On 12 September 2025, the EU’s Data Act will enter into force. It establishes common rules for accessing and sharing data generated by connected products and related services (primarily IoT products) across the EU. It also introduces important safeguards against unfair contract terms in data-sharing agreements and facilitates switching between data processing services.
Building on the EU’s broader digital strategy, the Data Act seeks to strengthen the internal data market by enhancing access, usability, and interoperability — especially for industrial and non-personal data. It strikes a balance between ensuring a fair distribution of value among all participants in the data economy and fostering data-driven innovation.
Providers of “smart” products or related services, cloud service providers, or even data processing or data sharing providers more generally, will need to carefully review their policies, procedures and contract terms in anticipation of yet another development in the regulation of the EU data economy.
Key obligations under the Data Act
Manufacturers and data holders of connected products or related services must provide users with access to the data generated by those products and services.
Upon user request, data holders are required to share relevant data from of connected products or related services with a third party, unless the third party qualifies as a “designated gatekeeper” under the Digital Markets Act.
Contractual terms that are imposed unilaterally by one enterprise on another, particularly those regarding data access, use, liability, or remedies, are not binding if they are deemed unfair. The Act introduces a “blacklist” of clauses that are automatically void clauses and a “greylist” of clauses presumed unfair unless proven otherwise.
Where a public sector body can demonstrate an exceptional need to access specific data, data holders, provided they are legal persons other than public sector bodies, are required to make the requested data available.
Data processing service providers are required to enable customers to switch to alternative providers or to transfer their data to an on-premises infrastructure.
Providers must implement appropriate safeguards to prevent unauthorised access to, or transfer of non-personal data stored within the EU to third-country public authorities, particularly in cases where such requests would violate EU or national laws.
Participants in data spaces, vendors of smart contracts, and providers of data processing services must comply with specific interoperability requirements to ensure secure, efficient, and seamless data exchange across systems and platforms.
Each Member State is required to designate at least one competent authority for the enforcement of the Data Act. These authorities must coordinate with relevant sectoral regulators to ensure coherent enforcement across sectors and alignment with other EU and national laws. Data Protection Authorities appointed pursuant to the GDPR remain responsible for monitoring the application of the Data Act insofar as it relates to personal data.
In Belgium: While no official text has been released yet, the government has previously announced that the BIPT (Belgian Institute for Postal Services and Telecommunications, the telecom regulator) would be designated as the national regulator under the Data Act.
In the Netherlands: The Dutch implementation law of the EU Data Act (Uitvoeringswet dataverordening) designates the Netherlands Authority for Consumers and Markets (Autoriteit Consument & Markt; ACM) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP) as the competent authorities for supervision and enforcement. The ACM bears primary responsibility, overseeing nearly all aspects of the regulation, including data access, sharing obligations, and fair contractual terms. It also serves as the coordinating supervisory authority. The AP, in turn, is responsible where the onligations under the Data Act intersect with matters of protection of personal data. Furthermore, the AP is tasked with monitoring data access requests by public authorities in situations of exceptional need (as per Chapter V Data Act), ensuring such access remains proportionate and lawful.
In Luxembourg: No official designation has been made yet regarding the competent authority under the Data Act. However, it is likely that the Commission nationale pour la protection des données (CNPD) will be involved. The CNPD has already acknowledged that new responsibilities will be added to its mandate in light of the evolving EU legal framework; expressly referring to the Data Act.
Sanctions
Each Member State must set up its own system of penalties for violations of the Data Act and notify the European Commission. These sanctions must be effective, proportionate, and dissuasive.
The regulation outlines key criteria to assess penalties, including:
While Belgium and Luxembourg have not yet enacted legislation, the Netherlands has introduced an implementation law for the Data Act that grants enforcement powers to both the Authority for Consumers and Markets ACM and the AP. The ACM is authorised to impose administrative enforcement measures, including orders under administrative coercion (last onder bestuursdwang) and fines, for the majority of provisions under the Data Act, insofar as they do not concern the processing of personal data. Fines may amount to the sixth category under the Dutch Penal Code (Wetboek van Strafrecht) (i.e., € 1.030.000) or 10% of the offender’s EU-wide annual turnover, whichever is higher. The AP can also impose orders under administrative coercion and administrative fines, in accordance with the aforementioned Article 40(4) ceilings. Importantly, the regime does not apply to infringements covered by the Dutch Consumer Protection Enforcement Act (Wet handhaving consumentenbescherming) or to acts of EU institutions as defined in Article 2(27) of the Data Act.
DPAs may impose fines under the GDPR for breaches of Chapters II, III, and V of the Data Act. The European Data Protection Supervisor (EDPS) may do the same under Regulation (EU) 2018/1725 for EU institutions.
Want to Learn More?
Stay tuned for detailed insights into how this new EU data regulation will affect your business, your contracts, and your practices. In the coming weeks, we will publish three in-depth articles exploring key themes of the Data Act:
