The EU Data Act takes effect in the Netherlands on September 12, 2025. Learn how it grants citizens, businesses & governments fair access to IoT and cloud data, enabling portability, emergency use, and stronger competition.
What Is the EU Data Act 2025?
The EU Data Act (Regulation (EU) 2023/2854) creates a legal framework that ensures fair access to, and use of, data generated by connected devices and related services. It gives users, including individuals, businesses, and public authorities, the right to access, control, and share data from their devices, ending the exclusive control that manufacturers previously held.
Why the EU Data Act Matters
1. User Control and Data Sharing Rights
Users gain the right to access and share data from their IoT-enabled products (e.g., connected vehicles, smart home devices) with third parties, such as service centres or analytics providers.
2. Emergency Data Access for Public Authorities
In emergencies, like natural disasters or cyberattacks, public authorities may access privately held data to ensure public safety and crisis response.
3. Facilitating Switching of Cloud Services that Drives Competition
Cloud providers must support data interoperability and multi-use options. Switching between cloud providers would be possible with reduced friction and no unfair exit fees.
4. Promoting Clear Contractual Terms
The regulation shields users from predatory clauses in data-sharing agreements and protects their rights in the emerging data economy. There will be more transparency and fairness in data-sharing terms across industries.
The EU Data Act 2025 Takes Effect in the Netherlands
The EU Data Act entered into force on January 11, 2024. Most provisions become legally binding in the Netherlands on September 12, 2025, introducing major regulatory changes.
Legal & Business Implications Netherlands
Under the EU Data Act, businesses operating in the Netherlands must:
- Review and revise contracts involving IoT and cloud data to comply with access, portability, and interoperability obligations.
- Implement secure and efficient data-sharing frameworks for users and third parties.
- Ensure compliance with GDPR and related national laws on data protection.
- Prepare for potential regulatory enforcement and penalties for non-compliance.
Actions for Employers in the Netherlands
The EU Data Act marks a significant shift toward user-centric data governance, promoting fairness, transparency, and market dynamism in the data economy. Most provisions apply from September 12, 2025 in the Netherlands; preparing early ensures that the business:
- Is compliant with new data access and sharing obligations.
- Avoids contractual pitfalls with suppliers and cloud providers.
- Handles employee data responsibly and transparently.
- Maintains operational continuity during audits or emergencies.
1. Data Mapping & Audit
- It is key to identify all devices, products, and services used in the organisation in the Netherlands that generate data (e.g., company vehicles, machinery, IoT devices, smart office tools).
- Map ownership, storage locations, and third-party access to this data.
2. Contractual Agreements Review
Review all contracts with cloud service providers to:
- Ensure they allow data portability and interoperability.
- Confirm timelines and costs for switching providers.
Update terms with IoT device suppliers and service providers to reflect the new data access and sharing framework.
3. Policy Development
Draft or update internal policies on:
- Handling data access requests from clients/customers, employees, and third parties.
- Processes for government authority requests in emergencies.
4. Suppliers and Contractors
If the organisation in the Netherlands provides services or goods to companies in regulated sectors, prepare to demonstrate that the data handling meets cybersecurity and data-sharing standards under the EU Data Act.
5. HR and/or IT Policy Updates
Review and amend HR and/or IT policies and employee handbooks to clarify data generated by employer-provided devices (e.g., company laptops, phones, vehicles). Specify how employees may request access to or share data from such devices.
6. Consultation with the Works Council Netherlands
Engage with the Works Council as early as possible. The changes stem from mandatory legal obligations under the EU Data Act, which the Works Council should be informed about accordingly.
However, the implementation of these obligations in internal employee-related company policies, such as revisions to employee privacy statements or internal employee data handling rules, remains subject to Article 27 WOR. Therefore, Works Council consent is required where such policies directly affect employees’ privacy rights.
More Information
Further action may be required depending on sector-specific rules and whether your business also falls under related frameworks like GDPR, or the Cybersecurity Act Implementation NIS2.
- Business Growth: Select an HR Operating Model for the Future.
- Cybersecurity Act Netherlands: NIS2 Implementation in 2026.
- SBI Code Changes 2025 Netherlands: Check Your Company Code.
- Employment Law Changes Netherlands 2025.




