LIVE · v1.3 STABLE
BUILD 2026.05.27
REG. 2023/2854
AGPL-3.0 · 8 EVAL CASES · 0 ASSERTIONS

DATA ACT
ANALYSIS
by ROLE
× CHAPTER.

Practitioner-grade analysis and drafting on Regulation (EU) 2023/2854. Positions every matter on a role × chapter × stage anchor, then runs a seven-step cognitive method with gate checks for GDPR overlay, trade secrets, DMA gatekeeper exclusion, and sectoral lex specialis — for output the lawyer adopts with minimal edit.

REG. 2023/2854   ·   CHAPTERS II-VIII   ·   ART. 4(1)   ·   ART. 5(1)   ·   ART. 13 UNFAIR TERMS   ·   ART. 25 SWITCHING   ·   ART. 32 THIRD-COUNTRY   ·   TSD 2016/943   ·   GDPR 2016/679   ·   DMA 2022/1925   ·   ePRIVACY 2002/58/EC   ·   COM(2025) 833 FINAL   ·   REG. 2023/2854   ·   CHAPTERS II-VIII   ·   ART. 4(1)   ·   ART. 5(1)   ·   ART. 13 UNFAIR TERMS   ·   ART. 25 SWITCHING   ·   ART. 32 THIRD-COUNTRY   ·   TSD 2016/943   ·   GDPR 2016/679   ·   DMA 2022/1925   ·   ePRIVACY 2002/58/EC   ·   COM(2025) 833 FINAL
§ 01 · CAPABILITIES

SIX PRIMITIVES.
One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
ROLE × CHAPTER × STAGE
Positions every matter on the anchor: which Data Act roles the parties play, which chapter (II-VIII) governs, which stage the matter is at. The anchor determines which references and templates load.
02
SEVEN-STEP METHOD
A seven-step cognitive flow applied to every substantive matter. Role mapping is the most consequential step; output that hides the mapping is treated as unreliable.
03
CROSS-REGIME GATES
Five gates: GDPR/ePrivacy overlay, Trade Secrets Directive, DMA gatekeeper exclusion, sectoral lex specialis (warn-only), and Member State implementing law (warn-only).
04
VERBATIM SOURCING
Quotes the Data Act and Commission FAQ from local source files in Art. N(M) / Recital N notation. Never paraphrases the regulation from training data.
05
SCENARIO ROUTING
24 pre-walked scenario cards mapped to common role × chapter × stage anchors. Cards are accelerators, not gatekeepers; unmapped prompts fall back to the seven-step method.
06
OMNIBUS DISCIPLINE
States current law first, then flags the Digital Omnibus proposal (COM(2025) 833 final) where it affects Arts. 4(8), 5(11), 15, 25, 31, with status: co-legislator negotiation, not adopted.
§ 02 · WORKFLOW

FROM INPUT
to ARTEFACT.

Nine structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Infer the anchor
Read the prompt for chapter (topic), stage (verb), and any named roles. Ask only for unresolved fields that change the analysis — one question at a time, not checklists.
02
Load method and house-style
Read analysis-method.md (seven-step flow) and house-style.md (citation and output conventions) before any substantive work.
03
Map the roles
For every entity, identify Data Act role(s) and any concurrent GDPR role(s). Roles can be concurrent and can shift across phases. The mapping is made explicit in the output.
04
Fix chapter and stage
Identify which chapter(s) govern (II-VIII). Cross-chapter matters get separate analyses per chapter, not blended. Pin the stage: design, request, response, refusal, enforcement.
05
Run the gates
Fire GDPR overlay, Trade Secrets Directive, DMA gatekeeper, sectoral lex specialis, and Member State gates as the facts trigger them. State each result in the output, not a footnote.
06
Apply the test, limb by limb
Work multi-limb tests one limb at a time. For Art. 4(8)/5(11) refusal, the serious AND irreparable damage conjunction must be shown — trade-secret status alone is refused.
07
State temporal applicability
Anchor the answer to contract-conclusion and product-placement dates where applicability turns on them. Flag the Digital Omnibus on any affected provision.
08
Lead with the answer
No preamble, no restating the prompt. Practitioner voice: no em dashes, no Furthermore/Moreover, no CYA padding.
09
Lint before delivery
Run check_house_style.py against the generated deliverable (path argument required). Fix every finding before the output ships.
§ 03 · ANATOMY

WHAT'S
IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.

eu-data-act/
├── evals  # Test cases + assertions
│   ├── evals.json  # 8 cases, 0 assertions
│   └── grading.md
├── references  # Reference corpus
│   ├── gates
│   │   ├── dma-gatekeeper.md
│   │   ├── gdpr-overlay.md
│   │   ├── member-state.md
│   │   ├── sectoral-lex-specialis.md
│   │   └── trade-secrets-directive.md
│   ├── method
│   │   ├── analysis-method.md
│   │   └── house-style.md
│   ├── scenarios
│   │   ├── ch2-data-holder-response.md
│   │   ├── ch2-pre-contract-transparency.md
│   │   ├── ch2-safety-security-handbrake.md
│   │   ├── ch2-third-party-permitted-use.md
│   │   ├── ch2-trade-secret-stage-3-refusal.md
│   │   ├── ch2-trade-secret-stages-1-2.md
│   │   ├── ch2-user-direct-request.md
│   │   ├── ch2-user-third-party-request.md
│   │   ├── ch3-compensation-challenge.md
│   │   ├── ch3-frand-terms.md
│   │   ├── ch4-contract-drafting.md
│   │   ├── ch4-unfairness-challenge.md
│   │   ├── ch5-cross-border-cooperation.md
│   │   ├── ch5-decline-or-modify.md
│   │   ├── ch5-request-preparation.md
│   │   ├── ch6-charges.md
│   │   ├── ch6-custom-built-carve-out.md
│   │   ├── ch6-customer-contract-review.md
│   │   ├── ch6-provider-compliance.md
│   │   ├── ch6-switching-execution.md
│   │   ├── ch7-third-country-request.md
│   │   ├── cross-gap-analysis.md
│   │   ├── cross-gdpr-boundary.md
│   │   └── cross-omnibus-impact.md
│   └── gotchas.md
├── scripts
│   ├── check_house_style.py
│   └── validate_sources.py
├── sources
│   ├── _archive
│   ├── _manifest.sha256
│   ├── _versions.json
│   ├── digital-omnibus-amendments-tracker.md
│   ├── faq-v1-4.md
│   ├── mcts-sccs-recommendation-pointer.md
│   ├── regulation-2023-2854.md
│   └── vehicle-data-guidance-pointer.md
├── styles
├── templates
│   ├── _drafter-notes
│   │   ├── art13-unfairness-challenge.md
│   │   ├── art17-public-sector-request.md
│   │   ├── art18-decline-letter.md
│   │   ├── art25-customer-side-clauses.md
│   │   ├── art31-custom-built-assessment.md
│   │   ├── art32-third-country-assessment.md
│   │   ├── art4-1-data-holder-response.md
│   │   ├── art4-1-user-request.md
│   │   ├── art4-2-safety-handbrake-notice.md
│   │   ├── art4-6-trade-secret-safeguards-agreement.md
│   │   ├── art4-7-withholding-notice.md
│   │   ├── art4-8-refusal-letter.md
│   │   ├── art5-1-third-party-request.md
│   │   ├── art6-third-party-recipient-contract.md
│   │   └── art9-compensation-statement.md
│   ├── art13-unfairness-challenge.md
│   ├── art17-public-sector-request.md
│   ├── art18-decline-letter.md
│   ├── art25-customer-side-clauses.md
│   ├── art31-custom-built-assessment.md
│   ├── art32-third-country-assessment.md
│   ├── art4-1-data-holder-response.md
│   ├── art4-1-user-request.md
│   ├── art4-2-safety-handbrake-notice.md
│   ├── art4-6-trade-secret-safeguards-agreement.md
│   ├── art4-7-withholding-notice.md
│   ├── art4-8-refusal-letter.md
│   ├── art5-1-third-party-request.md
│   ├── art6-third-party-recipient-contract.md
│   └── art9-compensation-statement.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 04 · DEPLOYMENT

INSTALL
and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire eu-data-act/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r eu-data-act/ \
   ~/.claude/skills/user/
§ 05 · OUTPUTS

WHAT YOU
get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Practitioner memo
Role mapping by phase, chapter and stage fixed, gate results stated inline, multi-limb tests applied one limb at a time, assumptions flagged.
Data Act notice or letter
Drafting from 15 templates routed by scenario card. The Art. 4(8) refusal letter uses the eight-step TSD-gate structure with irreparability standing alone.
Contract review
Data-sharing, FRAND (Ch III), unfair-term (Art. 13), or cloud-switching (Art. 25) contract reviewed against the mandatory terms and three-test structures.
Gap analysis
Multi-chapter compliance review across the governing chapters, with the GDPR/Data-Act boundary allocated (Case A/B) and Omnibus impact flagged.
Refusal with redirect
Where the analysis as posed would be wrong (weak Art. 4(8) facts, sectoral specifics, unverified MS law), the skill explains why and states what to do instead.
§ 06 · EVALS

TESTED
before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

08
Test Cases
0
Assertions
100%
Coverage Required
00
I'm general counsel at a German automotive Tier-1 supplier (mid-cap, c
0 ASSERTS
01
I'm legal counsel at an Italian automotive aftermarket diagnostics company
0 ASSERTS
02
I'm in-house counsel at a German Mittelstand engineering firm
0 ASSERTS
03
I'm legal counsel at a German SaaS vendor (40 employees, EUR 7m ARR)
0 ASSERTS
04
I'm in-house counsel at a large EU-based industrial enterprise (c
0 ASSERTS
05
I'm in-house counsel at a logistics company
0 ASSERTS
06
I'm legal counsel at a large EU logistics group
0 ASSERTS
07
I'm general counsel at an EU-headquartered cloud provider
0 ASSERTS
§ 07 · REGULATORY BASIS

WHAT IT
cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

EU Data Act
Regulation (EU) 2023/2854 — 119 recitals, 50 articles, Chapters II-VIII.
Commission FAQ on the Data Act
v1.4 (22 January 2026), CC BY 4.0 — framed as Commission interpretation, non-authoritative.
Digital Omnibus proposal
COM(2025) 833 final, 19 November 2025 — co-legislator negotiation, not adopted.
Trade Secrets Directive
Directive (EU) 2016/943 — three-stage ladder, serious AND irreparable conjunction.
GDPR / ePrivacy
Regulation (EU) 2016/679 and Directive 2002/58/EC — overlay gate, Art. 1(5) bridge.
Digital Markets Act
Regulation (EU) 2022/1925 — gatekeeper exclusion on Art. 5 requests and Art. 6(2)(d) sharing.
§ 08 · TRUST

EVERY STEP,
auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

§
Source-anchored output.
Every Art. N(M) and Recital quote traces to local source files validated by validate_sources.py. The regulation is never paraphrased from training data.
VERIFIED
Reproducible decisions.
The role × chapter × stage anchor and seven-step method produce the same analysis from the same facts, for audit or second-counsel review.
IMMUTABLE
Lint before delivery.
check_house_style.py runs against every generated deliverable; the conjunction discipline blocks an Art. 4(8) refusal drafted on trade-secret status alone.
ENFORCED
**
EU-native.
Built around the Data Act chapters, the Commission FAQ, the Digital Omnibus tracker, and Member State implementation. Not retrofitted.
NATIVE

EU Data Act Practitioner Skill — Deployment Guide

📄 View the interactive skill page →

See CHANGELOG.md for version history.

Overview

Practitioner-grade analysis and drafting on Regulation (EU) 2023/2854 (the Data Act). Calibrated for senior legal counsel, compliance officers, and product counsel working with the Data Act in client-facing or in-house contexts.

The skill's architectural anchor is role × chapter × stage. Every matter is positioned by identifying:

  • which Data Act roles the parties play (user, data holder, data recipient, third party, customer, provider, public sector body, plus any concurrent GDPR roles);
  • which chapter(s) of the regulation govern (II–VIII);
  • which stage of that chapter's process the matter is at.

The anchor determines which references load and which scenario card the skill applies.

Coverage

Chapter Articles Operative depth
Ch II 3–7 Full — IoT product and related service data; B2C and B2B sharing
Ch III 8–12 Full — mandatory B2B sharing under other Union law (FRAND, compensation)
Ch IV 13 Full — unfair contract terms unilaterally imposed in B2B data contracts
Ch V 14–22 Full — public sector exceptional-need access
Ch VI 23–31 Full — switching between data processing services
Ch VII 32 Full — third-country governmental access
Ch VIII 33–36 Gate-only, except Arts. 34–35 where they serve Ch VI

Cross-regime gates

Gate Reference file Posture
GDPR + ePrivacy references/gates/gdpr-overlay.md Operative when personal data or terminal-equipment access is in scope
Trade Secrets Directive (EU) 2016/943 references/gates/trade-secrets-directive.md Operative when trade-secret protection is claimed or asserted
DMA gatekeeper exclusion references/gates/dma-gatekeeper.md Operative on Art. 5 third-party requests and Art. 6(2)(d) onward sharing
Sectoral lex specialis references/gates/sectoral-lex-specialis.md Warn-only (vehicles, medical devices, DORA, NIS2, CRA, AI Act, eIDAS, energy, agriculture, telecoms)
Member State implementing law references/gates/member-state.md Warn-only (competent authorities, dispute settlement, penalties)

File structure

eu-data-act/
├── SKILL.md                              # Entry point and router
├── CHANGELOG.md                          # Version history
├── references/
│   ├── method/
│   │   ├── analysis-method.md            # The seven-step cognitive flow
│   │   └── house-style.md                # Voice, length, citation, structure
│   ├── gates/
│   │   ├── gdpr-overlay.md               # Art. 1(5) bridge, Case A/B, ePrivacy
│   │   ├── trade-secrets-directive.md    # TSD ladder, serious-AND-irreparable
│   │   ├── dma-gatekeeper.md             # Art. 5(3) exclusion, Art. 6(2)(d)
│   │   ├── sectoral-lex-specialis.md     # Warn-only sectoral catalogue
│   │   └── member-state.md               # Warn-only MS implementing law
│   ├── gotchas.md                        # 20 numbered failure-mode entries
│   └── scenarios/                        # Pre-walked role × chapter × stage cards
├── sources/
│   ├── regulation-2023-2854.md           # Verbatim Data Act (119 recitals + 50 articles)
│   ├── faq-v1-4.md                       # Commission FAQ v1.4 (22 Jan 2026, CC BY 4.0)
│   ├── digital-omnibus-amendments-tracker.md
│   ├── mcts-sccs-recommendation-pointer.md
│   ├── vehicle-data-guidance-pointer.md
│   ├── _versions.json                    # Source provenance
│   └── _manifest.sha256                  # Source checksums
├── scripts/
│   └── validate_sources.py               # Source layer validator (20/20 checks)
├── templates/                            # Drafting templates
└── evals/                                # Eval fixtures + grading

Deployment

Claude Code (recommended)

Symlink the skill folder into ~/.claude/skills/:

ln -s ~/CLAUDE_PROJECTS/SKILLS/claude-skills/skills/eu-data-act ~/.claude/skills/eu-data-act

Claude.ai (User Skills)

Upload the entire eu-data-act/ folder structure under Settings → Profile → Custom Skills.

Trigger phrases

  • "Data Act" / "Datengesetz" / "Regulation (EU) 2023/2854"
  • "Art. 4(1) request" / "Art. 5(1) third-party request" / "trade-secret handbrake"
  • "cloud switching obligations" / "Chapter VI" / "Art. 25 mandatory terms"
  • "Chapter V exceptional need" / "Art. 17 public-sector request"
  • "Art. 13 unfair contract terms" / "Art. 32 third-country access"
  • References to specific Data Act articles or recitals.

Source layer validator

Run before any release or downstream symlink:

python3 scripts/validate_sources.py --verbose

Checks heading taxonomy (every expected recital, article, and FAQ question), pointer-file presence, manifest checksums, and _versions.json structure. Exit 0 means all checks pass. Current state: 20/20.

Regulatory basis

Document Reference
EU Data Act Regulation (EU) 2023/2854
Commission FAQ on the Data Act v1.4 (22 January 2026), CC BY 4.0
Digital Omnibus proposal COM(2025) 833 final, 19 November 2025 (co-legislator negotiation, not adopted)
Trade Secrets Directive Directive (EU) 2016/943
GDPR Regulation (EU) 2016/679
ePrivacy Directive Directive 2002/58/EC
Digital Markets Act Regulation (EU) 2022/1925

License and disclaimer

Licensed under AGPL-3.0 — see LICENSE at the repo root.

This skill provides structured guidance based on the EU Data Act, the Commission's FAQ, and adjacent EU law. It does not constitute legal advice. Substantive deliverables produced with the skill should be reviewed by qualified legal counsel with Data Act expertise.


Created by Oliver Schmidt-Prietz — OneZero Legal