Data Act: everything you need to know

Informes17 September 2025
The Data Act marks a turning point in Europe's digital economy by ensuring fair access to data generated by connected devices, prohibiting unfair terms, facilitating cloud portability and protecting information from illegitimate requests from third countries.

Timeline for the implementation of the Data Act

11 January 2024 → Entry into force.

12 September 2025 → General application of access obligations.

12 September 2026 → Default Access Obligation.

12 January 2027 → Total prohibition of charging for switching provider.

12 September 2027 → Application to existing contracts (unfair terms).


What is the Data Act?

European regulation establishing harmonised rules for fair access to data generated by connected products and related digital services.

  • Applies to personal and non-personal data.
  • Promotes re-use, portability and interoperability of data across the EU.
  • Creates new rights for users and obligations for data subjects.

Who is affected?

  • Manufacturers of connected products
  • Users of digital products and services in the EU
  • Data processing service providers (including cloud)
  • Public bodies
  • Excluded: Micro and small enterprises

What are the main Obligations?

Manufacturers as data subjects:

  • Default, free and real time access of users
  • Pre-contractual information on type, volume and format of data
  • Fair, reasonable and non-discriminatory terms

Cloud providers:

  • Portability without technical and commercial barriers
  • Progressive elimination of costs (total by 2027)
  • Prohibition of abusive permanence clauses
  • Transparency on infrastructure location

What are the rights of users?

  • Direct and free access to the data generated
  • Right to share data with third parties
  • Enhanced portability (complements GDPR)
  • Protection against unfair terms

How do data subjects protect their trade secrets? 

  • Must identify the data and related metadata as trade secrets.
  • Can justifiably refuse a request for access or part of it on the grounds of demonstrable serious economic harm.
  • Dispute resolution through certified bodies (within a maximum of 90 days) is possible
  • For access requests from public bodies:
    • In case of public emergency, anonymised data will be provided preferably anonymised and pseudonymised if necessary.
    • In case of non-urgent public interest access to non-personal data will be provided only

What is the sanctioning regime?

  • By 12 September 2025, each Member State must designate one or more competent authorities.
  • Sanctions will be coordinated with GDPR authorities in case personal data are involved
    • Fines of up to €20 million or 4% of overall turnover
  • Member States to provide for effective, proportionate and dissuasive sanctions
  • The assessment criteria will take into account, inter alia, seriousness, duration, profits made and turnover.
  • Non-EU entities must designate a legal representative.
Un tren de metro pasa rápidamente por la estación, mientras un reloj muestra la hora en la pared.
Download in pdf

Related partners

LATEST FROM #ECIJA