© Fiskil 2025. All rights reserved.
The regulation became applicable September 12, 2025, with additional requirements phasing in through 2027.
September 12, 2025: Main obligations applied (data access, cloud switching)
September 12, 2026: "Data by design" requirements for new products
January 12, 2027: Complete ban on cloud switching charges
Understanding the phased implementation timeline helps organizations plan their compliance approach and allocate resources effectively.
Regulatory Context
Key Obligations
Main obligations applied September 12, 2025 (Articles 4-5: data access and third-party sharing)
Cloud switching provisions applied September 12, 2025 (customer switching rights)
September 12, 2026: "Data by design" obligations for connected products placed on market after this date
September 12, 2026: Enhanced interoperability requirements for cloud services
January 12, 2027: Complete ban on charges for switching between data processing services
September 12, 2027: Full implementation of data portability standards and unfair terms rules extend to pre-2025 contracts
November 22, 2023: EU Data Act published (Regulation 2023/2854)
January 11, 2024: Regulation entered into force
September 12, 2025: Main obligations applied - compliance now required
September 12, 2026: "Data by design" for new products; enhanced cloud interoperability
January 12, 2027: Complete ban on cloud switching charges
September 12, 2027: Full data portability standards; unfair terms rules extend to existing contracts
Implementation Reality
Challenges
Traditional implementation: 18-24 months for full compliance (scoping, architecture, build, testing)
Accelerated approach: 8-12 weeks using pre-built infrastructure and standardized patterns
Member States are establishing enforcement frameworks and designating competent authorities
Germany and France have specified penalty structures (up to 4-5% of global turnover)
Organizations benefit from documented compliance efforts when engaging with regulators
Phased approach allows organizations to prioritize highest-impact obligations first
Solution
Accelerated Timeline
Pre-built infrastructure reduces implementation from 18-24 months to 8-12 weeks through standardized patterns and proven architectures.
Compliance Documentation
Automated audit trails and compliance reports provide evidence of implementation efforts for regulatory discussions.
Operational Readiness
Begin handling data access requests with consent management, recipient onboarding, and secure API infrastructure.
Phased Requirements
Platform architecture supports upcoming 2026 and 2027 requirements, allowing single integration across all implementation phases.
Trust & Proof
Built by teams who implemented GDPR compliance in 2017-2018
Experience with post-deadline compliance acceleration
Proven rapid deployment under regulatory pressure
Track record with enterprise catch-up implementation
Catch-up implementation: 8-12 weeks (vs. 18+ months in-house)
Organizations made compliant after the September 2025 deadline
Deployed across automotive, manufacturing, energy, cloud sectors
Proven at scale with millions of data access requests monthly
The EU Data Act entered into force on January 11, 2024, and became applicable on September 12, 2025. Main obligations (Articles 4-5 for data access and third-party sharing, cloud switching provisions) are now in force and must be complied with.
No. The Data Act only applies to connected products placed on the EU market after September 12, 2025. Products placed on the market before this date are grandfathered. However, significant updates (major firmware releases, new features) may constitute a "new product" subject to the regulation.
September 12, 2026: "Data by design" obligations apply to new connected products (products must be designed from the start to enable easy data access). Enhanced interoperability requirements for cloud services also take effect. January 12, 2027: Complete ban on cloud switching charges. September 12, 2027: Full data portability standards implementation.
Organizations can implement compliance through in-house development (typically 18-24 months) or by leveraging pre-built platforms like Fiskil (8-12 weeks). The approach depends on technical resources, timeline requirements, and existing infrastructure. Documenting implementation efforts is valuable for regulatory discussions.
Member States are establishing enforcement frameworks. Germany and France have already designated authorities and specified penalties (up to 4-5% of global annual turnover). Enforcement is ramping up in 2026, with focus expected on large manufacturers and high-profile violations. Customer complaints can trigger investigations immediately.
No official grace periods exist. However, enforcement is being phased in as Member States designate authorities and establish frameworks. Organizations demonstrating good-faith compliance efforts and rapid implementation may face more lenient treatment than those ignoring obligations entirely.
Penalties are set by Member States but must be "effective, proportionate, and dissuasive." Germany permits fines up to €5 million or 4% of global annual turnover. France allows up to 5% for repeat violations. If personal data is involved, GDPR penalties (up to €20 million or 4%) may also apply.
Yes. The Commission continues to publish implementing acts and guidance documents. Fiskil monitors these developments and updates our platform automatically to reflect new guidance and evolving regulatory interpretations.