EU Data Act Compliance Pack
EU Data Act (Sept 2025) pack for SaaS providers. Switching templates, portability guide, contract clauses.
🇪🇺 NIS2 & EU DATA ACT — DUAL COMPLIANCE
The EU Data Act works alongside NIS2 Directive requirements. Organisations in scope for NIS2 must also consider Data Act obligations on data sharing, cloud switching, and interoperability. First NIS2 compliance audit deadline: 30 June 2026. NIS2 fine: €10M or 2% of global turnover. The UK Cyber Security & Resilience Bill extends similar requirements to UK organisations.
📊 EU DATA ACT: IN FORCE SEPTEMBER 2025 — IoT DATA SHARING MANDATORY
The EU Data Act applies from 12 September 2025. IoT device manufacturers must allow users to access and share the data their devices generate. Cloud switching must be possible within 30 days without charges from 2027. B2G data sharing in emergencies becomes mandatory. UK companies selling IoT products or cloud services to EU customers are in scope.
EU Data Act Compliance — IoT Data Sharing and Cloud Switching Obligations
The Data Act creates unprecedented data access and portability rights. If your product generates data (IoT sensors, connected vehicles, smart appliances, industrial machinery) or you provide cloud services to EU customers, you have new obligations. This pack covers them all.
- Scope Assessment: Does the Data Act apply to your products or services? IoT devices, cloud services, and data processing services in scope
- User Data Access Rights: What data must be made accessible to users and third parties — and in what format (Chapter II)
- Data Sharing Agreements: Templates for B2B data sharing under the Data Act — fair, reasonable, and non-discriminatory terms
- Trade Secret Protection: How to share data while protecting confidential business information and trade secrets
- Cloud Switching Compliance: 30-day switching requirement, data portability, and interoperability obligations (Chapter VI)
- B2G Data Sharing: When public authorities can request your data in emergencies — process and safeguards
- Contract Review: Existing contracts that may conflict with Data Act obligations — amendment guidance
- Technical Implementation: API design, data format standards, and authentication for mandatory data access endpoints
💷 THE MATHS
£199 one-time. Data Act non-compliance: regulatory enforcement with potential EU market access restrictions. IoT product redesign for data access: €10,000–100,000 if not planned from the start. Cloud switching non-compliance: customer attrition and regulatory scrutiny. This pack ensures compliance is designed in, not bolted on.
📅 NIS2 — FIRST UK AUDIT CYCLE: 30 JUNE 2026
For groups operating across the UK and EU, this pack also pairs with the UK Cyber Security and Resilience (CS&R) Bill: where the EU Data Act governs data sharing and portability, CS&R governs the resilience of the systems holding that data. Use them together for a unified compliance posture.
📦 Delivery & deliverables
- Turnaround: assessment delivery within 36 business hours after intake completion. Multi-jurisdiction packages: up to 5 business days.
- Sample output: a redacted sample deliverable (report + appendices) is available on request — email [email protected] with the product name.
- Revision & satisfaction: one round of revisions included; if the deliverable does not meet the agreed brief, full money-back refund within the 14-day window.
NIS2 Annex I Overlap with EU Data Act
EU Data Act overlaps with NIS2 Directive 2022/2555 in several areas — particularly where data sharing contracts, cloud switching, and IoT data access intersect with cybersecurity risk management. This pack covers the overlap zones explicitly:
- (a) Risk analysis + information system security policy — Data Act risk register template covering data sharing arrangements, third-party access, and contractual liability
- (b) Incident handling — Joint incident protocol covering both NIS2 cyber incidents and Data Act data-sharing breaches (overlapping notification windows)
- (c) Business continuity + crisis management — Cloud-switching continuity plan (Data Act Article 25), data portability runbook
- (d) Supply chain security — Data Act-aligned supplier contract clauses for ICT supply chain (Article 21(d) cross-mapping)
- (e) Network + information system security — Secure data sharing architecture patterns, API security baseline
- (g) Cyber hygiene + training — Staff training module on Data Act + NIS2 dual obligations
- (h) Cryptography + encryption — Encryption-in-transit and at-rest baselines for shared data flows (TLS 1.3, AES-256)
- (i) Access control — Role-based data access policy template, data subject access request (DSAR) workflow
- (j) Multi-factor authentication — MFA enforcement requirements for data sharing platform access
Article 21 governance: Management body accountability matrix mapping Data Act compliance ownership to NIS2 board liability requirements (director personal liability under both regimes).
Article 23 reporting: 24-hour early warning template + 72-hour formal notification template covering cyber incidents that involve data sharing arrangements (dual-regime notification to national CSIRT and data protection authority).
£149.00
One-time payment · No VAT (not registered)
Trust & Delivery
ICO registered ZC112810
UK Information Commissioner's Office data controller registration.
Companies House 16419201
SummitBridge Horizon Ltd — registered 30 April 2025, London.
14-day satisfaction guarantee
See refund policy for full terms.
Sample materials available
Compare with the market
4 direct and adjacent competitors tracked.
| Vendor | Their price | Threat | vs SBH | Their advantages | Our advantages |
|---|---|---|---|---|---|
| Securiti.ai US | — | MEDIUM | — | — | — |
| OneTrust US | $25,000+ /yr | MEDIUM | pricier | — | — |
| IT Governance UK GB | £800+ per assessment | LOW | — | — | — |
| Didomi FR | €400+ /mo | LOW | — | — | — |
Compliance Snapshot
Regulatory posture for this product — for procurement and security teams.
Conformity scaffold in place — formal record not yet published