Regulating Data: EU Data Act & More - October Edition

Welcome to the second edition of Regulating Data: EU Data Act & More.

Auditors are already beginning to review compliance with the EU Data Act across all sectors, including financial institutions and asset managers. Given the heightened regulatory attention, this month, we provide an overview of

• the EU Commission’s updated FAQs on the Data Act (version 1.3, dated 12 September 2025), which highlight the broad applicability of the EU Data Act, including SaaS – making it highly relevant for all sectors.
• newly published guidance on vehicle data under the EU Data Act, which provides info (amongst others) on data being in-scope and out-of-scope of the Data Act.,
• the European Commission’s Call for Evidence on the “Digital Omnibus” which has the goal to get stakeholder input on how to simplify legislation on data, cybersecurity and AI.

Please also check out our webinar series on the Data Act. We have provided a link to the latest webinar on EU-member states implementing laws below.

1. FAQs on the Data Act – FAQs on the Data Act – Key Updates in Version 1.3 (12 September 2025)

The European Commission has published Version 1.3 of its FAQs on the EU Data Act (Regulation (EU) 2023/2584), introducing several updates and clarifications to support its implementation. Notably, the clarified scope of the EU Data Act as stated in the FAQs for all sectors emphasizes a strong relevance for SaaS providers. Below is a summary of the key additions compared to Version 1.2.

1.1. Scope of Data falling under the obligations of data sharing

(A) IoT data processed at the edge

Edge processing involves handling data locally on connected devices rather than relying on remote servers. The Data Act requires data holders to provide access to "readily available" data unless the product's design inherently prevents external storage or transmission. The FAQ stress that the Data Act promotes fair data-sharing practices, ensuring users and third parties benefit from edge-processed data without imposing excessive burdens on data holders, also in this situation. Proportionate mechanisms, such as dual data flows or encrypted local storage, may be used to facilitate access while maintaining compliance with the Act's objectives.

(B) Impact of anonymisation on compliance with the Data Act

Anonymisation or severing the link between data and its connected product does not exempt data holders from sharing obligations under the Data Act. Users and third parties must have a reasonable opportunity to access data before it is anonymised or encrypted, and data remains "readily available" if it can be reasonably relinked to a user or product without significant system changes or costs.

1.2. Obligations of the data holder

(A) Obligations concerning data quality requirements:

To comply with the Data Act, data holders must ensure data is:

• In a usable format: Provided in a structured, commonly used, machine-readable format (e.g. XML, JSON, CSV) to ensure interoperability and reuse.
• Of consistent quality: Shared at the same quality as used internally or within the industry.
• Timely: Delivered without undue delay, with automated and streamlined processes to minimise bottlenecks.
• Low latency: Provided in real-time or near-instantaneously where technically feasible and beneficial (e.g. IoT or industrial systems).
• Convenient: Easily accessible without unnecessary barriers or complications.
• Secure: Protected against unauthorised access, adhering to industry and legal security standards.

(B) GDPR basis for replying to a data request:

When responding to data requests under the Data Act, data holders can rely on the following GDPR legal bases:

• If the user is the data subject: Requests for self-access align with the right of the data subject to access under the GDPR, and requests for porting data to third parties align with the right to data portability under the GDPR.
• If the user is not the data subject: The Data Act does not provide a legal basis under Article 6(1) GDPR. Data holders must assess an appropriate legal basis (e.g. contract performance, legitimate interest) or provide anonymised data.

(C) Obligation of the data holder to verify legal basis under the GDPR:

When sharing data between controllers, each must independently demonstrate GDPR compliance under the accountability principle and ensure they have sufficient information to do so, cooperating to share only strictly necessary information.

(D) Possibility to use generated data by products placed on the market before application date:

From 12 September 2025, data holders must have a contract with users to use readily available data, applying to products placed on the market before and after this date. Data holders must either secure user agreement through a new or adapted contract or, if users cannot be identified despite reasonable efforts, they may continue using the data under a legitimate expectation. However, if users are later identified (e.g. via a data access request), a contract must then be concluded to secure their agreement.

1.3. Unfairness in business-to business data-sharing contracts

(A) Application of the unfairness control to contracts concerning primarily other subjects, but contain aspects of data sharing:

The provisions on unfairness control apply to contractual terms between enterprises that concern data access, use, liability, or remedies for breaches of data-related obligations, even if data is not the main subject of the contract. The unfairness control only applies to terms related to data, such as access modalities, purposes of use, or liability for breaches, and not to unrelated terms like product guarantees or service technicalities. General clauses (e.g. on liability or remedies) are subject to Chapter IV only if they cover data-related obligations. For example, in a bank loan contract requiring data sharing, Chapter IV applies to data-sharing terms but not to loan-specific terms.

(B) Application of unfairness control to contracts concluded before applicability of the Data Act:

The Data Act applies from 12 September 2025, but the unfairness control applies:

• To contracts concluded after 12 September 2025.
• From 12 September 2027 to contracts concluded on or before 12 September 2025, if they are indefinite or set to expire 10+ years after 11 January 2024, allowing time for renegotiation to address potentially unfair terms.

1.4 Switching Between Data Processing Services

(A) Application to SaaS: The Data Act defines “data processing services” roughly as digital services enabling on-demand access to scalable computing resources, covering IaaS, PaaS, and SaaS. The switching provisions apply to all SaaS types meeting this definition, requiring compliance with provisions like enabling service switching and ensuring open interfaces and interoperability. However, exemptions exist for custom-built services and testing services provided for a limited time.

(B) Obligation of the source provider to assist in the integration of the destination provider: The Data Act limits source providers' obligations to facilitate switching to their own service environment, with no requirement to rebuild services in the destination provider's infrastructure. Functional equivalence applies only to IaaS providers, while PaaS and SaaS providers must ensure open interfaces, data export in standard formats, and compatibility with harmonised standards or open interoperability specifications. The Data Act does not require source providers to assist customers in recreating services in a new environment.

1.5 Next Steps

The European Commission will continue to update the FAQs as necessary to address stakeholder concerns and ensure the effective implementation of the Data Act.

Source: European Commission - FAQs Data Act - Version 1.3 (12 September 2025)

2. Vehicle Data under the Data Act – Guidance Published by the European Commission (12 September 2025)

The European Commission has issued detailed guidance on vehicle data to support the implementation of Chapter II of the EU Data Act (Regulation (EU) 2023/2854). This guidance is tailored for automotive stakeholders, including original equipment manufacturers (OEMs), suppliers, and service providers, and focuses on the obligations related to connected vehicles and related services. Below are the key updates and clarifications:

2.1. Scope of Vehicle Data

(A) Connected Products

Vehicles that generate, collect, or communicate data via electronic means are considered “connected products” under the Data Act. OEMs or data holders must assess whether a vehicle qualifies as such.

(B) Related Services

Digital services connected to vehicles that involve bi-directional data exchange and impact vehicle functionality (e.g., remote control, predictive maintenance, or cloud-based services) fall under the scope. Traditional offline services like manual repairs are excluded.

(C) Data categories covered

1. In-scope data:

• Raw Data: Data directly generated by sensors or user actions without substantial modification (e.g., wheel speed, tyre pressure).
• Pre-Processed Data: Data that has undergone minimal processing to make it understandable and usable (e.g., vehicle speed, fuel consumption).

2. Out-of-scope data:

• Inferred or Derived Data: Data created through complex processing or proprietary algorithms (e.g., driver behaviour analysis, advanced route planning).

2.2 Access to Vehicle Data

(A) User Rights

Users have the right to access and use vehicle data, including sharing it with third parties of their choice. Data holders must provide access either directly (e.g., via onboard systems) or indirectly (e.g., through backend servers).

(B) Quality Standards

Data must be made available at the same quality level as it is accessible to the data holder, ensuring no discrimination against independent service providers.

(C) Ease of Access

Data access must be facilitated without undue barriers, costs, or procedural hurdles. For example, if data is made available via the OBD-II port, users should not be required to purchase specialised tools or possess advanced technical skills to retrieve the data.

(D) Cost of Data Access: Reasonable Compensation

Data holders may charge reasonable compensation for providing access to data in business-to-business contexts. Detailed guidance on calculating such compensation will be provided by the Commission in future guidelines.

2.3. Implementation and Enforcement

(A) Collaboration Between Authorities

• The Commission encourages collaboration between competent authorities to ensure smooth enforcement of the Data Act.
• National authorities are urged to coordinate with data protection authorities and national competent authorities under the Type Approval Regulation to address overlapping regulatory requirements.

(B) Standards Development

• The Commission supports the development of standards for data access in the automotive sector to promote interoperability, security, and fair competition.
• Stakeholders are encouraged to engage in dialogue to achieve balanced implementation of the Data Act.

Source: European Commission Guidance on Vehicle Data, accompanying Regulation 2023/2854 (Data Act) (12 September 2025)

3. EU Commission's Call for evidence on "Digital Omnibus" - impact on data

On 16 September 2025 the European Commission has opened a call for evidence to collect research and best practices on how to simplify its legislation in the upcoming Digital Omnibus, especially when it comes to data, cybersecurity and artificial intelligence (AI).

This is fully in line with the Commission’s simplification agenda and efforts to create a more favourable business environment, by lightening administrative burdens and costs on companies. The initiative also supports the Commission’s target in the Competitiveness Compass to cut administrative burden by at least 25% for all companies and at least 35% for small and medium-sized enterprises.

3.1. Overview of the scope of the effort

The “Digital Omnibus” (the Digital Package on Simplification by the EU Commission) will include measures targeting problems and seeking simplification in the following areas:

• the data acquis (Data Act, Data Governance Act, Free Flow of Non-Personal Data Regulation, Open Data Directive).
• rules on cookies and other tracking technologies laid down by the ePrivacy Directive.
• cybersecurity related incident reporting obligations.
• the smooth application of the AI Act rules.
• other aspects related to electronic identificatio

3.2. Data legislation

In the area of data legislation, the main concern relates to the outdated nature of some of the rules and the need for further coherence and predictability. The acquis is fragmented and rules that logically concern the same areas, such as the access to and re-use of public sector data are split across multiple instruments, adding unnecessary complexity for businesses, in particular for smaller and mid-cap companies that are trying to emerge on the EU market with a strong data-driven component in their innovative business models. Rules established to foster the uptake of data sharing mechanisms are often perceived as unnecessarily complex or unclear and as challenging for scaling up such mechanisms. While current legislation foresees special rules to support SMEs, small mid-caps are faced with the burden of complying with the full acquis, despite their limited resources. Addressing this “cliff edge” can create further opportunities and enhance these companies’ competitiveness.

3.3. Cybersecurity

In the area of cybersecurity, there is a significant burden for businesses stemming from incident and data breach reporting obligations regulated in different EU-level rules (either of a horizontal nature or as part of sector-specific frameworks) and their transposition at national-level. This issue is widely reported by stakeholders and immediate measures for simplifying compliance with the requirements and for the us of reporting tools are necessary while keeping a high cybersecurity protection. Further simplification measures related to the cybersecurity risk management are considered under the separate review of the Cybersecurity Act.

3.4. General objective of the initiative

The general objective of the initiative is to reduce the administrative costs for compliance for businesses, administrations and citizens in the European Union in application of several regulations of the Union’s digital acquis without compromising the objectives of the underlying rules. The specific objectives for the Digital Omnibus proposal are, amongst others, to reduce compliance costs for businesses across all sectors in relation to the access, use and sharing of data by reducing fragmentation of rules and their application and by clarifying the rules and requirements that apply and by cutting obligations where a less costly alternative exists.

3.5. Procedure

The proposal for the Digital Omnibus is informed by initial stakeholder feedback, multiple position papers and additional stakeholder interactions following throughout 2025. The initiative also draws from three calls for evidence and public consultations on related regulatory areas that will be amended through the Omnibus proposal: data acquis (including rules on cookies under ePrivacy Directive), cybersecurity, artificial intelligence. This additional call for evidence seeks to collect feedback from stakeholders on the Digital Omnibus, allowing to bring in their views, expertise and evidence on the aspects relevant to this proposal. The Commission’s services are duly assessing stakeholders positions on simplification submitted through the previous topic-specific consultations, and stakeholders do not need to resubmit those contributions in the context of this call for evidence. An additional public consultation will be organised on the details of the Digital Fitness Check.

All stakeholders concerned are invited to share their views, including companies providing digital services or other products or services with a digital component, civil society, experts and public authorities.

4. EU Data Act Webinar Series & our National Implementation Status Tracker

• Don’t forget to check out our latest EU Data Act webinar regarding the national implementation status across the EU – in particular, France, Germany, Italy and the Netherlands. Watch here.
• We have now introduced out EU Data Act National Implementation Status Tracker on our website, that we will regularly update. Read here.