As well as the EU's AI Act and the UK's Data Use and Access Act, tech businesses also need to be aware of another piece of legislation that is coming down the line – the EU's Regulation (EU) 2023/2854, otherwise known as the Data Act, which aims to create a single market for data, where data can flow freely across borders and sectors, and where data holders and users can benefit from fair and transparent conditions for data access and use. It complements the Data Governance Act, which establishes the legal framework and mechanisms for data governance and data intermediaries.

The majority of the provisions in the Data Act take effect from 12 September 2025, with some requirements coming into force later, and apply to companies operating in the EU, even if they are not based in the EU. So please keep reading if you are based in the UK and dealing with users in the EU.

The Act is particularly relevant for providers of connected products and services as well as providers of data processing services and this also covers standard SaaS providers.

What does the Regulation do?

The Data Act is divided into Chapters and deals with the following broad issues:

• Data access and data sharing and informing users about their rights to obtain data
• A ban on unfair contract terms in data-sharing agreements entered into from 12 September 2025 and requiring fair, reasonable and non-discriminatory (FRAND) terms for data sharing arrangements
• Making data available to EU and public sector bodies in case of exceptional need
• Switching between data processing services (and removing certain fees to do so)
• Transfer of non-personal data and unlawful international government access
• Changes to the Database Directive.

Enforcement

Member states will be responsible for appointing a regulator in their respective territories to handle complaints and take responsibility for enforcement action. Member states will set penalties, so there will be variation between Member states. Some countries have appointed regulators or issued draft legislation with the intention of doing so, but currently we don't know what the penalties are likely to be at a Member state level. The Netherlands have set their maximum fine at €1,030,000 or 10% of EU-wide annual turnover, whichever is higher, but it remains to be seen where other Member states will end up. That said, should the breach be of Chapters II (B2B and B2C data sharing), III (obligations to make data available) or V (to make data available to public sector and certain Union bodies) then the maximum fines are in line with GDPR, i.e. up to €20 million or 4% of global annual turnover, whichever is higher. The European Commission will also be involved and has set up the European Data Innovation Board, an expert group which facilitates cooperation between competent authorities, promotes best practices and common approaches in enforcement.

What should I do?

The first thing is to consider if you come within the scope of the Data Act.  If you do, any connected products going on sale in the EU from September 2026 need to be designed with the Act's requirements in mind. Data needs to be accessible to users. It's also wise to review your contracts to make sure that they don't contain unfair terms.  Finally, we'd suggest that you review your business processes to ensure that you can receive and deal with requests for data efficiently.  Other changes, for example affecting switching fees, come into effect from 2027. 

We'll be writing about the various aspects of the Act in the coming weeks as there are many complexities, but do contact us if you need more help.  In the meantime, the European Commission has published FAQs here.

What about the UK?

In late July, the Department for Science, Innovation and Technology called for evidence about how to introduce a Smart Data scheme in digital markets, using new powers under the Data (Use and Access) Act 2025. As noted in the UK government's Industrial Strategy, data is key for economic growth but is often too underused, siloed and fragmented for businesses and the public to reap the benefits. As part of its work to improve access to data for innovators and businesses, the government is assessing whether the new Smart Data powers introduced by the Data (Use and Access) Act 2025 should be applied to support use cases in digital markets. This includes exploring viable use cases, the design features required to deliver a successful scheme, and the potential impacts on customers, businesses, and the wider economy.