Navigation überspringen
  • Tab oder Shift + Tab - Got to next interactive element
  • - navigate inside element
  • Enter - Activate Element
  • i - Open overview for commands
  • CTRL / CMD + + oder - - Zoom In/Out
  • Escape - Escape Out
  • m - Show Menu
Legal Insights

Data Act

The EU Data Act: New Rules for Cloud and IoT from September 2025

The European data landscape is changing. The EU Data Act (Regulation (EU) 2023/2854) comes into effect from September 12, 2025, setting out new requirements for providers of cloud, such as SaaS, and connected products. While early debates have often centered on the impact for IoT devices, the scope and practical impact is much broader and also focusses cloud services such as SaaS, PaaS and AIaaS. For many businesses, both legal and technical adjustments are on the horizon.

Easier Cloud Switching

A central objective of the Data Act is to reduce the so-called vendor lock-in effect. Cloud service providers will be required to ensure customers can transfer services and data to another provider without a loss of functionality. This means providers must clearly document relevant processes, formats, and interfaces, and provide sufficient support for seamless migrations.

Transparency is also being enhanced. Providers must disclose key technical details via an online register, enabling customers to better compare offerings and make informed decisions.

A notable shift concerns so-called egress fees, the often very costly charges associated with transferring data out of a cloud service. Until January 12, 2027, such charges are capped, but after that, all switching and data egress fees are prohibited.

IoT and Connected Devices: Data Access by Design

The Data Act goes further, introducing specific rules for connected products and related services. From September 12, 2026, newly released IoT devices must be designed to provide usage and service data access by default. Users have the right to access this data directly, securely, and free of charge, in a machine-readable format.

Importantly, users can also share their data with third parties. This could mean granting an independent repair shop access to vehicle telemetry, enabling third-party apps to analyze smart home data, or allowing alternative providers to offer predictive maintenance services for industrial equipment.

Manufacturers and service providers must navigate these obligations carefully, not only to enable access and interoperability, but also to safeguard trade secrets, system security, and personal data.

Fairness in B2B Data Contracts

The Data Act also covers contract fairness in the business-to-business context. One-sided or unreasonably restrictive clauses, such as those excluding all liability or unduly limiting data use after contract termination, will be no longer enforceable. Going forward, terms must meet the standard of fair, reasonable, and non-discriminatory (FRAND) conditions.

Access for the Public Sector

In certain circumstances, public authorities may request access to data, particularly in situations of “exceptional need”, such as public emergencies. These requests must remain proportionate, purpose-limited, and protective of confidential information.

 

Enforcement and Sanctions

National authorities will oversee compliance with the Act. In Germany, for example, the draft implementation foresees the Federal Network Agency (BNetzA) as the lead regulator. The risks of non-compliance are significant: fines may reach up to 4% of global annual turnover or €5 million.

 

Next Steps for Businesses

For cloud providers, the urgent to-do list includes:

  • Revising contracts, especially around switching and exit provisions
  • Thoroughly documenting technical formats and interoperability
  • Preparing for the phase-out and eventual prohibition of egress fees

For IoT manufacturers and service providers, the focus shifts to:

  • Designing devices and services for seamless data access by default
  • Establishing practical processes for third-party data requests
  • Making necessary updates to contract templates for FRAND compliance

 

Looking Ahead

The Data Act marks a significant evolution for Europe’s digital economy. Initial cloud switching rules come into force in September 2025; IoT data access requirements follow in September 2026; and all egress fees are eliminated by January 2027.

For organizations across all sectors, timely adaptation is essential. Those that review their contracts, update technical systems, and modernize their data governance now will not only meet new legal requirements but also gain a stronger foothold in Europe’s rapidly evolving digital market.

to the top
^