Data Act 2025 and enterprises: what changes for data sharing

Data Act 2025

Summary

Summary

In 2026, the Data Act is no longer something “coming soon,” but a reality that Italian companies are already experiencing: as of September 12, 2025, EU Regulation 2023/2854 is fully applicable, with concrete effects on access, portability, and sharing of data generated by connected products and digital services. Some obligations continue to unfold in 2026 and beyond (particularly those related to the design of connected products and unfair contract terms), but for most companies 2025 was the “switch on” year and 2026 is the year when the consequences of the new data sharing rules are really seen in contracts and IT processes.

In summary, in this in-depth study you will find:

  • A clear overview of the Data Act, when it became operational between 2025 and 2026, and the actors involved.
  • What “data” means for businesses in 2026: from IoT machines to ERP management to cloud services and data generated by customers and suppliers.
  • The concrete impacts on enterprise data sharing, portability to third parties, and the relationship with cloud providers, software houses, and IT partners.
  • The news on unfair terms in B2B contracts and review of existing contracts in 2026-2027.
  • An operational plan updated to 2026 to map data, review contracts, set internal rules, and integrate the Data Act with GDPR, NIS2, and enterprise cybersecurity.
  • Lanpartners' role as a bridge between law, technology, infrastructure, and IT services, including support for customized IT services, backup & business continuity technologies, cybersecurity, and digital transformation projects.

Data Act in brief: the framework that is in place in 2026

The Data Act is the European regulation on fair access to and use of data, designed to increase data availability in the EU, reduce vendor lock-in, and simplify data sharing among users, businesses, and PAs. It entered into force on Jan. 11, 2024, and is fully applicable as of Sept. 12, 2025, with a phased-in regime for some obligations extending to 2026 and 2027.

The essential points affecting businesses in 2026:

  • Right of users (including companies) to access data generated from the use of related products and services, and to share them with third parties of their choosing, in a timely manner and in machine-readable format.
  • Obligations for producers and data holders to provide for “by design” access, interoperability, and fair, reasonable, and nondiscriminatory conditions for sharing, including fair compensation when provided.
  • Discipline of unfair terms in B2B contracts governing data access and use, especially protecting SMEs and those in weaker bargaining positions.
  • Measures to facilitate portability and switching between data processing services (cloud, data centers, platforms), reducing technical and contractual barriers.

In 2026, businesses are no longer asking “whether” the Data Act applies, but “how” to revise contracts and IT infrastructure to comply with it and make better use of it, consistent with GDPR, NIS2 and other European regulations on data, security and artificial intelligence.

What “data” means for enterprises in 2026 (even if they don't develop software)

The Data Act is not a rule for a few cloud bigwigs: it affects all businesses that use connected products or digital services that generate data in the normal course of business. In 2026 that means, concretely, most companies in manufacturing, services, logistics, energy, and many other sectors.

Typical examples of “data sources” involved:

  • Industrial machinery, enterprise vehicles, IoT devices, manufacturing plants and sensors that collect data on operation, maintenance, energy consumption, downtime, and alarms.
  • Management ERP (SAP Business One, Microsoft ERP, vertical solutions), CRM, HR management software, attendance software and ticketing systems that generate logs, KPIs, process tracking and usage data.
  • Services cloud and data processing platforms: data warehouse, BI tools such as Power BI, cloud/VOIP switchboards, remote monitoring platforms, and predictive maintenance solutions.

Many companies, until 2025, considered this data “in the belly of the suppliers,” accessible only through proprietary portals or through ad hoc exports, often for a fee. With the Data Act, the user of the product or service now has a structural right to access and share with third parties, which changes the way IT processes and infrastructure are designed.

For Lanpartners, in 2026, the first step is often to help companies recognize where the data are (ERP, machinery, cloud switchboard, managed IT services), what rights they can exercise, and how to link these rights to network architectures, cloud migration projects, and advanced business continuity solutions.

Business-to-business data sharing: rights, obligations and limits after 2025

As of Sept. 12, 2025, the discipline of data sharing between holders and recipients is fully operational, and in 2026 the question becomes how to incorporate it into contracts and daily practices.

For enterprises using connected products and digital services:

  • The data generated must be made available promptly.and, in machine-readable format, with quality and granularity comparable to those held by the manufacturer or supplier.
  • At the request of the user, the holder must transmit the data directly to a third party (e.g., another maintenance provider, an IT partner, a new cloud provider), without undue delays or artificial obstacles.
  • The economic conditions for making data available must be fair; the regulations provide criteria for determining fees and for the protection of know-how and trade secrets.

For data holders (manufacturers, platform providers, cloud providers):

  • They must adapt, between 2025 and 2026, contracts, systems and interfaces To allow access and sharing in compliance with the Data Act.
  • They must implement technical and organizational measures to protect trade secrets, the security of systems and the rights of third parties, even when data is shared with new actors.

This directly affects relationships with software houses, ERP and CRM vendors, IoT equipment manufacturers, companies that provide IT services for enterprises, and cloud service providers, with whom Lanpartners is already in dialogue for IT management, networking, and security, as part of projects of Corporate information security and identity theft prevention.

Portability, interoperability and vendor lock-in in 2026

One of the most concrete promises of the Data Act is the reduction of vendor lock-in, especially in the cloud world and in data processing services. From 2025, providers must facilitate switching between services, and in 2026 many enterprises begin planning migrations that previously seemed impossible or too risky.

For data processing service providers (clouds, data centers, platforms):

  • It is required to ensure portability of data, applications, and, to some extent, configurations, according to common technical standards and without unjustified contractual obstacles.
  • Certain provisions on the design of related products and related services, which simplify access to the data generated, take effect for products placed on the market after September 12, 2026.

For user enterprises:

  • It becomes more realistic to negotiate exit clauses (exit) from cloud, data center and managed services contracts, defining migration timing, formats and responsibilities.
  • You can build data lake, business intelligence and predictive maintenance projects based on data from multiple sources, without remaining tied to a single proprietary ecosystem.

Not only policy but also technical choices become central on this front: Lanpartners works on technologies of backup & business continuity and on hybrid architectures that allow enterprises to move loads, data, and applications between different environments without losing control or security.

Unfair terms and B2B contracts: what to review in 2026

The Data Act contains specific discipline on unfair contractual terms related to data access and use in business-to-business relationships, with a focus on the protection of SMEs. The relevant provisions have a gradual logic, but in 2026 it is already clear that unbalanced clauses are under observation and may be declared void.

Examples of critical clauses:

  • Total and unjustified exclusion of data access generated by the user's use of the related product or digital service.
  • Manifestly disproportionate costs For making data available or switching to other providers.
  • Unilateral changes in data conditions (access, format, frequency, sharing rights) without notice and without the possibility for the user to withdraw.

In 2026, many enterprises are:

  • Initiating systematic audits of contracts with IT vendors, software houses, cloud providers, and related equipment maintainers to identify clauses inconsistent with the Data Act;
  • Defining standard templates for “Data Act compliant” clauses.” to be used in new contracts or renewals, in line with future model clauses being prepared by the EU Commission.

Here the experience gained on the issues of artificial intelligence and law and AI Act: Lanpartners is accustomed to having the legal department, internal IT, and external vendors talk to each other, relating contract terms and the technical realities of the infrastructure (logs, APIs, data exports, replication, service levels).

Data Act, GDPR, NIS2 and enterprise cybersecurity in 2026

In 2026, businesses can no longer afford to treat Data Act, GDPR, NIS2, AI Act and other digital regulations as separate “silos”: data shared, moved, exported and aggregated are often the same, and obligations overlap.

Three perspectives to be integrated:

  • Data protection (GDPR): any data sharing that includes personal information must comply with the principles of lawfulness, minimization and purpose limitation, as well as appropriate technical and organizational measures for security and privacy by design.
  • Cybersecurity and continuity (NIS2): many enterprises fall within the NIS2 perimeter and must ensure a minimum level of network and system security; openings of data flows to third parties, new integrations, and increased portability must be designed with appropriate firewalls, network segmentation, backup systems, and incident response plans.
  • Access and Sharing (Data Act): the increased circulation of data should not turn into a larger attack surface; we need access controls, logging, strong authentication, audits of partners and technical ways of transferring data.

In this light, the issues discussed in the article on the cybersecurity for law firms in 2026 and on digital identity theft incidents-the same logic of prevention, continuous monitoring, and coordinated response applies to the Data Act scenario. Lanpartners can propose integrated paths that start with a snapshot of the existing (management, cloud, networking, PEC, data center) and arrive at a governance model in which Data Act, GDPR, NIS2 and AI Act are translated into IT rules, contracts and training.

How to prepare (or catch up) in 2026: operational plan for businesses

For companies that started working on the Data Act in 2025, 2026 is the year of consolidation; for those who have fallen behind, it is the time to catch up with a pragmatic plan.

1. Update the mapping of systems and data.

  • Don't limit yourself to a static list: in 2026, many companies introduced new cloud services, ERP modules, sensors or analytics tools; it's time to update the map of connected products, digital services and data flows.
  • Link each system to its contracts: understand where access rights already exist, where clauses are silent or potentially abusive, where renegotiation is needed.

2. Define a prioritization strategy.

  • Start with “core” systems: critical production machinery, ERP, CRM, cloud platforms with strategic or sensitive data.
  • Focus on contracts that expire or renew between 2026 and 2027 to include clauses in line with the Data Act, GDPR and NIS2 from now on.

3. Review contracts and governance of supplier relationships.

  • Prepare a Data Act checklist for IT contracts: data access, formats, timelines, costs, third-party sharing rights, security measures, switching and exit rules.
  • Introduce, when possible, technical annexes (e.g., tabs on APIs, logs, export modes) that reflect the reality of infrastructure and IT environments managed by external partners, as described in the page on the customized IT services

4. Adapt IT infrastructure to portability and security

  • Verify that the infrastructure (enterprise routers, firewalls, networking, replication and storage systems) allows for secure and traceable receipt, consolidation and sharing of data.
  • Integrate the Data Act theme into business continuity strategies, referring to the best practices outlined in the guide on disaster recovery and business continuity

5. Formalizing internal policies and training paths

  • Define who in the company can request data from suppliers, who can share it with third parties, with what legal and technical reviews, and how to document these decisions.
  • Training management and operations staff on the new rights and obligations: what Data Act means for those working with ERP, CRM, connected machinery, cloud services, and VOIP switchboards, linking it to the paths already started on AI Act, artificial intelligence in studies, and the AI models in legal tech.

Lanpartners can support the enterprise in each of these steps, complementing work on the Data Act with projects already underway on the AI Act 2026, cybersecurity, process digitization, and managed IT services.

Lanpartners' role in 2026: data, law, infrastructure

In 2026 Lanpartners continues to position itself as the “technology concierge” for businesses and firms that want to govern their data, not just protect it. Experience in IT infrastructure, cloud services, enterprise networking, backup and continuity solutions is complemented by expertise in regulations such as AI Act 2026, NIS2 and the Data Act, creating a practical bridge between law and technology.

In concrete terms, Lanpartners can:

  • Helping businesses build a reasoned map of connected devices, management, cloud services and data flows, identifying where the Data Act opens up new opportunities for access and sharing.
  • Support the review of IT contracts and agreements with software houses, cloud providers, and enterprise IT service providers, including clauses that reflect both regulatory requirements and the actual technical characteristics of the systems.
  • Design and implement networking, security, backup, data center, and virtual desktop solutions that make portability, interoperability and switching feasible, without compromising digital security and business continuity.
  • Structuring paths of training and coaching for entrepreneurs, top management and operations staff, so that Data Act, GDPR, NIS2, and AI Act do not remain “convention matters,” but are translated into consistent day-to-day decisions.

Contact us For any further information. 

FAQ 2026 on the Data Act and data sharing.

1. In 2026, is the Data Act already fully operational?

Yes: EU Regulation 2023/2854 is fully applicable from September 12, 2025, although some technical provisions on the design of related new products and some rules on unfair terms have different deadlines between 2026 and 2027.

2. What has changed for businesses after September 12, 2025?

As of September 12, 2025, enterprises have enhanced rights to access and share on data generated by connected products and digital services and must review contracts and IT infrastructure to ensure portability, interoperability, and fair, reasonable, and nondiscriminatory terms.

3. If I haven't done anything on the Data Act yet, am I late?

In 2026, you are no longer “early”: those who have not yet mapped systems and contracts are behind schedule, but can still set up a catch-up plan by focusing on core systems and expiring contracts, and then gradually extend compliance.

4. Does the Data Act also apply to data containing trade secrets?

Yes, but with cautions: the regulation expressly protects trade secrets and requires that data sharing does not compromise know-how and intellectual property; technical, contractual and organizational measures are possible to mitigate risks.

5. How can Lanpartners help me in 2026?

Lanpartners can combine IT consulting services, infrastructure design (network, cloud, backup, security), technical review of IT contracts, and data governance support, building with the company a Data Act compliance path consistent with GDPR, NIS2, and AI Act and integrated into the overall digitization strategy.

Related articles

Learn about our IT consulting and support services

We want to offer you a different technology experience. You can have premium IT support from a trusted partner at your fingertips whenever you need it. Whether you want one person or an entire project team, for short-term or long-term commitments, make your life easier and rely on us.

Contact us