The EU Data Act, which became effective on September 12, 2025, imposes new requirements on providers of “data processing services”, a category that includes Infrastructure as a Service (IaaS), Platform as a service (PaaS), and Software as a Service (SaaS) solutions, along with emerging variations such as “Storage as a Service” and “Database as a Service.” Most off-the-shelf cloud services appear to fall within the scope of the Act, which provides only a handful of narrow exemptions for specific types of services, such as cloud services that are custom-built for a particular customer and not offered by the provider at broad commercial scale.
Like other data-related EU regulations, the EU Data Act is extraterritorial, and applies to data processing services that are marketed or provided to customers located in the EU, even if the provider is established outside of the EU.
Termination Requirements
For many cloud providers, the Act’s switching rules will be among the most impactful provisions of the Act. The Act aims to increase competition and technical innovation in the EU, and dismantle vendor “lock-in”, by making it easier for customers to terminate a contract for data processing services and move their data to a different provider or the customer’s own infrastructure.
Under Chapter VI of the Data Act, providers must enable customers to switch services without undue technical, contractual, or commercial obstacles, and providers must include statutorily-mandated switching terms in their contracts with customers.
A customer must be contractually permitted to transfer its data and digital assets to another provider of the “same service type” (or the customer’s own infrastructure) – and terminate the cloud service agreement – with no more than two months’ prior notice to the provider. In other words, the Act affords a customer the right to terminate its contract for convenience, notwithstanding the agreed-upon term or fixed subscription period specified in the contract.
When a customer elects to terminate its agreement and switch to another service, the cloud service provider must reasonably assist the customer and the new vendor with the migration, and ensure that a “high level” of data security is maintained throughout the switching process. All exportable data must be provided by the incumbent provider in a structured, commonly used, and machine-readable format.
Providers may charge “proportionate early termination penalties” to deal with the early termination of contracts with a fixed duration, but the Act does not clearly define the degree of permissible penalties. Additionally, until January 12, 2027, providers may impose “switching charges” (e.g., data transfer costs) on customers for the switching process; after this date, switching charges (but not early termination penalties) are prohibited. All early termination penalties and switching charges must be specified in the customer’s contract prior to execution. The European Commission plans to issue a set of non-mandatory standard contractual clauses for cloud computing contracts which providers can use to implement the switching and other requirements of the Act in their contracts.
Enforcement and Penalties.
Enforcement of the Act is delegated to the EU Member States, which are instructed to implement penalties that are “effective, proportionate, and dissuasive”. Cloud service customers can lodge complaints with the relevant Member State supervisory authority, and customers also have the right to pursue an effective judicial remedy before a court or tribunal if the relevant supervisory authority fails to act on the customer’s complaint.
Next Steps and Recommendations
Providers should evaluate whether their cloud service offerings fall within the scope of the Act. Providers of in-scope cloud services should:
- Review and Update Contract Terms: Incorporate mandatory switching and termination rights, in addition to the other requirements of the Act.
- Decouple Multinational Engagements: Providers may wish to handle cloud service deployments that cover both EU and non-EU jurisdictions under separate contract documents (such as separate order forms), so that the Act’s termination requirements do not apply to customer divisions located outside of the EU.
- Invest in Interoperability: Align technical architectures with portability requirements, including standardized APIs and export formats.
- Develop Migration Toolkits: Provide customers with self-service tools and clear guidance for data transfer.
- Establish Compliance Governance: Appoint a Data Act compliance lead, update internal policies, and train staff on new obligations.
For more information, please contact the author.