EU Data Act: Fair Access to Connected Product Data and Cloud Switching Penalties and Fines

Understand the enforcement model and build evidence that reduces penalty risk.

Focus: Article 40 penalties framework and the GDPR-linked administrative fines route for Chapter II/III/V infringements.

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026

Overview

EU Data Act enforcement is not a single Union fine table. Article 40 requires Member States to set penalty rules and implement them, and it lists the non-exhaustive criteria authorities should consider when imposing penalties. In addition, for infringements of Chapters II, III, and V, GDPR supervisory authorities may impose administrative fines within their competence in line with GDPR Article 83 and up to the levels in GDPR Article 83(5). The practical takeaway is that enforcement risk is largely an evidence and operating model problem.


1) The baseline: Member States must set penalty rules (Article 40(1)-(3))

Article 40 requires Member States to lay down penalty rules for infringements and to ensure they are implemented. Penalties must be effective, proportionate, and dissuasive.

Member States were required to notify the Commission of their rules by 12 September 2025, and the Commission maintains a public register of those measures.

  • Expect local variation: enforcement mechanisms and penalty levels are set nationally
  • Cross-border reality: your exposure depends on establishment and where requests/users are located
  • Compliance implication: keep a per-Member-State enforcement tracker for your primary markets

2) The criteria authorities consider (Article 40(3)) - build your evidence around them

Article 40 lists non-exhaustive criteria authorities should consider when imposing penalties. Treat this as a roadmap for your evidence pack.

You can't control every factor, but you can control your remediation speed, documentation quality, and operational discipline.

  • Nature, gravity, scale, and duration of the infringement
  • Mitigation/remediation actions taken to reduce harm
  • Previous infringements (repeat offender risk)
  • Financial benefits gained or losses avoided (where establishable)
  • Other aggravating/mitigating factors and the party's EU turnover

3) GDPR-linked administrative fines for Chapters II, III, and V (Article 40(4))

Article 40(4) creates a direct bridge: for infringements of obligations in Chapters II, III and V, the supervisory authorities responsible for monitoring the GDPR can impose administrative fines within their competence under GDPR Article 83 and up to the amount in GDPR Article 83(5).

Operationally, this means personal-data-heavy Data Act failures can converge into familiar GDPR enforcement patterns when the supervisory authority is acting within its competence.

  • Treat mixed personal/non-personal datasets as higher enforcement risk: you must show GDPR safeguards and Data Act access compliance simultaneously
  • Build a combined evidence pack: request logs, identity checks, dataset manifests, filtering decisions, and security controls
  • Have a remediation playbook: ability to fix access workflows, contract terms, or cloud switching disclosures quickly

4) Risk-reduction controls (what to implement now)

Penalty risk is reduced by predictable operations and strong audit trails. Most enforcement questions become: what did you do, when, under what authority, and with what safeguards?

Build controls that produce evidence automatically.

  • Scope memo and role mapping (user/data holder/data recipient; chapter applicability per product/service)
  • Access workflow: direct/indirect access design, identity verification, response SLAs, and immutable logs
  • Trade secrets playbook: field classification, safeguard agreements, and targeted withholding/suspension case files
  • Cloud switching posture: contract clauses, online register, jurisdiction disclosures, and switching drill reports
  • B2G readiness: intake/triage workflow, minimisation protocol, and compensation model (where applicable)

Evidence pack checklist - what you want on the table first

If you're investigated, speed and clarity matter. Assemble a standard evidence pack so you can respond consistently and demonstrate good faith.

Structure it around Article 40 criteria: remediation actions, duration, scale, and prevention controls.

  • Request logs: timestamps, identity verification, decisions, and delivery receipts
  • Dataset manifests: schema versions, "readily available" definition, and export formats
  • Security evidence: access control model, encryption, monitoring, incident reports
  • Contract evidence: clause matrices for Chapter IV unfair terms and Chapter VI switching
  • Remediation evidence: fixes shipped, customer comms, and preventive changes