](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078?ref=sorena.io) - Commission press release notes further implementation tools on trade-secret protection. ### [When does the Article 3 design obligation apply under the Data Act?](/artifacts/eu/data-act/faq/direct-access-by-design.md#when-does-the-article-3-design-obligation-apply-under-the-data-act) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The Data Act generally applies from 12 September 2025, but Article 50 states that the obligation resulting from Article 3(1) applies to connected products and related services placed on the market after 12 September 2026. Teams should keep those two dates separate in release plans and customer-facing materials. - Tie the Article 3 release gate to products and related services placed on the market after 12 September 2026. - Review older products separately for request-based access, data-use contracts, third-party sharing, and support processes. - Keep the date source in the design record so sales, legal, product, and support teams do not reuse the wrong Data Act date. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 50 gives the general application date and the later timing rule for Article 3(1). - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ explains post-application contracts for data holders' use of readily available data. ### [What evidence should prove that the access design is compliant under the Data Act?](/artifacts/eu/data-act/faq/direct-access-by-design.md#what-evidence-should-prove-that-the-access-design-is-compliant-under-the-data-act) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* The evidence file should let a reviewer connect the product architecture to the Data Act duty without reconstructing decisions from tickets. Keep a data inventory, Article 3 design specification, pre-contract disclosure, UX/API evidence, security and identity assessment, trade-secret register, request-path procedure, and release approval. - Preserve a direct-access matrix showing each dataset, access route, format, metadata, retention assumption, safeguard, and owner. - Retain test evidence that the user can access data easily, securely, free of charge, and in the promised format. - Log exceptions with the affected data, legal basis, reason, user notice, authority notice where required, and remediation or review date. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 3 and 4 support evidence fields for access format, metadata, security, verification, logs, and safeguards. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer supports evidence for simple processes, free access, security limits, and trade-secret restrictions. ### [Who should own the EU Data Act direct-access design and the related review workflow over time?](/artifacts/eu/data-act/faq/direct-access-by-design.md#who-should-own-the-eu-data-act-direct-access-design-and-the-related-review-workflow-over-time) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* Under the Data Act, assign one accountable owner for the design decision itself and separate owners for the supporting work. The accountable owner should be the team that can approve changes to the product or related service, while legal, security, procurement, support, and engineering can supply review and evidence inputs. - Assign one accountable owner for the design decision and one record owner for the evidence file. - List the affected workflow, required approvals, and review trigger separately so the decision is easier to revisit later. - Keep legal, product, procurement, cloud, support, and security inputs in the file, but do not duplicate the same ownership note across sections. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Article 3 direct-access design obligations, Article 4 fallback access and safeguards, Article 5 third-party sharing, and Article 50 timing. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for user verification, direct access alongside Article 5 third-party transfer rights, and legacy-product contract context. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer for Chapter II scope, raw and pre-processed data, simple access processes, security limits, and trade-secret safeguards. - [European Commission - Data Act press release](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078?ref=sorena.io) - Commission announcement identifying implementation support on trade-secret protection and user control over connected-device data. ### [Does the EU Data Act require direct access to be free of charge for the connected-product user?](/artifacts/eu/data-act/faq/direct-access-by-design.md#does-the-eu-data-act-require-direct-access-to-be-free-of-charge-for-the-connected-product-user) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* Under the Data Act, Article 3 requires direct access to product and related-service data to be provided to the user easily, securely, and free of charge, in a comprehensive, structured, commonly used, machine-readable format with relevant metadata. A data holder cannot put the statutory user access behind a fee or a premium tier. - Provide the user's own direct access free of charge in a structured, machine-readable format. - Keep any third-party sharing compensation separate from the user's free statutory access. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Article 3 direct-access design obligations, Article 4 fallback access and safeguards, Article 5 third-party sharing, and Article 50 timing. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for user verification, direct access alongside Article 5 third-party transfer rights, and legacy-product contract context. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer for Chapter II scope, raw and pre-processed data, simple access processes, security limits, and trade-secret safeguards. - [European Commission - Data Act press release](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078?ref=sorena.io) - Commission announcement identifying implementation support on trade-secret protection and user control over connected-device data. ### [When must a connected product be redesigned to meet the EU Data Act direct-access obligation?](/artifacts/eu/data-act/faq/direct-access-by-design.md#when-must-a-connected-product-be-redesigned-to-meet-the-eu-data-act-direct-access-obligation) *Module: [EU Data Act Direct Access by Design](/artifacts/eu/data-act/faq/direct-access-by-design.md)* Under the Data Act, the Article 3 design obligation applies to connected products and related services placed on the market after 12 September 2026, so products designed before that date are not retrofitted by the rule but may still owe Article 4 access on request. Teams should map each product to the date it was or will be placed on the market. - Apply the Article 3 design obligation to products placed on the market after 12 September 2026. - Design direct access into new products rather than relying on a manual support export. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Article 3 direct-access design obligations, Article 4 fallback access and safeguards, Article 5 third-party sharing, and Article 50 timing. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for user verification, direct access alongside Article 5 third-party transfer rights, and legacy-product contract context. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer for Chapter II scope, raw and pre-processed data, simple access processes, security limits, and trade-secret safeguards. - [European Commission - Data Act press release](https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2078?ref=sorena.io) - Commission announcement identifying implementation support on trade-secret protection and user control over connected-device data. ### [Which national authorities are responsible for enforcing the EU Data Act in each Member State?](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md#which-national-authorities-are-responsible-for-enforcing-the-eu-data-act-in-each-member-state) *Module: [EU Data Act Enforcement And Competent Authorities](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md)* Each Member State must designate one or more competent authorities for Data Act application and enforcement. A Member State can create a new authority or rely on an existing public body, so companies should not assume that the same office is responsible in every country. - Use the Commission public register to check the current authority list before sending a complaint or request. - For cross-border issues, the data coordinator helps identify the right authority in the Member State concerned. - Do not guess sector-specific responsibility where another authority may have competence under Article 37. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 37 sets out competent authorities, data coordinators, cooperation duties, and the public register. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - The Commission explains that the data coordinator is the national single point of contact when several authorities are designated. ### [How can a person or company lodge a complaint about an EU Data Act infringement?](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md#how-can-a-person-or-company-lodge-a-complaint-about-an-eu-data-act-infringement) *Module: [EU Data Act Enforcement And Competent Authorities](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md)* Natural and legal persons can lodge a complaint, individually or collectively where relevant, with the relevant competent authority if they consider that their Data Act rights have been infringed. The correct Member State is tied to the complainant's habitual residence, place of work, or establishment. - Collect the contract, request history, dates, and the exact Data Act issue before filing. - If you are unsure which authority is responsible, start with the data coordinator. - Complaints can be made without giving up the right to go to court. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 38 gives the complaint right and explains the Member State link and data coordinator support. - [European Commission - Data Act FAQ](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The Commission FAQ says the data coordinator can help stakeholders with complaints and routing. ### [Are penalties for EU Data Act infringements harmonised across all EU Member States?](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md#are-penalties-for-eu-data-act-infringements-harmonised-across-all-eu-member-states) *Module: [EU Data Act Enforcement And Competent Authorities](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md)* No single EU penalty table is set in the Data Act. Member States set the rules on penalties for Data Act infringements and must make sure the penalties are effective, proportionate, and dissuasive. - Do not cite a euro amount, percentage cap, or national maximum unless it comes from the relevant Member State penalty measure. - Track national penalty rules separately from the Data Act text because Member States can update their measures. - For GDPR-related Data Act infringements within a data protection authority's competence, check the separate GDPR fine route. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 40 says Member States set Data Act penalty rules and lists non-exhaustive penalty criteria. - [European Commission - Data Act FAQ](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The Commission FAQ confirms that penalties are set by Member States, with EDIB coordination for consistency. ### [When can EU Data Act dispute settlement be used instead of a competent-authority complaint?](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md#when-can-eu-data-act-dispute-settlement-be-used-instead-of-a-competent-authority-complaint) *Module: [EU Data Act Enforcement And Competent Authorities](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md)* Under the Data Act, certified dispute settlement bodies are a voluntary route. Users, data holders, and data recipients can use them for disputes about the Chapter II handbrakes, FRAND terms, Chapter III compensation, and Chapter VI data processing services. - Use dispute settlement when both parties want a faster, lower-cost route and the dispute falls within Article 10. - Do not use it for a dispute already before another dispute settlement body or a court or tribunal. - A complaint to the competent authority is still available where the Data Act gives that route. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 10 covers dispute settlement scope, timing, refusal rules, binding effect, and court-preservation rules. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - The Commission explains dispute settlement as a practical route for parties that cannot agree on FRAND terms. ### [Where is the boundary between Data Act competent authorities and GDPR supervisory authorities?](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md#where-is-the-boundary-between-data-act-competent-authorities-and-gdpr-supervisory-authorities) *Module: [EU Data Act Enforcement And Competent Authorities](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md)* Data Act competent authorities do not replace GDPR supervisory authorities. Under Article 37, the authorities responsible for monitoring the GDPR are responsible for monitoring the Data Act insofar as protection of personal data is concerned. - Route personal-data protection questions to the GDPR supervisory authority path. - Keep the Data Act and GDPR records aligned so the same facts are described consistently. - For mixed datasets, record the personal-data assessment and the legal basis analysis. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 37(3) preserves GDPR supervisory authority responsibility where Data Act application concerns personal-data protection. - [European Commission - Data Act FAQ](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The Commission FAQ says the DPAs monitor Data Act matters within their personal-data protection competence. ### [What evidence should a Data Act enforcement file contain to support a complaint or inquiry?](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md#what-evidence-should-a-data-act-enforcement-file-contain-to-support-a-complaint-or-inquiry) *Module: [EU Data Act Enforcement And Competent Authorities](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md)* A useful enforcement file should be narrow and factual. It should show which Data Act right or obligation is involved, which Member State authority path is relevant, whether a data coordinator should route the issue, whether dispute settlement is available, and whether GDPR or sectoral authorities have separate competence. - Keep the exact legal issue, the date, the actor involved, and the request or decision that triggered the file. - Record the authority contacted, including the data coordinator if used. - Attach the cited Data Act source, any Commission guidance used, and the current version of the national penalty rule if relevant. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 37 to 40 support authority routing, complaints, cooperation, and penalty evidence. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - The Commission explains the role of the public register, the data coordinator, and the EDIB in enforcement. ### [What Data Act source evidence should teams keep for an enforcement decision?](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md#what-data-act-source-evidence-should-teams-keep-for-an-enforcement-decision) *Module: [EU Data Act Enforcement And Competent Authorities](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md)* For Data Act enforcement and competent authorities, teams should keep the source clause, any Commission guidance used, the actor role, the Member State route, and the reviewer who approved the interpretation. - Store the exact Article 37 to 40 citation used for the decision. - Keep the Commission explainer or FAQ reference that supports the routing choice. - Record the owner, the workflow affected, and the review trigger for future re-checks. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding Data Act text for competent authorities, data coordinators, complaint rights, judicial remedies, penalties, GDPR supervisory-authority boundaries, dispute settlement, and EDIB coordination. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer for the practical role of data coordinators, the Commission public register, EDIB penalty coordination, and certified dispute settlement bodies. - [European Commission - Data Act FAQ](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ used for practical explanations of enforcement bodies, complaint routing, penalties, DPAs, EDIB support, and dispute settlement limits. ## FAQ Pagination - Canonical index (page 1): [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 16 of 24 Pages: [1](/artifacts/eu/data-act/faq/items.md) | [2](/artifacts/eu/data-act/faq/items/page/2.md) | [3](/artifacts/eu/data-act/faq/items/page/3.md) | [4](/artifacts/eu/data-act/faq/items/page/4.md) | [5](/artifacts/eu/data-act/faq/items/page/5.md) | [6](/artifacts/eu/data-act/faq/items/page/6.md) | [7](/artifacts/eu/data-act/faq/items/page/7.md) | [8](/artifacts/eu/data-act/faq/items/page/8.md) | [9](/artifacts/eu/data-act/faq/items/page/9.md) | [10](/artifacts/eu/data-act/faq/items/page/10.md) | [11](/artifacts/eu/data-act/faq/items/page/11.md) | [12](/artifacts/eu/data-act/faq/items/page/12.md) | [13](/artifacts/eu/data-act/faq/items/page/13.md) | [14](/artifacts/eu/data-act/faq/items/page/14.md) | [15](/artifacts/eu/data-act/faq/items/page/15.md) | [16](/artifacts/eu/data-act/faq/items/page/16.md) | [17](/artifacts/eu/data-act/faq/items/page/17.md) | [18](/artifacts/eu/data-act/faq/items/page/18.md) | [19](/artifacts/eu/data-act/faq/items/page/19.md) | [20](/artifacts/eu/data-act/faq/items/page/20.md) | [21](/artifacts/eu/data-act/faq/items/page/21.md) | [22](/artifacts/eu/data-act/faq/items/page/22.md) | [23](/artifacts/eu/data-act/faq/items/page/23.md) | [24](/artifacts/eu/data-act/faq/items/page/24.md) [Previous page](/artifacts/eu/data-act/faq/items/page/15.md) | [Next page](/artifacts/eu/data-act/faq/items/page/17.md) *Recommended next step* *Placement: before sources* ## Turn a Data Act FAQ answer into a scoped review Review one product, dataset, cloud contract, public-sector request, or smart-contract deployment against the cited Data Act source and keep the scope, role, evidence, and unresolved questions together. - [Open Research Copilot](/solutions/research-copilot.md): Check Data Act scope, GDPR boundaries, cloud switching, and contract questions with cited source outputs. - [Talk through Data Act implementation](/contact.md): Review one connected product, data-sharing contract, cloud switch, or public-sector request before committing to an implementation path. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/data-act/faq/items/page/16