The EU Data Act: What Businesses in Bulgaria Need to Know

October 2025

Nikolay Zisov, Partner, and Deyan Terziev, Senior Associate

BOYANOV & Co.

The EU Data Act (Regulation (EU) 2023/2854 on fair access to and use of data) became fully applicable on 12 September 2025.

For many companies in the EU, including in Bulgaria, this regulation brings new obligations and opportunities. The Data Act’s scope reaches far beyond traditional tech companies, potentially affecting any organisation that handles, generates or benefits from data. Affected organisations must act promptly to map their data flows (focused data audit), review related processes, assess exposure and prepare for compliance. Such preparation could comprise review and update of internal data governance rules, general terms and conditions, and contracts with relevant customers, partners and vendors.

Bulgaria has not yet taken active legislative steps towards facilitating the local application of the Data Act. Even though this regulation has direct effect in Bulgaria, legal amendments would be necessary to allow for its enforcement in practice. Currently, Bulgaria has not determined the competent authority responsible for enforcement and has not implemented the relevant procedural and administrative-penal provisions for the Data Act’s proper application.

This article aims to provide a practical overview of the Data Act, focusing on the most impactful obligations for businesses that may affect relationships with their customers.

What Is the EU Data Act?

The EU Data Act is a regulation designed to create a common framework for data access and use. The Data Act covers all types of data – personal and non-personal, focusing on data generated by connected products and related services.

Who Is Affected?

The Data Act has a wide reach. It affects:

  • Manufacturers, sellers and lessors of connected products (e.g. smart home appliances, vehicles).
  • Providers of digital services related to the usage of those products (e.g. apps, platforms, IoT services).
  • Cloud and other data processing service providers.
  • Businesses that receive or share data in the course of their commercial activities.

Even if a company does not create “smart” products or provide related services, it may still be affected if it relies on cloud services or uses data shared by partners.

Micro, small, and medium-sized enterprises (SMEs) benefit from partial exemptions under the Data Act regarding certain obligations, particularly around data sharing and access. However, when acting as users or data recipients, they retain the same rights as larger companies.

Key Obligations for Businesses

1. Making Data Accessible to Users

Companies that manufacture connected devices or provide related services must ensure that users can access the data generated through their use. The data must be made available easily, securely, and free of charge, in a structured and commonly used format, and, where technically possible, in real time. This design obligation applies to connected products and related services placed on the market after 12 September 2026.

Still, from 12 September 2025, where data cannot be directly accessed, users already have the right to request access to their data, and data holders must provide it without undue delay.

Companies that sell or lease such products have an obligation to clearly inform users about what data will be generated, how it is stored, how long it is kept, and how it can be accessed, retrieved, or erased, as appropriate. Providers of related services have similar information obligations.

Example: A company providing a connected car service must ensure that the driver can access the data generated during use — such as fuel consumption, performance, or GPS information. From September 2026, the car itself must also be designed by the manufacturer so that this access is possible by default.

2. Using Non-Personal Data Responsibly

Any company acting as a data holder may only use readily available non-personal data generated by a connected product or related service on the basis of a contract with the user. Such data cannot be used to gain insights into the user’s economic situation, assets, or production methods in ways that could harm their competitive position.

Data holders must also ensure that available non-personal product data is not shared with third parties for other purposes beyond fulfilling the contract with the user. Where sharing is necessary, contractual safeguards must be put in place to prohibit those third parties from further passing on the data.

3. Sharing Data with Third Parties at the User’s Request

Users have the right to instruct a data holder to share their product or service data with a third party of their choice, such as a competitor, a repair company or an analytics provider. The data holder must provide the data without undue delay, free of charge, securely, in a structured and commonly used format, and, where technically feasible, in real time.

Third parties may only use the data for the agreed purpose and for as long as the data is needed. They cannot use the data to build competing products or to profile the user, unless profiling is strictly necessary to provide the service requested by the user. They must also respect trade secrets and confidentiality safeguards and must not make it unduly difficult for the user to exercise their rights.

Example: A logistics company uses connected vehicles that generate route and fuel efficiency data. At the user’s request, the vehicle provider must share this data with an independent fleet management service. That service may use the data to optimise routes for the company but cannot resell the information or use it to design a competing vehicle system.

4. Fairness in B2B Data Contracts

In business-to-business (B2B) data-sharing, contracts must respect fairness on two levels.

a) FRAND terms

Where a data holder is obliged to make data available (under the Data Act or under another applicable EU or national legislation), it must do so under fair, reasonable, non-discriminatory, and transparent terms and conditions agreed with the user. Comparable data recipients must be treated alike.

b) Unfair terms rules

Any contractual term concerning access to and the use of data, or liability and remedies, that is unilaterally imposed by one enterprise on another is not binding if it is deemed unfair. The Data Act introduces a “blacklist” of clauses that are automatically unfair, as well as a “greylist” of clauses that are presumed unfair unless proven otherwise.

The new rules on unfair terms mostly mirror the consumer protection regime (B2C) under the Unfair Contract Terms Directive, but apply in the B2B context, ensuring companies — especially those with less bargaining power — are shielded from one-sided contract terms.

The new fairness rules would apply to contracts concluded after 12 September 2025.

Example: A cloud platform imposes a standard data-sharing contract on a smaller business. If the contract lets the platform unilaterally make substantial price changes without a valid reason and without allowing termination, that clause would be presumed unfair and unenforceable under the Data Act, unless proven otherwise.

5. Switching Between Cloud and Other Data Processing Services

The Data Act introduces rules to make switching between cloud and other data processing services easier, cheaper, and safer. Service providers must remove contractual, technical, organisational and commercial barriers that lock customers in and provide reasonable assistance to their customers and, where relevant, their chosen third parties. Specifically:

  • Contracts must allow termination and switching with clear notice periods not exceeding two months.
  • Portability of data and digital assets (including applications) must be supported. Providers must not prevent switching and must give reasonable assistance so that customers can move to another service or to an on-premises infrastructure, within a maximum transitional period of 30 days. Infrastructure cloud providers must take reasonable measures to ensure customers achieve functional equivalence in the destination service.
  • Charges for switching must be transparent and gradually reduced to zero by January 2027.

Overall, the Data Act provides a general framework of interoperability between data processing service providers. More specific obligations are to be introduced by delegated acts of the European Commission and harmonised standards.

Example: A company wants to move its file management system from one cloud provider to another. Under the Data Act, the current provider must assist with the transfer, cannot impose unfair penalties, and after January 2027 cannot charge extra fees for switching.

6. Public Sector Access in Emergencies

In cases of public emergencies (natural disasters, pandemics, etc.), businesses may be required to share certain data with public authorities. While this is expected to be rare, companies should prepare for such obligations.

7. Sanctions

The Data Act leaves penalties largely to the EU Member States, which must set effective and dissuasive rules in their national law. This means the exact fines for non-compliance would likely vary across the EU.

Still, the Data Act provides that for certain infringements which involve personal data, national data protection authorities may also impose GDPR-style fines of up to €20 million or 4% of global turnover. In practice, businesses could face a dual regime: national penalties for non-personal data and GDPR sanctions where personal data is affected.

8. Conclusion

The EU Data Act is a transformational law that changes how businesses in Europe collect, share, and use data.

It will likely increase compliance costs, especially for manufacturers of connected products and providers of related services, who must redesign data access processes.

While it introduces new obligations – particularly around user access, third-party sharing, and cloud portability – it also promotes innovation and fairer competition.

Affected organisations should act quickly and engage their legal and technical teams to assess and map their products and data flows, review their public notices and template contracts, and plan for enabling data access and portability. By preparing for compliance now, Bulgarian businesses would position themselves ahead of the curve, ready for when enforcement inevitably ramps up.

Our team has already acquired practical experience in advising clients on the legal implications of the new regulation across diverse industries, such as automotive, logistics, and e-commerce. This positions us strongly to support our clients in addressing the legal challenges introduced by the EU Data Act.
