---
title: "EU Data Act and AI Training/Inference Data Access (2026) | Impetora"
description: "How Regulation (EU) 2023/2854 (the EU Data Act) governs data sharing, IoT-generated data and AI training, with the contract clauses enterprises need by 2026."
url: https://impetora.com/answers/eu-data-act-ai-implications
locale: en
datePublished: 2026-04-28
dateModified: 2026-04-28
author: Impetora
---

# EU Data Act and the AI implications: training, inference, cloud switching

> The EU Data Act, Regulation (EU) 2023/2854, became applicable on 12 September 2025. It establishes harmonised rules on access to and use of data generated by connected products, restricts unfair B2B contractual terms on data, opens public-sector access to private-sector data in exceptional circumstances, and forces interoperability and switching between cloud and edge data-processing services. AI training and inference workloads sit squarely inside the regulation's scope: training data sourcing, B2B data licensing, IoT data feeds and cloud portability all change in 2025-2026 [1].

*Updated 2026-04-28. By Impetora.*

## What does the EU Data Act cover and why does it matter for AI?

The Data Act is structured into eleven chapters. Chapter II (Articles 3-7) creates a right for users of connected products to access the data those products generate and to share it with third parties of their choice. Chapter III (Article 8) imposes fairness obligations on data-sharing arrangements. Chapter IV restricts unfair contractual terms in B2B data contracts. Chapter V (Articles 14-22) creates a public-sector data access regime in cases of exceptional need. Chapter VI (Articles 23-31) imposes cloud and edge switching obligations on data-processing service providers. Chapter VII restricts international government access to non-personal data held in the EU. Chapter VIII covers interoperability standards. The remaining chapters cover smart contracts, enforcement and final provisions [1]. For AI, the headline impacts are concentrated in Chapters II, IV, V and VI. Training data sourced from connected products in the EU is now subject to user-driven access rights and third-party-sharing obligations. B2B data licensing for AI training cannot include unfair terms as defined in Article 13. The B2G regime opens limited public-sector access to AI training datasets in defined exceptional circumstances. The cloud-switching regime forces hyperscale and other data-processing providers (including hosted AI inference services) to enable functional equivalence and data portability when customers switch providers. The European Commission's Q&A on the Data Act and the European Data Innovation Board's emerging guidance flesh out the operative interpretation. National enforcement authorities began publishing supervisory expectations in late 2025.

## How do Articles 4 and 5 affect AI training data sourced from IoT?

Article 4 grants the user of a connected product access to "readily available data" generated by the product. Article 5 grants the user the right to require the data holder to make that data available to a third party of the user's choice. The "data holder" is typically the manufacturer or the entity that owns or controls the data generated by the product. The third party can be an AI vendor, an application developer or any other recipient the user designates. For AI training data programmes, this changes the supply side. An AI vendor that previously had to negotiate exclusive bilateral deals with manufacturers to access fleet data (vehicles, industrial equipment, smart-building telemetry) can now, where the user designates the AI vendor as the recipient, receive the data directly. The data holder must comply within a reasonable period and on FRAND-like terms. Data sharing for the purposes of competing with the data holder's own product is restricted (Article 4(10) and Article 5(10)), but training a downstream AI service that does not compete with the connected product itself is not prohibited. The practical effect: AI vendors should structure their commercial onboarding to make it easy for end-users to designate them as the third-party recipient. Manufacturers must build the technical interfaces and processes to handle Article 4 / 5 requests at scale. Both sides should document the criteria for "readily available data" and the FRAND terms applied [2].

## What does Article 13 mean for AI training data licensing contracts?

Article 13 prohibits unfair contractual terms unilaterally imposed on a smaller party in a B2B data-sharing arrangement. Terms that exclude or limit liability for gross negligence, that allow unilateral access or use of the other party's data without notice, that let the imposing party determine compliance unilaterally, or that exclude termination rights without proportionate notice are deemed unfair as a matter of law. The Commission has published a model contractual term annex to support compliance. For AI training data licensing, this matters in two directions. AI vendors licensing training data from smaller data holders cannot impose terms that, for example, grant unlimited reuse rights without the data holder's continuing oversight, or exclude liability for misuse of sensitive datasets. Conversely, AI vendors that are the smaller party (a startup licensing data from a large platform) gain a baseline of protection against unfair contractual practice. National courts can declare individual clauses void where they conflict with Article 13 [3]. Article 8 (general principles for data sharing) and the Article 9 compensation framework apply alongside Article 13. Compensation must be reasonable and may not be set so as to discourage exercise of the data-access rights.

## How does the cloud-switching regime affect hosted AI services?

Chapter VI imposes obligations on providers of data-processing services - explicitly defined to include IaaS, PaaS, SaaS and edge services. Hosted AI inference services, AI development platforms and managed AI infrastructure all fall in. The headline obligations are: (a) remove commercial, technical, contractual and organisational obstacles to switching; (b) reduce egress charges progressively to zero by January 2027; (c) maintain functional equivalence after switching for IaaS and equivalent services; (d) cooperate in good faith with the destination provider during the switching process; (e) make available a switching interface and the contractual right to retrieve all the customer's exportable data. For AI customers, the practical effect is that hosted AI services are no longer locked-in by economic friction. Customers can move training data, fine-tuned model artefacts (where exportable), inference traffic and operational telemetry to alternative providers without facing prohibitive egress fees. The switching obligations explicitly cover dependencies on proprietary APIs, which historically have been the strongest lock-in mechanism for hosted AI inference. Providers are not forced to expose their proprietary training algorithms or model weights, but they are required to make customer data and customer-configured artefacts portable. The compliance deadline structure is staged: switching obligations have applied since 12 September 2025, full elimination of egress charges is required by 12 January 2027 (Article 29). Providers have been adjusting commercial terms and technical interfaces through 2025 to comply.

## How does the Data Act interact with the EU AI Act, GDPR and the Data Governance Act?

The Data Act is horizontal: it applies regardless of whether the data is personal or non-personal. GDPR continues to apply where the data is personal data, and where the two regimes intersect, GDPR rights and protections apply on top. The Data Governance Act (Regulation 2022/868), in force since 2023, governs voluntary data-sharing intermediaries, data altruism and public-sector data reuse; the Data Act adds the mandatory access rights for IoT-generated data and the cloud-switching framework on top of the DGA's voluntary architecture. For the EU AI Act, the connection is on training data. AI Act Article 10 imposes data-governance obligations on high-risk AI systems including data quality, bias examination and provenance documentation. Where training data is sourced under Data Act Articles 4-5, the AI provider must document the lineage from the data-holder through the user and into the training pipeline. AI Act Article 53 (general-purpose AI model providers) imposes a public summary of training data used; Data Act sourcing must be traceable in that summary at the level of detail the AI Office's template requires. The Cyber Resilience Act and NIS2 layer additional obligations on the systems that generate, transmit and process the data. Mature AI training programmes treat the four regimes as one integrated data-supply governance programme rather than four parallel ones.

## How does Impetora support EU Data Act AI engagements?

Impetora's TRACE methodology was built around AI systems that depend on auditable, contractually clean data supply, and the Data Act tightens exactly those expectations. Trust covers the contractual layer including Article 13-compliant data licensing, Articles 4-5 third-party recipient onboarding flows, and cloud-switching exit plans for hosted AI services. Readiness covers the data and workflow audit that becomes the input to the data-governance documentation required under both AI Act Article 10 and Data Act Articles 4-5 sourcing. Architecture covers production-grade design with portability hooks, clean data-lineage instrumentation and switching readiness baked in. Citations and Evidence covers the audit trail that supervisors and customers exercise. The practical path for a Data Act-aware AI engagement: scope the data supply chain explicitly (which data is IoT-sourced, who is the data holder, who is the user, who is the third-party recipient), structure licensing contracts against the Article 13 fairness baseline, build the cloud-portability artefacts (model formats, data exports, switching runbooks) as part of the architecture rather than as an afterthought, and integrate the Data Act sourcing documentation into the AI Act technical documentation pack.

## Frequently asked questions

### When did the EU Data Act become applicable?

Regulation (EU) 2023/2854 entered into force on 11 January 2024 and became applicable on 12 September 2025. The cloud-switching obligations have applied from that date, with the staged elimination of egress charges required by 12 January 2027 under Article 29. The connected-product data-access provisions of Articles 3-7 apply to products placed on the market 32 months after entry into force.

### Does the Data Act apply to AI training data sourced from outside the EU?

The connected-product data-access regime applies to products and services placed on the EU market. The cloud-switching regime applies to data-processing service providers offering services to customers in the EU. The B2B fairness regime applies where one of the parties is established in the EU. AI vendors operating cross-border must therefore map their training data sources and hosting arrangements against the EU-touch points and apply Data Act compliance at those points.

### Are hosted AI providers obligated to make model weights portable?

No. Article 23 covers exportable data and customer-configured digital assets. Proprietary model weights developed by the provider are not customer data. Customer-configured fine-tunes, prompts, embeddings of customer data, training datasets uploaded by the customer and operational logs are exportable. Customers should clarify in the contract which artefacts are classified as exportable, and providers should expose interfaces that surface the full set the regulation requires.

### Can AI training data sourcing rely on Articles 4 and 5?

Yes, but the user (the natural or legal person owning, renting or leasing the connected product) must designate the AI vendor as the third-party recipient under Article 5. The AI vendor cannot demand access from the data holder directly. The vendor must therefore build user-facing onboarding flows that capture the designation cleanly. Article 4(10) and 5(10) also restrict use that would compete with the data holder's own product, which limits some downstream training applications.

### What are the penalties for Data Act non-compliance?

Article 40 leaves penalty levels to member states subject to a requirement that the penalties be effective, proportionate and dissuasive. National implementing legislation (in some member states) sets administrative fines that can run into tens of millions of euros for serious breaches, particularly for cloud-switching obstruction or contractual fairness violations. National competent authorities also have powers to require compliance and to issue binding orders.

### Where can I find the official Data Act text and Commission guidance?

The regulation is published as Regulation (EU) 2023/2854 on EUR-Lex. The European Commission maintains the Data Act policy landing page with Q&A documents, model contractual terms annexes and FAQ updates. The European Data Innovation Board issues guidance on cross-cutting questions. National competent authority Q&As are emerging through 2025-2026 and are the operative source for jurisdiction-specific interpretation.

## Sources cited

1. Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act). European Union, Official Journal, 2023-12-13. https://eur-lex.europa.eu/eli/reg/2023/2854/oj
2. Data Act - policy landing page and Q&A. European Commission - DG CONNECT, 2025. https://digital-strategy.ec.europa.eu/en/policies/data-act
3. Model contractual terms for data sharing (Article 41 Data Act). European Commission, 2025. https://digital-strategy.ec.europa.eu/en/library/model-contractual-terms-and-standard-contractual-clauses-data-sharing
4. Regulation (EU) 2022/868 (Data Governance Act). European Union, Official Journal, 2022-05-30. https://eur-lex.europa.eu/eli/reg/2022/868/oj
5. Regulation (EU) 2024/1689 (Artificial Intelligence Act). European Union, Official Journal, 2024-07-12. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
6. Regulation (EU) 2016/679 (General Data Protection Regulation). European Union, Official Journal, 2016-04-27. https://eur-lex.europa.eu/eli/reg/2016/679/oj