The EU Data Act is intended to harmonise rules on fair access to and use of data in the EU. While the volume of data being collected has increased exponentially across all sectors, much of its value is captured by a small number of big corporations. In 2020 the Commission noted that only 8% of SMEs were successfully capturing value from data. The Data Act is part of a broader EU legislative package aimed at unlocking data-driven innovation and rebalancing control between data holders and users.
The Data Act entered into force on 11 January 2024 and will apply from 12 September 2025. However, a two-stage transition period applies to cloud switching rules:
- From 12 September 2025: providers must begin aligning with transparency and switching process obligations.
- From 12 January 2027: providers will generally be prohibited from charging switching or data extraction fees, subject to limited cost-based exceptions.
The Act applies to a wide range of actors, including:
- Manufacturers and providers of ‘connected products’ (such as smart devices);
- Data holders making data available to users in the EU;
- Providers of data processing services, including cloud service providers, to EU clients.
This article analyses the key obligations of the EU Data Act relating to cloud service portability and switching, (Section 1) and outlines the regulatory and commercial impact for service providers and business users (Section 2).
1. Legal framework for switching and portability in cloud service contracts
The Data Act builds upon an earlier attempt to enable data mobility: the 2018 Free Flow of Non-Personal Data Regulation which proposed voluntary codes of conduct to make it easier to transfer data when switching between cloud services. Dissatisfied with the slow uptake of this industry self-regulatory approach, EU policy-makers introduced a mandatory set of rules with enforceable rights and obligations.
The Act introduces not only new portability rights and contractual restrictions but also imposes corresponding transparency and governance obligations on service providers.
1.1. Data portability and limits on lock-in
The Data Act will make it easier for business customers to access their data and to transfer their data between different providers of data processing services, by introducing a set of minimum mandatory requirements.
The Data Act aims to eliminate 'vendor lock-in' by establishing minimum contractual obligations to facilitate switching:
• Customers must be able to transfer their data between providers without facing undue technical, contractual, or commercial barriers.
• The switch must enable functional equivalence, and data must be provided in a structured, commonly used and machine-readable format.
The rules do not apply to services that are not “interoperable” including:
- Hosting services and shared hosting services.
- Application service provisioning (ASP).
- Non-production versions of services provided for evaluation or testing for a limited period of time (beta versions).
- Bespoke versions of services customised for the customer.
- These types of services cannot be easily exchanged for another service.
From 12 January 2027, service providers must offer switching services and data export free of charge. Some exceptions apply, for example if third party vendor support is required to facilitate the transfer, then providers must cap the charges at the costs they directly incurred in assisting the customer to switch services and/or to extract their data.
This does not affect the provider’s right to charge for its standard service fees during the exit period. While some providers may respond by increasing baseline service fees to recover costs in advance, the goal is to encourage more efficient customer-friendly and cost-effective switching mechanisms.
1.2. Transparency and pre-contractual information
To support switching and regulatory compliance, providers will be required to provide information on their websites including:
- Applicable switching fees (if applicable),
- Details of contractual and technical switching arrangements,
- Measures employed to prevent international governmental access to data held in the EU, and
- The legal jurisdiction governing the ICT infrastructure used for data processing.
In addition, providers will also be obliged to provide pre-contractual information to customers, clearly setting out details of the process for switching and porting to the data processing service.
These measures are hoped to benefit SMEs which are unable to negotiate effectively with stronger market players, and are more impacted by high switching costs and technical barriers.
The Data Act also introduces mandatory safeguards to ensure that non-EU/EEA governments cannot access data stored on EU-based cloud infrastructures. Cloud service providers must implement appropriate technical and organisational measures to prevent non-EU/EEA governments from accessing data held in the EU. This obligation reflects increasing concern over data sovereignty and extraterritorial surveillance. The subtext is that data held on cloud infrastructures must not leave the EEA, unless valid international data transfer mechanisms (such as SCCs or adequacy decisions) are in place.
2. Regulatory response and commercial impact
The implementation of the EU Data Act is expected to trigger wide-ranging regulatory, commercial, and contractual shifts across the cloud services landscape. We take a look at how EU institutions are supporting the market transition and assess the operational and contractual impact on cloud providers.
2.1. The EU Commission proposed model contractual terms
The EU Commission will issue non-binding model contractual terms to guide providers and customers in developing compliant and fair data processing agreements. Although not mandatory, these templates will likely influence market practice and serve as a benchmark for compliance across the EU.
These model clauses aim to balance the contractual power dynamic between large-scale providers and smaller customers, and will assist regulators, trade bodies, and in-house legal teams in shaping fair market standards. Their use may also mitigate enforcement risks, particularly for SMEs with limited resources.
The Commission’s guidance will also be relevant when Member States begin implementing enforcement frameworks into national law, including the designation of competent authorities and definition of effective, proportionate, and dissuasive penalties under Article 40.
Failure to meet the Data Act’s requirements will be punishable by fines, which each Member State must set by 12 September 2025. Where personal data is involved, non-compliance may also lead to GDPR-based sanctions. However, unlike under the GDPR, business customers do not have a direct right of action against providers. Enforcement will rest with competent supervisory authorities designated under Article 40.
2.2. Impact on cloud providers and customers
Cloud providers offering services to EU-based customers, particularly those headquartered outside the EU, will need to:
- Redraft contractual terms to comply with switching and portability requirements;
- Cease charging for data export or switching from January 2027, with limited exceptions;
- Update transparency statements and pre-contractual documentation;
- Ensure security and compliance measures are in place to prevent unauthorised international access.
Some providers may front-load costs into service fees, while others may invest in APIs or tooling to streamline data extraction. Early compliance can offer competitive advantage, particularly for providers that prioritise user experience, transparency, service reversibility, and portability support.
On the customer side, the Data Act is particularly significant for SMEs and other business users who often lack the leverage to negotiate favourable exit terms. For these users, the Act:
- Reduces cost and contractual barriers to switching;
- Enhances transparency around data access and migration;
- Empowers informed decision-making through clearer pre-contractual disclosures;
- Provides indirect enforcement protection via regulatory oversight.
By codifying minimum switching rights, the Act promotes a more dynamic and competitive market for cloud services. Business users should begin reviewing existing cloud contracts to identify legacy provisions that may soon become non-compliant.
Key takeaways for providers and business users
- Review and amend cloud contracts to remove unlawful lock-in clauses and ensure minimum switching rights (e.g. termination notice, structured export, functional equivalence) are contractually embedded.
- Insert compliant data export obligations requiring provision of customer data in a structured, commonly used, machine-readable format, and commit to functional equivalence post-switch (Article 23(3)).
- Draft and publish legally required pre-contractual disclosures, including switching timelines, technical migration terms, applicable jurisdictions, and any transitional fees (Article 23(4)).
- Eliminate or cap switching and data extraction fees in accordance with Article 24 — by 12 Jan 2027, these must be free except for limited, direct third-party support costs.
- Track and incorporate forthcoming EU model clauses into service agreements once published, to align with expected enforcement standards and reduce risk of penalties or regulatory challenge.