The European Commission describes the new EU Data Act (the “Data Act”), which became effective on September 12, 2025, as representing a significant step in the EU's digital strategy to promote fair data access, sharing, and innovation [ https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained]. This regulation primarily targets non-personal data generated by connected products (such as IoT devices) and related services, aiming to prevent data monopolies and facilitate seamless data portability.

A question many American companies are asking, assuming they are even aware of the new law, is whether this EU law extends to U.S.-located businesses. The answer may very well be, yes, due to its extraterritorial scope. The Data Act applies to non-EU entities, including those in the United States, if they offer connected products, digital services, or data processing solutions (hello software-as-a-service or more generally, cloud computing) within the EU market. For example, manufacturers of smart devices sold in the EU must enable users to access and share product-generated data in real-time, where feasible. This includes redesigning products by September 2026 to support easy data retrieval. Cloud service providers must allow for freedom to switch between providers, interoperability standards, and protections against unlawful data access by non-EU governments. Related contracts must incorporate fair terms, with unfair clauses deemed unenforceable, potentially disrupting long-term SaaS agreements.

Even U.S. companies without operations in the EU, but who are processing EU-derived data, may still be subject to compliance under the Data Act to avoid fines and/or lawsuits. U.S. companies who process EU-derived data should consult with legal or other trusted professionals to conduct audits, update contracts, and invest in data infrastructure to ensure alignment with the Data Act.