The EU Data Act – cloud services – amending cloud contracts

Cloud service providers are now obliged to facilitate their customers’ transition to another provider. If you are a cloud service provider, you must check whether your contracts, technical infrastructure and information obligations comply with the Data Act (EU Regulation 2023/2854). This came into force on 12 September 2025 with

Cloud services are widely used by both business users and consumers. The Data Act has serious consequences. Think of cloud services such as Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service, but also providers connected to the Internet of Things (IoT) products. More specifically, think of sea locks, bridges or, closer to home, your car, energy, gas/water meters, lamps that you control via an app or voice (Alexa), smart watches, refrigerators, doorbells and security cameras.

Switching

The aim of the Data Act is to make this dynamic data market more transparent and competitive in the EU. This means that it should be easy for customers to switch to another provider. In legal terms, this means that cloud services must not only review their contracts but also their technical infrastructure and information obligations to ensure that they comply with the Data Act.

Vendor lock-in

A classic feature of contracts is the so-called “vendor lock-in” clause; you are contractually unable to “opt out”. As a customer, you must now be able to easily move your data and applications from one cloud service to another or restore them to your own systems. The Data Act stipulates that such a migration must, in principle, be completed within 30 days. The notice period is now also capped (Art. 25). If the technology makes it truly impossible to deviate from this, only a “very good story” can help you as a provider. I would like to point out a few contractual points in this regard.

Notice period

The agreement of cloud service providers may stipulate a maximum notice period of two months. Clear conditions must be set out regarding the specifications of non-exportable and exportable data and the associated costs (Articles 25 and 34). During the initial period, “reasonable costs” may still be charged, but later – in 2027 – cloud service providers will be obliged to scrap their transfer costs (Art. 29). So in 2027, the “exit” of the “exit fees” will apply.

Interoperability

EU law allows you to switch mobile phone providers without having to buy a new phone. However, this required EU legislation to standardise the process. In line with this, the Data Act also facilitates data migration. Cloud services must adapt their services so that customer data is transferable and can therefore be used operationally by other cloud service providers (Articles 26 and 27). In this context, the EU Commission will be able to set binding standards (Article 35) that providers must comply with.

Transparency and duty to provide information

Naturally, customers must be properly informed of the transfer procedures prior to such a migration (Art. 26). This includes, among other things, indicating which data are transferable and whether any functionalities will be lost, as well as how the migration will proceed procedurally. Any costs will also have to be stated. And to prevent the unlawful transfer of data outside the EU, the customer must also be informed about the measures taken to this end (Art. 29).

Government requests for data

Our government is granted powers under this Data Act. In exceptional circumstances, the government may request data from cloud service providers. This could be in an emergency situation or when it is highly (e.g. acutely) necessary for the performance of public tasks. Of course, such requests must be specific, transparent and proportionate, and must not lead to the migration of more data than is really necessary. One risk here is, for example, the loss of trade secrets. Data that is no longer needed must also be deleted. It must also be prevented that the same data is requested multiple times by different government agencies. That would lead to overload.

Action required

Compliance with the requirements of the Data Act means revising contracts. To this end, on 2 April 2025, the European Commission published the Standard Contractual Clauses (SCCs) for cloud contracts. This report contains model provisions for those contracts. These are not binding, but they provide guidance on how to become Data Act compliant.

We can assist you with this.