The EU Data Act is live: what UK businesses need to know

By Ian Williamson
15 September 2025

UK businesses should be aware that significant new obligations under the EU Data Act came into force on 12 September 2025.

Those businesses engaging with the EU market face new compliance obligations affecting their business models and contracts, however the EU Data Act also presents a number of new opportunities.

What is the EU Data Act?

The EU Data Act (Regulation (EU) 2023/2854) establishes a framework for data access, sharing, and reuse across the EU. It complements the EU’s broader strategy to foster a competitive and fair data economy, particularly in sectors reliant on data from connected devices. Notably, around 80% of industrial data currently goes unused.

So why is it relevant to UK businesses if it is an EU regulation?

The Data Act has extra-territorial reach. UK businesses may be subject to its rules if they offer products or services in the EU or process data from EU users. In particular, non-EU entities subject to the Act must appoint a legal representative in an EU member state. This representative must be designated in writing, publicly disclosed, and addressable by national authorities.

Isn’t this already covered by GDPR?

No. While GDPR governs personal data and individual rights, the Data Act covers both personal and non-personal data. It focuses on access, sharing, and reuse, especially data generated by connected products and services. The two laws operate in parallel but intersect in areas like IoT and smart devices.

What sort of activities could bring UK business into scope for the EU Data Act?

UK companies may be subject to the EU Data Act in various ways. This includes if they:

  • place connected products (such as IoT devices, vehicles, smart appliances) on the EU market
  • provide cloud or data processing services to EU customers
  • hold or share data generated by EU users and/or
  • offer services related to connected products (for example analytics and/or maintenance).

Are there particular sectors or types of UK businesses that may be in scope?

The Act applies across all sectors. However, examples of industries which will likely be impacted include:

  • manufacturing (especially IoT, ‘smart’ devices and automotive)
  • cloud and SaaS providers (and customers who use these services)
  • telecoms and smart infrastructure
  • aviation and MedTech
  • consumer electronics and smart home products.

What do affected businesses need to do?

The EU Data Act introduces various rights and obligations for users, data holders, and third parties, including:

  • user data access rights: users must be able to access data from connected products in machine-readable formats
  • cloud portability and switching: providers must facilitate switching between services to reduce vendor lock-in
  • FRAND contractual terms: data holders must offer fair, reasonable, and non-discriminatory terms
  • public sector access: authorities may request data in emergencies. Such data must be deleted once no longer needed unless otherwise agreed. Trade secrets must be protected
  • design for data access: from 12 September 2026, connected products must be designed to enable data access
  • switching fees: from January 2027, switching and data egress fees must be eliminated, except in limited cases.

What is the new SaaS “termination” right that has been reported? Does that mean the end to fixed term and minimum term SaaS contracts in the EU?

Article 25 of the Data Act requires SaaS and data processing contracts to allow switching with a maximum notice period of two months. Switching effectively terminates the contract. Fixed-term contracts remain permitted, but providers may need to refund unused prepaid amounts depending on national law. Early termination penalties are allowed only if they are proportionate, transparent, and reflect actual losses net of any costs saved.

This is a significant change to current practices, as SaaS agreements often lock in customers for a minimum term (typically between 12 and 36 months). While this may be welcomed by customers, it may present challenges for SaaS providers, requiring a recalibration of business models.

Are there any opportunities for impacted businesses?

Yes. The EU Data Act creates opportunities for businesses including enabling broader data access for new services, increased interoperability, boosting competition by promoting fair data exchange and reducing vendor lock-in. The following are just some examples of potential upsides for affected businesses:

  • reduced lock-in – advantages for customers and providers: the EU Data Act’s provisions around data migration and fairer contracts can protect businesses (especially SMEs) from unfair data-sharing terms, which will likely lead to cost reductions by making it easier and cheaper to switch between cloud providers. This has a benefit for the businesses themselves, but also potentially makes it easier for other providers to enter the market.
  • new innovations and business models: the increased access to data can allow for new business models and ways to monetise data. For example, third-party service providers (such as analytics providers or insurers) may be able to access user data from connected devices, enabling things like predictive maintenance services or more personalised insurance. Manufacturers may also be able to obtain data from competitors’ devices (with user consent) to develop new cross-brand solutions
  • new collaboration opportunities tie-ups: increased access to data (and especially updating contracts to align with the Data Act’s fairness and transparency requirements) will create collaboration opportunities to work cross-sector – potentially bringing parties together with new joint product offerings. For example, data from connected cars could support maintenance schedules, whereas information from home IoT devices could be used to decrease insurance premiums.

How will non-compliance be enforced? Could there be fines and other consequences?

Non-compliance with the EU Data Act will be enforced by each of the 27 member states. Sanctions must be effective, proportionate, and dissuasive. Accordingly, there may be a number of different enforcement regimes that UK businesses need to be aware of. It is anticipated that national authorities will be able to issue penalties such as warnings, reprimands, temporary or definitive bans on data processing, and significant administrative fines.

The Birketts view

The EU Data Act introduces new compliance challenges, but it also unlocks strategic opportunities for innovation, data monetisation, and market expansion.

UK businesses should assess whether they fall within scope and understand how this affects their contracts, data practices, and commercial models.

More broadly, now is an ideal moment to evaluate whether your organisation is fully leveraging its data assets and exploring new routes to market in the digital economy.

At Birketts, our commercial and technology team advises clients across all sectors on data compliance, monetisation strategies, and related contractual and IP matters.

If your business is navigating the implications of the EU Data Act, or simply wants to explore how to make better use of its data, please get in touch. We’d be delighted to help.  

Key Contacts

Ian Williamson

Partner

+44 203 940 6867

[email protected]

Related Expertise

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at September 2025.

Contact Us
Contact Us
For general enquiries please call +44 (0)808 169 4320 or send a message from our Contact us page.