The implementation of the Data Act has contractual consequences for organisations that fall within its scope. This means that organisations should review their contracts so that they are aligned with the new rules regarding data sharing or cloud computing services.
To facilitate the implementation of the Data Act, the Data Act provides that the European Commission will develop model contractual terms (MCTs) for B2B data sharing and standard contractual clauses (SCCs) for cloud computing contracts (and related rules regarding switching to another service provider, namely “cloud switching”) in order to help small and medium-sized organisations comply with the Data Act.
But what are these model contractual terms and standard contractual clauses, and is it advisable for organisations to use them to implement the Data Act?
In this post we answer this question.
Wat is the Data Act?
The Data Act (Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data) aims to create a fairer data economy by imposing obligations for the sharing of data generated by the use of connected products and related services between businesses and, in certain cases, with the public sector.
To achieve this objective, the Data Act introduces, among other things:
- data access rights for users of connected products,
- business-to-business (B2B) data sharing obligations under fair, reasonable and non-discriminatory (FRAND) conditions,
- rules on cloud switching, and
- controls on unfair contractual terms in B2B contracts.
Are the model contractual terms and standard contractual clauses relevant for your organisation?
Before going further into which MCTs and SCCs exist, it is important to first know how the Data Act applies to your organisation. Since there are different sets of MCTs and SCCs, you must know the role of your organisation under the Data Act in order to determine which set you should apply.
If you do not know how the Data Act applies to your organisation, it is useful to examine this first. This allows you to avoid applying the wrong set.
For example, in order to determine whether the rules on cloud switching apply, you must first know whether you provide a so-called data processing service under the Data Act (regardless of whether you provide PaaS, IaaS or SaaS). If you do not provide a data processing service, you do not need to apply the SCCs.
But when do you provide a data processing service? For a data processing service, four key characteristics must be present. These characteristics are the following:
- The service provides access to computing resources, including networks, servers, storage, applications and services;
- The service enables on-demand network access: a customer can unilaterally configure these computing resources that are available via the network and through standard mechanisms, for example via mobile phones, laptops or workstations;
- The service can be rapidly provisioned and released with minimal management effort or interaction from service providers, meaning that unilateral provisioning without significant intervention from the service provider can be performed and quickly deployed, allowing organisations to start using the resources almost immediately;
- The service is flexible and can be rapidly configured; in other words, the solutions can easily scale to meet changing needs and users can upgrade or downgrade demand based on their needs.
What are the model contractual terms and standard contractual clauses?
Article 41 of the Data Act provides the following:
“Before 12 September 2025, the Commission shall develop and recommend non-binding model contractual terms on access to and use of data, including terms on reasonable compensation and the protection of trade secrets, as well as non-binding standard contractual clauses for cloud computing agreements in order to assist parties in drafting and negotiating agreements with fair, reasonable and non-discriminatory contractual rights and obligations.”
Article 41 of the Data Act therefore obliges the European Commission to do two things:
- Draft model contractual terms (MCTs) for data access and use, including provisions on reasonable compensation and the protection of trade secrets.
- Draft standard contractual clauses (SCCs) for cloud computing agreements to help draft and negotiate agreements with fair, reasonable and non-discriminatory contractual rights and obligations.
The European Commission must not only draft these model contractual terms and standard contractual clauses but must also recommend them. The Commission had to do this before 12 September 2025.
The Commission published a draft version of both documents on 19 November 2025. We explain them further below.
What model contractual terms exist?
The Commission has developed three sets of MCTs. Each set is intended to be used in a situation where data sharing is mandatory under the Data Act. These sets are the following:
- Set between the data holder and the user
This set covers the rights and obligations of both parties with regard to access, use, and sharing of data generated by the user through the use of a connected product or related service.
- Set between the user and the data recipient
This set covers the conditions that the recipient chosen by the user must comply with when receiving or using the data.
- Set between the data holder and the data recipient
This set covers the conditions for data sharing by the holder with the chosen recipient and the possible compensation that the data holder receives for sharing the data.
In addition, the Commission has developed an extra set of MCTs for voluntary data sharing for use between the data sharer and the data recipient. This additional set can be used regardless of which entities share the data.
What standard contractual clauses exist?
The Commission has developed three sets of SCCs that translate the cloud switching obligations from the Data Act into contractual clauses that organisations can include in their data processing contracts. These sets are the following:
- SCC Switching & Exit
These standard contractual clauses concern the right to switch, deadlines, and assistance obligations.
- SCC Termination
These standard contractual clauses concern termination conditions and the effects of termination on data.
- SCC Security & Business Continuity
These standard contractual clauses concern the security and continuity of data during migration and the notification of significant incidents.
In addition, the Commission drafted three extra sets of SCCs that strengthen the FRAND principles in order to prevent contractual imbalances from undermining the rights and obligations established under Chapter IV of the Data Act. These sets are the following:
- SCC Non-Dispersion
These ensure contractual transparency by preventing the dispersion of rights and obligations that are difficult for customers to identify and assess.
- SCC Non-Amendment
These avoid unjustified unilateral changes that would allow a cloud provider to circumvent or weaken switching rights after the conclusion of the contract.
- SCC Liability
These help ensure a more balanced allocation of liability between parties, including limiting the unfounded liability of cloud providers.
Is the use of the model contractual terms or standard contractual clauses mandatory?
No, the use of the templates for the model contractual terms or standard contractual clauses is not mandatory.
Organisations may therefore voluntarily choose to use and adapt the model contractual terms and standard contractual clauses. Unlike the standard contractual clauses under the GDPR, the standard contractual clauses under the Data Act may therefore be modified. They therefore serve as templates for organisations.
It is also possible not to use the templates and instead adapt existing contracts to the requirements set out in Chapters II, III and IV of the Data Act.
May I modify the model contractual terms?
You can use the MCTs as a contract, but the parties may also deviate from these clauses if they are not applicable (for example protection of trade secrets).
However, it is important not to use the model contractual terms “blindly”. The European Commission encourages parties to carefully consider several elements when concluding the MCTs, such as the relationship (user or third party), the business need, and the business interest in the data.
For whom are the model contractual terms or standard contractual clauses intended?
In principle, the model contractual terms and standard contractual clauses can be used by all organisations.
However, the main objective of developing the MCTs and SCCs is to support SMEs in implementing the provisions of the Data Act. The MCTs and SCCs are designed to reduce the imbalance between smaller and larger organisations.
Can you use the MCTs and SCCs to easily implement the Data Act?
Yes, provided that you have examined how the Data Act applies to your organisation. Otherwise, you risk using the MCTs and SCCs blindly, which may lead to using them when they are not applicable or to using the wrong set.
Step-by-step plan to determine whether the MCTs and SCCs are useful for your organisation
- Determine whether and how the Data Act applies to your organisation
- Determine which Data Act obligations apply to you
- Determine whether you provide a data processing service
- Examine which set of MCTs or SCCs applies to your situation
- Assess whether applying the MCTs and SCCs is the best choice in your situation
- If you decide to apply the MCTs and SCCs, determine whether and how they fit within your current contracts (e.g. through an amendment or by adding an annex)
- If they do not fit within your current contracts, draft new contracts
- Determine how you can make the new or amended contracts enforceable
