The EU Data Act and what it means for cloud services

Instead of cloud service, the term data processing service is used in the Data Act: 

"a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction" 

The last part of this definition seems to require a high degree of self-service for the service to be covered. According to the recitals, this means that the customer can unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the provider. Incidentally, the definition is similar to that of cloud computing service in the NIS2 Directive (the EU-wide legislation on cybersecurity). 

The general concept of data processing services covers a large number of services with a very wide range of different purposes, functions and technical arrangements. Clearly, data processing services include: 

• IaaS (infrastructure as a service); 

• PaaS (platform as a service); and 

• SaaS (software as a service). 

These three basic computing delivery models are complemented by variants such as storage as a service and database as a service. Edge computing, which enables decentralised computing in a connected device closer to the place where data is generated or collected, is also included. 

For simplicity, the term cloud service is used in this article, instead of data processing service. 

Instead of cloud service, the term data processing service is used in the Data Act: 

"a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction" 

The last part of this definition seems to require a high degree of self-service for the service to be covered. According to the recitals, this means that the customer can unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the provider. Incidentally, the definition is similar to that of cloud computing service in the NIS2 Directive (the EU-wide legislation on cybersecurity). 

The general concept of data processing services covers a large number of services with a very wide range of different purposes, functions and technical arrangements. Clearly, data processing services include: 

• IaaS (infrastructure as a service); 

• PaaS (platform as a service); and 

• SaaS (software as a service). 

These three basic computing delivery models are complemented by variants such as storage as a service and database as a service. Edge computing, which enables decentralised computing in a connected device closer to the place where data is generated or collected, is also included. 

For simplicity, the term cloud service is used in this article, instead of data processing service. 

Cloud services with the majority of its main features custom-built to respond to the specific demands of an individual customer, or with all components developed for the purposes of an individual customer, are exempted from some of the switching obligations, unless they are offered at a broad commercial scale via the provider's service catalogue. However, providers of such custom-built services must still make open interfaces available and ensure that data is exported in a structured, commonly used and machine-readable format. 

Furthermore, the Data Act's switching obligations do not apply to cloud services provided for a limited period of time as a non-production version for testing and evaluation purposes. On the other hand, free-tier offerings are not exempted. Consequently, it may be relevant to clarify the question of whether it is a test version or a free-tier offering. It is explicitly stated that cloud service providers shall not inhibit customers from porting their exportable data and digital assets to a different provider, or to an on-premises ICT infrastructure, including after having benefited from a free-tier offering. 

Prior to the conclusion of a contract on the provision of cloud services, that are exempted as described above, the provider shall inform prospective customers of the Data Act’s switching obligations that do not apply. 

Unlike other parts of the Data Act, the provisions applicable to cloud services do not contain any exemptions for micro, small and medium-sized enterprises. 

Cloud services with the majority of its main features custom-built to respond to the specific demands of an individual customer, or with all components developed for the purposes of an individual customer, are exempted from some of the switching obligations, unless they are offered at a broad commercial scale via the provider's service catalogue. However, providers of such custom-built services must still make open interfaces available and ensure that data is exported in a structured, commonly used and machine-readable format. 

Furthermore, the Data Act's switching obligations do not apply to cloud services provided for a limited period of time as a non-production version for testing and evaluation purposes. On the other hand, free-tier offerings are not exempted. Consequently, it may be relevant to clarify the question of whether it is a test version or a free-tier offering. It is explicitly stated that cloud service providers shall not inhibit customers from porting their exportable data and digital assets to a different provider, or to an on-premises ICT infrastructure, including after having benefited from a free-tier offering. 

Prior to the conclusion of a contract on the provision of cloud services, that are exempted as described above, the provider shall inform prospective customers of the Data Act’s switching obligations that do not apply. 

Unlike other parts of the Data Act, the provisions applicable to cloud services do not contain any exemptions for micro, small and medium-sized enterprises. 

Cloud service providers shall not impose and shall remove obstacles which inhibit customers from switching to a cloud service covering the "same service type" provided by a different provider. 

The "same service type" seems to imply that an IaaS should be interchangeable with another equivalent IaaS, and so on for PaaS and SaaS respectively, i.e., a set of cloud services that share the same primary objective, service model and main functionalities. Services of the same service type may have different and competing characteristics, such as performance, security, resilience and quality of service. 

Cloud service providers shall not impose and shall remove obstacles which inhibit customers from switching to a cloud service covering the "same service type" provided by a different provider. 

The "same service type" seems to imply that an IaaS should be interchangeable with another equivalent IaaS, and so on for PaaS and SaaS respectively, i.e., a set of cloud services that share the same primary objective, service model and main functionalities. Services of the same service type may have different and competing characteristics, such as performance, security, resilience and quality of service. 

The cloud service provider's customer contracts must include clauses regarding: 

• the customer's right to initiate a switching process, followed by a two-month notice period; 

• the customer's right, after the notice period, to switch to another cloud service provider, port all exportable data and digital assets to an on-premises ICT infrastructure or erase such data and assets; 

• the cloud service provider's obligation to ensure a maximum transitional period of 30 calendar days (alternatively, a maximum transitional period of seven months, if the provider can duly justify within 14 working days of the customer's switching request that it is technically unfeasible), after the maximum notice period of two months; 

• the customer's right to extend the transitional period once, for a period that the customer considers more appropriate for its own purposes; 

• the cloud service provider's obligation during the switching process to provide reasonable assistance, act with due care to maintain business continuity, provide clear information concerning known risks to continuity and ensure a high level of security; 

• the cloud service provider’s obligation to support the customer’s exit strategy relevant to the contracted services, including by providing all relevant information; 

• when the contract shall be considered to be terminated, i.e., either upon the successful completion of the switching process or at the end of the notice period if the customer wishes to erase its exportable data and digital assets, and the customer shall be notified thereof; 

• exhaustive specification of all categories of data and digital assets that can be ported during the switching process, as well as of data specific to the internal functioning of the provider's service that, provided it does not impede or delay an effective switching, are to be exempted due to risk of breach of trade secrets of the provider; 

• the cloud service provider’s obligation to ensure a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the applicable transitional period; 

• the customer's right to full erasure of all exportable data and digital assets generated directly by the customer or relating to the customer directly, after the expiry of the data retrieval period; and 

• the cloud service provider’s right to impose switching charges until 12 January 2027, provided such charges do not exceed the costs directly incurred, and thereafter switching charges shall not be imposed. 

Before 12 September 2025, the European Commission shall develop and recommend non-binding standard contractual clauses to assist parties in drafting and negotiating fair, reasonable and non-discriminatory contracts. Fondia recommends that affected cloud service providers do not wait for such non-binding standard clauses, but – starting from the definition, configuration, package, contractual terms and pricing model of their own services – commence work early and thoroughly on the adaptations required to comply with the Data Act, of which mandatory switching clauses in customer contracts are one part. 

When adapting standard contracts and general terms and conditions as described above, the detailed provisions of the Data Act on unfair contractual terms unilaterally imposed on another enterprise should be considered. Without going into details, a contractual term unilaterally imposed by an enterprise on another shall not be binding on the latter if it is unfair. The Data Act sets out in detail what is unfair in this context and what shall be considered unilaterally imposed. These provisions on unfair contractual terms will apply to contracts concluded after 12 September 2025 (or from 12 September 2027 if concluded on or before 12 September 2025, provided they are either of indefinite duration or due to expire at least ten years from 11 January 2024). 

The cloud service provider's customer contracts must include clauses regarding: 

• the customer's right to initiate a switching process, followed by a two-month notice period; 

• the customer's right, after the notice period, to switch to another cloud service provider, port all exportable data and digital assets to an on-premises ICT infrastructure or erase such data and assets; 

• the cloud service provider's obligation to ensure a maximum transitional period of 30 calendar days (alternatively, a maximum transitional period of seven months, if the provider can duly justify within 14 working days of the customer's switching request that it is technically unfeasible), after the maximum notice period of two months; 

• the customer's right to extend the transitional period once, for a period that the customer considers more appropriate for its own purposes; 

• the cloud service provider's obligation during the switching process to provide reasonable assistance, act with due care to maintain business continuity, provide clear information concerning known risks to continuity and ensure a high level of security; 

• the cloud service provider’s obligation to support the customer’s exit strategy relevant to the contracted services, including by providing all relevant information; 

• when the contract shall be considered to be terminated, i.e., either upon the successful completion of the switching process or at the end of the notice period if the customer wishes to erase its exportable data and digital assets, and the customer shall be notified thereof; 

• exhaustive specification of all categories of data and digital assets that can be ported during the switching process, as well as of data specific to the internal functioning of the provider's service that, provided it does not impede or delay an effective switching, are to be exempted due to risk of breach of trade secrets of the provider; 

• the cloud service provider’s obligation to ensure a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the applicable transitional period; 

• the customer's right to full erasure of all exportable data and digital assets generated directly by the customer or relating to the customer directly, after the expiry of the data retrieval period; and 

• the cloud service provider’s right to impose switching charges until 12 January 2027, provided such charges do not exceed the costs directly incurred, and thereafter switching charges shall not be imposed. 

Before 12 September 2025, the European Commission shall develop and recommend non-binding standard contractual clauses to assist parties in drafting and negotiating fair, reasonable and non-discriminatory contracts. Fondia recommends that affected cloud service providers do not wait for such non-binding standard clauses, but – starting from the definition, configuration, package, contractual terms and pricing model of their own services – commence work early and thoroughly on the adaptations required to comply with the Data Act, of which mandatory switching clauses in customer contracts are one part. 

When adapting standard contracts and general terms and conditions as described above, the detailed provisions of the Data Act on unfair contractual terms unilaterally imposed on another enterprise should be considered. Without going into details, a contractual term unilaterally imposed by an enterprise on another shall not be binding on the latter if it is unfair. The Data Act sets out in detail what is unfair in this context and what shall be considered unilaterally imposed. These provisions on unfair contractual terms will apply to contracts concluded after 12 September 2025 (or from 12 September 2027 if concluded on or before 12 September 2025, provided they are either of indefinite duration or due to expire at least ten years from 11 January 2024). 

The Data Act does not prevent parties from agreeing on cloud service contracts of a fixed duration, including proportionate early termination penalties. Further guidance on what may be considered proportionate is not provided. It is possible that a clause in a one-year contract, saying that the unused portion of any advance payment of an annual subscription fee will not be refunded, could be considered a proportionate early termination penalty. On the other hand, it would probably not be proportionate to, for example, charge the full value of a three-year contract that is terminated year one. 

Before entering into a contract with a customer, the cloud service provider shall provide the prospective customer with clear information on the early termination penalties that might be imposed. 

The Data Act does not prevent parties from agreeing on cloud service contracts of a fixed duration, including proportionate early termination penalties. Further guidance on what may be considered proportionate is not provided. It is possible that a clause in a one-year contract, saying that the unused portion of any advance payment of an annual subscription fee will not be refunded, could be considered a proportionate early termination penalty. On the other hand, it would probably not be proportionate to, for example, charge the full value of a three-year contract that is terminated year one. 

Before entering into a contract with a customer, the cloud service provider shall provide the prospective customer with clear information on the early termination penalties that might be imposed. 

In particular, cloud service providers shall not inhibit customers from: 

• achieving functional equivalence in the use of the new cloud service in the ICT environment of a different cloud service provider covering the same service type, which does not include requiring the original provider to rebuild the service in question within the infrastructure of the destination provider; or 

• unbundling, where technically feasible, elemental infrastructure services (IaaS) from other cloud services provided by the provider. 

Furthermore, cloud service providers shall: 

• make open interfaces available to an equal extent to all their customers and the concerned destination providers, free of charge, to facilitate the switching process and enable data portability and interoperability; and 

• ensure compatibility with common specifications based on open interoperability specifications or harmonised standards for interoperability (which may be published by the European Commission), at least for PaaS and SaaS – if no such specifications or standards exist, the provider shall, at the request of the customer, export all exportable data in a structured, commonly used and machine-readable format. 

In particular, cloud service providers shall not inhibit customers from: 

• achieving functional equivalence in the use of the new cloud service in the ICT environment of a different cloud service provider covering the same service type, which does not include requiring the original provider to rebuild the service in question within the infrastructure of the destination provider; or 

• unbundling, where technically feasible, elemental infrastructure services (IaaS) from other cloud services provided by the provider. 

Furthermore, cloud service providers shall: 

• make open interfaces available to an equal extent to all their customers and the concerned destination providers, free of charge, to facilitate the switching process and enable data portability and interoperability; and 

• ensure compatibility with common specifications based on open interoperability specifications or harmonised standards for interoperability (which may be published by the European Commission), at least for PaaS and SaaS – if no such specifications or standards exist, the provider shall, at the request of the customer, export all exportable data in a structured, commonly used and machine-readable format. 

In addition to the information requirements already described, cloud service providers shall provide: 

• the customer with available procedures for switching and porting methods and formats, as well as known restrictions and technical limitations; 

• an up-to-date online register, hosted by the provider, with details of the data structures and data formats as well as the relevant standards and open interoperability specifications, in which the exportable data are available; 

• updated information on their websites, to be listed in all customer contracts, about the jurisdiction to which the ICT infrastructure deployed for their individual services is subject, and a general description of the technical, organisational and contractual measures adopted to prevent international governmental access to, or transfers of, non-personal data held in the EU, where such access or transfer would create a conflict with EU law or the national law of the relevant EU Member State; and 

• clear information, before entering into a contract with a customer and publicly available via a dedicated section of their website, on the standard service fees and any early termination penalties that might be imposed, as well as on the reduced switching charges that might be imposed until 12 January 2027. 

In addition to the information requirements already described, cloud service providers shall provide: 

• the customer with available procedures for switching and porting methods and formats, as well as known restrictions and technical limitations; 

• an up-to-date online register, hosted by the provider, with details of the data structures and data formats as well as the relevant standards and open interoperability specifications, in which the exportable data are available; 

• updated information on their websites, to be listed in all customer contracts, about the jurisdiction to which the ICT infrastructure deployed for their individual services is subject, and a general description of the technical, organisational and contractual measures adopted to prevent international governmental access to, or transfers of, non-personal data held in the EU, where such access or transfer would create a conflict with EU law or the national law of the relevant EU Member State; and 

• clear information, before entering into a contract with a customer and publicly available via a dedicated section of their website, on the standard service fees and any early termination penalties that might be imposed, as well as on the reduced switching charges that might be imposed until 12 January 2027. 

In line with the minimum requirement allowing switching between providers of cloud services, the Data Act also aims to improve interoperability for in-parallel use of multiple cloud services with complementary functionalities (multi-cloud). Therefore, the switching obligations described above also apply mutatis mutandis for cloud service providers to facilitate such interoperability. 

The egress of data from one cloud service provider to another to facilitate the in-parallel use of services can be an ongoing activity, in contrast with the one-off egress required as part of the switching process. Consequently, when a cloud service is used in parallel with another cloud service, providers may impose data egress charges, but only for the purpose of passing on egress costs incurred, without exceeding such costs. Unlike switching charges, which can only be imposed until 12 January 2027, no time limit applies to such egress charges. 

In line with the minimum requirement allowing switching between providers of cloud services, the Data Act also aims to improve interoperability for in-parallel use of multiple cloud services with complementary functionalities (multi-cloud). Therefore, the switching obligations described above also apply mutatis mutandis for cloud service providers to facilitate such interoperability. 

The egress of data from one cloud service provider to another to facilitate the in-parallel use of services can be an ongoing activity, in contrast with the one-off egress required as part of the switching process. Consequently, when a cloud service is used in parallel with another cloud service, providers may impose data egress charges, but only for the purpose of passing on egress costs incurred, without exceeding such costs. Unlike switching charges, which can only be imposed until 12 January 2027, no time limit applies to such egress charges. 

Each Member State shall designate one or more competent authorities responsible for the application and enforcement of the Data Act. If more than one is designated, a data coordinator shall be appointed from among them. 

Competent authorities should ensure that infringements of the obligations laid down in the Data Act are subject to penalties, which shall be established by each Member State. Where appropriate, competent authorities should make use of interim measures. 

The supervisory authorities responsible for monitoring the application of GDPR shall be responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. 

Entities falling within the scope of the Data Act shall be subject to the competence of the Member State where the entity is established. If it is established in more than one Member State, it shall be considered to be under the competence of the Member State in which it has its main establishment, i.e., where the entity has its head or registered office from which the principal financial functions and operational control are exercised. 

Each Member State shall designate one or more competent authorities responsible for the application and enforcement of the Data Act. If more than one is designated, a data coordinator shall be appointed from among them. 

Competent authorities should ensure that infringements of the obligations laid down in the Data Act are subject to penalties, which shall be established by each Member State. Where appropriate, competent authorities should make use of interim measures. 

The supervisory authorities responsible for monitoring the application of GDPR shall be responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. 

Entities falling within the scope of the Data Act shall be subject to the competence of the Member State where the entity is established. If it is established in more than one Member State, it shall be considered to be under the competence of the Member State in which it has its main establishment, i.e., where the entity has its head or registered office from which the principal financial functions and operational control are exercised.