Data Act Update: EU Expert Report provides Templates for Data and Cloud Contracts as Guidance

The European Commission published the final report of the Expert Group on B2B data exchange and cloud computing contracts on April 2, 2025 (available at: Register of Commission expert groups and other similar entities).

The report addresses the model contractual terms (MCTs) for data access and usage, as well as standard contractual clauses (SCCs) for cloud computing contracts, created by the expert group. These templates aim to facilitate the practical implementation of the EU Data Act (see also: https://www.ypog.law/insight/countdown-data-act), whose extensive new rules on data access and usage (especially from connected products - IoT) and cloud contracts will largely apply from September 12, 2025. 

The report offers an important and particularly practical tool for all companies that use data from connected products, share data, or use cloud services. 

Who created the report and why is it relevant? 

The expert group was established by the EU Commission in 2022 to develop non-binding MCTs and SCCs in accordance with Article 41 of the Data Act. The group consists of 17 independent experts (mainly lawyers, but also practitioners and academics), whose drafts were intensively discussed and revised in (partly public) consultations and webinars. 

The aim of the clauses is to support the negotiation and conclusion of fair, reasonable, non-discriminatory, and balanced contracts – especially for small and medium-sized enterprises (SMEs) that may not have the resources to develop their own contractual frameworks. 

Although the clauses are voluntary and non-binding, they provide valuable guidance to meet the complex requirements of the Data Act. They are primarily designed for B2B relationships but can also be used in B2C contexts with additional provisions. 

Who is the guideline particularly aimed at? 

The guideline (and the underlying report) is aimed at a broad target group, particularly: 

• Manufacturers of IoT devices: As they need to regulate access to the data generated by their devices.
• Cloud service providers: To adapt their contracts to the requirements of the Data Act.
• Companies that use data: To make fair and legally secure agreements on data usage (e.g., in the context of Industry 4.0 or Smart Home).
• Legal departments: Involved in drafting and reviewing data and cloud contracts. 

Engaging with these templates is essential for these target groups to minimize compliance risks and create fair business relationships. 

Overview of the Model Contractual Terms (MCTs) for Data Exchange 

The MCTs are intended to help implement the rules of the Data Act on data access and usage (Chapters II-IV) contractually. They are designed as complete contract templates for specific data exchange scenarios. 

• Purpose and Nature: The MCTs are voluntary, non-binding templates. They aim to ensure fair, reasonable, and non-discriminatory rights and obligations, including provisions on remuneration and the protection of trade secrets. Companies can use them as a guide and adapt them to their specific needs – for example, gray-shaded fields in the annexes indicate customization needs, while gray boxes contain additional information and definitions from the Data Act. 
• Different MCT Sets for Typical Scenarios: The report includes four different sets of MCTs covering various constellations:  

• Annex I: Contracts between data holders (e.g., manufacturers) and users of connected products/connected services. Regulates, among other things, the use of data by the data holder and data access for the user upon request (according to Art. 4 Data Act). 
• Annex II: Contracts between users and data recipients (third parties) when the user requests the data holder to share data with the third party (according to Art. 5 Data Act). 
• Annex III: Contracts between data holders and data recipients when the data holder must provide data to the third party upon the user's request (according to Art. 5 Data Act). 
• Annex IV: Contracts for voluntary data sharing between a data provider ("Data Sharer") and a data recipient, regardless of a user request. 

• Core Contents (Examples):  The MCTs typically cover the following aspects (varies by annex): 

• Definition of the parties (manufacturer/data holder, user, data recipient) and their roles/duties, as well as the affected products/services. 
• Specification of the affected data. 
• Provisions on data usage and sharing by the data holder and the user/data recipient. 
• Provisions for data access upon request (quality, format, metadata, timeframe). 
• Protection of trade secrets (identification, protective measures, refusal rights under strict conditions). 
• General provisions such as (1) rules on (reasonable) remuneration; (2) liability and remedies for breach of contract; and (3) term and termination. 

• Relation to the Data Act: The MCTs are designed to facilitate the implementation of the requirements from Chapters II-IV of the Data Act and support compliance with the rights and obligations established therein. 

Overview of the Standard Contractual Clauses (SCCs) for Data Processing Services and Cloud Computing 

The SCCs aim to promote fair, reasonable, and non-discriminatory conditions in cloud contracts and particularly facilitate provider switching ("Switching"), as provided in Chapters VI and VIII of the Data Act. Unlike the MCTs, the SCCs are designed as individual, modular clauses that can be inserted into existing or new data processing contracts (e.g., Cloud Service Agreements). 

• Purpose and Nature: The SCCs are also voluntary and non-binding. They are intended to serve as best practice guidelines for customers and providers. Detailed explanations are included both in the introductions and in the concluding information points of the respective SCCs. 
• SCC-Modules: The report proposes provisions for the following areas: 

• General: Contains general provisions and definitions relevant to all SCCs. 
• Switching & Exit: Regulates the process of switching to another provider or to an on-premise infrastructure in detail, including timelines (max. 30 days transition period), support obligations of the provider, and rules on export data. Includes options for a detailed switching plan or the use of automated tools. 
• Security & Business Continuity: Focuses on maintaining a high level of security and business continuity during the switch. 
• Non-Dispersion: Aims at transparency and easy access to all relevant contract documents and information to reduce information asymmetries. 
• Termination: Addresses contract termination in connection with the switching process. 
• Liability: Provides building blocks for balanced liability provisions. 
• Contract Adjustment: Regulates the conditions under which unilateral contract changes (exceptionally) are permissible to ensure legal certainty. 

• Practical Significance: These clauses address key challenges in cloud contracts. They strengthen the position of customers, especially in provider switching (a core right in the Data Act), promote fair contract conditions, and increase transparency. They thus contribute to legal certainty in cloud computing contracts. 
• Relation to the Data Act: The SCCs help implement the requirements from Chapters VI (especially Switching) and VIII (Interoperability of data processing services) of the Data Act. 

Practical Significance – Your Next Steps 

The Data Act will fundamentally change how companies access, use, and share data, as well as how they procure cloud services. The application date of September 12, 2025, is approaching. Companies should therefore act now: 

1. Review and adjust contracts: Existing contracts (supply contracts for connected products, service contracts related to connected services, IoT contracts, cloud contracts, data usage agreements) must be reviewed for compliance with the Data Act and adjusted if necessary. The MCTs and SCCs provide valuable guidance for this. 
2. Design new contracts: When concluding new contracts, the requirements of the Data Act should be considered from the outset. The model clauses can serve as a basis for negotiation and formulation. 
3. Adjust internal processes: Companies must ensure that they can handle data access requests (from users or third parties on behalf of users) in accordance with the Data Act. 
4. Recognize opportunities: The Data Act also opens up new opportunities to use data and develop innovative, data-driven services. Fair contract conditions, as promoted by the MCTs/SCCs, are an important foundation for this. 

The newly presented MCTs and SCCs are recommendations from the expert group to the Commission. The final recommendation of the EU Commission is expected by September 12, 2025, but is anticipated by summer 2025. Until then, the expert group's report provides detailed guidance for revising and drafting contracts. However, it should be noted that the clauses must be adapted to the respective product, usage behavior, and interests of the parties – the expert group's goal was to create a broad framework for orientation, not individual case regulations. Their practical success will depend on how widely they are adopted by the market and whether they become a de facto standard, or whether large providers continue to rely on their own amended provisions. 

Your Next Steps 

The implementation of the Data Act and the use of the new model clauses raise complex legal questions in software law, IP law, and contract law. We are happy to support you on the path to Data Act compliance and the opportunities it presents for your company: 

• Analysis of your existing contracts in relation to the Data Act. 
• Adjustment and design of Data Act-compliant contracts considering the MCTs and SCCs. 
• Advice on data licensing and protection of trade secrets in the context of the Data Act. 
• Support in negotiations with business partners and suppliers. 
  
  

Feel free to contact us for a non-binding initial consultation!

Download YPOG Briefing: Data Act Update: EU Expert Report Provides Templates for Data and Cloud Contracts as Guidance