The EU Data Act is one of the most sweeping laws of recent years on data use, access and control. The law is intended to pave the way for a European data economy in which information can flow freely, without compromising privacy, ownership or security.
Yet this ambition also raises many questions.
- What does the Data Act mean in practice for organizations that generate, share or manage data?
- Who is legally responsible in case of abuse or data breaches within complex chains?
- And how can companies meet the requirements of demonstrability and transparency without getting bogged down in new layers of bureaucracy?
To answer those questions, we spoke with Huub de Jong, partner and legal expert in European data legislation.
In this interview, he shares his views on the legal impact of the Data Act, the challenges for organizations as well as the role of technology in the demonstrably secure sharing of data.
“This is really about stimulating market forces,” said Huub de Jong – Turing lawyers
About Turing Lawyers
Turing lawyers (turing law) is an independent boutique firm that focuses entirely on the legal aspects of data and digitization, from IT contracts and cloud to privacy (GDPR), AI and intellectual property, for (inter)national companies and (semi)public organizations.
The team regularly publishes on new EU regulations such as the Data Act and the implications for cloud contracts and data sharing.
At a glance
Applicable since Sept. 12, 2025, the Data Act moves from “sitting on data” to conditional access and sharing.
Manufacturers and service providers of connected products (IoT) must offer access-by-design; that design requirement applies to new products and services entering the EU market after Sept. 12, 2026.
Cloud lock-in is broken: customers get switching rights and by Jan. 12, 2027, egress/switching fees disappear (after a transition period with cost-based charges).
In exceptional need, public agencies can request data, quickly and for free in cases of acute need, in other cases with compensation and strict safeguards.
Unfair B2B clauses are addressed (black/grey list); data sharing must be on FRAND terms and with reasonable (sometimes cost recovery) compensation.
“Organizing, not throwing it over the fence.”
Huub de Jong is clear about the intent of the law: “We need to throw that market open. We will have to be less frenetic on that data,” he says. “You don’t have to release everything: you have to provide it, but with conditions. You have to organize it.” In his words, the debate is shifting from ownership to access: the classic “this is mine” is giving way to regulated sharing.
That line fits seamlessly with the European Commission’s policy framework, in which the Data Act provides a horizontal set of ground rules for who may use what data and under what conditions, from IoT data through cloud migrations to government requests.
What specifically does the EU Data Act regulate?
1. IoT/connected products: access as standard
Users (companies or consumers) of connected products and related services will have control over the data created during use. Manufacturers/service providers must provide “access by design”: data available simply, securely, free of charge and where relevant (near) real time. This design obligation applies to new products/services placed on the EU market after Sept. 12, 2026; transparency on what data the product generates is mandatory before purchase.
“You are not allowed to develop a competitive product with it,” says Huub de Jong about the limits on third parties getting data. That prohibition is also in the regulations: use is purpose-bound and product cloning is excluded.
Trade secrets. Data sharing can be done despite secrecy, provided there are proportionate measures (NDAs, access restrictions, logging). Only if the data holder demonstrates that disclosure is highly likely to result in serious economic harm may it refuse.
No ‘gatekeeper route’. In practice, the current reading of the Commission FAQs means that DMA gatekeepers cannot act as “beneficial third parties” under these IoT rights; moreover, recipients must be located in the EU.
2. Fair B2B terms, FRAND and compensation
Where the law or the Data Act imposes a B2B duty to share, terms must be fair, reasonable and non-discriminatory (FRAND). Reasonable compensation is allowed (sometimes cost recovery for SMEs/research). In addition, the Data Act polices unfair terms with a black/gray list of prohibited or presumptively unfair clauses in data contracts.
3. B2G: data sharing in cases of exceptional need
Public agencies can request data in exceptional situations (e.g. pandemic, natural disaster or to recover from an emergency). In acute emergency: free of charge and without undue delay (guideline period: days). In non-acute cases, compensation rules, tight proportionality and paper trails apply (written justification, deadlines).
4. Cloud switching and interoperability: end of lock-in
The Data Act addresses vendor lock-in:
- Switch right: customers may migrate to another provider or on-prem. Requiring more than two months’ notice is not allowed.
- Transition window: a 30-day migration phase (extendable to up to 7 months in case of objective complexity) with continuity assurance.
- Charges: until Jan. 12, 2027, only cost-based switching/egress charges are allowed; after that, completely prohibited.
- Interoperability: PaaS/SaaS should provide open interfaces & common formats; IaaS should pursue functional equivalence after switching.
5. Illegal requests from outside the EU (non-personal data)
The Data Act does not prohibit cross-border data flows, but introduces safeguards when third countries request access to non-personal data in the EU (especially in the case of cloud). Providers must test for conflict with EU law and can oppose.
How does this fit into the broader compliance landscape?
- The GDPR remains leading for personal data; mixed datasets often require a legal basis (e.g., consent) and “GDPR-first” applies.
- NIS2 requires essential/key entities to implement cyber risk management and incident reporting, which is critical because Data Act access must occur securely within the chain.
- DORA has been applicable in the financial sector since Jan. 17, 2025, supplementing Data Act exits with exit/continuity requirements towards critical ICT suppliers.
- The AI Act has a phased timeline (prohibited practices and AI literacy since Feb 2, 2025; GPAI model rules since Aug 2, 2025; high-risk core obligations since Aug 2, 2026). The Data Act is thus a supply route for more accessible training data; the AI Act regulates accountability & security.
- Common European Data Spaces (such as the European Health Data Space, in operation since March 2025) provide sectoral infrastructure for trusted data sharing.
Oversight & penalties. Member States appoint competent authorities and, if there are several, a data coordinator; penalties are determined nationally (effective, proportionate, dissuasive). The Commission publishes a register.
Case study from the interview: “mechanic vs. supplier”
Huub de Jong outlines the scenario of a local mechanic gaining access to PLC software or sensor data: “You can no longer say: everything is mine; no one is allowed to repair. But you also don’t have to say: here is everything, good luck with it.”
What you arrange legally and technically:
- Purpose limitation & scope in the contract (what data, what purpose, for how long, through what channel).
- Trade-secret protection (NDA, need-to-know, API filters, throttling). Only in cases of probable serious harm may you refuse.
- Liability & burden of proof: make irrefutable audit trails (WORM logs, hashes, timestamps) part of the agreements.
- GDPR compliance (minimization, pseudonymization where possible).
- Exit paragraph consistent with Data Act switching rules (notice period ≤ 2 months; transition 30 days, extendable in case of objective complexity; no egress fees after Jan. 12, 2027).
Real-world example: sharing documents securely with Msafe Secure File Transfer
The EU Data Act is often about telemetry and machine data, but in practice you also exchange documents that allow access or interpretation (config backups, firmware release notes, maintenance reports, safety instructions, data dictionaries/metadata). A secure document transfer solution such as Msafe is then the workhorse in your access and accountability chain:
How this helps you work Data Act-proof
- Strong authentication & timeboxed access
- Provide documents via time-based and one-time links, with multifactor authentication or identity verification.
- Role and target-based policies
- Link each file to purpose limitation and retention; avoid reuse beyond the intended maintenance purpose (prohibition of competitive product development fits seamlessly with this).
- Irrefutable logging
- Every download, preview or forwarding action is cryptographically logged for audit & forensics purposes – exactly what you need in the “mechanic vs. supplier” scenario.
- Data minimization & classification
- Share only what is necessary (e.g., a specific configuration, not the entire factory topology), and label files (personal data/non-personal data/trade secrets) so that the correct legal route applies (GDPR vs. Data Act).
- Metadata delivery
- The Data Act requires that recipients be given relevant metadata to interpret data; link manuals, data dictionaries and changelogs to the data set transfer.
- Exit and portability
- Msafe-like tooling can provide export packages (formats, mapping tables) that support your cloud exit, appropriate to the switching windows and the upcoming egress ban.
“In short: with secure document transfer, you bring legal agreements to the operations floor: who was allowed to see which file when and why, and you can prove it tomorrow.”
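Added example, not part of the original article and not Msafe's implementation: a minimal hash-chained audit log illustrating the "WORM logs, hashes, timestamps" audit trail and the logging of download, preview and forwarding actions described above. The field names, the `repair-4711` purpose ID and the sample events are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def _digest(record):
    # Canonical JSON: identical records always produce identical hashes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append_event(log, ts, actor, action, file_sha256, purpose):
    """Append one access event, chained to the hash of the previous entry."""
    record = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
              "file_sha256": file_sha256, "purpose": purpose,
              "prev": log[-1]["hash"] if log else GENESIS}
    log.append(dict(record, hash=_digest(record)))
    return log[-1]["hash"]  # new head; store it outside the log (WORM, counterparty)

def verify_chain(log, expected_head=None):
    """Return the index of the first bad entry, len(log) if the head does not
    match the externally stored one, or None if the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or entry.get("prev") != prev
                or entry.get("hash") != _digest(record)):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def sample_log():
    """Constructed events for the mechanic/supplier scenario (not real data)."""
    doc = hashlib.sha256(b"constructed PLC config backup").hexdigest()
    log = []
    append_event(log, "2026-01-10T09:00:00Z", "supplier", "upload", doc, "repair-4711")
    append_event(log, "2026-01-10T09:05:12Z", "mechanic", "download", doc, "repair-4711")
    head = append_event(log, "2026-01-10T09:07:40Z", "mechanic", "forward", doc, "repair-4711")
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    print("intact:", verify_chain(log, head))
    log[2]["action"] = "preview"          # in-place edit of the last event
    print("first bad entry:", verify_chain(log, head))
```

The chain on its own only exposes in-place edits; a truncated or fully recomputed log is caught only because the head hash is kept somewhere the log's operator cannot rewrite.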
Checklist: here’s how to get your organization Data Act-ready
Legal
- Model clauses: FRAND terms, reasonable/cost recovery (for SMEs/research), anti-kickback clause, trade-secret measures, right of suspension in case of breach.
- Unfair terms scan: check your standard terms for the black and gray list (liability exclusions, unilateral interpretation rights, unbalanced exit).
- B2G playbook: process for exceptional need requests (who reviews, deadlines: urgency vs. 30 days, compensation, documentation).
Technology & security
- Access-by-design for IoT (for products/services after Sept. 12, 2026).
- APIs/portals for users and third-party access + metadata.
- Cloud exit kit (export formats, mappings, test data, roadmap) in combination with notice ≤ 2 months, transition 30 days (max. 7 months), no egress fees after Jan. 12, 2027.
Governance
- Roles & RACI for IoT access, B2G requests, disputes; route to data coordinator and competent authorities.
- Training: distinguish GDPR vs. Data Act; link to NIS2 and (if relevant) DORA and AI Act.
Timeline (what when?)
- Sep 12, 2025 – Application Data Act (most provisions).
- Sep 12, 2026 – Access-by-design mandatory for new connected products/related services in EU market.
- Jan 12, 2027 – Ban on switching/egress fees; only cost-based charges allowed until that date.
Why this requires opportunity thinking
Whereas the GDPR secures the lower limit of protection, the Data Act creates headroom for new services (aftermarket, predictive maintenance, data-based optimization).
Huub de Jong: “Without good compliance, you are vulnerable. But the real value is on the other side: what does responsible sharing deliver?”
Msafe positions itself in that practice: secure document transfer as an enabler for controlled access, demonstrability and switch-ready cloud contracts. That’s how to turn compliance into a competitive advantage.
Resources
This article is based on an interview with Huub de Jong of Turing lawyers in conjunction with the sources below.
- Data Act explained (European Commission): application date Sept. 12, 2025; chapters, FRAND, trade-secret safeguards, B2G, cloud switching (transition 2024-2027), international access, oversight/data coordinator. Digital Strategy
- Alston & Bird: access-by-design for new connected products/services from Sept. 12, 2026; transparency duties; examples.
- Taylor Wessing (EC FAQs summarized): recipients in the EU; gatekeepers no recipient; FRAND/compensation; B2G deadlines (urgency vs. 30 days); switching: 30 days (max. 7 months) and notice ≤ 2 months.
- DLA Piper: cloud switching, notice ≤ 2 months, ban on switching charges/egress fees as of Jan. 12, 2027.
- Loyens & Loeff: black/gray list of unfair B2B clauses.
- Common European Data Spaces & EHDS (Commission): sectoral data spaces; EHDS in operation since March 2025. Digital Strategy
- NIS2 (Commission) & DORA (EIOPA): cyber obligations (NIS2) and digital resilience financial sector (DORA, application Jan. 17, 2025). Digital Strategy
- AI Act (Commission): timeline obligations (2025-2026). Digital Strategy







