Black Tiger Insights

From Compliance to Opportunity: Black Tiger’s Take on the EU Data Act

Black tiger

What is the EU Data Act?

The EU Data Act is a landmark European Union regulation designed to enhance the EU’s data economy and foster a competitive data market by promoting data sharing and innovation, and by removing the contractual and technical lock-ins that keep users from switching service providers. It complements the Data Governance Act and fits into the EU’s broader Digital Strategy.

The Data Act ensures fairness in the allocation of the value of data amongst the actors in the data economy. It clarifies who can use what data and under which conditions. 

Key points of the EU Data Act: 

  • Data sharing obligations: Manufacturers of connected devices (IoT, cars, appliances, etc.) must make the data generated by those devices accessible to users and, if requested, shareable with third parties.
  • Fairness rules for cloud services: Cloud and data processing providers must make it easier for customers to switch services, without unfair fees or technical barriers.
  • Fairness rules for Business-to-Business (B2B) Data Sharing: Contracts must be fair and transparent, with no more one-sided terms where small companies are forced to give up data for free.
  • Safeguards for sensitive data: Public authorities can request access to privately held data in cases of public emergencies (e.g., pandemics, disasters).
  • Safeguards for Trade Secrets and GDPR Alignment: Companies can refuse data sharing if it would reveal trade secrets, unless adequate safeguards are in place.

The Data Act was published in the Official Journal of the EU on December 22, 2023, and it will become applicable on September 12, 2025.

Who does the EU Data Act affect? 

This month, the Data Act is moving from “adopted law” into real-world enforcement. This means that the impact is starting to bite for companies, governments, and users alike. 

  • Manufacturers & IoT Producers: Companies making connected devices (cars, smart appliances, industrial machines, wearables, etc.) are among the most affected by the EU Data Act. They will likely need to rethink product design, customer interfaces, and contractual terms ahead of September 12.  
  • Cloud & Data Processing Providers: Providers of cloud, edge, and other data services will also be heavily affected. They’ll need to review and update contracts, technical systems, and business models to allow fair switching, ensure interoperability, and protect customers’ rights.
  • Public Sector Authorities: While not the primary targets of the EU Data Act, Public Authorities gain new rights and responsibilities once the Act goes into effect, so they’ll need to prepare by setting up legal frameworks, secure infrastructure, skilled teams, and transparent processes for using their new data-access powers responsibly. 
  • SMEs & Startups: One of the main beneficiaries of the EU Data Act, they gain new rights to access and use data. However, they also have prep work to do. SMEs and startups should review contracts, strengthen technical infrastructure for data access, protect sensitive information, and prepare to seize new business opportunities the Data Act unlocks.
  • Businesses: While the obligations vary, the EU Data Act affects every organization that either produces, uses, or processes data in the EU. Businesses need to map their data, update contracts, build technical access/sharing capabilities, ensure security, and prepare for regulatory interactions. Non-EU companies need to appoint a representative in the EU, just like under the GDPR.
  • Consumers: Consumers are the end beneficiaries of the EU Data Act, so unlike companies, they don’t face heavy compliance obligations, but they should learn about their rights, explore how their data could benefit them, and be prepared to exercise choice once companies roll out compliance mechanisms in 2025.

Who Enforces the Data Act and What Are the Penalties?

The EU Data Act comes with clear enforcement rules and penalties, much like the GDPR, though they’re structured a bit differently. Here’s what you need to know:

Enforcement

  • National authorities: Each EU Member State must designate one or more competent authorities to oversee compliance with the Data Act.
  • Coordination: These authorities will cooperate across borders through a new European Data Innovation Board to ensure consistency.
  • Scope: Enforcement encompasses all obligations, from ensuring fair contract terms to user access to IoT data and cloud portability.

Fines

  • Breaches of the Data Act can lead to administrative fines imposed by national authorities.
  • The regulation sets maximum fines similar to GDPR but leaves exact levels to Member States. Typically:
    • Up to €20 million, or 4% of global annual turnover (whichever is higher) for the most serious infringements (e.g., refusing to give users access to their IoT data, or discriminatory data sharing practices).
    • Lower fines for less serious breaches, like administrative failures or delays in data access.
  • Cloud service providers that fail to enable switching/portability can also face penalties.

Private Enforcement

  • Businesses harmed by unfair contract terms or refusal to share data may also have remedies under national contract and competition law, in addition to regulatory fines.

Still have questions? Check out the European Commission’s Frequently Asked Questions (FAQs) on the Data Act.

Protecting Data Integrity, Privacy, and Value: Black Tiger’s Commitment to Our Customers

At Black Tiger, we see the EU Data Act not just as a compliance obligation but as an opportunity to strengthen trust with our customers. Our role is to act as a true data custodian—ensuring you can exercise your rights while safeguarding data integrity, privacy, and business value.

What this means for you as a Black Tiger client:

Access & Control

  • You will always have easy access to the data generated by your systems.
  • Your contracts will remain fair, transparent, and free of “gatekeeping.”

Protection & Privacy

  • We safeguard sensitive information and trade secrets when data is shared.
  • GDPR-grade protections (consent, minimization, user rights) apply by default.

Security & Support

  • Strong security measures are built in: encryption, role-based access, and clear audit trails.
  • Our experts will support you if public authorities make lawful requests during emergencies.

In short: you stay in control, your data remains protected, and your business retains its value.

How Can My Organization Get Ready for the EU Data Act?

Stay Compliant and Maximize Value: The Black Tiger Checklist

Use this checklist to help your organization stay compliant with the EU Data Act and GDPR while continuing to get the most out of Black Tiger’s MDM platform.

1. Data Governance

  • Define a clear data ownership model (who owns customer, product, and IoT data).
  • Align policies with Black Tiger’s MDM framework.

2. Integration

  • Map out all data sources (CRM, ERP, IoT devices, marketing platforms) that connect to Black Tiger.
  • Verify interoperability and data portability.

4. Compliance & Legal Alignment

  • Confirm GDPR alignment (lawful basis, contracts).
  • Update agreements to ensure fair, transparent data-sharing terms.

5. Security

  • Apply role-based access controls and audit logs.
  • Ensure Black Tiger’s certifications match internal IT policies.

6. Operational Readiness

  • Train teams to manage, cleanse, and share data effectively.
  • Monitor key KPIs (accuracy, duplication) with dashboards.
  • Plan exit/portability processes to avoid lock-in.