Regulating Data: EU Data Act & More - May 2026 Edition

Welcome to the ninth edition of Regulating Data: EU Data Act & More.

The EU Data Act's enforcement landscape is beginning to take shape and is no longer solely relevant in Europe. While national authorities and Member State legislators are now actively building the operational infrastructure for the Data Act, parallel developments in other jurisdictions signal that data access regulation is becoming a global theme. In particular:

• In the Netherlands, the Authority for Consumers and Markets (ACM) has published comprehensive national authority guidance on data sharing under the Data Act, offering detailed practical interpretations of the Regulation's transparency, access and contractual provisions.
• In Japan, the Cabinet has approved a new certification-based framework for government-to-business data sharing, expressly modelled on the EU's data regulatory architecture, raising the question of whether mandatory B2B data sharing obligations will follow.
• In Germany, the Data Governance Act implementation law has entered into force, marking an important step in Germany’s implementation of the EU's broader data strategy.
• Also in Germany, the federal government has published a dedicated communication reaffirming its commitment to operationalising the Data Act, signalling that the Regulation remains a political priority.
• At EU level, the E-Evidence Regulation will become fully applicable on 18 August 2026, introducing a new category of cross-border data production and preservation orders that will require in-scope service providers to have robust internal response processes in place.

This edition covers these developments and highlights where businesses should review their data sharing arrangements, internal compliance frameworks and readiness planning.

1. ACM Publishes Draft Guidance on Data Sharing under the Data Act

On 15 May 2026, the Dutch Authority for Consumers and Markets (ACM) has published a provisional version of guidelines on data sharing obligations arising from Chapters II and III of the EU Data Act (Regulation (EU) 2023/2854). The ACM has been designated as the competent authority and national data coordinator for the Netherlands under the Dutch Data Act Implementation Act (Uitvoeringswet dataverordening), adopted in October 2025. A final version of the guidelines will follow later this year, once the European Commission has published its own supplementary guidelines.

1.1 Key Content

The guidelines are structured around the three central pillars of the Data Act's data sharing framework.

• First, the ACM sets out the pre-contractual information obligations under Article 3(2)-(3) of the Data Act, detailing the information that sellers, renters, lessors and service providers must furnish to users before concluding a contract for a connected product or related service, including the type, format and estimated volume of data generated, how users can access or delete data, and the identity of the data holder.
• Second, the guidelines provide extensive practical guidance on the data access obligations under the Data Act. The ACM distinguishes between direct access (access by design), where products must be designed to allow the user to retrieve data without the data holder's involvement, and indirect access on request, where the data holder must make readily available data accessible upon the user's request: immediately, continuously and in real time, where technically feasible. The guidelines explain the scope of these obligations, including which data categories fall within scope (product data, related service data and metadata), and explain the exceptions for security risks and trade secrets. Notably, the ACM has set up dedicated notification forms on its website for data holders that refuse to share data on either ground.
• Third, the guidelines address the contractual framework governing data sharing relationships, including the FRAND principles (fair, reasonable, non-discriminatory and transparent terms), the rules on reasonable compensation in b2b constellations (limited to technical costs and data collection investments, with a possible margin), the prohibition of unfair unilaterally imposed contract terms, and the role of the European Commission's Model Contractual Terms (MCTs).

Throughout the document, the ACM illustrates the covered Data Act provisions with practical examples, making the guidelines particularly accessible for businesses seeking to operationalise their compliance efforts. The guidelines also address the interplay with the GDPR and other EU legislation, noting that the ACM and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) plan to publish a joint document on the interaction between the Data Act and the GDPR in the course of 2026.

1.2 Assessment: Consolidation with Added Practical Value

The ACM's guidelines do not introduce a fundamentally novel interpretation of the Data Act. Their primary value lies in consolidating the various interpretive sources, i.e. the Regulation itself, the Commission's FAQ, the Vehicle Data Guidance and the draft guidelines on reasonable compensation, into a single, structured and practically oriented reference document. By doing so, the ACM provides a coherent reading of the Data Act's data sharing provisions that is easier to navigate than the patchwork of EU-level sources currently available. The inclusion of concrete examples, clear definitions and step-by-step explanations of procedural requirements adds genuine operational value for compliance teams, particularly in sectors where connected products and related services are widespread. The document may also serve as a reference point for competent authorities in other Member States as they develop their own enforcement approaches.

2. Japan follows the EU: New Government Data Sharing Framework

On 7 April 2026, the Japanese Cabinet approved a bill to amend the Digital Procedure Act, introducing a new certification-based framework for government-to-business data sharing. The reform is part of Japan's broader Basic Policy on Data Utilisation, which expressly draws on a comparative analysis of the EU's Open Data Directive, Data Governance Act and Data Act.
Under the new regime, businesses may submit a project plan to the competent minister for certification. Once certified, they gain two key benefits:

• a right to request access to government-held data necessary for their project, and
• the ability to obtain an upfront compliance assessment from the Personal Information Protection Commission and other relevant authorities.

These measures aim to effectively clear legal uncertainties before the project begins. Notably, the framework also covers projects that combine government data with privately held data, which could indirectly promote B2B data sharing as well.

However, unlike the EU Data Act (Chapter II), Japan's approach does not impose mandatory data sharing obligations on private parties but instead focuses on unlocking government-held data for commercial use through a structured certification process. It will be interesting to observe whether Japan's model proves to be an effective complement, or ultimately an alternative, to the EU's more prescriptive approach, and whether further legislative steps towards mandatory B2B data sharing will follow.

3. Germany's Data Governance Act Implementation Law Enters into Force

On 19 May 2026, Germany's national implementation law for the EU Data Governance Act (DGA) – the Daten-Governance-Gesetz (DGG) – officially entered into force. The DGA, which has been directly applicable across the EU since September 2023, required Member States to adopt supplementary national rules designating competent authorities, establishing procedural frameworks and setting out sanctions.

Under the new framework,

• the Federal Network Agency (Bundesnetzagentur) assumes the role of competent national authority responsible for the notification and registration of data intermediation services and data altruism organisations, as well as for monitoring their compliance with the DGA's requirements. It will also maintain the public register of recognised data altruism organisations in Germany.
• In parallel, the Federal Statistical Office (Statistisches Bundesamt) has been designated as the central body under Articles 7(1) and 8(1) of the DGA, tasked with supporting public sector bodies in making protected data, such as personal or commercially sensitive data, available for re-use through pseudonymisation and secure processing environments.
• The enforcement regime provides for a graduated approach, ranging from formal notices and cease-and-desist orders to fines of up to EUR 500,000, depending on the nature and severity of the infringement.

The DGG marks one pillar of Germany's national data regulation framework. The Data Act implementing law adopted by the German Parliament (Bundestag) in March 2026, has not entered into force yet (we covered the adoption in the previous edition of our newsletter).

This approach is broadly consistent with the EU’s overarching data strategy and its gradual, layered build-up of the regulatory framework for data sharing – at least until the rules of the DGA on data altruism and data intermediation services will be merged into the Data Act as a main change of EU’s Digital Omnibus.

4. Germany Reaffirms Commitment to Data Act Enforcement Framework

Germany is signalling continued momentum on the implementation of the EU Data Act, underlining that the topic remains firmly on the federal government’s agenda. In a recent update dated 8 May 2026, the federal government (Bundesregierung) reiterates the core objectives of the Regulation: --- fair access to and use of data, increased data availability for businesses, and stronger user control over data generated by connected devices – while also pointing to the ongoing establishment of a national enforcement framework, including the designation of the Federal Network Agency (Bundesnetzagentur) as the competent authority.

While the communication does not introduce substantively new elements, it provides a clear political and regulatory signal: Germany is actively progressing the operationalisation and enforcement architecture of the Data Act and will not leave its implementation unattended.

5. Reminder: E-Evidence Regulation Becomes Fully Applicable on 18 August 2026

On 18 August 2026, the E-Evidence Regulation (Regulation (EU) 2023/1543) will become fully applicable, enabling law enforcement authorities in any EU Member State to issue European Production Orders and European Preservation Orders directly to service providers in other Member States. This procedure will bypass the traditional lengthy mutual legal assistance channels.

5.1 Scope

The Regulation applies to service providers as defined in Article 3(3) of the Regulation offering services within the EU: this includes providers of electronic communications services (e.g. internet telephony, instant messaging and email) as well as providers of information society services that enable communication between users or store or process data on their behalf, covering, for example, cloud providers, online marketplaces and gaming platforms.

Importantly, a provider does not need to be established in the EU to fall within scope. it is sufficient that the provider has a substantial connection to the EU, which may arise from having an establishment in a Member State, but also from a significant user base in one or more Member States or from targeting of activities towards one or more Member States.

5.2 Key provisions

The key provisions of the E-Evidence Regulation can be summarised as follows:

• European Production Order Certificate (EPOC): The competent authority in one Member State may directly order a service provider in another Member State to produce electronic evidence, including subscriber data, traffic data and content data, without prior involvement of the authorities in the provider's country. Service providers must comply within 10 days, or within 8 hours in emergency cases (Article 10 of the Regulation).
• European Preservation Order Certificate (EPOC-PR): Where a subsequent production request is anticipated, authorities may order a service provider to preserve specific data for up to 60 days, ensuring that volatile electronic evidence is not deleted in the meantime (Article 11 of the Regulation).
• Sanctions: Non-compliance with a European Production or Preservation Order may result in pecuniary penalties. Member States must establish their own sanctions regimes but are required to ensure that penalties of at least up to 2 % of the service provider's worldwide annual turnover can be imposed (Art. 15(1) of the Regulation). This is without prejudice to national laws providing for criminal penalties.

With the application date now less than three months away, in-scope service providers should ensure that their internal processes, designated contact points and escalation frameworks are in place.