Artifact GuideEUData Act

EU Data Act Penalties and Enforcement

Article 40 does not create one EU-wide fine table. It requires Member States to set effective, proportionate, and dissuasive penalties, while the Data Act lists factors authorities should consider when penalties are imposed.

Use this page to separate Data Act penalty exposure from GDPR enforcement, route complaints to the right authority, and build evidence around the factors that matter.

Back to main artifactReview sources
Author
Sorena AI
Published
May 6, 2026
Updated
May 6, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 6, 2026
Updated May 6, 2026
Overview

The Data Act does not set one EU-wide fine amount. Penalties depend on the Member State, the authority with competence, and the facts of the case, including whether the issue belongs with a data protection authority or another competent authority.

Section 1

Data Act Article 40 and how national penalties are set by member states

The Data Act leaves penalty rules to Member States. Article 40 requires each Member State to lay down penalties for infringements of the Regulation and to take the measures needed to implement them.

That means a compliance note should not present a universal Data Act fine cap, a guessed percentage of worldwide turnover, or an unpublished national schedule as if it were already harmonised EU law. The grounded statement is narrower: Member State penalties must be effective, proportionate, and dissuasive, and Member States had to notify the Commission of their rules and measures by 12 September 2025 and later amendments without delay.

For search visitors comparing risk, the practical takeaway is to track the national implementing measure for the relevant Member State and then apply Article 40's penalty factors to the facts of the alleged infringement.

  • Do not invent an EU-wide Data Act fine table.
  • Identify the Member State of competence before estimating exposure.
  • Check whether the Commission public register or national measure identifies the applicable penalty route.
  • Keep Data Act penalty analysis separate from GDPR administrative fine analysis unless the issue falls within DPA competence.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Article 40 requires Member States to set and implement Data Act penalties and notify those measures to the Commission.
European Commission - Data Act FAQs v1.4
Commission FAQ confirms that Data Act penalties are set by Member States rather than harmonised in one EU schedule.
Section 2

Data Act penalty factors a competent authority weighs and what to keep in the evidence file

Article 40 lists non-exhaustive criteria for penalty decisions. The file should therefore show more than a final legal conclusion; it should preserve facts that an authority could use to assess severity and proportionality.

The most useful internal record ties the alleged infringement to its affected Data Act obligation, the products or services involved, the time period, impacted parties, remediation steps, prior similar issues, any financial benefit or avoided loss that can be reliably established, and the infringing party's annual turnover in the Union for the preceding financial year.

  • Nature, gravity, scale, and duration of the alleged infringement.
  • Actions taken to mitigate or remedy damage.
  • Previous infringements by the same party.
  • Financial benefits gained or losses avoided, where reliably established.
  • Other aggravating or mitigating factors.
  • Annual turnover in the Union in the preceding financial year.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Article 40(3) lists the non-exhaustive criteria Member States should take into account when penalties are imposed.
Recommended next step

Map Data Act enforcement exposure before disputes escalate

Turn Article 40 factors, authority routing, complaint handling, and GDPR escalation into a maintained evidence file for product, legal, privacy, and engineering teams.

Research workflow
Open Research Copilot

Research Data Act authority paths, complaint issues, and source-linked obligations with cited outputs.

Explore next step
Talk to Sorena
Talk through Data Act enforcement readiness

Review your Data Act scope, GDPR boundary, complaint process, evidence model, and escalation path.

Explore next step
Section 3

Data Act competent authorities, data coordinators, and complaints

Article 37 requires each Member State to designate one or more competent authorities for Data Act application and enforcement. If a Member State designates more than one authority, it must designate a data coordinator to facilitate cooperation and assist entities on Data Act application and enforcement questions.

For a complaint or enforcement intake, record the complainant's habitual residence, place of work, or establishment, the supervised entity's establishment or legal representative, the Data Act provision involved, and whether another authority has sectoral or personal-data competence.

Article 38 gives natural and legal persons the right to lodge complaints with the relevant competent authority if they consider their Data Act rights have been infringed. The data coordinator must provide information needed to lodge complaints with the appropriate competent authority upon request.

  • Start with the Member State authority path rather than an internal generic mailbox.
  • Use the data coordinator when the correct competent authority is unclear.
  • Track authority communications, requests for information, complainant updates, and cross-border cooperation steps.
  • Keep trade secret, security, access refusal, public-sector request, and cloud switching disputes tied to the specific Data Act chapter involved.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Articles 37 and 38 establish competent authorities, data coordinators, complaint handling, and cooperation duties.
European Commission - Data Act explained
Commission explanation describes national competent authorities, data coordinators, the public register, and EDIB coordination on penalties.
European Commission - Data Act FAQs v1.4
Commission FAQ explains how complainants can use data coordinators when the appropriate competent authority is unclear.
Section 4

Data Act enforcement and the GDPR boundary when personal data is involved

The Data Act covers personal and non-personal data, but it does not supersede the GDPR. Article 1(5) says personal data protection law continues to apply and prevails in the event of conflict.

Article 37(3) gives GDPR supervisory authorities responsibility for monitoring Data Act application insofar as personal data protection is concerned. Article 40 then gives DPAs, within their competence, power to impose GDPR-style administrative fines for infringements of Data Act obligations in Chapters II, III, and V.

In practice, a Data Act enforcement file should mark whether the issue is about access to connected-product data, B2B mandatory data sharing, public-sector access, cloud switching, trade secrets, or personal data protection. Personal data questions such as valid legal basis, data subject access, portability, and classification of personal data may need DPA handling.

  • Do not use GDPR fine amounts as a shortcut for every Data Act infringement.
  • Escalate personal data issues to privacy counsel or the DPO before making access, sharing, or refusal decisions.
  • Record whether the user is the data subject or whether a separate GDPR legal basis is needed.
  • Keep Data Act and GDPR decision records linked but distinct.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Articles 1(5), 37(3), and 40(4)-(5) define the personal-data boundary and DPA/EDPS fine competence.
European Commission - Data Act FAQs v1.4
Commission FAQ explains that GDPR remains fully applicable to personal data processing under the Data Act and that DPAs enforce personal-data aspects.
European Commission - Data Act explained
Commission explanation highlights GDPR compliance, valid legal basis issues, and the difficulty of separating personal and non-personal co-generated data.
Section 5

Data Act complaints and remedy routes available to users and recipients

The Data Act gives affected natural and legal persons more than one route. Complaints can go to the relevant competent authority, and Article 39 preserves the right to an effective judicial remedy against legally binding authority decisions.

Where a competent authority fails to act on a complaint, Article 39 gives affected persons a route, under national law, to judicial remedy or review by an impartial body with appropriate expertise. That makes complaint tracking operationally important: missed responses, incomplete authority packets, and unclear ownership can become part of the dispute record.

Some Data Act disputes also have specific challenge routes. For example, where a data holder suspends, withholds, or refuses sharing on trade secret or security grounds, the user or third party may challenge the decision through a competent authority complaint, court or tribunal, or agreed dispute settlement body.

  • Log the complaint date, complainant route, authority, Data Act article, and requested remedy.
  • Preserve the response timeline and any national-law procedural deadlines identified by counsel.
  • Attach the underlying access request, refusal or suspension notice, trade secret or security rationale, and remediation steps.
  • Keep judicial remedy and dispute settlement options visible without implying they replace authority cooperation.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act)
Articles 38 and 39 establish complaint and judicial remedy rights; Articles 4 and 5 add challenge routes for certain refusal, suspension, and withholding decisions.
European Commission - Data Act explained
Commission explanation describes challenge routes for trade secret and security-based refusal, withholding, or suspension decisions.
European Commission - Data Act FAQs v1.4
Commission FAQ lists complaint, legal proceedings, and consumer protection routes for users seeking to enforce Data Act rights.
Section 6

What not to publish or claim as Data Act penalty and fine guidance

A useful penalties page should be explicit about what is not yet grounded. Avoid publishing national penalty amounts unless the applicable national measure is identified in the grounding source and current for the relevant Member State.

Avoid saying the Commission itself is the primary penalty authority for ordinary Data Act infringements. The Commission supports enforcement through public information, the European Data Innovation Board, and registers, while Member State authorities are primarily responsible for enforcement.

Avoid treating Article 40 factors as optional compliance theatre. They are the facts that make a penalty decision easier or harder to defend.

  • No invented fixed maximum fine or turnover percentage for the Data Act as a whole.
  • No copied GDPR fine cap unless the matter is within DPA competence under Article 40(4).
  • No national penalty schedule without a current national source.
  • No generic complaint playbook that omits competent authority, data coordinator, DPA, and judicial remedy routes.
Sources for this answer
European Commission - Data Act FAQs v1.4
Commission FAQ states that Member States set Data Act penalties and that the Commission's role is supportive.
Regulation (EU) 2023/2854 (Data Act)
Article 40 supports avoiding unsupported harmonised fine claims and focusing on national rules plus listed penalty factors.
Primary sources

References and citations

European Commission - Data Act explained
digital-strategy.ec.europa.eu
Referenced sections
  • Commission explanation describes challenge routes for trade secret and security-based refusal, withholding, or suspension decisions.
Regulation (EU) 2023/2854 (Data Act)
eur-lex.europa.eu
Referenced sections
  • Article 40 supports avoiding unsupported harmonised fine claims and focusing on national rules plus listed penalty factors.
Related guides

Explore more topics

Data Act and Common European Data Spaces
How Data Act Article 33 connects data-space participation with metadata, vocabularies, APIs, access terms, data quality, governance, and standards monitoring.
Data Act and Data Governance Act Overlap FAQ
FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows.
Data Act and GDPR Personal Data Overlap FAQ
FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing.
Data Act Audit Evidence And Request Logs FAQ
FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries.
Data Act B2B Data-Sharing Contract Clauses
Clause guide for EU Data Act B2B data sharing: FRAND terms, compensation, trade secret safeguards, recipient limits, termination, logs, and GDPR boundaries.
Data Act B2B Data-Sharing Contract Template
A usable EU Data Act B2B data-sharing template outline covering access requests, data schedules, permitted use, trade secrets, security, compensation, GDPR boundaries, audit records, and termination.
Data Act B2G Exceptional-Need Requests
A grounded guide to EU Data Act Chapter V requests from public bodies: exceptional need, public emergencies, request contents, limits, safeguards, costs, and records.
Data Act Cloud Switching Compliance Checklist
A grounded EU Data Act checklist for cloud and data processing service providers covering switching clauses, notices, export formats, charges, interoperability, and evidence.
Data Act Cloud Switching Contract Terms FAQ
FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records.
Data Act Cloud Switching Fees And Deadlines FAQ
FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records.
Data Act Complaints and Dispute Settlement FAQ
FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records.
Data Act Exportable Data and Metadata FAQ
FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded.
Data Act FAQ for Aftermarket Repair and Mobility Services
FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services.
Data Act Functional Equivalence FAQ
FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence.
Data Act Indirect Access Request Flows FAQ
FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited.
Data Act International Government Access FAQ
FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers.
Data Act Interoperability Standards FAQ
FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614.
Data Act Model Contractual Terms FAQ
FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence.
Data Act Public Emergency Requests FAQ
FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records.
Data Act Smart Contracts for Data Sharing
Data Act Article 36 smart contract guide for data-sharing agreements: scope, robustness, access control, termination, interruption, archiving, standards status, and conformity evidence.
Data Act SME Exceptions and Startups FAQ
FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms.
Data Act Trade Secret Technical Protection Measures FAQ
FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence.
Data Act Trade Secrets and Protection Measures
Data Act guide for protecting trade secrets during access and sharing: classification, safeguards, refusal thresholds, notices, evidence records, and reviews.
Data Act Unfair Contractual Terms | Article 13 B2B Contract Review
Review B2B data-sharing clauses under EU Data Act Article 13: unilateral terms, always unfair examples, presumed unfair terms, model clauses, evidence, and remediation.
Data Act Vehicle Data Guidance
Commission-grounded guide to Data Act vehicle data access: connected vehicles, vehicle-related services, raw and pre-processed data, aftermarket use cases, access routes, safeguards, and GDPR boundaries.
Data Act vs GDPR: connected-product data access
Compare EU Data Act connected-product access duties with GDPR personal-data rules: scope, roles, lawful basis, data subject rights, third-party sharing, trade secrets, and conflicts.
EU Data Act and Common European Data Spaces FAQ
FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation.
EU Data Act Applicability Test
Check whether a product, related service, data holder, cloud service, data-space role, smart contract, or B2G request is in scope of the EU Data Act.
EU Data Act Application Dates And Transition FAQ
FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain.
EU Data Act Article 3 Pre-Contract Information
What Article 3 of the EU Data Act requires before connected-product purchase, rent, lease, or related-service contracting: data categories, access, data holder identity, third-party sharing, complaints, and evidence.
EU Data Act Article 36 Smart Contract Controls FAQ
FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires.
EU Data Act B2B Data Sharing Compensation FAQ
FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards.
EU Data Act B2G Compensation and Costs FAQ
FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep.
EU Data Act B2G Exceptional Need FAQ
When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence.
EU Data Act Checklist for Product, Cloud, and Contract Teams
A grounded EU Data Act checklist for connected-product data access, third-party sharing, B2G requests, cloud switching, unfair terms, smart contracts, personal data boundaries, evidence, and owners.
EU Data Act Cloud Switching and Exit Plans
A grounded EU Data Act guide for data processing service exit plans: switching contracts, exportable data, assistance, charges, interoperability, retrieval, erasure, and records.
EU Data Act Cloud Switching Procurement FAQ
Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence.
EU Data Act Compliance Program
Build a Data Act compliance program for connected-product data access, contracts, B2G requests, cloud switching, smart contracts, GDPR boundaries, records, and ownership.
EU Data Act Connected Product Scope and Data Types
Classify EU Data Act connected products, related services, product data, related-service data, readily available data, metadata, and excluded derived outputs.
EU Data Act Connected Product Scope FAQ
FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope.
EU Data Act Data Processing Service Switching
A grounded EU Data Act guide for provider and customer switching duties: exit assistance, exportable data, contract clauses, charges, interoperability, retrieval, and erasure.
EU Data Act data spaces interoperability FAQ
FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence.
EU Data Act deadlines and compliance calendar
A source-linked calendar for EU Data Act application dates, product design timing, contract remediation, cloud switching charges, response periods, standards work, and evidence records.
EU Data Act Direct Access by Design FAQ
FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act.
EU Data Act Enforcement And Competent Authorities FAQ
FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible.
EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates
Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates.
EU Data Act Non-Emergency Public-Sector Requests FAQ
FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence.
EU Data Act Non-Personal Data and Mixed Datasets FAQ
FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records.
EU Data Act Pre-Contractual Information FAQ
FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries.
EU Data Act Product Data vs Related Service Data FAQ
FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs.
EU Data Act Readily Available Data FAQ
FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics.
EU Data Act Related Services FAQ
FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply.
EU Data Act requirements
Source-grounded EU Data Act requirements for connected-product data access, B2B sharing terms, B2G exceptional needs, cloud switching, smart contracts, interoperability, GDPR boundaries, and records.
EU Data Act Smart Contracts for Data Sharing FAQ
Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status.
EU Data Act Third-Party Data Sharing FAQ
FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers.
EU Data Act Trade Secret Safeguards FAQ
FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records.
EU Data Act Unfair Contractual Terms FAQ
FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence.
EU Data Act User Access and Portability Rights
Practical guide to EU Data Act user access, connected-product data portability, third-party sharing, trade secret safeguards, and the GDPR boundary.
EU Data Act Users, Data Holders, and Recipients FAQ
FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries.
EU Data Act Vehicle Data Guidance FAQ
FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries.
EU Data Act vs Data Governance Act
Compare the EU Data Act with the Data Governance Act: connected-product access, cloud switching, B2B/B2G duties, protected public-sector reuse, intermediaries, altruism, governance, and enforcement.