EU Data Act 2026: What SME owners must know when choosing systems

TLDR
– EU Data Act entered into force January 11, 2024; the transition period ends September 12, 2025 — enforcement starts 2026
– The law applies to all companies producing, collecting or processing data in the EU — including SMEs
– Core requirement: users and companies must be able to export their data in machine-readable format
– Three common mistakes: vendor lock-in contracts, binary export structures, not knowing where your cloud data lives
– Resappi supports Data Act requirements: data exportable in JSON/CSV, all data on EU servers

EU Data Act in brief — what it is, when it applies to you

The EU Data Act (officially Regulation (EU) 2023/2854) is European Commission legislation designed to ensure that data — especially data generated by IoT devices, cloud services and industrial systems — can be used fairly and in a user-centric way.

The regulation was published in the Official Journal in December 2023, entered into force in January 2024, and its transition period ends on September 12, 2025. In practice, 2026 is the first year when requirements are fully enforceable.

Who does the law apply to?

  • Companies of all sizes producing or processing data in the EU
  • Cloud service providers and SaaS companies selling services in the EU
  • Micro and SMEs have some lighter rules in specific areas — but the core data portability requirements apply to everyone

What does the law actually require?

Three core requirements for SMEs:

  1. Data portability: Users and companies have the right to receive their data in machine-readable format and transfer it to another system
  2. No excessive vendor lock-in: Contract terms cannot practically prevent data transfer
  3. Cloud switchability: Customers must be able to switch cloud providers at reasonable cost and on a reasonable timeline

Source: European Commission, Data Act implementation documentation: digital-strategy.ec.europa.eu

The three most common SME mistakes in Data Act readiness

Having reviewed system setups with hundreds of SMEs, these three problems come up repeatedly:

Mistake 1: Vendor lock-in contracts that nobody read

A typical SaaS contract includes a clause saying data will be exported upon termination “within a reasonable time” or “upon request.” What does this mean in practice? Often: 30–90 days, a €500–€2,000 export fee, and data delivered in a format a competitor can’t easily read.

The Data Act changes this situation. Data export must be possible in real-time or within an agreed reasonable timeframe, at reasonable cost, and in a machine-readable standard format (JSON, CSV, XML).

What to do: Review current SaaS contracts for data export clauses. Ask your vendor directly: “In what format can I get my data out, and at what cost?”

Mistake 2: Not knowing where your data actually lives

GDPR forced companies to think about data location earlier. The Data Act reinforces this requirement further. Specifically: is your company’s data on a server outside the EU?

This is not a theoretical concern. Many international SaaS services store data on US servers by default unless an EU location is specifically requested or an additional fee is paid. The Schrems II ruling and its implications remain relevant — EU–US data transfers still require appropriate safeguards.

What to do: Find out the physical location of data for every SaaS service you use. Search the terms of service for “data residency” or “data location.” If unclear, ask the vendor directly and in writing.

Mistake 3: “Export” means PDF, not raw data

In many systems, “data export” means downloading PDF reports or Excel spreadsheets that have lost their structure. That doesn’t fulfill the Data Act’s intent.

Machine-readable data means data can be fed into another system automatically without manual re-entry. JSON or CSV from the customer registry, project data, invoices. Not PDF clippings.

What to do: Ask your vendor for a technical list of available export formats. If the answer mentions only PDF or reports — that’s incomplete portability.

What Data Act requires from the systems you use

The Data Act sets four practical requirements that are worth checking before purchasing a system or renewing contracts:

1. Data export function in standard format

The system must be able to export all relevant data (customers, transactions, contracts, projects) in machine-readable format. Best case: an API from which data can be fetched automatically.

2. No excessive export fees

The Data Act doesn’t ban all fees, but “excessive” fees may be seen as anti-competitive. In practice: the fee must be proportionate to the actual delivery cost.

3. Contract terms support switching

Contracts cannot include clauses that practically prevent a system switch or make it unreasonably expensive. For example: “3-year notice period + 12-month data export freeze” would be problematic.

4. Cloud provider switching

Switching between cloud providers must be possible within a reasonable timeframe and at reasonable cost. This particularly applies to IaaS/PaaS level, but it also flows through to SaaS services.

Examples: which systems are ready and which aren’t?

An honest assessment of commonly used systems in the Finnish SME market. Note: the situation changes constantly as vendors update their products. Always verify the current state with your vendor.

Good Data Act readiness:
– Procountor: API-based data export, JSON/CSV formats available, EU data location (Finland)
– HubSpot: comprehensive export functions, EU data location available, clear APIs
– Google Workspace: EU data location selectable, Takeout function is comprehensive

Room for improvement:
– Many traditional ERP solutions: export often only PDF or Excel, API support limited or subject to additional fees
– Finnish ERP systems vary — some have invested in API development, others haven’t

Resappi: Data exportable in JSON/CSV format from all modules, all data on EU servers (Hetzner, Frankfurt), API documentation openly available. Data Act requirements have been built into the system architecture from the start.

Action checklist for SME owners

Do these five things before 2026:

1. Inventory the systems you use
List all SaaS services and software. Where does your company’s critical data live? Customers, contracts, financial data, projects.

2. Check data location for each system
EU or non-EU? If non-EU, are Standard Contractual Clauses (SCC) or another compliant mechanism in place?

3. Test data export in practice
Download your customer registry from a system. What format is the data in? Can it be opened and read programmatically? Is all relevant data included?

4. Read the contract clauses on data
Search for: “data portability,” “data export,” “termination data,” “migration.” Note any fees or time delays.

5. Ask vendors for a written response
“How have you addressed Data Act requirements in your product?” A good vendor answers directly. A vague answer is itself informative.

Summary: your data is your business asset

The EU Data Act isn’t bureaucracy for its own sake. It’s a response to a real problem: companies have handed control over their own data to external providers who have an incentive to keep customers locked into their system.

The law’s purpose is to return data ownership to you. Use it: choose systems that support data portability, not systems that restrict it.

See how Resappi meets Data Act requirements — or book a 15-minute assessment call to discuss your situation.

Sources
– European Commission, EU Data Act: digital-strategy.ec.europa.eu
– EUR-Lex, Regulation (EU) 2023/2854: eur-lex.europa.eu
– European Data Protection Board: edpb.europa.eu

Related articles
ERP comparison 2026 — what to demand from a system
Procountor + CRM integration and data management fundamentals

Data privacy EU Data Act Regulation SME
Olli Junes
Kirjoittaja
Olli Junes

Resacon perustaja ja CEO. Rakennetaan suomalaisille pk-yrityksille parempaa liiketoimintateknologiaa.

Seuraa LinkedInissä