Data Act Article 37 establishes the public-authority infrastructure for enforcing Regulation (EU) 2023/2854. It requires every Member State to designate one or more competent authorities responsible for the application and enforcement of the Regulation, mandates a coordinator role where designation is plural, and gives those authorities concrete powers to investigate, handle complaints, and impose penalties. The article does not record a calendar deadline at the obligation-row level — the duties bind from the dates set elsewhere in the Regulation.
Who Article 37 obligates
The article distributes duties between two layers: Member States, which must build the institutional setup, and the competent authorities themselves, once designated. Under Article 37 there are no obligations on private companies; those sit in the Data Act's substantive chapters. Article 37 is the enforcement scaffolding around them.
Obligation breakdown
Designation of competent authorities
"Each Member State shall designate one or more competent authorities to be responsible for the application and enforcement of this Regulation." Where a Member State designates more than one authority, it must also "designate a data coordinator from among them to facilitate cooperation and assist entities." The action verb the row records is designate — a structural act, not a periodic one.
Resourcing and clarity of mandate
"Member States shall ensure that the tasks and powers of the competent authorities are clearly defined and include promoting data literacy and awareness." The action verb is ensure, and the obligation reads as a continuing one: a Member State that strips a competent authority of resources mid-stream falls out of compliance even if the original designation was clean.
Cooperation between authorities
Once designated, "competent authorities shall cooperate with each other in the exercise of the tasks and powers assigned to them." This is the cross-border duty that lets a complaint filed in one Member State move to the authority that actually has the operator in scope.
Complaint handling
"Competent authorities shall handle complaints arising from alleged infringements, investigate them, and regularly inform complainants of progress and outcome within a reasonable period." The deadline the row records is "reasonable period" — the Regulation does not fix a specific number of days at this level.
Investigations
"Competent authorities shall conduct investigations into matters that concern the application of this Regulation." The text is unrestricted: investigations can be opened on the authority's own initiative as well as in response to complaints.
Penalties
"Competent authorities shall impose effective, proportionate and dissuasive financial penalties or initiate legal proceedings for the imposition of fines." Penalty levels are not specified at the Article 37 row level; the wider penalty regime sits elsewhere in the Regulation, with national law filling in the detail.
What this means in practice
Cross-border data-sharing operators should expect a fragmented enforcement map: each Member State picks its own authority (or authorities), and a coordinator only emerges where designation is plural. The single information point referenced elsewhere in the Regulation does not eliminate the need to track which national authority leads on a given complaint. For multinational legal teams, the practical work is mapping each Member State's designation list, together with each authority's complaints procedure, before relying on any single contact. The cooperation duty is real but slow: it does not collapse twenty-seven authorities into one front door.
Article 37 also has a literacy clause that is easy to overlook. The duty to "include promoting data literacy and awareness" in the competent authority's mandate signals that Member States cannot reduce the authority to a complaints desk; outreach and education are part of the role. For operators, this means competent authorities are expected to publish guidance and engage with industry, not only adjudicate. The investigation power is similarly broad — own-initiative investigations sit alongside complaint-driven ones — so an operator's risk picture should account for the possibility that an authority opens a file without any external trigger, and the financial-penalty power closes the loop with concrete consequences.
Related Fontvera pages
- AI Act fines and penalties by country — the cross-border enforcement-authority pattern Article 37 codifies for the Data Act mirrors the AI Act's national-authority structure.