The Data Act – Important obligations for cloud and edge services

Overview

The Data Act became fully applicable on 12 September 2025 and will be consolidated with the Data Governance Act based on the proposal for a Digital Omnibus Package (read more on this here). 

The Data Act focuses on the right to access data generated by connected products and so-called providers of data processing services (“DPS”) such as cloud and edge services. Regarding the latter, customers now have a right to easily switch between different services and to terminate their contracts. Main obligations for providers refer to a variety of new mandatory contractual terms, information obligations, exit and transition support as well as harmonized interoperability standards.

Who is the addressee?

• The Data Act stipulates far-reaching requirements for DPS providers – covering cloud service providers with a “shared pool of configurable, scalable and elastic computing resources such as storage, applications and services that can be rapidly provisioned and released with minimal interaction”.
• This rather technical definition requires a case-by-case assessment. If scaling only occurs at the platform level or requires manual interaction by the provider, there may be arguments that your service is out of scope.
• However, if the tenant/customer can unilaterally provide and release the computing resources, you should have a closer look. There is a high risk that you are covered regardless of whether your service is provided as an Infrastructure as a Service (IaaS), Platform as a service (PaaS), Software as a Service (SaaS) or as an emerging variation such as Storage as a Service and Database as a Service.
  

  ⚠️ Therefore, DPS provider do not solely cover the major “hyperscalers”. Even if you rely on a third party for scalability and elasticity you may be covered. 

• For individual, custom-built DPS or for mere testing and evaluation purposes the scope of the Data Act’s obligations is limited.

What obligations apply?

Switching and exit rights 

• Customers have the right to easily switch between DPS providers and exit the agreement.
• Customers have the right to switch between DPS or port all of their exportable data generally free of charge.
• Upon completion, the DPS contract is considered to be terminated. This generally means that the customer will not have to pay service fees anymore. From 11 January 2024, only reduced switching charges can be imposed and switching providers shall generally be free of charge from 12 January 2027 on.
• However, the Data Act allows for early termination penalties. In addition, the Data Act leaves room to argue that specific costs related to additional services to the DPS will not be affected by the termination.

Remove obstacles and support the customer

• DPS providers must remove any form of obstacles that inhibit customers – among others – from

• terminating their contracts,
• concluding new contracts with different providers and
• porting customer’s exportable data.

• In this regard, the DPS provider has to support customers with their exit strategy. After a notice period of max. 2 months, switching shall generally be completed.
• Even after completion of the switching, the DPS customer can retrieve all data from the provider for at least 30 additional days. After that, the provider has to guarantee full erasure of all exportable data relating to the customer.

Inform the customer

• DPS providers must specify all categories of data and digital assets that can be ported to facilitate the switching process.
• The provider’s information obligations relate to

• switching and porting methods, formats, restrictions and technical limitations,
• an online register with details of the exportable data and
• standard service fees and early termination penalties.

Ensure technical interoperability and implement security measures

• DPS providers must ensure technical interoperability between different DPS, based on harmonized standards.
• In this regard, the ISO/IEC 19941:2017 standard is already named by the Data Act.
• Specific future standards will be published by the EU Commission in a central repository.
• DPS providers must implement security measures to protect the switching process and prevent unlawful governmental data access. This requires safeguards such as encryption of data, frequent submission to audits and modification of corporate policies.

Update of contracts

• The above measures come with a variety of requirements for contractual terms.
• ⚠️ Not addressing the new rights of customers is considered a violation against the Data Act. Also, introducing early penalty fees that provide appropriate compensation requires corresponding clauses in the contract.
• Note: To facilitate the switching process the EU Commission has developed standard contractual clauses (SCCs). These SCCs are rather complex and extensive. They require adaptation to your respective contract.

From when do these measures apply?

• In general, the Data Act applies from 12 September 2025 and according to the EU Commission also applies to legacy contracts.
• Reduced switching charges already apply from 11 January 2024.

Enforcement of Data Act obligations

• Data Act obligations can be enforced contractually by customers and by regulators. Penalties will likely be calculated on methods already known from GDPR – e.g. the infringing party’s annual turnover.
• For example in Germany, the (soon-to-be-announced) authority has already set up a complaints portal, which will be live soon.
• For completeness: The Data Act encompasses many challenges and opportunities related to data use in the European Union but also brings uncertainty for the data industry. We assist with guidance on all of these issues, find more information on our Global Data Hub here.