Data Act: Part 4 – The Data Act regulates cloud switching and influences the contractual relationship between customers and cloud service providers

As part of the European data strategy, the Data Act aims to break down so-called data silos, improve the interoperability of software and the general use of data. The new rules should make it possible to fully utilise the potential of data-driven business models to promote innovation within the EU. The Data Act will apply directly within the EU from 12 September 2025.

Chapter VI of the Data Act (Art. 23 to 31) provides for mandatory regulations for contractual relationships between so-called data processing services (i.e. primarily providers of cloud services) and their customers. Among other things, this is intended to make it easier to switch between data processing services, thereby preventing a so-called “vendor lock-in” of customers. In the following, we present which changes this Regulation specifically entails for cloud providers and how the Regulation (at least according to the legislator) aims to help customers of cloud services. The European Commission has also published a first draft of standard contractual clauses in accordance with Art. 41 Data Act, which provide an indication of how the Commission envisages the implementation of Chapter VI. The Commission intends to publish the final version of the standard contractual clauses by 12 September 2025.

What is cloud switching all about?

The Data Act requires providers of cloud services to offer them in such a way that it is possible for customers to switch to another cloud provider or to switch to an “on-premise” solution at any time and without any problems. This is to be achieved through numerous legal obligations relating to the contractual provisions of cloud services. For example, a two-month cancellation period and a thirty-day switching period must be contractually agreed. The possibility of charging a switching fee for support when switching to a new provider is severely restricted and far-reaching termination and support obligations are required. Art. 30 et seq. Data Act also contain technical requirements for interoperability and oblige, for example, the provision of interfaces for switching tools.

Central obligations

Art. 23 Data Act is the central provision and starting point for the obligations of providers of so-called data processing services. They must take extensive measures to remove obstacles when customers switch to another provider or to a company's internal IT infrastructure (“on-premise”). At the same time, the use of several data processing services in parallel operation via a standardised user interface is also to be guaranteed (the so-called interoperability of data processing services, see Art. 23 in conjunction with Art. 31 Data Act).

Art. 23 creates minimum obligations for data processing services and stipulates that all commercial, industrial, technical, contractual and organisational obstacles that prevent the implementation of switching between cloud providers must be removed. Here, the legislator had in mind the occasionally high switching costs and technical-factual barriers to switching on the provider side, which could prevent users of cloud services from actually making a (commercially viable) switch.

Data processing services as addressees

The Data Act obliges so-called “data processing services”. According to the definition in Art. 2 No. 8 Data Act, these are a “digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

Recital 81 of the Data Act includes the term data processing services in particular Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), but also “Storage as a Service” and “Database as a Service”.

Providers of data processing services within the meaning of the Data Act are both the original provider with whom a customer has an existing contractual relationship and the acquiring provider to whom a customer wishes to switch. How exactly the individual characteristics are to be interpreted is unfortunately still unclear. The provision of individual, clearly defined hardware resources that are only used by one customer certainly does not fall within term provider of data processing services. However, as soon as a database or storage space provider offers a certain degree of flexibility, each service must be analysed individually to determine whether it constitutes a data processing service.

Exceptions for customised solutions

Art. 31 Data Act makes exceptions from the aforementioned obligations. For example, processing services in which most of the majority of main features have been custom-built (Art. 31 para. 1 alternative 1 Data Act), individual software (Art. 31 para. 1 alternative 2 Data Act) and software provided temporarily for testing or evaluation purposes (Art. 31 para. 2 Data Act) are excluded from the scope. The provisions of Art. 23 et seq. Data Act only apply to so-called “one-to-many” solutions due to the scope exceptions, the exact definition and delimitation of which can be challenging.

It is conceivable, for example, that a SaaS solution could fall outside the scope of the Data Act due to a customised implementation of software. In practice, this could give rise to the following difficulty: The provider must inform the user of such an existing scope exception before the contract is concluded (see Art. 31 para. 3 Data Act). However, if the scope of the implementation to be carried out – as is typically the case – is not yet known before the contract is concluded, it is hardly possible to make a prior legally certain statement covering this issue.

The switching provisions of Art. 23 Data Act also only apply if the “same type of service” exists for the initial and target or switching provider. According to the definition in Art. 2 No. 9 Data Act, this means that the data processing service must have “the same primary objective”, “main functionalities” and the same service model for data processing cumulatively (see also Recital 81 Data Act).

Further obligations according to Art. 23 et seq. Data Act

The obligations set out in Art. 23 et seq. Data Act also apply if the user only wishes to remove a specific service from a larger contract and transfer it to another provider. Providers of IaaS data processing services (i.e. the original provider) are also obliged to take “all reasonable measures” to ensure that functional equivalence is achieved in the customer's use of the same type of service after the customer has switched to a new service provider (see also Recital 92 Data Act). According to Art. 30 para. 1 Data Act, this specifically means that the original provider must provide appropriate information, technical documentation, but also technical support as well as capacities and, if necessary, the necessary instruments.

Other providers of PaaS or SaaS must in future provide both their customers and the new providers to which a customer wishes to switch to with an open interface to the services operated free of charge. This interface is required to “facilitate the switching process” (see Art. 30 para. 2 Data Act). In order to enable the customer and the new provider to implement the interface, the previous PaaS/SaaS provider must also provide the necessary documentation.

For all service providers covered, it remains to be seen whether, in exceptional cases, action is owed even after the change of provider has been completed. The legal text at least does not rule this out, however, does not impose an obligation to bring about the success of functional equivalence, but merely considers “facilitation” to be owed. In any case, such activity would no longer be covered by the switching fees, which are to be gradually reduced to zero, once the switch has been completed, meaning that fees are likely to continue to be charged for this in the future.

However, these obligations also have limits: Providers of data processing services are not obliged to disclose their intellectual property or trade secrets to a customer or another provider or even to develop new technologies or services.

Art. 25 Data Act: specific contractual provisions are now mandatory

Art. 25 Data Act regulates which specific minimum provisions a contract must contain and thus specifies the obligations outlined in Art. 23 Data Act (see above). Firstly, the rights and obligations of the customer and the obligations of the provider in relation to the change of provider must be set out in a written contract (Art. 25 para. 1 sentence 1 Data Act).

Right of exchange and continuity of business operations

The contract must contain clauses according to which the customer has the option of switching to another data processing service (Art. 25 para. 2 lit. a Data Act). In addition to the possibility of switching, the data processing provider must ensure that business operations are maintained in the event of a switch (Art. 25 para. 2 lit. a (ii) Data Act), i.e. the customer's request to switch and extract data must be fulfilled and must not lead to interruptions. If interruptions do occur, there is an obligation to provide information in this respect (Art. 25 para. 2 lit. a (iii) Data Act).

Cancellation period

Art. 25 para. 2 lit. d Data Act also expressly stipulates a notice period of the user of a maximum of two (2) months for such a change of provider. This notice period begins when the user informs the provider of their request to switch. While ordinary notice periods are excluded for cloud services in many cases, this significantly strengthens the rights of customers.

Fees and transition period

However, it should be noted that it is also possible to agree cancellation fees or contractual penalties in the event of early termination of the contract, Art. 29 para. 4 Data Act, Recital 89 Data Act. These must be in line with national and EU law, proportionate (see Recital 89) and accordingly cannot constitute a commercial obstacle to switching (see Art. 23 Data Act). Providers are therefore faced here with the difficult task of agreeing appropriate models that protect them against the emerging risk of customer cancellation at any time with two months' notice and at the same time do not impose unreasonably high penalties. The draft version of the SCCs provides limited guidance on this matter. The background to this is that the actual switching circumstances can vary and the SCCs therefore only contain generalised obligations.

The respective contract must also provide for a binding transition period of a maximum of thirty (30) days, Art. 25 para. 2 lit. a Data Act. If the provider is unable to comply with the transition period for technical reasons, an extension of the transition period to a maximum of seven (7) months is possible in individual cases if the requirements in Art. 25 para. 4 Data Act are met.

Extension and transition period

The customer must also be given the opportunity to extend the transitional period once for a period that the customer considers more appropriate for its own purposes, Art. 25, para. 5 Data Act. The contract is deemed to be terminated in accordance with Art. 25 para. 2 lit. c Data Act after successful completion of the change. The data must continue to be accessible for at least thirty (30) days – calculated from the end of the transition period – in accordance with Art. 25 para. 2 lit. g Data Act. In addition, the provider must guarantee that it will delete the customer's exportable data and digital assets after the change has been successfully completed (Art. 25 para. 2 lit. h Data Act).

Furthermore, according to Art. 27 Data Act, all parties involved are obliged to act in good faith. This includes, for example, that the parties involved transfer the data securely and in a timely manner and use a common machine-readable format, see Recital 97 Data Act.

Art. 26 Data Act provides for further information obligations for providers of data processing services with regard to the implementation of the change and Art. 30 Data Act contains obligations for the technical implementation of the change.

Finally, switching fees, i.e. fees charged by providers for carrying out a switch, are to be gradually abolished by 2027. In future, cloud service providers will therefore bear the financial risk of costly and technically complex switching projects. These should therefore already be taken into account when developing cloud products (even more so than is already the case in practice). Additional services that go beyond the switching support prescribed in the Data Act can be provided for a fee. However, these fees also must not constitute a commercial obstacle to switching within the meaning of Art. 23 Data Act.

Consequences of an infringement of Art. 25 Data Act

In addition to public law enforcement by the authorities, civil law enforcement by customers or competitors is also to be expected, for example via competition law or via the effectiveness control of the law on general terms and conditions. The reference to the fine regime of the GDPR explicitly does not cover the rules of Chapter VI, which this article deals with. It therefore remains to be seen how national legislators and supervisory authorities will proceed here.

If individual contractual clauses infringe against Data Act provisions, the applicable (general terms and conditions) law must be applied. In the case of cloud contracts with consumers, it should be noted in particular that the obligations under the Data Act may overlap with the obligations for cloud providers under the Digital Contracts Directive (2019/770) and the Sales of Goods Directive (2019/771), both of which have been transposed into the German Civil Code (BGB).

Draft standard contractual clauses (SCCs)

With regard to switching requirements (Chapter VI Data Act), the EU Commission will publish various sets of SCCs, which should largely complement each other, but can also be used separately.

In contrast to the familiar data protection law related SCCs, the SCCs resulting from Art. 41 Data Act will be non-binding. The parties can therefore use them and explicitly adapt them to their own services and wishes with regard to the change scenario in accordance with their contractual requirements. This is initially to be welcomed, as it eliminates the need for processes to adapt to a rigid set of rules and allows Data Act compliance to be organised more flexibly.

However, the following point should be taken into consideration when revising the SCCs: The SCCs are designed taking into consideration the rights and obligations provided for in the Data Act and should also be consistent with each other. The respective parties should therefore critically review the SCC texts to determine the extent to which they can be adapted to the specific individual case and at the same time sufficiently reflect the obligations under the Data Act.

The SCCs provided serve as a model for what the Commission considers to be best practice for implementing the Data Act obligations in contracts. The clauses are relatively clearly formulated and regulate what happens when and who is subject to the corresponding contractual obligations.

As of November 2024, the standard contractual clauses will cover the following issues: Termination; General; Switching & Exit; Security and Business Continuity; Liability; Non-Dispersion; Non-Amendment.

The SCCs are a highly complex set of contractual clauses that contain clauses for several scenarios (such as the use of self-service switching tools). However, one thing has become clear: In addition to clauses that are partially identical in wording to the obligations of the Data Act, the SCCs contain detailed exit plans that include placeholders for all the information that must be provided.

Current handling of the major providers

Many of the requirements of the Data Act go far beyond current practice. Customers could consider the extent to which they are more flexible in future. We also expect a change in negotiating positions in procurement procedures and the associated contract negotiations. Cloud providers should definitely have revised their general terms and conditions by the time the Data Act comes into force and carefully check where they actually fall within the scope of application and how they deal with the areas where the Data Act is unclear and offers room for manoeuvre.

In addition, the technical implementation of the requirements of Art. 25 para. 2 Data Act will still pose challenges for cloud providers until it comes into force in September 2025. For example, it remains unclear how the required “reasonable support” for the change on the part of the data processing services pursuant to Art. 25 para. 2 lit. a (i) Data Act is to be implemented technically: What is “reasonable”? What are the minimum technical services that must be provided in order for the change to be “adequately” supported?

Outlook

Even if there are certainly still some question marks regarding the obligations set out in Art. 23 et seq. Data Act, the changes for users and providers of cloud services are significant. The now mandatory interoperability and the legally binding option to change a data processing service will increase the negotiating power of user companies vis-à-vis the large cloud providers.

Providers of cloud services face considerable challenges as a result of the implementation of the Data Act. In addition to organisational and contractual adjustments, far-reaching technical changes must also be made to the products offered. In view of the short implementation period, which expires on 12 September 2025, capacities and resources should be made available for the implementation projects at short notice.

Timeline

The Data Act was passed on 13 December 2023 and came into force on 11 January 2024.

The obligations discussed in this article apply to all contracts from 12 September 2025 (Art. 50 para. 2 Data Act). All contracts for data processing services concluded before this date are subject to the Data Act and should therefore be amended by 12 September 2025.

There will be a gradual abolition of switching fees for the execution of provider changes by 12 January 2027 (Art. 29 para. 1, 2 Data Act).