Financial Services

EU Data Act: New rules for data access, contract fairness and cloud portability in the financial sector

Written by

Julia Siebrecht

Dr. Michael Huertas

RegCORE Client Alert | EU Digital Single Market

QuickTake

The EU Data Act (Regulation (EU) 2023/2084) entered into force on 11 January 2024 and has been fully applicable since 12 September 2025 (https://digital-strategy.ec.europa.eu/en/policies/data-act). It supplements the existing EU Data Governance Act (DGA, Regulation (EU) 2022/868) and, alongside the General Data Protection Regulation (GDPR), the Digital Markets Act (DMA) and the Digital Services Act (DSA), forms a central component of the European data strategy.

The EU Data Act comprehensively regulates access to and use of data and establishes a horizontal, EU-wide legal framework for fair access to and use of data across sectors in order to promote fair competition between actors. The key points of the EU Data Act are to strengthen data portability, in particular by making it easier to switch between cloud and edge services, to improve data access for businesses, and to promote open and fair data ecosystems that benefit businesses, public authorities and consumers alike.

Users will have the right to access, use and share the raw data generated by connected products or services. Data owners must provide this data in a timely manner, in common and machine-readable formats, and on fair, reasonable and non-discriminatory (FRAND) terms. Favorable treatment for gatekeepers within the meaning of the Digital Markets Act is excluded.

An implementation period until 12 September 2027 is provided for the adaptation of existing contracts (open-ended or with a term of more than ten years as of 11 January 2024).

Key takeaways on the EU Data Act for the financial market

Target audience

The scope of the EU Data Act includes manufacturers of connected products, providers of connected services, users and data recipients (in both the B2C and B2B sectors), cloud and edge service providers, and public authorities, which are granted access to data under strict conditions in exceptional cases.

Key regulatory content

Access rights to data: Users of connected devices or services are granted the right to access the data they generate, including the option to have this data transferred to third parties (data portability).

Contract fairness (B2B): In certain situations, companies must grant other companies access to data – on FRAND terms. The protection of small and medium-sized enterprises (SMEs) from power imbalances is expressly emphasised (https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=OJ:L_202302854).

Obligations for cloud and edge services: Providers must remove barriers to switching, ensure the portability and interoperability of data, and enable migration and exit processes contractually and technically. Switching fees must be gradually reduced and will no longer be permitted from 12 January 2027. Where standards are lacking, a fallback export in a structured, commonly used and machine-readable format must be provided.

B2G data sharing: Under certain conditions, authorities may request access to data from companies. However, the requirements for authorities wishing to access data are strict. Official data requests must be purpose-specific, proportionate, time-limited and well-founded. Outside of genuine emergencies, access is regularly restricted to non-personal data. The Data Act does not create its own legal basis for the processing of personal data. The GDPR and the ePrivacy Regulation take precedence, and trade secrets and intellectual property rights must also be protected (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ%3AL_202302854).

Interfaces with existing financial market regulation

The EU Data Act does not operate in isolation, but in conjunction with existing and future financial market regulations. The following interfaces are particularly relevant:

PSD2 (prospective PSD3/PSR): Today, banks must give third-party providers (TPPs) access to payment and account data via standardised interfaces (APIs) if their customers authorise this (‘open banking’). The EU Data Act significantly expands the scope, as it covers all user-generated data, in particular IoT and machine data.

DORA: While the EU Data Act calls for interoperability and portability, DORA sets higher security and resilience standards. In future, financial service providers will have to reconcile these requirements and strike the regulatory balance between openness (EU Data Act) and protection against cyber risks (DORA).

FIDAR: With its proposal for a Financial Data Access Regulation (FIDAR), the EU is creating a specific framework for access to financial data that goes beyond PSD2 and aims to establish an open finance ecosystem. FIDAR obliges financial institutions to provide financial data via standardised interfaces, provided the customer agrees, thus supplementing the cross-sector approach of the Data Act with an industry-specific component.

Key considerations from …

Connected products/IoT: The principles of ‘access by design’ and ‘security/privacy by design’ must be consistently implemented in product development and contract design – access to data and its protection must be planned for from the outset, both technically and organisationally:

  • Technical requirements: Above all, robust interfaces, consistent data models, defined export formats and fixed export frequencies are required. 
  • Role and rights concepts: Responsibilities and access rights must be clearly defined and regularly reviewed in accordance with the principle of least privilege.
  • Traceable logging and secure data paths: Access and data movements must be comprehensively (and tamper-proof) logged; data retrieval and transfer may only take place via encrypted and authenticated channels.
  • Trade secrets and intellectual property: Trade secrets and IP must be adequately protected, in particular through pseudonymisation, encryption and strict access restrictions.

Exit capability for cloud and edge solutions: Contracts must guarantee the portability and interoperability of data. This includes the obligation to support open, standardised interfaces and formats. In particular, appropriate deadlines for changing providers or terminating the service must be specified in the contract to enable orderly migration.

At the operational level, suitable, tried-and-tested tools and procedures for migrating data and workloads should be provided. Regular test exports and migration trials, as well as rollback and contingency plans, are necessary to minimise migration risks and ensure business continuity.

Contract design and old contracts: New contracts from 12 September 2025 onwards must be drawn up in accordance with the Data Act. By 12 September 2027, existing cloud or data contracts with a remaining term of at least ten years (starting point: 11 January 2024) must be reviewed and adjusted if necessary.

Switching fees: Fees for switching providers (switching fees) must be reviewed, gradually reduced and eliminated by 10 September 2027 at the latest.

Governance: Guidelines for data use, access rights and internal processes must be adjusted. Responsibilities, approval processes and documentation requirements must be defined in a binding manner.

Monitoring: Continuous monitoring of regulatory developments and technical standards is essential.

Outlook

The core provisions of the Data Act have been in force since 12 September 2025. Contract templates, exit playbooks and technical interfaces should be adapted to the new requirements, if this has not already been done. Without a clean data architecture and FRAND-compliant conditions, there is a risk of delays, compliance gaps and loss of trust.

There is still time until 12 September 2027 to adapt old contracts (open-ended or with a term of more than ten years from 11 January 2024).

On the one hand, the changes open up considerable opportunities, as external data sources such as smart car or smart home data can be incorporated into product and condition design with the consent of customers. On the other hand, proprietary data models, API architectures and contracts must be designed in such a way that requirements for data access, interoperability and portability are met. This requires technical standardisation, robust export paths and FRAND-compatible conditions in contractual practice.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as in proactively engaging with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award in 2025”.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.