The EU Data Act will come into effect on 12 September 2025, officially introducing one of the most significant regulatory changes to Europe’s digital landscape in recent years. The Act aims to unlock the value of data generated by connected products and services, foster fair competition, and create a more transparent and interoperable data economy across the European Union.

For businesses operating within the EU, or providing connected products or services into the EU, this regulation will have a direct impact.

What the EU Data Act Means for Your Business

The regulation focuses on improving access to, and the sharing of, data generated by connected devices and related services, including both personal and non-personal data. Its goal is to give users, whether consumers or businesses, greater control over their data, while ensuring providers compete on a level playing field.

Key areas to note include:

1. User Rights Over Connected Device Data

Users must be able to access the data generated by their connected products and, where requested, transfer this data directly to third parties. This is designed to encourage competition and open up new opportunities for innovation.

2. Fair and Transparent Contracts

From 12 September 2025, all business-to-business data-sharing agreements must comply with fair, reasonable, and non-discriminatory (FRAND) terms. The Act also bans certain unfair contractual clauses, placing the burden on data holders to prove their agreements are compliant.

3. Switching Between Data Service Providers

Cloud and data processing providers must make it easier for customers to switch to alternative services. Barriers such as technical restrictions and excessive fees are being removed, with switching charges set to be completely banned from January 2027.

4. Safeguarding European Data

The Act introduces stronger measures to prevent unlawful access to data by authorities outside the EU, reinforcing Europe’s focus on digital sovereignty and security.

5. Product Design Obligations

From 12 September 2026, connected products must be designed to enable data access by default, requiring manufacturers to build user-friendly mechanisms for sharing and portability directly into their devices and systems.

6. Emergency Access for Public Authorities

In rare cases, public authorities will be able to request access to privately held non-personal data in emergencies, such as natural disasters or public health crises, under strict safeguards.

Cyber Exposure under the EU Data Act

The act expands user rights and data-sharing obligations, meaning more parties gain access to company-held data. These increased data flows and interoperability raise the risk of breaches, whether through cyberattacks, accidental disclosure or misuse of transferred data. Businesses must enable portability and switching between providers creates new vulnerabilities if security measures are inadequate.

Potential claims and costs covered by Cyber policies include:

• Third party claims from customers, partners or other data holders whose information is compromised.

• Incident response costs including legal advice, crisis communications and customer notifications.

• Business interruption losses arising from system downtime or breaches linked to increased data-sharing obligations.

Directors’ & Officers’ Insurance

Company directors and senior management hold responsibility for implementing compliance measures under the Act and failing to ensure proper policies, systems, and contracts are in place could expose directors to claims from shareholders, regulators, or business partners. If a data breach occurs, or the business fails to comply with switching and access obligations, directors may be accused of negligence, mismanagement, or breach of duty.

Potential claims covered by a D&O policy include:

• Shareholder actions alleging management failed to mitigate known regulatory risks

• Regulatory investigations into leadership’s role in non-compliance or insufficient controls.

• Claims from business partners affected by delays, failures, or losses tied to data-sharing obligations.

How We Can Help Your Business

W Denis brokers understand the regulatory challenges facing businesses across Europe. The EU Data Act introduces complex new obligations that will affect a wide range of sectors, from manufacturing and automotive to technology and cloud services.

For a quotation please contact:

Eastern Europe

Vida.Jarasiunaite@wdenis.eu

Southern Europe

Christos.Hadjisotiris@wdenis.com

Western Europe &/or elsewhere worldwide

Mark.Dutton@wdenis.com