In Compact and Briefing, Homepage, News

Hanover, 01.06.2026 | The Data Act is a central element of the European data strategy, which was developed under the guiding principle of “Shaping Europe’s Digital Future”. The aim of this strategy is to establish an interoperable European data ecosystem that enables the free flow of data within the European Union whilst creating a level playing field. In particular, the aim is to break up the concentration of data in the hands of a few large companies, which has frequently been observed to date. Clear legal frameworks are intended to facilitate the commercial use of data whilst promoting innovative data trust models.

Increasing digitalization means that data has become a key resource of the modern economy. Companies generate and process large volumes of data that can be used for innovation, increased efficiency and new business models. This is precisely where the Data Act comes in, by establishing regulations on data availability, technical interfaces, interoperability and contractual standards between companies. The aim is to strike a balance between the economic use and fair distribution of data.

The Data Act and its implementation

Ulrich Herfurth, Attorney at Law in Hanover and Brussel

 

Objectives of the Data Act

The objectives of the Data Act can essentially be divided into three key areas: fairness, competitiveness and data access. In the area of fairness, it ensures that data holders make data available under fair, reasonable and non-discriminatory conditions. This so-called FRAND principle is intended to prevent individual market participants from abusing their position and excluding other companies from access to data.

Furthermore, the Data Act aims to strengthen the competitiveness and innovative capacity of the European economy. High-quality and interoperable data from various sectors are intended to form the basis for new technologies and business models. Small and medium-sized enterprises in particular are set to benefit from improved access to data, as they have often lacked the resources to build up their own extensive data sets.

Another key aspect is improved data access for users. Users of networked products or connected services should have access to the data they generate at all times and be able to share it with third parties. This shifts control over data more towards users whilst promoting competition.

 

Timeline

The Data Act generally applies immediately, although individual provisions will come into force in stages. Of particular note is the ‘Access by Design’ principle, which applies to products and services newly placed on the market. This obliges companies to ensure that data is accessible right from the development stage of their products.

Furthermore, the Data Act contains specific provisions for existing contracts. In particular, the chapter on unfair contract terms also applies to older contracts, provided they meet certain time-related conditions. This ensures that even long-term contractual relationships are adapted to the new legal requirements.

 

Scope of the Data Act – Scope of Application

The scope of the Data Act is broad in terms of persons, subject matter and geographical area. In terms of persons, the regulation covers a wide range of stakeholders, including manufacturers of connected products, providers of connected services, users, data controllers and data recipients, as well as public authorities and providers of data processing services such as cloud providers.

In terms of subject matter, the Data Act covers both personal and non-personal data. It should be noted, however, that the GDPR takes precedence where personal data is concerned. This means that companies must comply with both sets of regulations in parallel, which increases legal complexity.

Small and medium-sized enterprises are also covered by the Data Act, although certain concessions are provided for them. For instance, certain provision obligations apply only in a later stage, and exceptions exist in certain cases. Nevertheless, companies cannot generally rely on their size to avoid the requirements of the Data Act.

  

Definitions of key terms

The defined terms are of central importance for understanding the Data Act. Connected products are objects that generate data about their use or environment and can make this data accessible via various communication channels. Examples include connected vehicles or industrial machinery.

Connected services are digital services that are closely linked to these products and extend or supplement their functionality. The data generated by these systems is referred to as product data or connected service data.

Furthermore, the Data Act distinguishes between various roles, such as the data user, the data holder and the data recipient. This distinction is crucial as it determines the respective rights and obligations of the parties involved.

 

Data access and data sharing

The core of the Data Act lies in the obligation to provide data. Connected products and connected services must be designed in such a way that users can access the generated data directly. This principle is referred to as ‘Access by Design’ and represents a fundamental innovation.

In addition to direct access, the Data Act also provides for indirect access. In cases where direct access is not possible, data holders must provide the data at the user’s request. This provision must be made immediately, free of charge and in a machine-readable format.

Particularly far-reaching is the user’s right to demand that their data be transferred to third parties. This creates an open data market that promotes innovation and competition. At the same time, however, new challenges arise in with regard to data protection, security and trade secrets.

 

Protective mechanisms and limits

Despite the comprehensive data access obligations, the Data Act provides for important safeguards. Trade secrets, in particular, are protected, so that companies are not forced to disclose sensitive information if this would risk causing significant economic damage.

Furthermore, data recipients are subject to strict usage requirements. They may only use the data received for the agreed purpose and are prohibited from passing it on or using it for anti-competitive purposes. These regulations serve to strike a balance between data access and protection interests.

  

Unfair contract terms

Another key focus of the Data Act lies in the area of contract law. Unfair contract terms imposed unilaterally by one party are no longer permitted. A term is considered unfair in particular if it deviates significantly from good business practice or breaches the principle of good faith.

This applies, among other things, to clauses that exclude liability or unreasonably restrict the use of data. The aim of these provisions is to ensure a balanced contractual relationship and, in particular, to protect smaller businesses from being disadvantaged.

 

Cloud switching

The Data Act also addresses the issue of switching providers for cloud services. In practice, high switching costs and a lack of interoperability often lead to so-called lock-in effects, which tie companies to specific providers.

To counteract this problem, the Data Act obliges providers to facilitate switching. Data must be transferred within specified timeframes, and in the long term, switching fees are to be completely abolished. These measures strengthen competition and increase companies’ flexibility.

 

Enforcement and sanctions

Compliance with the Data Act is monitored by national authorities. In Germany, the Federal Network Agency (Bundesnetzagentur) is specifically responsible for enforcement. It has far-reaching powers, including the right to investigate and search premises.

Violations are subject to substantial fines, which can amount to several million euros depending on the severity of the breach. Furthermore, civil law consequences may also arise, for example under warranty or competition law.

 

Actions for businesses

The Data Act creates a significant need for action within companies. They must adapt their internal processes, contracts and technical systems to the new requirements. Of particular importance is the creation of clear structures for handling data and the establishment of suitable governance mechanisms.

The implications affect almost all areas of the business, from product development and IT to the legal department and management. An interdisciplinary approach is therefore required to ensure successful implementation.

 

Recommendations for action

To implement the Data Act, companies should first carry out a comprehensive review of their data. They must then put the necessary technical infrastructure in place to enable access to and the sharing of data.

Furthermore, existing contracts must be amended to meet the new legal requirements. At the same time, internal processes must be established to regulate the handling of data requests and ensure proper documentation.

Training also plays an important role, as staff in various departments need to be familiarized with the new requirements.

 

European Commission contract clauses

To support implementation, the European Commission has developed model contracts and standard contractual clauses. These are intended to help companies enter into fair and legally compliant agreements.

The so-called Model Contractual Terms and Standard Contractual Clauses provide a framework for drafting contracts in the field of data usage and cloud computing. Although these are not mandatory, they serve as an important guide in practice.

  

Summary

In summary, the Data Act represents a fundamental shift in the way data is handled. Companies must adapt to new obligations, particularly with regard to data access, data sharing and contract drafting. At the same time, however, the Regulation also opens up new opportunities, for example through the development of data-driven business models and the promotion of innovation.

To capitalize on these opportunities and avoid risks, companies should set up a Data Act project at an early stage and systematically implement the necessary measures. This is the only way to ensure that they meet the requirements of the regulation whilst safeguarding their long-term competitiveness.

 

+ + +

The Alliuris Group
The Alliuris Group consists of 20 law firms and 400 business lawyers within Europe, Asia and America.
Contact Ulrich Herfurth
Alliuris Communication
Web www.alliuris.law
Mail info@alliuris.org
Fon +49-511-307 56-20
Fax +49-511-307 56-21
…………………………………………………………………………………………

IMPRINT
EDITORS: ALLIURIS A.S.B.L. ALLIANCE OF INTERNATIONAL
BUSINESS LAWYERS | BRUSSELS
MANAGEMENT: Luisenstr. 5, D-30159 Hannover
Fon +49-511-307 56-20, Fax +49-511-307 56-21

EDITORIAL DEPARTMENT
Ulrich Herfurth, Rechtsanwalt
All information is correct to the best of our knowledge; liability is limited to intent or gross negligence. Reproduction,
even in excerpts, requires the permission of the editors.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Beginnen Sie mit der Eingabe und drücken Sie Enter, um zu suchen