Navigating The EU Data Act: Key Obligations And A Spotlight On Switching Rights

Regulation (EU) 2023/2854 (the Data Act) entered into force across the EU on 12 September 2025. It forms a key part of the EU's broader data strategy and establishes a comprehensive framework for how data is accessed, used, and shared across connected products, digital services, and data processing services, including cloud and edge computing services. It applies to a wide range of businesses, such as connected product manufacturers, software as a service (SaaS), and infrastructure service providers, as well as third-party data recipients and public bodies.

The EU Data Act aims to make data more accessible and usable across the data ecosystem by removing the barriers to switching between service providers, improving access to product usage data, and promoting a more competitive and interoperable data environment. While the General Data Protection Regulation (GDPR) introduced a limited right to data portability for personal data, the Data Act goes further. It covers both personal and nonpersonal data and applies across the full data value chain.

Noncompliance can carry significant consequences. Enforcement will be led by national authorities, with sanctions ranging from warnings and compliance orders to administrative fines. While the level of fines is still being determined in several member states, the Data Act allows national regulators to set their own thresholds. In some cases, these may be set at levels similar to those under the GDPR, in which fines can reach up to 4% of global annual turnover.

What Is in the EU Data Act?

The Data Act introduces a broad set of rights and obligations aimed at unlocking greater value from data while protecting commercial and strategic interests. Key areas include:

1. Wider access to usage data. Manufacturers of connected products and providers of related digital services placed on the EU market (e.g., a smart appliance, connected vehicle, or medical device and any companion app used to interact with or support its core functionality) must ensure that users can access the usage data generated, either directly from the product or via request. Users are also entitled to have this data shared with a third party of their choosing, subject to appropriate protections. In limited circumstances — for example, when urgently needed to respond to a public emergency — public sector bodies may also request access to usage data.
2. Fairness in business-to-business (B2B) data-sharing contracts. When a data holder shares data with third-party recipients at the request of a user, the associated contracts must avoid certain terms considered unfair under the Data Act. Examples include unilateral interpretation of contract terms and unilateral rights to terminate without valid reason. Data holders are allowed to charge fees for B2B data access, but only if the charges are fair, reasonable, and nondiscriminatory.
3. Restrictions on use of shared data. The Data Act protects against the misuse of shared data by prohibiting data holders and third-party recipients from using it to develop competing products or services or to gain insight into the operations of others. Data holders may also limit access when the data qualifies as a trade secret and disclosure would cause serious harm or introduce additional safeguards to protect trade secrets. When these protections are not respected, or data is obtained through deceptive means, the Data Act allows data holders to require deletion, suspension of further use, and compensation.
4. Switching rights for cloud and edge services. The Data Act introduces a right for customers to switch between cloud or edge service providers offering the same type of service. Cloud and edge service providers are required to remove contractual and technical barriers to switching and allow termination on two months' notice as part of a switching request. Switching-related fees charged by providers must also be phased out by January 2027, with limited exceptions. These provisions have attracted particular attention because they effectively operate as a termination for convenience right for customers. We explore them in more detail in the Spotlight on the New Switching Rights section.
5. Smart contracts in data sharing. When smart contracts are used to automate access to data, the Data Act imposes specific obligations on the vendor of the smart contract application or, in the absence of a vendor, the party deploying the contract. These include safeguards such as access controls, clear termination functions, and mechanisms to prevent unintended execution. The aim is to ensure that smart contracts support trust, accountability, and control in automated data-sharing arrangements.
6. Interoperability and future technical standards. The Data Act empowers the European Commission to adopt mandatory interoperability requirements and common specifications to support switching and data portability, particularly when existing harmonised standards are lacking. While these are not in force yet, alignment with emerging standards will be expected as the data ecosystem evolves.
7. Representative obligations for non-EU businesses. Similar to the representative obligations under the GDPR and other recent EU digital laws, businesses that are not established in the EU but make connected products or relevant services available to users in the EU must appoint a legal representative based in an EU member state as a point of contact for national regulators.

Spotlight on the New Switching Rights

The switching rights in the EU Data Act have already triggered a significant market response, particularly from affected businesses assessing the impact on long-term contracts and revenue models. These rights apply when a provider offers a data processing service to customers in the EU. This term broadly covers services that enable on-demand access to scalable and elastic computing resources, including cloud and edge computing services such as infrastructure (IaaS), platform (PaaS) and certain software (SaaS) offerings, depending on how the service operates and the role data plays in its delivery.

Under the Data Act, providers must remove contractual and technical barriers to switching and allow customers to terminate on no more than two months' notice as part of a switching request. While the Data Act does not prohibit fixed-term contracts and early termination fees, it raises questions around the proportionality of early termination fees, discount clawbacks, and other mechanisms that could be seen as discouraging switching. Enforcement is expected to focus on terms that discourage the exercise of these new switching rights.

Some providers have already published addenda or updated their standard terms to reflect their interpretation of the rules. For example, some larger enterprise vendors are taking the position that customers must continue to pay subscription fees for the remainder of a fixed term if they exit early. Others are approaching the issue differently by shifting to up-front annual billing models, aiming to secure payment earlier and reduce the risk of having to enforce payment after a customer switches. Although these early interpretations are likely to shape market practice in the short term, particularly those adopted by large enterprise vendors, whether they comply with the Data Act's proportionality requirement remains to be seen. This will ultimately depend on how national regulators interpret the rules in practice.

Beginning January 2027, most switching-related charges such as fees for data transfer or reformatting must be phased out entirely, except in limited multicloud scenarios. This does not affect other permitted charges, including contractually agreed early termination penalties. Businesses should now review their service definitions, switching pathways and commercial terms in light of these changes.

What Should Businesses Do Now?

The EU Data Act introduces complex and wide-ranging obligations, particularly for businesses involved in connected products, digital services, or cloud infrastructure. As a starting point, organisations should check whether they fall within scope and begin mapping how usage data is generated, stored, and accessed across their operations. From there, commercial, legal, and technical teams will need to assess what changes, if any, need to be made to existing contracts, data-sharing arrangements, and internal processes. Many of these questions will depend on how the business interacts with data in practice and how the new rules apply to specific products or services.

The European Commission has issued a list of FAQs and explanatory materials to support implementation, but they are high level and leave significant room for interpretation. Much will depend on how national regulators choose to apply the rules in practice. Businesses navigating grey areas or sector-specific issues should consider seeking tailored advice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.