The EU Data Act (Regulation (EU) 2023/2854) has been applicable since 12 September 2025. As organisations move from implementation planning into day-to-day execution, one practical issue is increasingly coming to the fore: many pre-September 2025 contracts were not drafted with the Data Act’s access, use, and sharing logic in mind.
For most organisations, the objective is not a wholesale renegotiation of the contract landscape. Instead, the focus should be on identifying where legacy contracts create avoidable regulatory, operational, or commercial friction, and then applying proportionate remediation measures based on the organisation’s role (manufacturer, provider of related services, data holder, data recipient, platform operator, etc.) and the data flows at stake.
This article highlights three scenarios in which existing contracts concluded before September 2025 should be reviewed and, where necessary, amended, particularly where the organisation’s exposure is material. It also addresses a frequently overlooked point: the Data Act’s unfair terms regime has staged application rules for older contracts, which affects remediation timelines and prioritisation.
Before turning to contract language, it is advisable to build a structured fact base addressing:
A focused scoping exercise typically reduces remediation volume substantially: in practice, only a subset of products, data categories, and contractual relationships drive the majority of risk and delivery effort.
Where user access (or third-party access at the user’s request) may expose information that qualifies as a trade secret, contract remediation should be treated as a matter of risk management and operational enablement, not merely legal “tidying up”.
The Data Act requires that trade secrets be preserved, and it links disclosure to the adoption of “all necessary measures” prior to disclosure to preserve confidentiality, including measures relevant to third parties. It also provides a framework for identifying trade-secret data and agreeing proportionate technical and organisational measures, and it allows the data holder to withhold or suspend sharing where necessary measures are not agreed or implemented.
In legacy contracts, trade-secret safeguards are often either (i) too generic to be operationally effective, or (ii) misaligned with real-world data flows (e.g., API access, dashboards, interoperability interfaces, or data export functionality). A targeted uplift commonly includes:
Identification and classification: mechanisms to identify trade-secret data (including via metadata where practicable) and to manage changes to classification over time.
Confidentiality and purpose limitations: clearer restrictions on use and disclosure for users and (where relevant) third parties receiving data at the user’s request, aligned to the agreed purpose.
Security and access protocols: contractual commitments reflecting how data is actually shared (e.g., authentication, audit logging, access control, incident handling) and the roles responsible for implementation.
Enforcement and remedies: proportionate audit rights, escalation and cure mechanisms, and remedies that support rapid containment where confidentiality is at risk.
Notably, the Regulation explicitly recognises tools such as model contractual terms, confidentiality agreements, strict access protocols, technical standards, and codes of conduct as potential measures to preserve confidentiality. In November 2025, the Commission also published non-binding Model Contractual Terms (MCTs) intended to support implementation of Data Act data-sharing relationships, which can be used as a reference point when updating contractual protections.
A second relevant scenario concerns the data holder’s continued use of readily available non-personal data generated by the user’s connected product or related service.
The Data Act is explicit: a data holder may only use readily available non-personal data on the basis of a contract with the user. It also states that the data holder must not use such data to derive insights about the user’s economic situation, assets, or production methods, or use such data in any other manner that could undermine the user’s commercial position on its markets.
For many organisations, the commercial reality is that such data underpins legitimate activities (e.g., performance monitoring, preventive maintenance, product safety, service improvement, benchmarking, and analytics). However, legacy contracts frequently do not document these rights and restrictions with sufficient clarity.
From a remediation perspective, the typical aim is not to “add more text”, but to ensure the agreement contains an enforceable and operationally workable rights-of-use structure that addresses at least:
Scope of data: which data sets are covered (including whether “readily available” data is the focus) and whether aggregation/anonymisation is contemplated;
Permitted purposes: clearly defined, business-justified purposes for the data holder’s use;
Restrictions and safeguards: express limitations reflecting the Regulation’s intent, including avoiding uses that could undermine the user’s commercial position;
Governance mechanics: transparency, documentation of user agreement, and procedures for managing changes in use cases over time.
In practice, the most durable outcomes are achieved where the contractual position is aligned with product and service design (e.g., consent flows, user communications, data access management, and internal control frameworks), rather than relying solely on legal drafting.
The Data Act introduces a framework on unfair contractual terms in certain B2B data access/use arrangements, focused on terms that are unilaterally imposed. It provides:
a general standard (gross deviation from good commercial practice in data access and use, contrary to good faith and fair dealing);
a list of terms that are unfair, including clauses that exclude/limit liability for intentional acts or gross negligence, exclude remedies for non-performance, or grant one party exclusive interpretive power;
a list of terms presumed to be unfair, including inappropriate remedy limitations, significantly detrimental access/use of the other party’s data (particularly where trade secrets or IP are involved), restrictions preventing a party from using data it provided or generated, and certain termination/price-change clauses.
Two practical implications are particularly relevant for January 2026:
(a) The “unfair terms” chapter does not apply uniformly to all legacy contracts
The Regulation states that Chapter IV applies to contracts concluded after 12 September 2025. For contracts concluded on or before 12 September 2025, Chapter IV will apply from 12 September 2027 provided that the contract is of indefinite duration or is due to expire at least 10 years from 11 January 2024.
Accordingly, remediation programmes should be sequenced carefully:
Immediate focus: post-September 2025 contracts and templates, plus any pre-September 2025 deals where commercial or operational risk justifies early remediation (e.g., core strategic partnerships, high-value data-sharing arrangements, or disputes/renewals on the horizon).
Forward planning (2026–2027): long-term and indefinite legacy agreements that will fall into scope in September 2027.
(b) Generic addenda are rarely sufficient
Even where organisations decide to address legacy agreements ahead of the statutory application date, a generic addendum may not address the actual risk drivers. The analysis is typically clause-specific, and the impact depends on whether a term was unilaterally imposed and whether it concerns access/use of data or related liability/remedies.
A defensible remediation approach therefore tends to involve:
identifying clauses that map directly to the “unfair” or “presumed unfair” categories;
assessing whether the term is within scope (data access/use; liability/remedies for data-related obligations);
determining whether the term was unilaterally imposed (including evidence of negotiation history, where available); and
designing a contract position that is commercially workable and operationally implementable, rather than purely theoretical.
For buy-side arrangements (e.g., component sourcing), there is typically more flexibility in how compliance is achieved. In many cases, product manufacturers can meet Data Act requirements through product design, technical integration, and governance measures without requiring extensive contractual back-to-back clauses in every supplier agreement.
That said, buy-side contractual provisions can be valuable to ensure practical support for compliance—particularly where suppliers control interfaces, diagnostic data, documentation, cybersecurity measures, or elements that affect data accessibility and trade-secret protections. A pragmatic approach is to add targeted clauses to high-impact supplier relationships, rather than applying uniform amendments across the supply base.
In our current work with clients, we typically begin with a structured critical assessment designed to answer three questions:
Are we in scope, and where? Mapping products/services, roles, and data categories.
Which contracts are potentially impacted? Building an inventory linked to the underlying data flows and business model.
What remediation is proportionate? Prioritising the agreements and clauses that matter most, then implementing amendments, template updates, and supporting operational controls.
This approach results in a documented fact base and an implementation roadmap that enables remediation to be focused, defensible, and aligned with commercial priorities.
Joscha Milinski