EU Data Act Bulgaria 2026 | Innovires Legal

Q: What is the compliance deadline?

The main date of application is 12 September 2025. The access by design requirement for new connected products enters into force on 12 September 2026. The full prohibition of switching charges for cloud providers applies from 12 January 2027.

Q: What are the sanctions for a violation?

Sanctions are determined at national level. The example of Malta shows a maximum amount of up to 5% of annual turnover. Bulgaria has not yet established a sanctions regime.

What Is the EU Data Act

Regulation (EU) 2023/2854 of the European Parliament and of the Council on harmonised rules on fair access to and use of data (EU Data Act) was adopted on 13 December 2023 and entered into force on 11 January 2024. The Regulation is directly applicable — it does not require transposition into national law.

The Data Act applies in full from 12 September 2025, but contains phased deadlines for individual obligations:

12 September 2025 — the main date of full application. From this date, users have the right to access data from their connected products, and data holders are obliged to provide such data.
12 September 2026 — the “access by design” requirement enters into force. New connected products placed on the market after this date must be designed so that data generated by them is easily, securely and directly accessible to the user or to third parties at the user’s request.
12 January 2027 — full prohibition of switching charges for cloud providers. Until this date, providers may charge reduced fees, but after it all switching charges are prohibited.

The Regulation complements the existing legal framework, including GDPR, the Open Data Directive (2019/1024), and the Data Governance Act. It does not affect rights and obligations under GDPR — the protection of personal data remains under the regime of Regulation (EU) 2016/679.

Who Is Affected

The Data Act has a broad personal scope. It affects multiple categories of economic operators, regardless of their size, albeit with a lighter regime for micro and small enterprises in certain cases.

Category	Examples	Key Obligations
IoT Manufacturers	Smart home devices, wearables, industrial sensors	Access by design, providing information to users
Connected Cars	Automotive manufacturers, telematics	Access to data from vehicle sensors and on-board electronics
Industrial IoT	Smart manufacturing, predictive maintenance	Sharing machine-generated data with users
Cloud / SaaS Providers	IaaS, PaaS, SaaS platforms	Switching, data porting, functional equivalence
Data-Driven Businesses	Companies processing or receiving IoT data	Fair B2B data sharing, trade secret protection
Public Administration	State and municipal authorities	Right of access to data in cases of exceptional need

The Regulation explicitly excludes micro and small enterprises from data sharing obligations in their capacity as data holders (Art. 7(1)), but they may be affected as manufacturers of connected products or as data recipients.

Rights of Access to IoT Data (Chapters II–III)

Chapters II and III of the Data Act establish the right of users — both natural persons and enterprises — to access data generated by the connected products they use.

Core User Rights

Free access — the user has the right to access data from their connected devices free of charge, without undue delay, and in the same quality as available to the data holder.
Machine-readable format — data must be provided in a structured, commonly used and machine-readable format. Where technically feasible — continuously and in real time.
Sharing with third parties — the user may request that data be shared directly with a third party of their choice. The third party must process the data only for the agreed purposes and may not use it to develop a competing connected product.

Obligations of the Data Holder

Providing data upon request, without undue delay.
Prohibition on using data to undermine the competitive position of the user — for example, by analysing data to derive commercial insights about a competitor.
Prohibition on using data to develop a competing connected product.
Obligation to provide sufficient pre-purchase information — the user must be informed what data will be generated, how and for what purposes it will be processed.

These rights will have a particularly significant impact in the sectors of connected vehicles, smart home devices and industrial IoT, where substantial volumes of data are generated but have until now remained locked within manufacturers’ ecosystems.

Fair B2B Data Sharing (Chapter IV)

Chapter IV of the Data Act introduces rules on the fairness of contractual terms for data sharing between enterprises. The aim is to prevent the abuse of bargaining power by larger market participants.

Requirements for Contractual Terms

Fairness and reasonableness — contractual terms for access to and use of data must be fair, reasonable and non-discriminatory.
Compensation — the data holder may request reasonable compensation for providing data to third parties. For SMEs, compensation may not exceed the direct costs of making the data available.

Blacklist and Greylist of Unfair Clauses

The Regulation introduces a system of blacklisted and greylisted unilaterally imposed contractual clauses, similar to that in consumer law:

Blacklist (Art. 13(3)) — clauses that are always unfair: excluding or limiting liability of the party imposing the clause for intentional acts or gross negligence; excluding remedies for non-performance of contractual obligations.
Greylist (Art. 13(4)) — clauses presumed to be unfair until proven otherwise: granting a unilateral right to interpret the terms; restricting the recipient’s right to use the data.

This protection is particularly important for small and medium-sized enterprises in Bulgaria, which often find themselves in an unequal bargaining position when negotiating with large technology companies for access to data.

Cloud Switching — The End of Vendor Lock-In (Chapter VI)

Chapter VI of the Data Act addresses one of the most significant problems in the cloud services market — the difficulty of switching providers (vendor lock-in). The Regulation introduces specific obligations for providers of data processing services (cloud, edge, SaaS).

Key Requirements

Maximum notice period — the customer must be able to terminate the contract with a maximum of 2 months’ notice.
Transition period — the provider must ensure a 30-day transition period during which the customer can migrate their data and applications.
Elimination of switching charges — from 12 January 2027, all charges for switching providers are prohibited. Until that date, charges are gradually reduced (from 12 September 2025 they may not exceed direct costs).
Data porting — the provider must ensure the possibility of exporting all customer data in a structured, commonly used and machine-readable format.
Functional equivalence — for IaaS services, the Regulation requires ensuring functional equivalence, i.e. a minimum level of functionality in the target environment after migration.

These rules will directly affect all cloud and SaaS providers in Bulgaria, as well as their clients, who will gain significantly greater freedom in choosing and switching providers.

Trade Secret Protection

One of the legitimate concerns of businesses is whether the data sharing obligations under the Data Act could lead to the disclosure of trade secrets. The Regulation explicitly addresses this issue in Art. 4(6)–(8) and Art. 8(6).

Protection Safeguards

Data sharing obligations do not require disclosure of trade secrets — the data holder and data recipient may agree on proportionate technical and organisational measures to preserve the confidentiality of trade secrets.
NDA and technical measures — the data holder may require the recipient to enter into a non-disclosure agreement (NDA), implement technical protection measures (encryption, access control, audit trails) and limit the circle of persons with access.
Right to refuse — the data holder may refuse to share data if it demonstrates that it is “highly likely” that sharing would cause serious economic damage through disclosure of trade secrets, regardless of the protective measures taken.

In the event of a dispute regarding the refusal, the parties may refer the matter to the competent dispute resolution body. This balance is crucial for protecting business innovation and investment while not allowing unjustified restriction of access to data.

Implementation in Bulgaria

As of April 2026, Bulgaria has not adopted national legislation for the implementation of the Data Act. No competent authority within the meaning of Art. 37 of the Regulation has been designated to be responsible for oversight and enforcement at national level.

This does not mean that the Regulation does not apply. As an EU Regulation, the Data Act is directly applicable in all Member States, including Bulgaria. Businesses are obliged to comply with its provisions regardless of the absence of national implementing measures.

Analogy with DSA Implementation

A useful analogy is the implementation of the Digital Services Act (DSA) in Bulgaria. In November 2025, three competent authorities were designated: the Communications Regulation Commission (CRC), the Commission for Personal Data Protection (CPDP), and the Council for Electronic Media (CEM) — each with competence over different aspects of the Regulation. A similar distributed competence model is likely for the Data Act.

Digital Omnibus

In November 2025, the European Commission presented a proposal for the so-called “Digital Omnibus” — a package of amendments to the Data Act, Data Governance Act, Digital Markets Act and AI Act. The proposal aims to simplify obligations, particularly for SMEs, and improve coordination between the individual regulations. These changes are still in the legislative process and will affect the final scope of obligations under the Data Act.

For businesses in Bulgaria, the practical takeaway is clear: preparation for Data Act compliance should not be delayed, even in the absence of national legislation. The Regulation is in force and its obligations are binding.

Sanctions

The Data Act provides that sanctions for violations are to be determined at national level by each Member State. Art. 40 requires that sanctions be effective, proportionate and dissuasive.

Examples from Other Member States

Country	Competent Authority	Maximum Sanction
Malta	MDIA	Up to 5 % of annual turnover
Germany	BNetzA (Bundesnetzagentur)	Under sectoral regulations
Netherlands	ACM (Autoriteit Consument & Markt)	Under sectoral regulations
Bulgaria	Not designated	No regime established

At European level, the European Data Innovation Board (EDIB) coordinates the approach of Member States to enforcement and sanctions. EDIB issues guidelines and recommendations which, while non-binding, shape the general framework for interpreting the Regulation.

The absence of a designated sanctions regime in Bulgaria at present does not mean that violations will not be pursued. Affected parties may bring civil claims before the national courts for breach of the directly applicable Regulation. Moreover, after the designation of a competent authority, an administrative penalty regime is likely to be established, similar to that under GDPR.

Frequently Asked Questions

Do I need a licence to comply with the Data Act?

No. The Data Act does not introduce a licensing regime. The Regulation establishes rights and obligations for certain categories of entities (manufacturers, data holders, cloud providers), but does not require obtaining a special licence or permit. Obligations arise directly from the Regulation based on the activity you carry out.

What is the compliance deadline?

The main date of application is 12 September 2025. From that date, most obligations under the Regulation are in force. The “access by design” requirement for new connected products enters into force on 12 September 2026. The full prohibition of switching charges for cloud providers applies from 12 January 2027.

Does the Data Act affect GDPR?

The Data Act does not repeal or amend GDPR. The two Regulations operate in parallel. Where data from connected products includes personal data, its processing remains under the GDPR regime — including the principles of lawfulness, data minimisation and the rights of data subjects. The data holder must ensure compliance with both Regulations.

Can I refuse to share trade secrets?

Yes, under certain conditions. If the data holder demonstrates that sharing specific data is “highly likely” to cause serious economic damage through the disclosure of trade secrets, it may refuse to share. Before refusing, however, proportionate technical and organisational protective measures must be considered. The decision to refuse is subject to challenge before the competent authority.

What are the sanctions for a violation?

Sanctions are determined at national level by each Member State. The example of Malta shows a maximum amount of up to 5% of annual turnover. Bulgaria has not yet established a sanctions regime, but the Regulation is directly applicable and violations can be pursued by way of civil claims before the national courts.

Does the Data Act affect SaaS businesses?

Yes. SaaS providers fall under the obligations of Chapter VI on cloud switching — including the obligation for data porting, ensuring a 30-day transition period, a maximum notice period of 2 months, and the prohibition of switching charges from 12 January 2027. If the SaaS product generates data from connected devices, obligations under Chapters II–III may also arise.

Has Bulgaria designated a competent authority under the Data Act?

No. As of April 2026, Bulgaria has not designated a competent authority within the meaning of Art. 37 of the Data Act. No specific law for the implementation of the Regulation has been adopted either. The Regulation is, however, directly applicable and the obligations under it are binding, regardless of the absence of national measures.

EU Data Act — What It Means for Business in Bulgaria (2026)