Back

Service area

Technology and Commercial Advisory

Contact

Arttu Nurro
Legal Counsel

News

The EU Data Act – key obligations for service providers

The EU Data Act (Fi. Datasäädös) entered into application on 12 September 2025. The regulation applies to providers of both IoT devices and cloud services (PaaS, SaaS). The impacts extend directly to the technical implementation of services, contracts and commercial operating models.

IoT service providers

The key obligation imposed by the Data Act is advance transparency. Before a contract is concluded, the customer must be provided with clear information on:

  • what data the connected product or related service generates;
  • how the customer can access the data; and
  • under what terms the data can be used and made available to third parties.

The customer has, in principle, control over data generated by the IoT device. For example, data must be made available to the customer upon request, free of charge, without undue delay and in a machine-readable format. The customer may also request that the data be made available to a third party of their choice.

Access to data may be restricted on the grounds of protection of trade secrets, but trade secret protection cannot be used as a general ground for preventing the making available of data. For instance, trade secrets must be capable of being identified. Protective measures may be applied to the making available of data (e.g. use and disclosure restrictions, confidentiality obligations), but these must be agreed on a case-by-case basis.

PaaS and SaaS service providers

The Data Act grants customers the right to switch service providers and to use several services in parallel without unjustified obstacles. This requires:

  • technical interoperability and functional data transfer practices;
  • open interfaces (APIs) for transferring data;
  • switching-friendly and transparent contractual terms; and
  • preparation for the fact that switching charges will be prohibited entirely from 12 January 2027 onwards.

Contracts must include clear switching terms. The notice period may be a maximum of 2 months. Service continuity must be ensured during switching. The customer must be supported during the transition.

Unfair contractual terms are not binding

The Data Act protects weaker parties (such as SMEs) from unfair contractual terms. The regulation defines terms that are always unfair or presumed to be unfair. Such terms include, for example:

  • terms that exclude or limit the service provider’s liability for intentional acts or gross negligence;
  • terms that inappropriately restrict the customer’s remedies; and
  • terms that restrict the customer’s right to access or use data.

Unfair terms do not bind the weaker party. Contracts must be fair, reasonable and non-discriminatory.

Why does this matter?

The Data Act is already being applied. The obligations imposed by the Data Act have a material impact on service providers’ day-to-day operations. It is important for service providers to ensure that:

  • the technical implementation of services supports customers’ data rights;
  • contracts concerning services and advance information provided about them comply with the regulation;
  • trade secret protection is structured in a controlled and anticipatory manner; and
  • contractual terms are not unfair contrary to the Data Act.

Well-managed regulatory compliance reduces legal risks and strengthens customer confidence.