Act now and review your contracts
The Data Act (Regulation (EU) 2023/ 2854, DA for short) has been in force since September 12, 2025, and establishes EU-wide rules on the access, share, and use of data from connected products and related services. It also covers non-personal data, whose use will in future require a separate data use agreement. In addition, the DA contains further requirements for contract drafting, meaning that companies will need to thoroughly review and adapt their contracts.”
New requirements for contract drafting
The DA introduces numerous new obligations regarding the access, share, and use of data. It not only regulates that such access must be enabled, but also how this is to be structured contractually – for example through requirements on contract conclusion, contract content, or pre-contractual information duties. A key innovation is the obligation to conclude separate data use agreements for previously unregulated non-personal data, both in the B2B and B2C context. While some requirements apply already at the product design stage, others take effect along the distribution chain. The aim is to ensure transparency and fairness and to prevent imbalances. Overall, the DA thus significantly intervenes in contract drafting and sets out various requirements at different levels of detail.
The DA operates alongside copyright, data protection, and trade secrets law, requiring a holistic assessment. The specific obligations that apply under the DA depend on the particular circumstances and the parties involved.
Data holder – User
Data access: If the user of a connected product or related service does not have direct access to the product or service data generated, these so-called “readily available” data must be provided upon request. This obligation is statutory and does not require a contractual agreement. In exceptional cases, however, access to, use of, or sharing of the data may be contractually restricted.
Data use: Conversely, if the data holder wishes to make use of non-personal product or service data, a data use agreement is required – a major departure from previous law. In addition to the product or service contract and any applicable data protection requirements, this creates a third contractual layer. Since user status can change dynamically, contracts must clearly reflect this in order to establish a legally secure licensing chain.
Put simply, the contractual framework for connected products and related services now rests on three pillars:
Dateninhaber – Third party
In addition to the user’s right of access, the DA requires the data holder, upon the user’s request, to make readily available data accessible to a designated third party in the same quality, format, and manner. The contractual relationship between the data holder and the third party must govern the provision of such data, with specific requirements depending on the context:
- B2C relationships: General consumer protection law applies. Contractual terms must be clear and easy to understand. Unfair contract terms are prohibited, and standard terms are subject to control under consumer law.
- B2B relationships: Contracts must meet stricter requirements: terms must be fair, reasonable, non-discriminatory, and transparent. A new feature is the prohibition of unfair contractual terms. While data must be provided to the user free of charge, the data holder and the third party may agree on compensation, including a margin, for the transfer. However, user rights cannot be restricted in B2B contracts.
Pre-contractual information obligations
Before concluding a sales, rental, or leasing contract for a connected product, or before entering into a contract for the provision of a related service, the seller, lessor, leasing provider, or service provider is subject to extensive information obligations. The user must be provided with clear and comprehensible details regarding the type, scope, format, frequency, storage, and accessibility of the data.
Standard contractual clauses (SCC) of the European Commission
On 2 April 2025, the European Commission published model contract clauses for data sharing as well as standard contractual clauses (SCC) for cloud contracts. Their purpose is to support contracting parties under the DA by providing fair, reasonable, and non-discriminatory rights and obligations.
The model clauses are designed as annexes to contracts and follow a modular, building-block approach tailored to different contractual scenarios. However, they are highly complex. While they provide important guidance for companies, they must always be adapted to the specific contractual situation. The clauses do not replace individual legal review, as they are primarily designed for B2B contexts and require adjustment for B2C relationships.
Practical implementation
Companies should take action and review their existing contractual frameworks in light of the new requirements under the DA. Going forward, even non-personal product or service data may no longer be used without a data use agreement, and data sharing must also be contractually defined. There are different options for structuring such agreements, but compliance with the statutory requirements and the specific circumstances of each case is essential. Small and medium-sized enterprises should also examine potential exemptions under the DA: under certain conditions, they are not required to comply with the obligations set out in Articles 3 to 6.
Conclusion
DA compliance poses significant challenges for companies. Those who start now with a clear roadmap for contract management will save time, avoid risks, and be able to leverage compliance with the DA as a targeted competitive advantage.
Our one-pager on the DA is available here.
back