All Data Act requirements for EU companies up to date
- 7 days ago
- 4 min read
Updated: 4 days ago
Starting September 12, 2025, companies will be subject to new obligations regarding data sharing, data access, portability, and interoperability in the cloud, pursuant to the implementation of the Data Act in the EU. Here is a reminder of the main Data Act requirements for companies.
For the record, the Data Act is a European regulation published in the Official Journal of the EU in 2023 that aims to strengthen the EU's data economy and promote a competitive data market by making data (particularly industrial data) more accessible and easier to use, in order to encourage innovation based on data availability.
The Data Act completes the European Data Governance Regulation (DGA), the first concrete result of the European data strategy, which came into force in September 2023.
While the DGA strengthens confidence in voluntary data sharing mechanisms, the Data Act provides legal clarification regarding data access and use.
The changes since September 2025
The Data Act includes measures to strengthen fairness and competition in the European cloud computing market and to protect businesses against unfair contract terms in data sharing imposed by more powerful players (hyperscalers).
It also establishes a mechanism allowing public sector bodies to request data from a company in exceptional circumstances, such as public emergencies, and sets out clear rules on how such requests should be made.
In addition, it introduces safeguards to prevent public bodies in third countries from accessing non-personal data when this would be contrary to EU or national law.
Enfin, le Data Act définit des exigences essentielles en matière d'interopérabilité afin de garantir que les données puissent circuler de manière fluide entre les secteurs et les États membres, grâce aux espaces européens communs de données, ainsi qu'entre les prestataires de services de traitement de données.
In order to remedy imbalances between large cloud providers and private and public customers, the Data Act increases the transparency of cloud contracts. All providers are also required to remove barriers when their customers wish to switch providers or use multiple cloud services at the same time.
Unfair contract terms
European companies wishing to acquire data, in particular SMEs, will be protected against unfair contractual terms where, for example, one of the companies is in a stronger negotiating position (due to its size in the market) and imposes a non-negotiable (“take it or leave it”) clause on the other company regarding data access and use.
A list of unfair terms is drawn up, such as those that would inappropriately limit remedies for non-performance of contractual obligations or liability for breach of those obligations.
A clause found to be unfair will simply be removed from the contract.
Portability of Services and Data in the Cloud
The Data Act provides measures to ensure that companies can quickly and easily switch from one service provider (“source”) to another (“destination”) without loss of data or functionality.
For example, PaaS or SaaS providers will be required to provide open APIs and allow data to be exported in a commonly used format.
IaaS providers will have to facilitate the switch to another provider's service by ensuring functional equivalence, which includes, for example, the easy transfer of workloads.
No cloud exit fees
The regulation requires the full removal of charges when switching providers, including exit fees (data transfer) starting January 12, 2027.
CSPs will no longer be able to charge their customers for the services needed to facilitate the migration of services or data.
As a transition measure, during the first three years following the regulation's entry into force (from January 11, 2024, to January 12, 2027), providers will be able to continue charging these costs to their customers. It should be noted that AWS, Google Cloud, and Microsoft have already announced the removal of these exit fees.
Enhanced interoperability between cloud services
The Data Act paves the way for greater interoperability of data processing services through harmonized standards and open interoperability specifications. It sets out the requirements that providers must meet for the automated execution of data sharing agreements, to ensure that they correctly apply the provisions of the agreement and are resistant to third-party interference.
Regulation of data access and US Cloud Act
While the Data Act does not prohibit cross-border data flows, it ensures that the protection granted to data in the EU also applies to data transferred outside the EU.
If a service provider receives a request to access data stored in the EU, based on the Cloud Act for example, it can contact its national competent authority to help assess whether the conditions specified in the law are met.
In the absence of a legal basis and/or verified conditions, providers will be entitled to simply challenge or refuse the request for data access.
However, service providers and cloud providers must take all reasonable measures, including encryption, audits, and compliance with certifications, to prevent access to the systems in which they store non-personal data.
These measures must be published on their websites for greater transparency. They must also inform their customers before granting access to their data..
The market response was swift. Both Google Cloud and Microsoft has announced the removal of multicloud transfer fees for Europe and the United Kingdom in order to comply with interoperability principles.
Comments