This final part of our three-part series on the Data Act focuses on the proposed enforcement framework in Ireland, which forms part of the recently published General Scheme of the Data Act.
In the first part of this three-part series, we outlined the framework for data sharing and data access in the context of Connected Products and Related Services (see article here). In the second part, we considered the cloud switching provisions and interoperability provisions pursuant to the Data Act (see article here).
Powers and functions of the competent authorities
The General Scheme of the Data Act (the “General Scheme”) was published on 4 February 2026. It sets out the enforcement framework in Ireland for the Data Act and appoints the Commission for Communications Regulation (“ComReg”) and the Competition and Consumer Protection Commission (“CCPC”) as dual competent authorities for the Data Act.
The CCPC has been designated as the “Data Coordinator” in Ireland. As Data Coordinator, the CCPC will also be responsible for facilitating coordination between competent authorities and will act as the single point of contact for the Data Act, handling requests from other Member States and EU bodies. The General Scheme also proposes to appoint ComReg to oversee the provisions of the Data Act governing cloud switching obligations and the interoperability of data processing services, which we examined in more detail in Part II of our series.
The General Scheme proposes that the Data Protection Commission (“DPC”), as the only supervisory authority for the GDPR, may (within the scope of its own competence) impose administrative fines in accordance with Article 83 of the GDPR for infringements of obligations related to data sharing and data access, including by public sector bodies, as discussed in greater detail in the first part of this series.
What entities are in scope of the General Scheme?
Entities which come within the scope of the Data Act will be subject to the enforcement framework of the EU member state in which they are established. Where an entity is established in more than one member state, it will fall under the competence of the member state where it has its head or registered office from which the entity is controlled. Consideration should therefore be given to the location where decisions are made within the EU. Any entity with a main establishment in Ireland will be subject to the Irish enforcement framework.
Entities that do not have an office in the EU, but that still fall within the scope of the Data Act due to selling connected products or making related services available in the EU, are required to designate a legal representative in a member state. This legal representative will then be the contact point for the competent authorities under the Data Act, rather than the entity itself. Such an entity will be subject to the jurisdiction of the member state where the legal representative is based. This allows such entities to choose which enforcement framework is most favourable to them.
It is important that any entity that is selling connected products or making related services available in the EU, but which does not have an establishment in the EU, nominates a legal representative without delay. Where an entity should appoint a legal representative under the Data Act but has not yet done so, it will be subject to enforcement from any member state in which it sells goods or services.
What are the penalties for non-compliance?
Fines under the Data Act will be determined by the competent authorities and must be “effective, proportionate and dissuasive”. The General Scheme proposes to impose the following penalties:
- an administrative fine not exceeding 4% of the infringing party’s annual turnover in the preceding financial year in the Union; and
- an administrative fine on an individual or natural person for breach of a contravention notice issued by the CCPC, not exceeding €500,000 and/or 10 years’ imprisonment on indictment, or a fine of €5,000 and/or 12 months’ imprisonment on summary conviction.
Article 40(4) notes that for infringements related to data sharing and data access under the Data Act, the DPC may impose administrative fines in accordance with the GDPR, i.e. the higher of €20 million or 4% of worldwide annual turnover.
Enforcement powers of the CCPC
The General Scheme proposes to give certain powers of enforcement to the CCPC, including powers to:
- appoint an authorised officer to conduct investigations and make decisions on their findings;
- issue Compliance Notices to undertakings that infringe their obligations under the Data Act;
- initiate an investigation of its own accord if it suspects an infringement has occurred, in addition to being able to conduct an investigation solely on foot of receiving a complaint; and
- make decisions based on reports received from the authorised officer.
Enforcement powers of ComReg
The General Scheme further proposes to provide a number of powers to ComReg, including powers to:
- appoint an authorised officer for the purposes of implementation and enforcement of provisions of the Data Act that are within ComReg’s remit. These officers are empowered, among other things, to conduct on-premises investigations, demand documents be provided to them and demand assistance from employees and on-site personnel;
- direct an entity or individual suspected to be in breach of the Data Act to take interim measures to remedy the breach. Further, the High Court may, by order, require that, on the expiry of any specified urgent interim measure imposed by ComReg, the breach or conduct cease immediately or within a reasonable time period, and that specified measures be taken to remedy the breach or the effects of the conduct concerned;
- decide written agreements to resolve a suspected breach of a regulatory obligation within their remit;
- issue a notice of objection to a person / entity where ComReg has formed the preliminary view that a breach has occurred or has evidence that the person / entity has breached their obligations under the Data Act;
- refer a suspected breach of the Data Act for adjudication by independent adjudicators; and
- engage with other regulators, third-party enforcement agencies and expert consultants in relation to enforcement with third parties. This is intended to cover other regulators, any third parties affected by the enforcement, and consultation with experts.
Next steps
Following on from the publication of the General Scheme, the Joint Committee on Enterprise, Tourism and Employment sought written submissions from interested parties as part of its pre-legislative scrutiny. This feedback period has now closed, and the General Scheme will continue to undergo pre-legislative scrutiny, followed by drafting of the Data Bill and its passage through Dáil Éireann and Seanad Éireann. We will continue to monitor the progress of the Data Bill and provide relevant updates as it progresses.
Contact us
If you have any questions on anything contained in this article or on the Data Act in general, please feel free to reach out to a member of the Technology and Innovation Group or your usual Matheson contact.
