The EU Data Act: What US Tech Companies Need to Know About the EU's New Data-Sharing Rules

The European Union Data Act took effect on September 12, 2025, ushering in sweeping new obligations for companies handling EU data.

The Data Act is far from being an EU-only regulation. United States tech and life sciences companies should pay close attention, as the Data Act’s extraterritorial reach means it may apply to your business regardless of where you're headquartered.

For a recent CLE session, Fenwick’s Ana Razmazma and Bird & Bird’s Berend Van Der Eijk discussed the Data Act’s key features and potential impact on U.S. companies, with an eye toward those in the cloud, data-processing, and connected devices sectors. Here are the key takeaways:

What Is the EU Data Act?

Think of the Data Act as the EU's comprehensive attempt to "free data" from restrictive vendor lock-in arrangements. Unlike the GDPR, which focuses specifically on personal data protection, the Data Act covers all types of data and addresses multiple scenarios where commercial arrangements have limited data sharing.

While the Data Act covers a wide variety of scenarios that may not directly affect your business, it is important to have a complete view of the Data Act’s full scope, particularly how certain obligations can extend across supply chains.

The Data Act’s sections most relevant for U.S. companies involve internet-connected products (such as IoT devices and machinery) and new requirements related to cloud service switching. The Data Act’s overarching goal is to expand data access to create a more competitive European data ecosystem.

How Can U.S. Companies Be Subject to the EU Data Act?

Don't assume distance from Brussels provides protection. The Data Act has extraterritorial reach similar to the GDPR, creating three primary scenarios where U.S. companies could face compliance obligations:

Hardware and Software Providers: If your company manufactures IoT devices, machinery, vehicles, wearables, or industrial sensors that reach EU markets or EU customers, the Data Act applies regardless of where your business is headquartered. This includes not just direct sales, but also any products placed on the EU market through distributors or partners.

Data Processing Services: Companies providing cloud, SaaS, or PaaS services to EU customers face switching and interoperability obligations. Your EU customers will also require MSAs and DPAs reflecting these requirements, effectively pushing compliance obligations up the supply chain.

Supply Chain Participants: Even if you do not directly serve EU customers, the Data Act's "unfairness test" for data access terms applies throughout the supply chain, including distributors, OEMs, and integrators. If your products or services ultimately reach EU users through any supply chain, you can expect Data Act requirements to appear in your commercial agreements.

How Is the EU Data Act Changing Access and Sharing Obligations to EU Data?

The Data Act creates significant new rights around connected products and related services (like mobile apps controlling smart devices). Here's how it works:

User Rights: Anyone who owns or has temporary rights to use a connected product (including, for example, rental cars) can access relevant data the product generates. Manufacturers must design products to make this data accessible by default.

Third-Party Access: Users can also grant third parties access to their data for specific purposes. For example, a factory owner could allow an independent repair service to access robot maintenance data rather than relying solely on the original manufacturer.

Data Holder Obligations: Companies holding this data (typically manufacturers) must provide free access to it in a machine-readable format and, when possible, in real time. While there are exceptions to such access to protect trade secrets, they are limited and require notification to regulators when invoked.

FRAND Terms: When charging for third-party data access, terms must be "fair, reasonable, and non-discriminatory" (FRAND). This prevents discriminatory pricing between similar data recipients and could significantly impact existing business models.

Key Roles and Obligations

Are Cloud and Data Processing Services Impacted by the EU Data Act?

The Data Act's provisions on “data processing services” represent perhaps the most disruptive changes for U.S. tech companies. These rules target vendor lock-in by cloud and SaaS providers:

Mandatory Termination Rights: Data processing service providers must include termination rights allowing customers to exit contracts with just two months' notice, regardless of the original contract length. While early termination fees are permitted, their scope remains uncertain.

Switching Facilitation: Providers must actively facilitate customer switching by providing detailed information about data export processes, publishing switching procedures online, and eliminating specific switching charges.

Contract Requirements: Service agreements must describe available services and the processes for switching providers. Providers must also publish information about data storage jurisdictions and the measures taken regarding government access requests.

Scope Uncertainty: While the Data Act specifically mentions SaaS, PaaS, and hosting services, the technical definition of “data processing services” leaves room for interpretation. Some SaaS companies may argue that they fall outside the Data Act’s scope, but this remains a legally uncertain area.

What Can U.S. Companies Do to Prepare for EU Data Act Compliance?

The Data Act represents a fundamental shift in how data flows within the European market. While enforcement remains in preliminary stages, U.S. companies that directly or indirectly serve European markets should begin compliance planning now. Here are several immediate steps that such U.S. companies can take:

Conduct Gap Assessments: Review existing data access capabilities and contract terms against Data Act requirements. Document current customer onboarding and offboarding processes to identify and understand compliance gaps.

Update Commercial Agreements: Incorporate FRAND terms for data access into your contracts and consider including mandatory termination rights in new agreements. However, early termination fee structures remain subject to interpretation.

Consider EU Representative Appointment: Similar to GDPR compliance, companies may need to appoint an EU representative to handle Data Act obligations, especially for enforcement-related interactions.
