EU Data Act: Guide for Non-EU Companies

A major EU regulation is set to take effect on 12 September 2025, and its impact will be felt far beyond the borders of the European Union. The Data Act, which entered into force earlier in 2024, will soon become enforceable across the EU, reshaping how companies collect, use, and share non-personal data. With extraterritorial scope similar to the GDPR, the regulation extends to companies based outside the EU, including in the Western Balkans, if their services involve connected devices, data-driven applications, or cloud infrastructure used by clients within the EU.

The goal of the Data Act is to ensure fair access to non-personal data, reduce dependence on large providers, and create new business opportunities in the EU data economy. It applies broadly, from manufacturers of Internet-of-Things (IoT) devices and vehicles to software platforms, SaaS providers, cloud services, and data intermediaries. For businesses in the region aiming to serve EU-based clients, it is essential to understand all of their obligations under this act.

Data Access and Third-party Sharing

One of the most consequential changes is the requirement to grant users access to the non-personal data generated through their use of connected products and related services. Companies must ensure that this access is technically feasible, provided in a structured and machine-readable format, and actually meaningful from a user standpoint.

Crucially, the user must also be allowed to authorize third parties (including competitors or independent service providers) to access this data. Any discrimination against such third parties is prohibited. Technical and legal frameworks (contracts and terms of use) must now incorporate user access and sharing rights from the outset.

FRAND terms

For companies that find themselves acting as data holders, particularly when a third party is granted access on behalf of an EU user, the Data Act mandates that such access be granted under fair, reasonable, and non-discriminatory conditions (FRAND terms). In practical terms, this means that any compensation sought for providing data must be calculated transparently and objectively, based on both the actual costs incurred and the volume of data provided.

Trade Secrets and Personal Data

While promoting openness, the Act also protects trade secrets, security, and privacy. Any sharing of mixed data (personal and non-personal) must comply with the GDPR and be subject to appropriate technical and organizational safeguards. Companies must ensure that third-party access does not expose sensitive business information or personal data.

SME protection

The regulation also draws a sharp line when it comes to the treatment of small and medium-sized enterprises (SMEs). It recognizes that such entities may act both as data holders and recipients, and companies from the Western Balkans may fall into either role depending on the nature of their commercial relationships.

If they meet the definition of an SME, they are entitled to protection against unfair contract terms when dealing with larger EU partners, particularly in data-sharing arrangements. This includes shielding them from clauses that would exclude liability for gross negligence, severely limit legal remedies, or prohibit data use after contract termination.

However, this protection does not extend to the obligations side: non-EU SMEs, unlike their EU counterparts, do not benefit from exemptions regarding data-sharing duties. If they offer connected products or services in the EU, they are expected to grant usage data access under the same conditions as large companies. In effect, they are protected when receiving data but must fully comply when providing it.

Cloud Switching

Cloud or SaaS providers from the Western Balkans offering services to EU clients must allow clients to switch providers without barriers. Data must be exportable in a usable format, and practices such as charging exit fees (so-called egress fees) will be phased out. These provisions are meant to promote competition.

Public Sector Access to Data

In certain public interest situations, such as emergencies, disasters, or crises, public authorities in the EU may request access to privately held data. Companies must be prepared to respond to such requests quickly, securely, and free of charge. This includes companies outside the EU that serve EU users or entities.

Penalties for Non-Compliance

EU Member States are required to designate national authorities and determine penalties to enforce the Data Act by 12 September 2025 at the latest. These sanctions are expected to largely mirror the scale of those imposed under the GDPR. Although countries have yet to define their specific penalty regimes, there are a few indicators.

For example, Germany has published a draft law introducing a tiered fine system: minor breaches could incur up to EUR 50,000, moderate violations up to EUR 100,000, and serious offenses up to EUR 500,000, while 7 gatekeeper companies (Google, Amazon, Apple, ByteDance, Meta, Microsoft, and Booking) face potentially much steeper penalties of up to EUR 5 million or 4% of their EU-wide annual turnover, whichever is higher.

Key Takeaways

The Data Act introduces a fresh layer of legal and technical obligations for companies operating in the EU market, and those that adapt early will gain a clear competitive edge. Yet whether this regulatory push will genuinely foster innovation remains open to question. In most cases, valuable data emerges as a consequence of innovation, rather than being the driver of it.

 

Contact

Matija Markovic, LL.B.

Attorney At Law

  • Litigation/Dispute Resolution
  • Labor & Employment
  • Data Protection
  • Compliance

matija.markovic@doklestic.law
