The EU Data Act: What It Means for Your Business

The EU Data Act, which entered into force in January 2024 and becomes applicable from September 2025, represents one of the most significant pieces of data legislation since the GDPR. While much of the public discussion has focused on its implications for IoT manufacturers and cloud switching rights, the Act has profound consequences for how European businesses select and govern their collaboration infrastructure.

What the Data Act actually requires

At its core, the Data Act establishes rules about who can access and use data generated by connected products and related services. For enterprise collaboration platforms, several provisions are particularly relevant.

First, the Act enshrines the right to switch between cloud service providers without undue delay, excessive fees, or data loss. This means that organisations must be able to extract their data — messages, files, call recordings, metadata — from one platform and migrate it to another. Vendors that lock customers in through proprietary data formats or artificial export barriers will find themselves on the wrong side of the regulation.

Second, the Act introduces safeguards against unlawful international data transfers. Article 27 explicitly requires cloud service providers to take reasonable technical, legal, and organisational measures to prevent government access to non-personal data held in the EU where such access would conflict with EU law. This provision directly addresses the tension created by the US CLOUD Act, which allows American authorities to demand data from US companies regardless of where it is stored.

Third, the Act mandates interoperability requirements for data processing services, laying the groundwork for customers to use multiple services in combination without artificial barriers.

Why this matters for collaboration tools

Consider the typical enterprise collaboration stack: video conferencing, messaging, file sharing, and increasingly, AI-powered features like transcription and summarisation. These tools process enormous volumes of sensitive data — strategic discussions, personnel matters, financial deliberations, legal counsel, intellectual property.

Under the Data Act, organisations bear responsibility for ensuring that their collaboration vendors can demonstrably comply with the data protection safeguards. This goes beyond checking a box on a vendor assessment form. It requires understanding the vendor’s legal jurisdiction, their technical architecture for data isolation, and their ability to resist foreign government access requests.

For many European organisations, this creates an uncomfortable reckoning. The dominant collaboration platforms are operated by US-headquartered companies. Regardless of where they locate their data centres, these companies remain subject to the CLOUD Act and other US legal instruments that can compel disclosure.

The practical compliance checklist

Based on our reading of the Act and conversations with compliance teams across European enterprises, here is what organisations should be evaluating in their collaboration tools.

Data portability. Can you export all your data — messages, files, metadata, user directories, call recordings — in standard, documented formats? Is there an API for automated extraction? What happens to your data if you terminate the contract?

Jurisdictional clarity. Where is the vendor incorporated? What legal jurisdiction governs the service? Could a foreign government compel the vendor to hand over your data? Is there a subsidiary structure that might create indirect foreign jurisdiction?

Technical safeguards. Does the platform offer end-to-end encryption? If so, who holds the keys? Can you bring your own encryption keys? Is the encryption architecture documented and auditable?

Infrastructure sovereignty. Where does the data physically reside? Who operates the underlying cloud infrastructure? Is the cloud provider itself subject to foreign jurisdiction?

Switching costs. What would it take to migrate to an alternative platform? Are there contractual penalties? Does the vendor support standard protocols and formats?

Interoperability. Can the platform integrate with other tools in your stack without proprietary lock-in? Does it support open standards?

How Mandraki addresses these requirements

We built Mandraki with the Data Act’s principles in mind from the beginning, not as a retrofit.

All data resides on a European-owned hyperscaler subject exclusively to EU jurisdiction. Mandraki itself is a European company with no US parent or subsidiary. Our three-layer encryption architecture, including Bring Your Own Key support, ensures that organisations retain cryptographic control over their data. Full data export is available through documented APIs. And our cross-organisation federation protocol is built on open, documented standards.

We do not claim that compliance is ever simple. The regulatory landscape is complex and evolving. But we do believe that starting with the right architectural and jurisdictional foundations makes compliance achievable rather than aspirational.

Looking ahead

The Data Act is part of a broader European digital strategy that includes the AI Act, the Digital Markets Act, the Digital Services Act, NIS2, and DORA. Together, these regulations are reshaping the expectations placed on technology vendors operating in Europe.

For European organisations, the message is clear: the tools you use for daily collaboration are no longer just an IT procurement decision. They are a compliance decision, a risk management decision, and increasingly, a strategic decision about digital autonomy.

The good news is that the European technology ecosystem is maturing rapidly. Sovereign cloud infrastructure is available. Compliant collaboration tools exist. The path forward does not require waiting for American vendors to adapt to European rules. It requires choosing European solutions that were built for them from the start.