The EU Data Act, which took effect on September 12, 2025, fundamentally transforms how businesses manage data from connected products and cloud services across Europe. This sweeping legislation grants users extensive rights to access, control, and share data generated by their devices, while requiring cloud providers to eliminate switching barriers and unfair contract terms. The Act affects any company offering connected products or data processing services in the EU, regardless of its location.
Comprehensive data rights transformation
The EU Data Act, adopted in late 2023, represents a seismic shift in data rights. Beginning September 12, 2025, organizations across Europe (and beyond) gain clear, enforceable rights to access and port the data they generate, regardless of the platform or service provider that holds it, according to Coalesce. In today’s AI-driven economy, where innovation depends on seamless access to trusted data, these rights have never been more important.
Under Article 4 and Article 5 of the EU Data Act, users (including both consumers and business customers) are granted extensive rights to access, control, and share the data generated by their use of connected products and related services. Users can therefore demand access at any time (including requesting real-time data access if technically feasible), decide who else can access it (such as repair shops, aftermarket service providers, or competitors), and even restrict how businesses use the generated data.
Product design requirements reshape industry
From 2026, new connected products and related services must be designed so users can access their data easily and free of charge, with direct user access required if technically feasible, requiring significant changes to product development and IT infrastructure, according to Latham & Watkins. Connected products include any physical product that collects or transmits user or device data, such as smartphones, tablets, computers, smart vehicles, industrial equipment, home appliances, medical devices, and wearables.
The Act puts the burden on data holders and service providers, but every enterprise that uses connected products, SaaS platforms, or cloud services must prepare to exercise its rights. Key steps include reviewing contracts to ensure B2B terms don’t contain clauses that would soon be unenforceable, auditing data flows to know what data organizations generate, where it resides, and whether it’s exportable.
Cloud services face switching mandates
The EU Data Act makes it much easier for businesses and individuals to switch between data processing service providers, requiring providers to allow customers to transfer their data within 30 days and banning excessive exit fees. These service switching requirements may have a significant impact on market dynamics in smaller-scale IT arrangements; practical implications may be more limited in multifaceted IT environments.
Providers of cloud and other data processing services are subject to new service switching requirements and mandatory customer contract terms. The EU Data Act introduces mandatory contractual obligations and transparency requirements for customer contracts regarding data processing services, aimed at eliminating technical, commercial, and contractual barriers that createย vendor lock-in.
Enforcement and litigation risks
Each EU Member State will appoint authorities to enforce the EU Data Act and โ if necessary โ impose significant fines. If personal data is impacted, existing data protection authorities will also be involved. The EU Data Act also allows for collective civil lawsuits (similar to US class actions) against companies that violate these rules, increasing the risk ofย mass litigation.
The EU Data Act is the most radical change in data governance since it gives users more power and introduces new compliance demands on businesses. Maturing companies that take the initiative to consider these changes and integrate strategic mechanisms can use them as a competitive benefit in compliance requirements. The legislation phases into effect as well, up to 2027, indicating that organizations need to be ready to be in a data tier where user rights and reasonable sharing are in place.