How EU data sovereignty rules could impact UK organizations: what you need to know – 1v1 Video Chat & LIve Streaming & Influencer Subscription

By Kim Larsen

Tech Radar Pro

Tech Radar Gaming

Tech Radar Pro

TechRadar the business technology experts

Search TechRadar

View Profile

België (Nederlands)

Deutschland

North America

US (English)

Australasia

New Zealand

Expert Insights

Website builders

Web hosting

Best website builder
Best web hosting
Best office chairs
Best antivirus
Expert Insights

You may like

Data sovereignty is now a strategic priority

Data streaming: protecting consumers in the AI era

I am a data security expert and here are 5 lessons on cyber security from the Legal Aid Agency cyberattack

To date, several established brands, including British Airways, Marriott International, and TikTok for example, have fallen foul of GDPR fines, and have been ordered to pay penalties as high as £183 million.

But although UK organizations will be impacted by the new EU legislation, and complying will both carry a financial burden and require investing additional time from staff, it is less difficult than it may seem.
You can stay one step ahead of this legislation by properly governing the data you are generating and processing.
You need to account for whose data is being collected, choose a storage vendor that will allow you to move your data easily, and ensure this data is stored in geographical locations that follow relevant legislation.
We will take a look at this in more detail.
1. Changes to data transfer and storage rules
The EU’s new data sovereignty legislation includes stricter rules on where data can be transferred and stored. This means you will need to know where you are storing data you hold on your customers and users, and therefore what national laws apply in that jurisdiction.
You’ll also need to clearly communicate this information, with more granular policies controlling the migration of data, especially if that data involves sensitive or personal information.
2. Increased compliance requirements
EU citizens and organizations must be able to access and view data concerning them, free of charge. They can also authorize a third party to access this data.
Additionally, EU departments and public sector bodies will also have authority to access the data but only if there is an “exceptional need”, for example during a public emergency on the scale of Covid-19, or a natural disaster. Organizations must offer a way to share that data if requested.
3. Cloud and hosting restrictions
Data stored in the cloud must be easy to transfer to and from its location in a way that complies with the Data Act. If your cloud provider does not offer the ability to choose a jurisdiction for your data and is not completely transparent about where it is held at all times, then it may be wise to opt for alternatives that do offer this.
Additionally, for cloud providers, the legislation states they must not make it difficult for their clients to switch company and transfer their data across to a different cloud service.
4. Dual regulatory frameworks
In addition to the EU legislation, the UK has its own laws governing data use, and UK organisations will need to consider both. The Data (Use and Access) Bill was introduced to UK Parliament in October 2024, regulating “the way consumers, businesses and asset owners can safely share data”.
This means UK organizations must navigate a dual regulatory framework: complying with both EU and UK-specific data regulations.
The good news is that UK regulations often align with EU laws, making it easier to meet both sets of requirements. This was evident when the UK adopted its own version of GDPR after Brexit, ensuring regulatory continuity and avoiding major disruptions for cross-border trade.
5. Sanctions for non-compliance
The EU Data Act will be enforced from 12 September 2025, so from this date penalties are expected to be issued for non-compliance. Fines are likely to be dissuasive – aiming to encourage compliance – so they are likely to be hefty.
The legislation says that fines will be set by the nominated data protection authority in the EU member state that raises a claim, so it will vary depending on the member state. Additionally, fines of up to 4% of the organization’s worldwide turnover could be imposed, matching the maximum penalty for a breach of GDPR.
Conclusion: meet data governance head on to strengthen your business
Solid data governance has always been a business strength that gives a competitive edge. Now, however, it is no longer optional but mandatory for UK organizations who do business with the EU.
Ultimately, it’s important to remember that, rather than being a new source of regulatory burden, these rules are intended to open up new markets, and organizations may well be able to capitalize on this. The new laws may well encourage controlled, safe data sharing and processing, as well as more competitive cloud hosting.
Organizations with a firm grip on their data will find complying with the new legislation less of an issue than those who leave their data governance to chance. So now is a great time to assess your data storage policies, review your cloud providers, update any relevant agreements, and ensure compliance – before the rules are enforced.
We’ve featured the best data loss prevention service.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

Social Links Navigation

Kim Larsen is Chief Information Security Officer at Keepit.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Data sovereignty is now a strategic priority

Data streaming: protecting consumers in the AI era

I am a data security expert and here are 5 lessons on cyber security from the Legal Aid Agency cyberattack

DORA: reshaping UK’s financial ecosystem through cyber resilience

How to defend your cloud environments: 7 major rules

Non-US businesses want to cut back on using US cloud systems

Latest in Pro

International Criminal Court says it was hit by sophisticated cyberattack

Even Donald Trump can’t get a good connection for a work video call

Swiss government warns data stolen in third-party ransomware attack

Amazon CEO says AI will mean ‘fewer people doing some of the jobs’ – but will make other jobs more interesting

Amazon now has a million robots on its floors – and they’re now close to outnumbering human workers

Google issues official internal guidance on using AI for coding – and its devs might not be best pleased

Latest in Opinion

Accelerating live sports broadcasting to the speed of light with All-Photonics Networks (APNs)

How business leaders can manage integration of AI

This touching viral AI video of Reddit co-founder Alexis Ohanian’s mom hugging him is also sparking a fiery debate

Apple could launch a cut-price MacBook powered by an iPhone chip, new report claims – here’s why that would be a massive hit

Why 95% of phishing attacks go unreported in healthcare

Beyond backup: why cyber-resilient storage needs AI-powered intelligence