EU Data Act: New Model Contract Terms and Standard Clauses to Facilitate Data Sharing and Cloud Switching

Dec 10, 2025

Summary

The European Commission has now published its Draft Recommendation on non-binding Model Contractual Terms (“MCTs”) and Standard Contractual Clauses (“SCCs”) under Article 41 of the EU Data Act (Regulation (EU) 2023/2854). These templates are particularly aimed at SMEs and provide ready-to-use frameworks for data sharing and cloud computing contracts.

Why this matters

The MCTs and SCCs were developed to help parties implement the Data Act's provisions, to address commercial challenges around ensuring fair data access arrangements and preventing cloud vendor lock-in. For technology lawyers and their clients, these templates provide not only more legal certainty, but also a practical starting point for compliance with the Data Act.

How should you use the terms? 

The MCTs and SCCs are non-binding, voluntary tools aligned with the Data Act and are designed to be adapted by parties. They do not constitute a complete agreement and should therefore form part of the parties’ broader contractual arrangement. Importantly, using the MCTs and/or SCCs does not alter or waive parties' statutory obligations under the Data Act, GDPR or ePrivacy, competition and consumer law, and national mandatory rules, nor do they prevent courts or authorities from setting aside non-compliant terms.

Importantly, the Data Act SCCs do not incorporate GDPR requirements; parties must therefore also add appropriate GDPR controller-processor clauses and international transfer SCCs where needed. GDPR SCCs cannot be modified, but can sit within a broader agreement. MCTs condition any personal-data sharing on a valid GDPR legal basis (and, where relevant, EU ePrivacy or Article 9 GDPR conditions). Use of the Data Act SCCs will therefore not of itself ensure GDPR compliance.

Structure of the MCTs

For mandatory data sharing under Chapters II and III of the Data Act

Chapter II of the Data Act covers business to consumer and business to business data sharing. It establishes obligations for manufacturers to make product data and related service data accessible to users of connected products and related services.

Chapter III of the Data Act addresses obligations for data holders obliged to make data available to data recipients. It establishes that where a data holder is obliged to make data available, it must do so under fair, reasonable and non-discriminatory terms and conditions in a transparent manner.

Three sets of MCTs cover the key relationships between data holders, users, and data recipients of data generated by connected products:

  1. Data Holder to User MCTs cover both parties' rights and obligations for accessing, using, and sharing data generated by the user's use of a connected product or related service. Parties can agree monetary or non-monetary compensation for the holder's uses (e.g., developing products or selling aggregated/derived data), and proportionate compensation if the user accepts limitations on rights or allows third-party sales;
  2. User to Data Recipient MCTs set out the conditions of data use by the data recipient chosen by the user; and
  3. Data Holder to Data Recipient MCTs cover the terms for the data holder's sharing of data with the data recipient chosen by the user and the potential compensation for this. Compensation must be reasonable and itemised, and may include costs of making data available and, except for SMEs/not-for-profits, a margin. For SME/not-for-profit recipients, compensation is capped at direct costs (reproduction, electronic dissemination, storage), with evidence provided.

All three sets are compliant with the Data Act’s rules on unfair contract terms, which stipulate that contractual terms imposed unilaterally on an enterprise are non-binding if unfair.

An additional fourth set of MCTs has been drafted for voluntary data sharing (i.e., sharing any kind of data between any type of entities) to provide a set of contractual terms which meet the fair terms test.

The MCTs all include robust protections for commercially sensitive data, to meet concerns of businesses sharing proprietary information. Data holders cannot refuse access solely because the relevant data comprises trade secrets; they must identify trade-secret data upfront (including in metadata) and in an appendix. If agreed measures are insufficient, the holder may request additional measures and withhold/suspend specific items with substantiated notice (and notify the competent authority). In very exceptional cases (where there is a risk of serious economic damage or user breach of measures), the data holder may suspend or terminate sharing of specific secrets subject to conditions. Remedies for breach of the safeguards include the right to seek erasure, cessation of infringing goods/services, and compensation.

Structure of the SCCs

Three sets of SCCs translate the Data Act’s cloud switching provisions into ready-to-use contractual terms for data processing contracts to tackle cloud vendor lock-in:

  1. SCC Switching & Exit provisions on switching; 
  2. SCC Termination provisions on contract termination; and
  3. SCC Security & Business continuity provisions on security and business continuity during switching, including provider notification of significant incidents.

Three additional SCCs set out fair, reasonable, and non-discriminatory contractual rights and obligations to ensure the rights to switch are not undermined by contractual imbalances:

  1. SCC Non-Dispersion ensuring a transparent contractual environment;
  2. SCC Non-Amendment avoiding unjustified unilateral changes; and
  3. SCC Liability setting out a more balanced liability distribution, including by avoiding unjustified liability limitations by cloud providers.

The SCCs apply to IaaS, PaaS and SaaS offerings that include 'on-demand network access' to shared 'configurable, scalable and elastic' computing resources that can be 'rapidly provisioned and released with minimal management effort or service provider interaction'. Functional-equivalence duties focus on IaaS, whilst PaaS/SaaS providers must provide open interfaces and comply with open interoperability specifications and standards.

What are the practical implications?

  • For technology lawyers (in private practice and in-house): The use of the SCCs is entirely voluntary, but they offer pre-vetted language addressing key obligations around data access rights, compensation, trade secret protection, and unfair terms, providing a solid starting point for drafting Data Act-compliant agreements. The templates do of course require careful adaptation to specific commercial contexts. Notably, the SCCs do not specify the calculation methodology for switching fees applicable during the transitional period before January 2027. Similarly, they remain silent on early termination penalties that may be incurred by customers exercising switching rights. These omissions leave scope for parties to negotiate and complete these commercial terms within the framework provided by the SCCs. While the SCCs are mainly drafted for business-to-business contracts, they can also be used in arrangements between businesses and consumers if the relevant consumer protection rules are also observed.
  • For businesses subject to the Data Act: The MCTs and SCCs reduce the need to negotiate complex data-sharing and cloud terms from scratch, which is particularly valuable for businesses with lean in-house legal teams. They also provide a benchmark for fairness, helping to avoid unilateral terms that could be challenged under Chapter IV of the Data Act.
  • For cloud service negotiations: The SCCs directly address vendor lock-in concerns by standardising switching, exit, and termination provisions, which is critical for businesses seeking flexibility and business continuity.

Development Process and Next Steps

The recommended MCTs and SCCs are based on the report of an expert group, which received regular industry feedback, with 12 public webinars conducted to collect stakeholder feedback and ensure the model contracts were adapted to real-life situations.

The Recommendation published on 20 November 2025 currently contains the MCTs and SCCs in English, with translation into all EU languages expected to take three to four months.

The Commission is also developing:

  • guidelines on reasonable compensation to clarify what can be charged to data recipients for data sharing under Article 5 of the Data Act
  • a Data Act legal helpdesk to assist companies with concrete questions on how to apply the new rules

Taken together, these measures will make the Data Act easier to navigate, reduce costs, and boost legal certainty.

What now?

The Draft Recommendation represents a significant step towards operationalising the Data Act. Technology and data practitioners will need to get familiar with these templates to guide clients on compliance and commercial strategy.

  • Consider incorporating these templates into your standard documentation, adapting as necessary for specific client needs
  • Monitor the forthcoming compensation guidelines and legal helpdesk for additional practical guidance
  • For clients with existing data-sharing or cloud arrangements, consider assessing whether contractual amendments may be advisable to align with these standards

Read more on the topic: The impact of the EU Data Act on data processing services agreements

Meet The Team

Amelda Henning
+44 (0) 20 3400 3004
Anna Blest
+44 (0) 20 3400 4475
This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.