Everything you need to know about the Data Act

In this article, you will read

• what the Data Act is,
• what opportunities it creates
• and how cloud providers need to respond.

New regulatory changes are reshaping the digital space in 2025. The EU Data Act, which took effect on September 12, 2025, aims to enable “barrier-free” data sharing and support the development of data-driven business models. It seeks to eliminate data monopolies, which introduces specific requirements for cloud providers. This article offers a brief overview and outlines the current status of the EU Data Act.

In a digitalized society, data is constantly being generated. The higher the level of connectivity, the more data is produced, stored, and processed. This abundance of data creates significant opportunities for innovative, data-driven business models. But where should this data be stored? That often depends on the volume. Some companies keep data on their own infrastructure (on-premises), while others rely on external IT providers or cloud services.

The cloud, in particular, enables convenient storage, analysis, and processing of large and growing data volumes. However, different storage environments and differing levels of data control often lead to silos, where individual companies maintain exclusive control over the data, whether they are original service providers or cloud providers. The EU Data Act establishes a framework to simplify and regulate access to this data.

The EU Data Act should not be confused with the Data Governance Act (DGA), even though both are central components of the European data strategy. The DGA provides a trusted framework for voluntary data sharing and supports data use in the public interest and in innovation.

The EU Data Act, by contrast, strengthens the availability and use of data. It sets rules for accessing and using data, particularly in the Internet of Things (IoT) sector. Its purpose is to make data more easily accessible to businesses, consumers, and public authorities. Together, the two laws create a sustainable and fairly regulated data ecosystem for European companies, consumers, and the public sector.

The Data Act aims to unlock the business potential of data for European companies and to reduce legal uncertainties surrounding data sharing. Its objective is to ensure that businesses and individuals can share data wherever possible, making it accessible to all participants in the digital value chain. Although the primary focus is on data generated by the Internet of Things (IoT), the regulation can also include personal data. In cases of uncertainty or overlap, the EU GDPR takes precedence.

The Data Act applies to manufacturers of products, providers of connected services, data holders, data recipients, public authorities, public bodies, institutions and other entities of the European Union, as well as providers of data processing services. In practical terms, it covers nearly all participants involved in digital value chains.

As with other regulations, European lawmakers have exempted small and micro enterprises with less than €10 million in revenue and fewer than 50 employees. This exemption still leaves a significant number of companies subject to the requirements. For more detailed information on the EU Data Act, the guide published by Vereinigung der Bayerischen Wirtschaft e. V. (vbw) provides a comprehensive resource.

The EU Data Act was published in the EU Official Journal on December 22, 2023, and came into force on January 11, 2024. No penalties for non-compliance were imposed initially because the EU granted companies a 20-month transition period.

This changed on September 12, 2025, when the EU Data Act became directly applicable law across all member states. Companies that have not yet established the necessary requirements for easy data portability, among other obligations, should act now and update their systems and processes to ensure compliance.

Chapters II to V of the Data Act define who must provide which data to whom and under what circumstances. Chapters VI and VIII focus on technical requirements. They address the management of data spaces and ensure that data users can switch their data processors as easily as possible. The goal is to prevent vendor lock-in under the EU Data Act.

Chapter overview:

• Chapter I: General provisions.
• Chapter II: Data sharing from businesses to consumers and between businesses.
• Chapter III: Obligations of data holders when sharing data.
• Chapter IV: Prohibition of abusive contractual clauses related to data access and use between businesses.
• Chapter V: Provision of data to public authorities in cases of exceptional necessity.
• Chapter VI: Switching between data processing services.
• Chapter VII: Unlawful access to non-personal data in an international context.
• Chapter VIII: Interoperability.

The final Chapters IX to XI cover general topics such as application and enforcement, along with closing provisions. They also specify the entry into force date, September 12, 2025, and the applicable sanctions.

As of November 2025, it is still unclear which authority in Germany will be responsible for applying and enforcing this regulation, as outlined in Article 37. Since February 2025, an official draft of a national implementation law, the Data Act Implementation Act (DADG), has been available. This draft designates the Federal Network Agency as the central enforcement authority, with the Federal Data Protection Commissioner providing support on data protection matters. It remains uncertain whether the DADG will come into force as planned.

For legal experts, terms such as “connected services,” “data holders,” and “data recipients” may be familiar. For ordinary users, however, the vocabulary of the Data Act can be confusing. The situation becomes even more complex when trying to assign the different roles within connected services to the various actors. The following example illustrates how the regulation works in everyday life.

The Vogt family has installed a smart heating system in their home. They chose a solution from the company ABCHeating. The ABCHeating system regularly measures energy consumption, indoor and outdoor temperatures, heating patterns, and other parameters. For data storage, ABCHeating, acting as the data holder, uses a cloud provider, in this case, the Open Telekom Cloud. Under the EU Data Act, the Vogt family, as end users, has the right to access the data generated by the IoT devices in their home at any time. This access is provided through the ABCHeating app, where they can view their energy consumption and related information.

The family wants to reduce energy use and lower heating costs. However, the analysis features provided by ABCHeating offer limited insight. While searching online, they discover a solution from XYZEnergy, offered through the IVLConnect platform. XYZEnergy, acting as the data recipient, needs access to the family’s data for its analysis. This data is stored in the Open Telekom Cloud, functioning as the data processor, and remains under the control of the data holder, ABCHeating. This arrangement creates a connected service that is provided by one company, XYZEnergy, using data controlled by another company, ABCHeating.

As the data holder, ABCHeating must provide the requested data in a machine-readable format and may charge a fee, although the fee cannot be excessive. ABCHeating must deliver the data completely and without delay, which requires close coordination with the cloud provider. In this scenario, XYZEnergy becomes the data recipient. IVLConnect, acting as the data intermediary, ensures the secure transfer of data to XYZEnergy. XYZEnergy uses the data only for the agreed analyses and provides the Vogt family with detailed recommendations for reducing energy consumption. The company is not permitted to use the data for any other purpose or to sell it to third parties.

All of these processes, along with the rights and obligations of the parties involved, are regulated by the EU Data Act.

The regulation goes even further. If the city administration wants to use anonymized and aggregated heating data to improve regional energy efficiency, it can request this data from ABCHeating. ABCHeating is required to provide the data in the public interest, provided that no trade secrets or privacy rights are violated. The Data Act ensures that data is shared transparently and fairly to promote innovation, while ABCHeating remains responsible for meeting all legal obligations under the EU Data Act.

For the cloud provider, in this case, the Open Telekom Cloud, the regulation requires the following:

• Enable data accessibility, for example through APIs.
• Ensure data integrity.
• Guarantee data portability, even for large data volumes, so that data can be transferred easily, quickly, and cost-effectively to another storage solution, which reduces the risk of vendor lock-in.
• Avoid exploiting any potential market power to block access to data or impose additional fees.

Article 26 is particularly important. It sets out the information obligations for providers of data processing services, which includes cloud providers. They must give their customers clear information about the available procedures for switching providers and transferring content. This includes details on transfer methods and formats, along with any limitations or technical restrictions. They must also provide a link to an up-to-date online registry of data processing service providers. This registry contains information on all data structures and formats, along with the relevant standards and open interoperability specifications in which exportable data is available.

The EU Data Act places stricter requirements on cloud service providers to ensure they do not use data for their own purposes or exploit their position by controlling access to data. The aim is to create fair, transparent, and interoperable data ecosystems.

Companies that offer IoT services or connected devices have been required, since September 2025, to work with their IT providers to implement mechanisms that allow data to be shared easily and cost-effectively. Full data transfers or deletions must also be possible at low cost within 30 days.

For the Open Telekom Cloud, meeting the requirements of the Data Act has been straightforward. Because the platform is built on OpenStack open-source software, open interfaces for data transfer already exist. As a result, sharing and exporting data is simple and transparent, and vendor lock-in is minimal. Additional information on export options is available in the Open Telekom Cloud Docs. Customers can also request a free data transfer through an online form.