Artifact GuideEUData Act

EU Data Act Smart Contracts for Data Sharing

Apply Data Act Article 36 to smart contracts used to execute data-sharing agreements, with controls for robustness, access control, termination, interruption, archiving, continuity, consistency, and conformity evidence.

Grounded in the Data Act and Commission materials. The page separates binding Article 36 duties from developing standards and non-binding implementation context.

Back to main artifactReview sources
Author
Sorena AI
Published
May 6, 2026
Updated
May 6, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 6, 2026
Updated May 6, 2026
Overview

Use this guide to translate Data Act Article 36 into engineering, contract, and assurance checks for smart contracts that execute all or part of a data-sharing agreement. The page focuses on the application or deployer role, required technical properties, relationship to the underlying agreement, and evidence needed for the EU declaration of conformity.

Section 1

Data Act scope: when does Article 36 apply to a smart contract for data sharing?

Article 36 applies to smart contracts used for executing data-sharing agreements. The duty is placed on the vendor of an application using smart contracts or, if there is no vendor, the person whose trade, business, or profession involves deploying smart contracts for others to make data available.

Do not scope the page by technology label alone. The key question is whether the program executes an agreement or part of an agreement to make data available. The Commission FAQ also makes clear that Article 36 regulates the computer program used for execution, not the underlying agreement as national contract law.

  • In scope: application smart-contract code that automatically executes data-sharing agreement terms or makes data available under those terms.
  • Actor to identify: vendor of the application using smart contracts, or the professional deployer acting for others when no vendor exists.
  • Not enough: calling a workflow a smart contract, using a blockchain component, or automating an internal approval with no data-sharing agreement execution.
  • Boundary to document: the agreement clauses, data availability functions, parties, deployer, administrators, keys, oracles, off-chain systems, and audit logs.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act), Article 36
Identifies the Article 36 duty holder and limits the obligation to smart contracts used to execute agreements to make data available.
European Commission Data Act FAQs
Explains that Article 36 smart-contract requirements regulate execution programs and do not change national contract law.
Section 2

Data Act essential requirements: what controls does Article 36 require of a smart contract?

Article 36 is not a general blockchain policy. It lists essential requirements that need to be translated into release gates, tests, administrative permissions, incident procedures, and evidence before the smart contract is made available.

Two separate access-control ideas matter. First, the smart contract must offer access-control mechanisms and a very high degree of robustness to avoid functional errors and manipulation. Second, it must be protected through rigorous access controls at both the governance and smart-contract layers.

  • Robustness: prove error handling, boundary checks, dependency validation, upgrade constraints, and manipulation resistance.
  • Governance access control: define who can deploy, pause, terminate, upgrade, rotate keys, change parameters, or approve emergency actions.
  • Smart-contract access control: enforce permissions in code for data availability, state changes, administrative actions, and privileged functions.
  • Safe termination and interruption: include internal functions that can reset, stop, or interrupt operation to avoid future accidental executions.
  • Archiving and continuity: preserve transactional data, logic, and code when the contract is terminated or deactivated so past operations remain auditable.
  • Consistency: test that the deployed smart contract carries out the terms of the data-sharing agreement it executes.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act), Article 36
Binding source for Article 36 essential requirements: robustness, access control, safe termination, interruption, archiving, continuity, and consistency.
European Commission - Data Act explained
Commission explanation linking Article 36 to correct execution of data-sharing agreement provisions and manipulation resistance.
Section 3

Data Act How should the smart contract stay consistent with the data-sharing agreement?

Article 36 expressly requires consistency with the terms of the data-sharing agreement that the smart contract executes. Treat the agreement as the source for functional behavior, not as an attachment added after deployment.

Create an agreement-to-code trace before release. Each executable clause should point to a function, event, parameter, permission, oracle, off-chain process, or monitoring rule. Any clause that cannot be represented or tested should be carved out of automated execution or escalated before deployment.

  • Trace data subject matter: which data, metadata, formats, quality conditions, and availability commitments the contract executes.
  • Trace usage conditions: permissions, restrictions, compensation logic, service-level terms, and expiration or termination conditions.
  • Trace roles: data provider, recipient, vendor, deployer, administrator, key custodian, oracle operator, and incident owner.
  • Trace deviations: manual steps, off-chain records, unautomated clauses, legal exceptions, and security or trade-secret holds that sit outside the smart contract.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act), Article 36
Requires the smart contract to remain consistent with the data-sharing agreement it executes.
Commission Implementing Decision C(2025) 4135 - standardisation request annexes
Implementation context for data-transaction standards work, including recording data-sharing agreements, access descriptions, permissions, and auditability.
Section 4

Data Act What termination, interruption, archiving, and continuity evidence should exist?

Article 36 requires more than an emergency pause button. The contract needs a mechanism to terminate continued transaction execution and internal functions that can reset, stop, or interrupt operation. Those functions should be tested under ordinary termination, incident response, administrator error, oracle failure, and key-compromise scenarios.

Archiving and continuity must be designed before termination. If a smart contract is terminated or deactivated, Article 36 expects the ability to archive transactional data, smart-contract logic, and code so the record of past data operations remains auditable.

  • Termination evidence: who can trigger it, what checks are required, which functions stop, and what transactions remain impossible afterward.
  • Interruption evidence: pause or stop conditions, reset behavior, dependency failure handling, and prevention of accidental future executions.
  • Archiving evidence: transaction history, logs, contract logic, deployed code version, configuration, oracle inputs, and off-chain records needed for auditability.
  • Continuity evidence: how authorised parties retrieve archived records, reconcile post-termination state, and preserve proof that past operations matched the agreement.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act), Article 36
Binding source for termination, interruption, archiving, continuity, and auditability requirements for Article 36 smart contracts.
European Commission - Rolling Plan for ICT standardisation, Data Economy
Broader Commission standardisation context for data lifecycle, record keeping, archival, and long-term preservation concerns.
Recommended next step

Data Act Build the Article 36 evidence file before deployment

Use the smart-contract scope record, agreement-to-code trace, control matrix, test results, and conformity documents as one review pack for legal, security, engineering, and assurance teams.

Research workflow
Open Research Copilot

Answer Data Act scope, timing, and interpretation questions with cited outputs.

Explore next step
Talk to Sorena
Talk through implementation

Review your product scope, contracts, evidence model, and next actions.

Explore next step
Section 5

Data Act What conformity assessment and declaration file should be retained?

Article 36 requires the vendor or professional deployer to perform a conformity assessment against the essential requirements and issue an EU declaration of conformity when those requirements are fulfilled. Drawing up the declaration carries responsibility for compliance with those requirements.

The practical evidence file should be technical enough for engineering review and structured enough for legal or assurance review. It should prove what was assessed, which version was deployed, which controls were tested, and how the deployed behavior remains tied to the data-sharing agreement.

  • Scope record: agreement name, parties, data made available, smart-contract application, vendor or deployer, and deployment environment.
  • Requirement matrix: Article 36 requirement, control design, test method, result, residual limitation, owner, and evidence link.
  • Code and operation record: code version, deployment address or environment, configuration, privileged roles, key custody, oracle dependencies, and monitoring rules.
  • Declaration support: reviewer approval, conformity assessment result, EU declaration of conformity, and triggers for reassessment after agreement, code, key, governance, or standards changes.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act), Article 36
Binding source for the Article 36 conformity assessment, EU declaration of conformity, and responsibility for compliance.
Section 6

Data Act What is the standards and common specifications status?

Article 36 creates a standards route, but the source set for this page does not show an Article 36 harmonised standard reference already published in the Official Journal or an Article 36 common specification already adopted. Therefore, do not present a draft, standardisation request, or standards-body update as a completed conformity route for Article 36.

The Data Act says a smart contract that meets harmonised standards published in the Official Journal is presumed in conformity only to the extent those standards cover the Article 36 requirements. It also allows common specifications as a fall-back where the standardisation route has failed, been delayed, or is insufficient and no relevant harmonised-standard reference is available or expected within a reasonable period.

  • Current binding anchor: Article 36 itself, including the essential requirements and conformity-assessment duty.
  • Standards route: use only harmonised standards whose references are published in the Official Journal, and only for the requirements they actually cover.
  • Common specifications route: treat as an exceptional fall-back implemented through Commission implementing acts, not as a default substitute for standards.
  • Adjacent standards work: the European Trusted Data Framework request and accepted M/614 programme support Article 33 data-space interoperability and trusted data transactions, so label it as context unless relying on a specific Article 36 source.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act), Article 36
Binding source for Article 36 presumptions of conformity through harmonised standards and common specifications.
European Commission Data Act FAQs
Explains the Commission's stated preference for standards and describes common specifications as an exceptional fall-back.
Commission Implementing Decision C(2025) 4135 - standardisation request annexes
Shows the Article 33 European Trusted Data Framework request and trusted-data-transaction deliverables, which are useful context but not an Article 36 OJ citation.
CEN-CENELEC - Data Act standardization request accepted
Confirms acceptance of the M/614 Data Act standardisation request and development of seven European standardisation deliverables.
Section 7

Data Act smart contract evidence: what claims should the documentation avoid?

Do not claim that automation itself satisfies Article 36. The defensible claim is narrower: the vendor or deployer assessed a specific smart contract version against the Article 36 essential requirements and issued a declaration only if those requirements were fulfilled.

Do not add unsupported penalties, thresholds, or certification labels. The Commission materials in this grounding set say penalties are set by Member States and should be effective, proportionate, and dissuasive; they do not provide an Article 36-specific fine table for this page.

  • Avoid saying a smart contract is compliant because it is immutable; Article 36 requires stop, interrupt, archive, and continuity mechanisms.
  • Avoid saying standards are satisfied unless the source is a relevant published harmonised standard or adopted common specification covering the requirement.
  • Avoid hiding off-chain dependencies such as APIs, storage, keys, administrators, oracle inputs, and manual exception handling.
  • Avoid treating the smart contract as the agreement itself; Article 36 regulates the execution program, while the agreement and national contract-law issues remain distinct.
Sources for this answer
Regulation (EU) 2023/2854 (Data Act), Article 36
Binding source showing why immutability or automation alone cannot replace Article 36 termination, interruption, archiving, and conformity checks.
European Commission Data Act FAQs
Supports the contract-law boundary and avoids presenting Article 36 as changing the agreement itself.
European Commission - Data Act explained
Supports the penalty caveat: Member States set penalties and the EU-level description is effective, proportionate, and dissuasive rather than an Article 36 fine table.
Primary sources

References and citations

European Commission - Data Act explained
digital-strategy.ec.europa.eu
Referenced sections
  • Supports the penalty caveat: Member States set penalties and the EU-level description is effective, proportionate, and dissuasive rather than an Article 36 fine table.
European Commission Data Act FAQs
ec.europa.eu
Referenced sections
  • Supports the contract-law boundary and avoids presenting Article 36 as changing the agreement itself.
Related guides

Explore more topics

Data Act and Common European Data Spaces
How Data Act Article 33 connects data-space participation with metadata, vocabularies, APIs, access terms, data quality, governance, and standards monitoring.
Data Act and Data Governance Act Overlap FAQ
FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows.
Data Act and GDPR Personal Data Overlap FAQ
FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing.
Data Act Audit Evidence And Request Logs FAQ
FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries.
Data Act B2B Data-Sharing Contract Clauses
Clause guide for EU Data Act B2B data sharing: FRAND terms, compensation, trade secret safeguards, recipient limits, termination, logs, and GDPR boundaries.
Data Act B2B Data-Sharing Contract Template
A usable EU Data Act B2B data-sharing template outline covering access requests, data schedules, permitted use, trade secrets, security, compensation, GDPR boundaries, audit records, and termination.
Data Act B2G Exceptional-Need Requests
A grounded guide to EU Data Act Chapter V requests from public bodies: exceptional need, public emergencies, request contents, limits, safeguards, costs, and records.
Data Act Cloud Switching Compliance Checklist
A grounded EU Data Act checklist for cloud and data processing service providers covering switching clauses, notices, export formats, charges, interoperability, and evidence.
Data Act Cloud Switching Contract Terms FAQ
FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records.
Data Act Cloud Switching Fees And Deadlines FAQ
FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records.
Data Act Complaints and Dispute Settlement FAQ
FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records.
Data Act Exportable Data and Metadata FAQ
FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded.
Data Act FAQ for Aftermarket Repair and Mobility Services
FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services.
Data Act Functional Equivalence FAQ
FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence.
Data Act Indirect Access Request Flows FAQ
FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited.
Data Act International Government Access FAQ
FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers.
Data Act Interoperability Standards FAQ
FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614.
Data Act Model Contractual Terms FAQ
FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence.
Data Act Public Emergency Requests FAQ
FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records.
Data Act SME Exceptions and Startups FAQ
FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms.
Data Act Trade Secret Technical Protection Measures FAQ
FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence.
Data Act Trade Secrets and Protection Measures
Data Act guide for protecting trade secrets during access and sharing: classification, safeguards, refusal thresholds, notices, evidence records, and reviews.
Data Act Unfair Contractual Terms | Article 13 B2B Contract Review
Review B2B data-sharing clauses under EU Data Act Article 13: unilateral terms, always unfair examples, presumed unfair terms, model clauses, evidence, and remediation.
Data Act Vehicle Data Guidance
Commission-grounded guide to Data Act vehicle data access: connected vehicles, vehicle-related services, raw and pre-processed data, aftermarket use cases, access routes, safeguards, and GDPR boundaries.
Data Act vs GDPR: connected-product data access
Compare EU Data Act connected-product access duties with GDPR personal-data rules: scope, roles, lawful basis, data subject rights, third-party sharing, trade secrets, and conflicts.
EU Data Act and Common European Data Spaces FAQ
FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation.
EU Data Act Applicability Test
Check whether a product, related service, data holder, cloud service, data-space role, smart contract, or B2G request is in scope of the EU Data Act.
EU Data Act Application Dates And Transition FAQ
FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain.
EU Data Act Article 3 Pre-Contract Information
What Article 3 of the EU Data Act requires before connected-product purchase, rent, lease, or related-service contracting: data categories, access, data holder identity, third-party sharing, complaints, and evidence.
EU Data Act Article 36 Smart Contract Controls FAQ
FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires.
EU Data Act B2B Data Sharing Compensation FAQ
FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards.
EU Data Act B2G Compensation and Costs FAQ
FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep.
EU Data Act B2G Exceptional Need FAQ
When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence.
EU Data Act Checklist for Product, Cloud, and Contract Teams
A grounded EU Data Act checklist for connected-product data access, third-party sharing, B2G requests, cloud switching, unfair terms, smart contracts, personal data boundaries, evidence, and owners.
EU Data Act Cloud Switching and Exit Plans
A grounded EU Data Act guide for data processing service exit plans: switching contracts, exportable data, assistance, charges, interoperability, retrieval, erasure, and records.
EU Data Act Cloud Switching Procurement FAQ
Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence.
EU Data Act Compliance Program
Build a Data Act compliance program for connected-product data access, contracts, B2G requests, cloud switching, smart contracts, GDPR boundaries, records, and ownership.
EU Data Act Connected Product Scope and Data Types
Classify EU Data Act connected products, related services, product data, related-service data, readily available data, metadata, and excluded derived outputs.
EU Data Act Connected Product Scope FAQ
FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope.
EU Data Act Data Processing Service Switching
A grounded EU Data Act guide for provider and customer switching duties: exit assistance, exportable data, contract clauses, charges, interoperability, retrieval, and erasure.
EU Data Act data spaces interoperability FAQ
FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence.
EU Data Act deadlines and compliance calendar
A source-linked calendar for EU Data Act application dates, product design timing, contract remediation, cloud switching charges, response periods, standards work, and evidence records.
EU Data Act Direct Access by Design FAQ
FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act.
EU Data Act Enforcement And Competent Authorities FAQ
FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible.
EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates
Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates.
EU Data Act Non-Emergency Public-Sector Requests FAQ
FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence.
EU Data Act Non-Personal Data and Mixed Datasets FAQ
FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records.
EU Data Act Penalties and Enforcement
Grounded guide to Data Act penalties under Article 40, Member State enforcement, penalty factors, complaints, judicial remedies, and the GDPR enforcement boundary.
EU Data Act Pre-Contractual Information FAQ
FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries.
EU Data Act Product Data vs Related Service Data FAQ
FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs.
EU Data Act Readily Available Data FAQ
FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics.
EU Data Act Related Services FAQ
FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply.
EU Data Act requirements
Source-grounded EU Data Act requirements for connected-product data access, B2B sharing terms, B2G exceptional needs, cloud switching, smart contracts, interoperability, GDPR boundaries, and records.
EU Data Act Smart Contracts for Data Sharing FAQ
Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status.
EU Data Act Third-Party Data Sharing FAQ
FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers.
EU Data Act Trade Secret Safeguards FAQ
FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records.
EU Data Act Unfair Contractual Terms FAQ
FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence.
EU Data Act User Access and Portability Rights
Practical guide to EU Data Act user access, connected-product data portability, third-party sharing, trade secret safeguards, and the GDPR boundary.
EU Data Act Users, Data Holders, and Recipients FAQ
FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries.
EU Data Act Vehicle Data Guidance FAQ
FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries.
EU Data Act vs Data Governance Act
Compare the EU Data Act with the Data Governance Act: connected-product access, cloud switching, B2B/B2G duties, protected public-sector reuse, intermediaries, altruism, governance, and enforcement.