The EU Data Act Has Taken Effect: Focus on Automotive and Cloud Providers
The EU Data Act came into effect on September 12, 2025. The European Commission has announced that further tools are in progress to assist with implementation of the EU Data Act, such as setting up a “Data Act Legal Helpdesk,” providing guidance on the application of provisions in the EU Data Act intended to protect trade secrets, and publishing model terms in relation to data sharing, as well as standard contractual clauses for cloud services. On September 12, the European Commission published Guidance relating to data sharing obligations in the automotive industry; the European Commission’s FAQs about the Data Act have also been updated.
Focus of the EU Data Act
There are two main areas of focus of the EU Data Act:
- Data access and sharing obligations imposed on manufacturers of connected products and providers of related services; and
- Switching rights for customers of cloud services.
Cutting across these two categories are the EU Data Act’s unfair terms provisions, which will apply whenever a business-to-business contract contemplates data access and use.
In our previous Legal Update, we provided an overview of the main obligations relating to connected products, related services and cloud services. In this piece, we focus specifically on the impact of the EU Data Act in the automotive sector and on cloud providers.
How Does the Data Act Affect the Automotive Industry?
Extent of Guidance
The European Commission states that the newly released Guidance only concerns the automotive sector—for example, original equipment manufacturers (OEMs), suppliers, insurance providers and aftermarket service providers—so it should not be automatically extrapolated to other industries. It only relates to vehicles classified as connected products under the EU Data Act, and related services connected with those vehicles.
Related Services
With regard to the types of services related to connected vehicles that are intended to be subject to the requirements of the EU Data Act, the Guidance explains that services which do not affect the functioning of the vehicle are not to be considered in scope as related services. For example, an app that analyzes an electric car’s charging history, but does not transmit any commands to the car, would be out of scope. Similarly, insurance services that analyze vehicle data and create a profile of drivers based on their behavior would also not be subject to the EU Data Act.
On the other hand, the following services are cited in the Guidance as examples of services that may be in scope:
- Remote control services that can activate or perform functions of the vehicle (such as locking or unlocking the door, or managing the charging of an electric vehicle);
- Repair and maintenance services that are deemed “non-regular” because they involve a bi-directional exchange of data, such as services that predict an individual driver’s maintenance needs;
- Cloud services that apply existing driver preferences to a vehicle automatically; and
- Dynamic route services that use vehicle data to recommend routes.
Types of In-Scope Data
The EU Data Act does not require all data relating to the use of connected products and related services to be made available to users—for example, information that is inferred or derived from raw data is excluded from scope.
The Guidance seeks to further clarify this point, stating that inferred or derived information that represents entirely new information is intended to be out of scope, such as data that represents predictions of future events, values or conditions, or data processed from multiple sources leading to entirely new insights.
Against this context, the Guidance then sets out an extensive list of data generated from the use of connected vehicles and related services that are intended to be in and out of scope. Sensor signals, raw image data, vehicle speed, battery level, and liquid levels are just a few examples of in-scope data, as compared to advanced driver-assistance systems data and analysis of crash severity data, which are deemed out of scope.
Overall, the Guidance will assist OEMs, suppliers, and relevant service providers in better defining the extent of their obligations under the EU Data Act. It also demonstrates the complexities of data-mapping processes under the EU Data Act.
What Is the Impact on Cloud Providers?
Requirements to ensure switching rights will impact providers of many types of cloud and edge services, delivered via different service models, such as Internet-as-a-Service, Platform-as-a-Service, and Software-as-a-Service (defined as “data processing services”). Obligations apply where a provider delivers services to customers in the European Union, regardless of whether the provider is based in the European Union or not.
The headline obligation is that providers must enable customers to switch to a different data processing service or bring the service on-premise. In particular, providers are obliged to include specific clauses in their customer contracts relating to switching rights. Providers are also required to provide reasonable assistance in the switching process, and support the customer’s exit strategy. Importantly, switching charges applied by providers must be phased out and are ultimately prohibited from January 12, 2027. However, this does not prevent providers from charging standard service fees, or early termination penalties.
Unfair Terms
The EU Data Act also establishes that some contractual terms relating to the access and use of data, and liability and remedies for breach or termination of data-related obligations, will be deemed unfair, and therefore non-binding, if unilaterally imposed by one business on another business. One example would be terms that seek to exclude or limit liability for intentional acts or gross negligence in relation to data. Other terms, such as a term allowing the imposing party to access and use data in a manner that is significantly detrimental to the other party’s commercial interests, are presumed to be unfair (for example, if a service provider imposed a contractual term allowing it to share a customer’s commercially sensitive data with the customer’s competitors). However, the imposing party can rebut the presumption if it can demonstrate that the provision is not unfair given the specific circumstances.
Cloud providers will need to carefully assess their contract terms and negotiation practices to ensure compliance with the switching requirements, and minimize the risk that terms are deemed unfair and therefore non-binding.
***
If you would like to discuss how your business can tackle these challenges, please reach out to the authors or your usual Mayer Brown contact.



