Abstract Blue Globe With Glowing Networks - Europe

The Act presents a significant overhaul of European data law, affecting most companies that handle digital products and connected services, and data processing services, in the EU.

By Sophie Goossens, Jean-Luc Juhan, Susan Kempe-Müller, Alfonso Lamadrid, Myria Saarinen, Tim Wybitul, Gail E. Crawford, James Lloyd, and Fiona M. Maclean

The EU Data Act, which took effect on September 12, 2025, is a sweeping new law that will affect any company offering connected products, related digital services, or cloud and other data processing services in the European Union (EU), even if they are based outside the EU. Until now, many companies seem to have underestimated the impact of the upcoming data regime. In particular, it gives users of digital products wide-ranging new rights regarding their data, be it personal or non-personal data, including far-reaching access rights. This type of information was previously largely unregulated. Now, providers of connected products and services, as well as other data holders, will need to amend existing contracts to grant device and service users extensive rights.

The EU Data Act also brings new information obligations and requires companies to give users access to data generated by their products and to share data with third parties on fair terms. Providers of cloud and other data processing services are subject to new service switching obligations, including mandatory terms in their customer contracts. Non-compliance can result in high fines, civil lawsuits, and regulatory investigations — similar to what many companies experience under the EU’s privacy law. The EU’s General Data Protection Regulation (GDPR), which also applies to many US companies, pursues a similar approach and is already known for its high fines and strict requirements.

Key Points:

  • The new legislation will reshape how businesses manage data, presenting both compliance challenges and potentially significant new opportunities for companies across the consumer and industrial data markets.
  • Users are granted extensive rights to access, control, and share the data generated by their use of connected products and related services. Businesses must enable this by design and through contract, and can no longer treat product or service data as their exclusive asset.
  • Providers of cloud and other data processing services are subject to new service switching requirements and mandatory customer contract terms.
  • The EU Data Act may trigger significant litigation, including class actions and regulatory investigations, particularly around the new user rights to data.

For more details, see our Client Alert.