EU Data Act comes into force amid fears of regulation fatigue
The EU Data Act will potentially give users control of device data, and boost data sharing, cloud switching and competition while raising compliance demands
The European Union (EU) Data Act comes into force today (12 September 2025), giving, says the European Commission, citizens control over data generated by their connected devices, such as smartwatches and cars. It is also said to open up opportunities for small businesses to use this data to develop “innovative after-sale services”.
Business and consumer users of connected devices will now be able to access, use and share the raw data generated by their devices.
Among its provisions, the EU AI Act will give manufacturing or agriculture companies access to data about the performance of industrial equipment, which can improve their efficiency and operations. It also enables cloud users to switch between cloud providers or use services from several providers in parallel. It will additionally prohibit unfair contracts that could prevent data-sharing.
Chris Gow, senior director for EU public policy and head of the Brussels office for government affairs at Cisco, told Computer Weekly on the eve of the “big day” that the novelty of the act should be noted.
“I see a lot of regulations around the world, and this is pretty unique,” he said. “There are lots of types of data governance stores and they’re either looking towards organising data so they can be shared with other parties or organising it in such a way that it’s protected … But this is unique in that it is about sharing private sector data. It is really treading new ground, and I think companies and enforcement agencies are still trying to figure out how this is really going to work in practice, because there’s not an easy model where we can just say, ‘we’ve seen this before’.”
Linzi Penman, head of the UK technology practice at law firm DLA Piper, said the act was a victim of a sense of regulatory fatigue, from a UK perspective. “There’s certainly a feeling that the EU Data Act is a regulation that’s ‘slipped through the net’ for a lot of organisations, through some combination of digital regulatory fatigue and a scope that’s both complex and widely underestimated,” she said.
“The fact that no member states have yet adopted laws setting out the enforcement regime for the Data Act, despite today’s applicability deadline, is telling of how challenging the EU’s digital regulatory environment is to manage from both sides – particularly noting the delays with local transposition of NIS2 and delays of Dora RTSs [regulatory technical standards].”
Complex and nuanced scope
Penman drew attention to how “the combination of a complex and nuanced scope, a lack of technical guidance compared to the General Data Protection Regulation (GDPR) and EU AI Act, and a common underestimation of just how far-reaching the EU Data act is, is causing a headache for a lot of organisations.
“The extension of data accessibility and portability rights beyond personal data is a seismic shift,” she said. “We’ve spent years building processes around GDPR, and now in-scope companies are being asked to apply similar rigour to non-personal data, including trade secrets. And, where GDPR and Data Act enforcement will both apply in tandem, the compliance stakes are huge.”
In terms of the aspect of the act that facilitates switching cloud providers, Penman added: “The act’s ambition – to increase competition and prevent vendor lock-in – is laudable, but the unintended consequence could be a surge in complexity and cost for cloud service businesses, with potential challenges to revenue recognition. The cloud switching provisions in Chapter VI were almost overlooked initially given all the focus on the IoT provisions, so many are overlooking this bottom-line issue.”
Brenton O’Callaghan, chief product officer at Avantra, a supplier that automates SAP processes, said “it can only be a good thing to allow more cost-effective transfer of data between clouds when you choose to move cloud provider”.
“Be under no illusion, though, that this won’t necessarily make it easier or quicker – the transition services and commitments from the major cloud providers have fine print and requirements that mean it will still be a drag and will be available only if you are adhering to their requirements,” he said. “Such as the transfers must be inter-company only and be between services of the same type on different cloud platforms.
“EU regulation is helpful in forcing companies to classify and understand the risks in their AI systems. The danger is that if the scope expands too broadly, it risks slowing innovation under layers of compliance. The balance should stay risk-based and focused on high-risk use cases. If this is done right, then it will prevent regulation from becoming an administrative tax or barrier to market entry.”
Read more about the EU Data Act
- EU Data Act prompts Google to scrap data transfer fees for UK multicloud users.
- Big EU industry joins with Europhile MP to persuade obstinate government officials to join the dataspaces intended to become the bedrock of Europe’s digital single market.
- European Commission should rescind UK data adequacy.
The act does not apply directly in the UK but, as with similar EU legislation, it affects UK businesses that make products or provide services in the EU that are in scope, such as connected devices, and have EU operations, clients or data flows that fall under the act.
The UK’s Data Use and Access Act 2025, which came into force on 19 June 2025, is also aimed at simplifying organisations’ data processing and sharing.
Peter Kyle, technology secretary at the time, expressed a government ambition to capitalise on data similar to that of the European Commission with the Data Act. “For too long, previous governments have been sitting on a goldmine of data, wasting a powerful resource which can be used to help families juggle food costs, slash tedious life admin, and make our NHS and police work smarter,” he said.
“These new laws will finally unleash that power.”
