The EU Data Act is already in force
Most internal AI use sits outside it. Where it does apply, the design choices are made now.
It has applied across the EU since 12 September 2025. The risk for most businesses is not knowing which side of the line their AI builds sit on and finding out only after they are in production.
The Data Act is live now. More obligations land in 2026 and 2027.
The Data Act entered into force.
Core obligations apply: data access, third-party data sharing, cloud switching rights and interoperability requirements.*
Data-by-design obligation applies to connected products and related services placed on the market after this date.
Coming upSwitching charges between data-processing services fully banned.
Unfair contractual terms rules extend to qualifying pre-existing contracts.**
The Data Act applies now. Further obligations follow in September 2026, January 2027 and September 2027. Where it reaches your AI, the architecture is decided before those dates, not after.
* Interoperability obligations applied from 12 September 2025. The detailed technical specifications are set by European Commission acts and standards, some of which are still being finalised.
** Applies only to contracts signed on or before 12 September 2025 that are open-ended or run until at least 11 January 2034. Shorter fixed-term contracts are not caught.
The Data Act dates are firm. The related AI Act dates are not.
The Digital Omnibus, proposed in November 2025, also covers the Data Act. For now the Data Act track is moving slowly and contains no proposals to shift its application or enforcement dates, so the dates above stand. The AI Act track is moving faster, and defers some high-risk obligations that were due from 2 August 2026.
Three questions decide whether the Data Act reaches your AI
The Data Act is not an AI law, but it reaches AI through the data that feeds it, the providers that host it and the tools that automate it. These three questions decide whether it applies to a given AI build. Most internal tools sit outside it.
Connected products
Does the AI train on or otherwise use data from connected products? IoT devices, vehicles, industrial machinery, health and agricultural equipment all produce data caught by the Act. That changes who can use it, what can be built with it and which providers can receive it.
User or provider
Is the AI offered to EU clients as a product or service, rather than used internally to deliver your own work? Moving from user to provider engages obligations on switching, portability and egress, and reshapes the commercial position with EU customers.
Built for others
Are automated data-sharing tools or smart contracts being built for others? Internal-only tools sit outside. Anything productised for others carries a conformity obligation.
These are design decisions, not retrofits
Where the Act applies, the obligations are architectural. They shape how data is accessed, how a service is built and how a provider is engaged. Made early they are routine. Discovered late they mean reworking a system that is already in production.
Exposure is mapped before the build. Data access, portability and provider terms are designed in, and the commercial position with EU customers is clear.
Obligations surface after launch, through a connected-data dependency or a provider contract that no one read against the Act.
Attercop scopes the exposure
We work through the three tests build by build, identify where the Data Act applies and support proportionate governance where it bites. You get a clear position on scope, role and obligations, ready for investors, customers and your board.
Scope your exposure →Get a clear position before it is asked of you
We scope your portfolio against the EU Data Act and the EU AI Act, and hand you the position you need for investors, customers, auditors and your board.