EU Data Act since September 2025: What applies now and what upcoming deadlines legal departments need to keep an eye on

The EU Data Act at a glance

The EU Data Act has been in force in all member states since 12 September 2025. The regulation is part of the EU data strategy and creates uniform rules for the use, transfer and access to data from connected products and digital services. The aim is to harmonise data access, ensure fair conditions for exchange and reduce dependence on cloud providers. The Data Act strengthens users' rights, obliges companies to offer fair contract terms and grants authorities access rights in exceptional cases. Manufacturers of connected devices, software and cloud providers and their partners are particularly affected. For legal departments, this means that key obligations had to be fulfilled by September 2025 – further deadlines are imminent.

What had to be implemented by 12 September 2025

By the end of this transition period, the following key requirements of the EU Data Act had to be implemented:

Ensure data access: Users must be able to obtain their data free of charge, in a commonly used and machine-readable format, and without delay. To this end, export functions or APIs must be set up and internal processes for reviewing and processing requests must be established.
Fulfilling transparency obligations: Before concluding a contract, it must be disclosed what types of data are collected, how long they are stored, in what format they are available and how they can be accessed (standardised ‘data profile’).
Review and adapt contracts: Standard contracts, terms and conditions, and data licence agreements must be reviewed for unfair or unilateral clauses and supplemented with FRAND-compliant data sharing addenda that regulate scope, purpose, and remuneration. Unilateral disclaimers, unreasonable restrictions on use, or sanctions must be removed.
Set up request processes: Companies must establish central contact points and SOPs that regulate identity verification, documentation and timely processing of data requests.

Upcoming deadlines and what is important now

12 September 2026 – Data Access by Design: New products and services must be technically designed in such a way that data access is integrated ‘by design’. Interfaces or dashboards are mandatory, while manufacturers should now adjust their development cycles accordingly.
12 January 2027 – Prohibition of switching fees: Cloud and data providers may no longer charge switching fees. Legal departments should review contracts and add exit clauses, while IT departments should develop technical exit plans for data export and migration.
12 September 2027 – Old contracts: The fairness rules also apply to older B2B contracts. Unfair clauses will become invalid. Companies should review and renegotiate all old contracts in good time.
Transition periods: Micro and small businesses are exempt from many obligations, while medium-sized businesses usually have an extra year after exceeding the thresholds.

Recommended actions

To ensure that implementation does not stall, legal departments should take a structured approach now:

Catch up on compliance checks: Unmet requirements as of 12 September 2025 have the highest priority. An internal audit or external check will quickly identify any gaps.
Consolidate data inventory: A central directory of all product and usage data documents creation, storage, formats and responsibilities.
Expand contract management: Continuously check contracts with customers, partners and service providers for Data Act compliance, remove inadmissible clauses and introduce standardised contract modules.
Prepare technical processes: Adapt development processes for data access by design and prepare cloud exit scenarios, including test runs for structured data migration.
Organisation and training: Establish clear responsibilities and train teams (sales, product management, legal department) to implement duties and processes in a uniform manner.
Establish monitoring: Continuously monitor regulatory practices, EU clauses and technical guidelines; responsible parties or task forces should evaluate and implement updates.

Avoiding compliance pitfalls: risks, data protection and confidentiality

Even though national enforcement mechanisms are still being developed, the provisions of the Data Act are already binding. Violations can lead to lawsuits, contractual disputes and substantial fines. At the same time, the GDPR remains fully valid: personal data may only be transferred with the appropriate legal basis, and principles such as transparency and data minimisation must be observed. In the case of sensitive company data, confidentiality alone does not justify a refusal to provide information. Companies should therefore also rely on NDAs and technical protective measures to secure confidential information during data exchange.

Conclusion

The Data Act marks a turning point in the handling of data. Those who have implemented the mandatory measures by September 2025 are off to a good start. However, it is now important to keep an eye on the upcoming deadlines. With timely preparation, risks can be minimised and competitive advantages exploited.

The upcoming instalments of our series will focus on critical contract clauses, new opportunities arising from the EU Data Act, and practical ways to achieve compliance with the help of legal tech.

________________________________________________________________________________________________________________________________

More on this topic: An overview of our blog series for you (coming soon):

Part 1 - EU Data Act: Why the new EU regulation will also change your work
Part 3 – Which contract clauses will become problematic with the EU Data Act – what you should pay attention to
Part 4 – From risk to opportunity: How the EU Data Act opens up new possibilities
Part 5 – Using legal tech for a Data Act compliance check: How Contract Insights provides support

Auszug verwendeter Quellen:

October 9, 2025