Impact of New EU Data Act on U.S. Businesses: Extraterritorial Reach, Compliance Risks, Operational Challenges

This CLE webinar will provide an overview of the new EU Data Act and its implications for U.S. businesses. The panel will highlight the sections of the Act that are most relevant for U.S. companies, the implications of the Act on data processing and sharing services, compliance challenges and requirements, and immediate steps U.S. companies need to take to ensure compliance.

On Sept. 12, 2025, the new EU Data Act took effect. This new law has sweeping implications for any company offering internet-connected products, related digital services, or cloud and other data processing services in the EU and outside the EU. Even if a company does not directly serve EU customers, the scope of the Act is so broad that if a company's products or services ultimately reach EU users through any supply chain, they must comply with the Act's requirements. The extraterritorial reach of the Act means that it applies to many U.S. businesses. Thus, counsel must understand the obligations and requirements of this new legal framework to ensure their clients are in compliance.

The Act is a significant shift in the governance of data generated by connected devices, particularly the Internet of Things environment. It introduces a comprehensive legal framework geared towards enhancing data portability and interoperability and minimizing dependency on individual service providers. Under the Act, users of covered devices and services, whether businesses or individuals, have the right to switch "data processing services" and the right to the data generated by their connected products. These switching rights can also impact device manufacturers as well as providers of software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). 

In light of the Act's new requirements, companies must assess whether their services and products are governed by the Act, review and update contracts and services to ensure compliance with the new regulatory framework, develop and implement internal processes for managing and responding to data access and portability requests from users and third parties, and protect intellectual property with robust technical and contractual measures before entering into data-sharing agreements. Impacted companies should also increase transparency for users by providing clear and comprehensive information explaining how their data is generated, how it can be accessed, and their rights to such data under the Act. 

Listen as our authoritative panel provides practical considerations and guidance for companies navigating compliance with the Act's new requirements and obligations.