If your business sells smart devices or cloud-based services into the EU, the EU Data Act is no longer something to watch from a distance.
Now in force, it introduces new contractual, technical and commercial obligations alongside maximum fines aligned with the EU GDPR’s headline-catching figures. For some UK exporters, the impact will be limited. For others, it could require meaningful change to product designs and service models well before enforcement activity gathers pace.
Despite this, reactions to the Data Act in the UK have been relatively muted. This is probably because:
- the UK is no longer in the EU, so the new act will only apply to UK businesses that are selling into the EU;
- both the UK GDPR and EU GDPR are of almost universal application to businesses, while the Data Act applies only to companies selling a narrow range of products and services; and
- looking back at how the EU GDPR has been enforced during the past eight years, it seems clear the threat of widespread and potentially crippling fines was overstated.
However, this does not mean UK business can ignore the Data Act. If you export smart devices or cloud-based services to the EU, the Data Act could require significant changes. Even if we assume enforcement will be lax and penalties rare, non-compliance could invalidate key contractual terms, shifting risk and expense from the buyer back onto the seller in some cases.
Cloud service agreements made with EU customers after 12 September 2025 must make it easier for customers either to switch to a new service provider or move data to their own servers. Among the key requirements:
- reasonable assistance in switching to the new provider or to their own equipment;
- acting with due care to provide business continuity for the customer during the switch;
- no more switching fees or data egress fees from 12 January 2027 (early contract termination fees and penalties will still be allowed); and
- access to data must be on fair, reasonable and non-discriminatory contract terms.
Sellers of connected products must now provide EU customers with clear and comprehensible information about data generated by connected products and related services, and how the user can access and share that data. From 12 September 2026, manufacturers must design connected products to allow direct access for users to data that’s retrievable from the product itself or that’s found in a “related service” (such as an app needed to operate or access information on the connected product).
Consequences of non-compliance
In theory, breaches of the Data Act can attract significant administrative fines. Some provisions carry the same maximum penalties as the EU GDPR: up to €20 million or 4 per cent of global annual turnover, whichever is higher.
In practice, enforcement is likely to vary across the 27 EU member states. Experience under the GDPR shows significant differences between regulators, with some more willing to impose fines than others. It is also notable that many EU member states missed the deadline to appoint a Data Act regulator, suggesting enforcement may not be an immediate priority everywhere.
That said, even where fines are unlikely, non-compliant contract terms may be unenforceable, exposing suppliers to additional risk, cost and delay. Sales cycles may also lengthen as EU customers scrutinise compliance more closely.
For UK exporters, the sensible approach is to treat the Data Act as a commercial and contractual issue now, rather than waiting for enforcement to drive change. Early review can help avoid disruption later and provide reassurance to EU customers as expectations evolve.