.png?width=1816&height=566&name=brandmark-design%20(83).png "Tech Channels - IT News, Resources & Insights")
Two years after it was enacted, the European Union’s Data Act came into force on September 12 as one of the most comprehensive pieces of legislation ever passed around data management.
The law seeks to create a fair and competitive single market for data by making Industrial Internet-of-Things (IIoT) data more accessible while clarifying who can use it and under what conditions.
The new rules build on earlier frameworks such as the Data Governance Act, which together aim to further the bloc’s digital sovereignty initiatives by ensuring that a handful of powerful firms don’t lock it away. The law’s various provisions, including cloud portability, interoperability, and cracking down on unfair terms, is a direct response to market power dynamics where US Big Tech remains dominant.
Europe’s data sovereignty push clashes with US legal reach
The Data Act has extraterritorial reach in that any company, even if they operate outside the EU, but still offer connected products or cloud services to EU customers, must comply. The regulation applies to manufacturers of connected products, cloud providers, and data processing services among others. As such, the law is effectively sector-agnostic. For instance, an automotive manufacturer is obligated to enable vehicle owners to obtain sensor data, while cloud providers must make it easy for clients to exit their platforms, and IoT manufacturers must design products with data extraction abilities built in.
Fairness in contracts and data sharing is one of the key provisions of the Act, which seeks to protect businesses from unfair contractual terms like vendor lock-in or excessive egress fees in the case of cloud services. The law explicitly prohibits contractual clauses that allow one party to unilaterally terminate a contract or refuse interoperability. Specifically, the cloud portability requirement is one of the most disruptive elements of the legislation, since it forces many cloud computing providers to change their contracts and provide the technical functionality allowing clients to switch providers and move data without “significant downtime or costs.”
Despite the Data Act’s stringent provisions and obligations, major obstacles remain. Amazon, Google, and Microsoft still hold a 70% market share in the EU, while EU providers only hold around 15 percent of the market. However, given that the Big Tech companies are all headquartered in the US, the Data Act—along with GDPR—are in direct conflict with US corporate structures and legislation, namely the 2018 CLOUD Act and 2001 Patriot Act. In other words, US legal frameworks effectively override European sovereignty. From a technology perspective, measures like encryption, technical isolation, confidential computing, and zero-knowledge architectures alone cannot prevent legal compulsion in the name of the CLOUD Act.
While the Data Act’s impact will depend on how it’s implemented and enforced in the coming years, companies that move early—by mapping data flows, updating contracts, and building reliable export interfaces and exit plans—will reduce their compliance risk and also boost operational resilience.
