EU Data Act: New rules on data sharing and cloud services that Norwegian businesses must prepare for

The EU Data Act is a new regulation that grants users — both businesses and consumers — the right to access data generated by connected products and IoT devices, ensures free switching between cloud service providers without unreasonable barriers, and prohibits unfair contractual terms in data sharing agreements. The regulation entered into force in September 2025 and introduces new product requirements from 12 September 2026.

For Norwegian businesses, this is directly relevant. Through the EEA Agreement, the EU Data Act will become applicable in Norway, and companies that manufacture connected products, provide cloud services, or handle large volumes of user data must prepare now. The European Commission estimates that the regulation will generate EUR 270 billion in additional GDP for the EU by 2028 — underscoring the enormous potential of a more open data economy.

In this article, we provide a thorough review of what the EU Data Act entails, who is affected, and concrete steps your business should take.

What is the EU Data Act?

The EU Data Act — formally Regulation (EU) 2023/2854 — is a comprehensive regulation of data sharing and data access in Europe. While the GDPR regulates personal data, the EU Data Act also covers non-personal data, thereby creating a complete framework for the data economy. The regulation addresses three main areas: access to data from connected products (IoT), portability between cloud service providers, and fair terms in data sharing agreements.

The core principle of the law is simple: data generated by users through connected products and services shall be accessible to the users themselves — not locked in by the manufacturer or service provider. In addition, it must be possible to switch cloud service providers without being trapped by technical or economic barriers.

The EU Data Act is part of the European Data Strategy, alongside the Data Governance Act, and complements existing legislation such as the GDPR and the ePrivacy Directive.

Background: Why a data act?

Europe's data economy is enormous — but its potential is far from realised. According to the European Commission, approximately 80 per cent of industrial data remains unused. Valuable data from smart factories, connected cars, medical equipment, and agricultural technology is collected and stored, but rarely shared further.

The reasons are multifaceted:

Data silos. Manufacturers of connected products have historically retained exclusive access to the data their products generate. A farmer who buys a smart tractor often does not have access to the operational data it produces — that access belongs to the tractor manufacturer.

Vendor lock-in. Cloud service providers have made it costly and technically demanding to move data and services to a competing platform. High exit costs, proprietary data formats, and lack of interoperability have kept customers locked in.

Imbalanced agreements. Large data holders have in practice been able to dictate the terms of data sharing, often to the disadvantage of smaller businesses and users.

The EU Data Act addresses all of these problems through a comprehensive framework of rights, obligations, and technical requirements.

Timeline: From adoption to full effect

The EU Data Act has a phased entry into force with different deadlines for different requirements:

• December 2023: EU adopts the Data Act (Regulation 2023/2854)
• 11 January 2024: The regulation is published in the Official Journal of the EU
• 12 September 2025: Core provisions enter into force in the EU — including rights to data access, prohibition of unfair contractual terms, and public sector access to data
• 12 September 2026: New product requirements — connected products and related services placed on the market after this date must be designed to make data accessible to users
• 12 September 2027: Cloud portability and interoperability requirements enter into full force — including the elimination of switching charges
• 2025--2026: Expected incorporation into the EEA Agreement and thus Norwegian law

For Norwegian businesses, this means that preparations should already be well under way, particularly for those that manufacture connected products or provide cloud services.

Who is affected by the EU Data Act?

The EU Data Act affects a wide range of actors in the digital value chain. Here is an overview of who is impacted and how:

Actor	Description	Key obligations
IoT manufacturers	Manufacturers of connected products (smart household appliances, industrial machinery, vehicles, medical devices)	Must design products so that data is accessible to users; provide information about what data is generated
Cloud service providers	Providers of IaaS, PaaS, and SaaS	Must facilitate free switching between providers; remove unreasonable switching costs; ensure data portability
SaaS providers	Providers of software as a service	Must facilitate data export and provider switching; avoid unfair contractual terms
Data holders	Businesses that collect or generate data through products/services	Must grant users access to data upon request, in a structured and machine-readable format
Data recipients	Third parties that receive data from users	Must use data only for agreed purposes; may not use data to develop competing products
Data intermediaries	Intermediaries that facilitate data sharing	Must meet requirements for neutrality and transparency
Public sector	Authorities and public bodies	May require access to private data in extraordinary situations (emergencies, pandemics)

Does this apply to my business?

In short: if your business manufactures or sells connected products, offers cloud services or SaaS solutions, or handles large volumes of data from users or devices, the EU Data Act is relevant to you.

Key rights and obligations

The EU Data Act introduces a range of new rights and obligations that change the rules of the game for data sharing in Europe. Here are the most important:

Access to data from connected products

Users of connected products — from smart washing machines to industrial sensors — gain the right to access data generated by their products. This includes both raw data and metadata. The data holder (typically the manufacturer) is obligated to make the data available:

• Without undue delay following a request
• In a structured, commonly used, and machine-readable format
• Continuously and in real time where technically feasible
• Free of charge to the user, or with compensation that does not exceed the cost of making the data available

Manufacturers must also inform users about what data is generated, how it can be accessed, and whether the manufacturer intends to use the data itself.

Right to share data with third parties

Users may require the data holder to share data directly with a third party of the user's choice. This opens up an entirely new ecosystem of services — for example, independent workshops that can diagnose connected cars, or third-party providers that offer maintenance services for industrial equipment.

However, the third party may not use the data to develop a competing product, or share it further without the user's consent.

Switching cloud service providers

The EU Data Act gives cloud service customers an explicit right to switch providers without unreasonable barriers. This includes:

• The right to take all data with you — including metadata, configurations, and digital assets
• Prohibition of technical barriers that make switching unnecessarily difficult
• Gradual elimination of switching charges — from September 2027, it will no longer be permissible to charge for the switching process itself
• Minimum functionality ensuring the service remains operational during the transition period
• Maximum transition period of 30 calendar days to complete the switch

Prohibition of unfair contractual terms

The regulation introduces an explicit prohibition of unfair contractual terms in data sharing agreements between businesses. A contractual term is considered unfair if it significantly deviates from good commercial practice and is detrimental to the weaker party. Examples include:

• Terms that exclude or limit a party's liability for intentional acts or gross negligence
• Terms that give one party a unilateral right to interpret the contract
• Terms that unreasonably restrict a party's rights to data
• Terms that give one party the right to unilaterally alter the contract without justifiable grounds

What does this mean for SaaS providers?

For businesses that provide software as a service (SaaS), the EU Data Act introduces several concrete requirements that will affect both product development and business models:

Data portability becomes mandatory. SaaS providers must ensure that customers can export all their data in a structured and machine-readable format. It is no longer sufficient to offer a simple CSV export of selected data — the export must cover all data the customer has generated or stored in the service, including configurations and metadata.

Switching costs must be eliminated. Many SaaS providers have historically used complex data migration tasks as a lock-in mechanism. The EU Data Act sets a clear limit: from September 2027, it will no longer be permissible to charge for the process of migrating to another provider.

APIs and interoperability. To meet the requirements for data sharing and portability, most SaaS providers will need to offer robust APIs that enable data export and integration with other systems.

Contract review. Existing agreements with customers must be reviewed to ensure they do not contain unfair terms that contravene the regulation. In particular, clauses relating to data ownership, export capabilities, and termination conditions should be examined.

For Norwegian SaaS companies that already deliver good APIs and export capabilities, the EU Data Act can actually become a competitive advantage. It forces the entire market up to a level that serious players are already operating at.

What does this mean for IoT and connected products?

For manufacturers of connected products and IoT devices, the changes are perhaps the most far-reaching. From 12 September 2026, the following applies to all new products placed on the market:

Design for data access. Connected products must be designed and manufactured so that data generated by the user is easily accessible — directly from the product or through a related service. This is a "by design" requirement that affects product development from the outset.

Disclosure obligation. Before purchase, the user must be informed about:

• What types of data the product generates
• How the user can access the data
• Whether the manufacturer intends to use the data, and if so, for what purposes
• Whether data is transferred to third parties, and the identity of those parties

Data quality and format. Data must be made available in a format that is structured, commonly used, and machine-readable. This means that proprietary binary formats that only work with the manufacturer's own software are no longer acceptable.

Smart contracts. The EU Data Act also sets requirements for the use of smart contracts for automated data sharing. These must meet requirements for access control, continuity mechanisms, and the ability to terminate or reset.

For Norwegian IoT manufacturers, this represents a significant change in the product development process. Data access and sharing can no longer be an afterthought — it must be built in from the start.

Cloud portability: The right to switch providers

One of the most concrete and transformative elements of the EU Data Act is the cloud portability rules. Many businesses have experienced being "locked in" with a cloud service provider because the costs and complexity of switching are insurmountable.

The EU Data Act addresses this systematically:

Functional equivalence. Cloud service providers must ensure that customers can achieve functional equivalence in the new service. This does not mean that services must be identical, but that the customer must be able to achieve comparable functionality after switching.

Transition period. The customer has the right to a transition period of up to 30 days during which both services run in parallel, allowing migration to proceed safely and in a controlled manner.

Gradual elimination of costs. Switching costs shall be gradually reduced and eliminated entirely from 12 September 2027. After this, the provider may only charge for actual data storage and processing costs during the transition period — not for migration work.

Interoperability requirements. The regulation sets requirements for open interfaces and standards that make it easier to move data and applications between providers. The European Commission has the mandate to adopt harmonised standards for interoperability.

For businesses that are currently dependent on a single cloud service provider, this creates new opportunities to negotiate better terms and realise a genuine multi-cloud strategy.

The Data Act and GDPR: How do they relate?

A common question is how the EU Data Act relates to the GDPR. The two regulations are complementary — not overlapping — and regulate different aspects of the data economy:

Aspect	GDPR	EU Data Act
Data type	Personal data	Both personal and non-personal data
Purpose	Protect individuals' privacy	Promote data sharing and data access in the data economy
Rights holder	Data subjects (individuals)	Users of products and services (businesses and consumers)
Primary duty bearer	Data controller and data processor	Data holder, manufacturer, cloud service provider
Data access	Right of access to one's own personal data	Right of access to all data generated by connected products
Portability	Right to data portability (Art. 20) — limited to data provided by the data subject	Extended portability — all data, including machine-generated data
Contract regulation	Limited	Explicit prohibition of unfair contractual terms
Cloud switching	Not regulated	Detailed rules for provider switching and interoperability
Enforcement in Norway	Norwegian Data Protection Authority (Datatilsynet)	Not yet finally determined — likely sector-specific supervisory authorities
Entry into force	2018	2025 (core rules), 2026--2027 (product requirements and cloud portability)

Important: When data covered by the EU Data Act also constitutes personal data, the GDPR applies in addition. The Data Act therefore does not provide a basis for circumventing GDPR requirements — it adds new rights and obligations on top of the existing privacy framework.

In practice, this means that businesses must take an integrated approach where both GDPR and Data Act compliance are managed in a coordinated manner. A data sharing process that involves personal data must meet the requirements of both regulations.

Public sector access to data in extraordinary situations

One element of the EU Data Act that has attracted considerable attention is the ability for public authorities to require access to private businesses' data in extraordinary situations. The provision applies only in clearly defined cases:

• Public emergencies — such as pandemics, natural disasters, or major cyber incidents
• Prevention or recovery from a public emergency
• When data is necessary to carry out a statutory task and cannot be obtained by other means

The authority must document the need, and the data shall be used exclusively for the stated purpose. Businesses have the right to be compensated for the costs of making data available. The provision is therefore not a general surveillance power, but a safety valve for genuinely extraordinary situations.

Practical steps: How to prepare your business

The EU Data Act has a phased entry into force, and it is wise to prepare in stages. Here is a practical checklist:

Phase 1: Mapping and analysis (now -- Q2 2026)

• Determine whether your business is affected by the EU Data Act (manufactures connected products, provides cloud services, handles user data)
• Map all data flows in the business — what data is generated, by whom, and who has access
• Identify which connected products and IoT devices are covered
• Review existing contracts and data sharing agreements — identify potentially unfair terms
• Assess current capacity for data export and portability in your own services
• Map the relationship with cloud service providers — assess lock-in risk and switching costs

Phase 2: Adaptation and implementation (Q2 2026 -- Q3 2026)

• Update product design for connected products so that data is accessible to users by design
• Implement APIs and data export functionality in your own services
• Update terms of service and data sharing agreements in line with the regulation's requirements
• Establish processes for handling data access requests from users
• Develop information materials for users about data rights and access options
• Ensure that smart contracts for data sharing meet the requirements for access control and continuity

Phase 3: Cloud portability and interoperability (Q3 2026 -- Q3 2027)

• Implement full cloud portability in your own services — including metadata, configurations, and digital assets
• Remove unreasonable switching costs in existing customer contracts
• Facilitate transition periods for provider switching
• Implement open interfaces and standards for interoperability
• Test data migration tools and processes with real-world scenarios

Phase 4: Maintenance and optimisation (ongoing)

• Monitor the development of harmonised standards and European Commission guidelines
• Update processes and systems in line with new guidelines and interpretations
• Conduct periodic reviews of data sharing agreements and contractual terms
• Maintain training for employees on new rights and obligations
• Follow case law and supervisory authority guidance

How we can help

At UNOS SOFTWARE AS, we have extensive experience helping Norwegian businesses navigate technological and regulatory changes. Together with our partner Unos IT AS, we offer a complete range of services from development to operations. The EU Data Act touches the core of what we work with — software, cloud services, integrations, and data management — and we are well positioned to help your business become compliant.

• System integration and API development — through our system integration service, we help you build robust APIs and data exchange solutions that meet the EU Data Act's requirements for data access and portability
• Cloud and infrastructure services — our cloud and infrastructure service helps you build a cloud architecture that avoids vendor lock-in and facilitates seamless switching between providers
• Technical consulting — through our consulting service, we map your business's exposure to the EU Data Act, identify gaps in current solutions, and develop a concrete action plan
• Software development — our development service builds solutions with data access, portability, and interoperability built in from the start — so that compliance does not become an afterthought, but an integrated part of the product

The EU Data Act is part of a broader regulatory wave from the EU. Norwegian businesses should also be aware of the Cyber Resilience Act (CRA), which sets security requirements for digital products, NIS2 for businesses in critical sectors, and DORA for suppliers to the financial sector.

The EU Data Act is not merely a regulatory burden — it is an opportunity to build better products, strengthen customer trust, and position yourself in a data economy where openness and interoperability are competitive advantages.

Unsure how the EU Data Act affects your business? Get in touch for an informal conversation about data sharing, cloud portability, and compliance preparations.

Frequently asked questions about the EU Data Act

Does the EU Data Act apply in Norway?

Yes — the EU Data Act will apply in Norway through the EEA Agreement. Incorporation is expected in 2025--2026, and Norwegian businesses should prepare as if the regulation is already in effect.

Does the EU Data Act replace the GDPR?

No — the two regulations are complementary. The GDPR regulates personal data, while the EU Data Act also covers non-personal data. When data constitutes personal data, both sets of rules apply simultaneously.

What does cloud portability mean in practice?

Cloud portability means that you should be able to switch cloud service providers without unreasonable technical or economic barriers. From September 2027, the provider may no longer charge for the switching process itself, and you have the right to a transition period of up to 30 days.

Who enforces the EU Data Act in Norway?

The supervisory authority has not yet been finally determined. It is likely that various sector-specific supervisory authorities will be responsible for enforcement within their respective areas, in cooperation with the Norwegian Data Protection Authority (Datatilsynet) for matters involving personal data.

Can public authorities require access to my data?

Only in extraordinary situations such as pandemics, natural disasters, or major cyber incidents — and only when the data is necessary for a statutory task and cannot be obtained by other means. The business has the right to compensation for the costs involved.

---

Sources and further reading

• European Parliament (2023). "Regulation (EU) 2023/2854 — Data Act." eur-lex.europa.eu
• European Commission (2025). "Data Act — New Rules on Data Sharing." digital-strategy.ec.europa.eu
• European Commission (2022). "Impact Assessment: Data Act." ec.europa.eu
• EFTA Surveillance Authority (2025). "EEA Relevance of the Data Act." eftasurv.int
• Ministry of Trade, Industry and Fisheries (2025). "The EU Data Act and Norwegian Business." regjeringen.no
• Norwegian Data Protection Authority (2025). "The Relationship between GDPR and the Data Act." datatilsynet.no
• European Data Protection Board (2024). "Guidelines on the Interplay between the Data Act and the GDPR." edpb.europa.eu

---

Get in touch

Need help with data sharing, API development, or cloud portability in line with the EU Data Act? UNOS SOFTWARE AS — in partnership with Unos IT AS — helps Norwegian businesses build solutions that meet the new requirements. Send us an enquiry through the contact form — we will have an informal conversation about how we can help your business.