The EU Data Act and Generative AI: Why Infrastructure Matters More Than Labels

A widely held assumption among generative AI providers, and among the lawyers who advise them, is that the EU Data Act does not materially regulate generative AI. The Act is described as a regime for connected products, industrial telematics and cloud switching. Generative AI, on this view, is governed by the AI Act and sits outside Regulation (EU) 2023/2854. That assumption is becoming difficult to sustain.

The Data Act does not regulate ‘AI’ as a category. It regulates what a system does, and how it is sold. A foundation model exposed to enterprise customers as a metered application programming interface (API) behaves, in legal terms, like a cloud service. A large language model wired into a connected vehicle behaves like a related service. A model running in a European region of a United States large cloud provider is, before anything else, a layer holding non-personal data in the EU. Each of those configurations triggers a different part of the Data Act, and none of them turns on whether the system is described as ‘AI’ in the marketing material. The work is done by the architecture of the service and the terms on which it is sold, not by the label on the box.

AI as a data processing service

Article 1(3)(f) of the Data Act extends the Regulation to ‘providers of data processing services, irrespective of their place of establishment, providing such services to customers in the Union’. Article 2(8) defines such a service as a digital service enabling on-demand network access to a shared pool of configurable, scalable and elastic computing resources, rapidly provisioned and released with minimal management effort. Recital 81 confirms that Infrastructure as a Service, Platform as a Service and Software as a Service, alongside Storage as a Service and Database as a Service, fall within the concept.

The Commission FAQ on the Data Act, in version 1.4 of 22 January 2026, suggests that not every Software as a Service offering qualifies; the hallmarks of the definition must be present cumulatively. Its illustrative carve-out is a music streaming platform, said to be outside Article 2(8) because the customer contracts to receive music rather than to use configurable computing resources.

Applied to generative AI, that test produces a graduated picture. A foundation-model inference API sold to enterprise customers, with token-metered consumption, self-service provisioning and elastic scaling, is difficult to reconcile with an interpretation that excludes it from Chapter VI. The customer is, in substance, buying compute. Hyperscaler-hosted model platforms such as Azure OpenAI Service or Amazon Bedrock sit a fortiori within the chapter, as the underlying cloud is already a data processing service.

Consumer-facing chat products in their default configuration present the closest analogue to the music streaming example. The user contracts for answers, not for compute, and on the Commission’s reasoning probably falls outside Article 2(8). At the enterprise tier the position narrows: where customer-administered workspaces, retention controls, role-based provisioning and the deployment of fine-tuned models are exposed, the functional characteristics begin to resemble the configurable computing environment contemplated by Article 2(8).

Legal-technology offerings call for product-by-product analysis. A vertical legal assistant where the customer contracts for research or drafting outputs, with no ability to provision compute, looks like the streaming case. Multi-tenant platforms with configurable retrieval-augmented generation pipelines and bring-your-own-model options drift towards Article 2(8). And where the wrapper sits on a hyperscaler’s hosted-model service, the underlying data processing service is in scope.

Article 31(1) preserves a carve-out for services ‘of which the majority of main features has been custom-built to accommodate the specific needs of an individual customer’. A bespoke generative AI engagement for one client may qualify. A commercial product offered through a service catalogue will not. The consequences are substantive, including switching obligations, mandatory contractual terms, transparency over infrastructure jurisdiction, and the phased removal of switching charges.

AI as a virtual assistant within connected products

Article 2(6) defines a related service as a digital service connected with a product in such a way that its absence would prevent the product from performing one or more of its functions, or that is connected by the manufacturer or a third party to add to, update or adapt those functions. Article 1(4) extends references to connected products and related services to include ‘virtual assistants insofar as they interact with a connected product or related service’, and Recital 23 confirms that data generated when a user interacts with a connected product via a virtual assistant provided by an entity other than the manufacturer fall within the user’s data access rights.

This raises a more difficult question for generative AI deployments embedded within connected environments. Consider a large language model functioning as the conversational interface of a connected vehicle, a chat assistant integrated into a smart home hub, or a multimodal assistant operating connected industrial equipment. Each places the provider somewhere in the Chapter II data chain, as a data holder or as a third party acting at the user’s direction. The user’s access rights under Articles 3 to 5, the Chapter III obligations to make data available on fair, reasonable and non-discriminatory terms, and the prohibition in Article 6(2)(e) on using accessed data to develop a competing connected product, are then engaged.

AI and third country access obligations

The third route is shorter but no less consequential. Article 32(1) requires providers of data processing services to take ‘all adequate technical, organisational and legal measures, including contracts, in order to prevent international and third-country governmental access and transfer of non-personal data held in the Union where such transfer or access would create a conflict with Union law or with the national law of the relevant Member State’. For United States headquartered foundation model providers operating European regions, and for European customers relying on United States hyperscalers to run inference, Article 32 adds a Data Act obligation in respect of non-personal data that operates alongside Schrems II for personal data and, for financial entities, alongside the third-country access controls of the Digital Operational Resilience Act 

The Data Act’s outer limits

The Regulation provides no route into training data, model weights, or model outputs as such. Recital 15 expressly excludes information inferred or derived by means of ‘proprietary, complex algorithms’. Article 1(5) preserves the primacy of the GDPR and the ePrivacy Directive in case of conflict, and Article 1(8) preserves the intellectual property regime, including Directive (EU) 2019/790 on copyright in the Digital Single Market.

The Data Act framework is itself in motion. The Digital Omnibus Regulation, proposed by the Commission on 19 November 2025 and still in negotiation at the time of writing, would strengthen the trade-secret refusal ground in Article 30(5) and consolidate the broader data acquis into the Data Act. Adoption would tighten, rather than relax, the boundary explored in this post. The Commission FAQ remains non-binding in any event, and the eventual boundary will depend less on sectoral labels than on how expansively the Court of Justice interprets ‘configurable’ and ‘elastic’ computing resources under Article 2(8).

A broader observation

What the analysis discloses is a broader feature of EU digital regulation. The Data Act does not follow industry labels. It follows technical function. The harder question for generative AI providers is therefore no longer whether the Data Act applies in principle, but at what point technical architecture and enterprise functionality bring them within its operational scope.

Ian Gauci is Managing and Founding Partner of GTG Legal.