How EU data sovereignty rules could impact UK organizations: what you need to know


If you think you do not need to worry about the EU's new Data Act and its rules around data sovereignty, think again. It is easy to assume that because this legislation applies in EU member states, UK organizations can continue to process and store data exactly as before. But an organization that ignores the new rules on where data is held, and who can access and move it, could find itself in hot water.

And now, with global politics in flux, data sovereignty is under more scrutiny than ever. The Data Act aims to give EU organizations, users and public bodies control over the data generated by connected products and services, regulating how it is collected, processed, stored and shared. It is intended to reduce dependence on individual non-EU cloud providers and to enable secure data sharing between organizations while keeping that data under EU oversight.

Kim Larsen, Chief Information Security Officer at Keepit.

Crucially, the regulation applies according to where products and services are placed on the market and where their users are located, not according to where the provider is based; UK companies that sell connected products or related services, including cloud services, to users in the EU must also follow these rules. This is not the first time that EU data regulations have reached into the UK. Perhaps the biggest data privacy law in history, the General Data Protection Regulation (GDPR), came into force in 2018 and applies to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour, covering the personal data of the EU's roughly 448 million residents.

To date, several established brands, including British Airways, Marriott International and TikTok, have fallen foul of GDPR enforcement. The UK regulator initially proposed a £183 million fine for British Airways, later reduced to £20 million, and the Irish data protection authority fined TikTok €345 million in 2023.

But although UK organizations will be affected by the new EU legislation, and complying will cost money and staff time, it is less difficult than it may seem.

You can stay one step ahead of this legislation by properly governing the data you are generating and processing.

You need to account for whose data is being collected, choose a storage vendor that will allow you to move your data easily, and ensure this data is stored in geographical locations that follow relevant legislation.

We will take a look at this in more detail.

1. Changes to data transfer and storage rules

The EU's new data sovereignty legislation adds rules on where data can be transferred and stored, and on who can be given access to it. In particular, providers of data processing services must take measures to prevent unlawful access by non-EU governments to non-personal data held in the EU, on top of GDPR's existing restrictions on international transfers of personal data. This means you will need to know where you are storing the data you hold on your customers and users, and therefore which national laws apply in that jurisdiction.

You’ll also need to clearly communicate this information, with more granular policies controlling the migration of data, especially if that data involves sensitive or personal information.

2. Increased compliance requirements

Users of connected products and related services in the EU, whether individuals or organizations, must be able to access the data generated by their use of those products, free of charge. They can also authorize a third party to receive that data on their behalf.

Additionally, EU institutions and Member State public sector bodies will be able to require access to data, but only where there is an "exceptional need", for example to respond to a public emergency on the scale of Covid-19 or a natural disaster. Data holders must be able to make the requested data available when such a request is made.

3. Cloud and hosting restrictions

Data stored in the cloud must be easy to transfer to and from its location in a way that complies with the Data Act. If your cloud provider does not let you choose the jurisdiction in which your data is held, or is not transparent about where it is held at all times, it may be wise to look at alternatives that do.

Additionally, the legislation requires cloud providers to remove obstacles that make it difficult for their customers to switch provider and move their data to a different cloud service, and the charges providers may levy for switching are to be phased out entirely from 12 January 2027.

4. Dual regulatory frameworks

In addition to the EU legislation, the UK has its own laws governing data use, and UK organizations will need to consider both. The Data (Use and Access) Bill was introduced to the UK Parliament in October 2024, regulating "the way consumers, businesses and asset owners can safely share data".

This means UK organizations must navigate a dual regulatory framework: complying with both EU and UK-specific data regulations.

The good news is that UK regulations often align with EU laws, making it easier to meet both sets of requirements. This was evident when the UK adopted its own version of GDPR after Brexit, ensuring regulatory continuity and avoiding major disruptions for cross-border trade.

5. Sanctions for non-compliance

The EU Data Act applies from 12 September 2025, so from that date penalties can be issued for non-compliance. The Act requires Member States' penalties to be effective, proportionate and dissuasive, so fines are likely to be hefty.

The legislation leaves it to each EU member state to set its own penalty regime and to designate the authorities that enforce it, so the exact level of fines will vary from state to state. Where personal data is involved, the national data protection authorities can impose GDPR-level fines, that is up to €20 million or 4% of the organization's total worldwide annual turnover, whichever is higher.

Conclusion: meet data governance head on to strengthen your business

Solid data governance has always been a business strength that gives a competitive edge. Now, however, it is no longer optional but mandatory for UK organizations that do business with the EU.

Ultimately, it’s important to remember that, rather than being a new source of regulatory burden, these rules are intended to open up new markets, and organizations may well be able to capitalize on this. The new laws may well encourage controlled, safe data sharing and processing, as well as more competitive cloud hosting.

Organizations with a firm grip on their data will find complying with the new legislation less of an issue than those who leave their data governance to chance. So now is a great time to assess your data storage policies, review your cloud providers, update any relevant agreements, and ensure compliance - before the rules are enforced.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Kim Larsen is Chief Information Security Officer at Keepit.
