Access to data in the automotive sector: Practices contrary to Regulation (EU) 2023/2854 (Data Act)

In recent years, multiple industries have experienced a progressive consolidation in the provision of critical digital services through SaaS models. This concentration has led to the emergence of ecosystems in which certain data processing service providers effectively act as gatekeepers to third parties’ operational information, imposing commercial, contractual, and organisational barriers on complementary providers seeking to interoperate with their platforms.

The pricing structures, usage restrictions, and intellectual property clauses identified in the integration agreements imposed on complementary providers follow remarkably consistent patterns: API access fees, multipliers linked to the customer’s activity volume, royalties calculated on the complementary tool’s turnover, non-compete obligations, audit rights over the provider’s accounts, and restrictions on the reuse of previously certified integrations.

The automotive sector provides a particularly clear illustration of this dynamic. The Dealer Management System (DMS) constitutes the operational backbone of a dealership, managing customers, vehicles, workshop operations, invoicing, and inventory. Every complementary solution that a dealership chooses to implement — including CRM systems, stock management tools, marketing platforms, business intelligence solutions, AI conversational agents, workshop software, among others — requires integration with the DMS in order to access operational data. It is precisely at this point of connection that the practices described above materialise, structured through so-called Partner Programs: if the complementary provider does not sign, it cannot gain access; and the customer remains restricted to the tools approved by its primary provider, under whatever conditions that provider chooses to impose.

This contractual model is not an isolated issue. In the United States, substantially identical conduct gave rise to the CDK/Reynolds litigation, which was ultimately resolved through settlement agreements exceeding USD 730 million. Spread across the claimant dealerships, that figure represented more than USD 100,000 per affected establishment. In the European Union, Regulation (EU) 2023/2854 (the Data Act) has applied since 12 September 2025, and its scope specifically encompasses these types of arrangements. After eight months of application, the first contractual, regulatory, and litigation trends are beginning to emerge, and the position adopted by each market participant in the coming months will directly affect its ability either to recover amounts paid in excess or, conversely, to adapt before the associated risks materialise.

Applicable Regulatory Framework

Regulation (EU) 2023/2854 (the Data Act) applies directly to the relationship between data processing service providers and complementary providers that connect to them in order to operate for the benefit of a shared customer. The Regulation subjects B2B data access agreements to an unfairness control mechanism, the principal consequence of which is that clauses unilaterally imposed in deviation from good commercial practice are non-binding (Article 13), without the need for prior judicial declaration. It also expressly regulates situations involving the simultaneous use of several data processing services by the same customer (Article 34), imposing obligations on the primary provider not to hinder interoperability, to limit charges to actual technical costs, and to provide open interfaces on fair and equal terms.

In addition to the Data Act, two further legal avenues are particularly relevant in the context described above. The practices implemented by DMS providers, together with the highly concentrated structure of these markets, may amount to an abuse of dominant position under Article 102 TFEU and/or Article 2 of the Spanish Competition Act (Ley de Defensa de la Competencia). Furthermore, certain practices carried out by DMS providers could also qualify as acts of unfair competition insofar as they may unduly distort competitive conditions in the market.

Where such infringements are established, affected dealerships may, where appropriate, bring damages actions against DMS providers in respect of the economic harm arising from those practices.

Implications for Market Participants

The new regulatory framework affects each participant in the ecosystem differently, with distinct consequences that should be anticipated.

• Dealerships and other end users. The additional costs resulting from the restrictions imposed by software providers on data access are ultimately passed on to the end customer and, depending on the level of activity and the number of integrations involved, may amount to tens of thousands of euros per establishment each year. The Regulation expressly recognises the customer’s right to ensure that its data can flow to the tools of its choosing under reasonable conditions, thereby opening the door to reviewing excessive amounts previously paid and renegotiating future contractual terms.
• Complementary solution providers. Partner Programs involving percentage-based royalties on turnover, audit rights over accounts, or non-compete clauses raise clear concerns under the regime established by Article 13 of the Data Act. The consequences may include the non-binding nature of the affected clauses and the possibility of recovering amounts improperly charged pursuant to them. There is also a second dimension to consider: market foreclosure resulting from discriminatory certified-partner practices may give rise to damages claims and to competition law proceedings before the CNMC.
• Primary service providers. Operators acting as the entry point to the ecosystem are now exposed to systematic scrutiny of their integration agreements, together with a significantly higher regulatory and litigation risk than existed prior to the application of the Regulation. Voluntarily adapting Partner Programs to the requirements of the Data Act, before the first claims or complaints succeed, may help to limit exposure and preserve relationships within the partner ecosystem.

The choice between pursuing contractual remedies under the Data Act, filing a complaint before the CNMC, bringing an unfair competition action, or combining several of these avenues will depend on the profile of the operator, the content of the agreements entered into, and the market position of the counterparty. There is no single solution, but the Regulation clearly creates, for the first time, a genuine window of opportunity for action.

The Digital Law & Intellectual Property and Competition Law Departments at EJASO have conducted an in-depth analysis of how Regulation (EU) 2023/2854 applies within these ecosystems and are already advising affected market participants. We assist companies in assessing the compatibility of their integration agreements with the Data Act, identifying potentially unfair clauses, quantifying economic impact, designing contractual renegotiation strategies, evaluating the prospects for damages claims under Directive 2014/104/EU, preparing complaints before the CNMC, and pursuing unfair competition actions before the civil courts. EJASO remains available to support operators across the sector in assessing their position and defining the strategy best suited to their interests.