The Data Act will regulate how companies throughout the EU are allowed to use data in the future. 

This article presents the effects of the Data Act on cloud service providers, in particular the change of cloud service providers regulated in Chapter 6 (so-called "cloud switching"). 

You can find the previous newsletters and blog posts from our "Data Act" series here:

• Newsletter with an overview of new regulations; 
• Blog post on the scope of application and affected companies;
• Blog post on the use of product data by manufacturers of IoT products; 

For which services does the Data Act bring new regulations?

Chapter VI of the Data Act manages the options for switching between data processing services. Data processing services are defined more precisely in Art. 2 No. 8 of the Data Act. According to this, a data processing service is "a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction." The definition is very broad and applies to almost all cloud services as well as edge services.

Typical examples of this are: A customer relationship management (CRM) system offered via a cloud platform or an enterprise resource planning (ERP) system that can be accessed online by a company's employees.

Removal of barriers to switching data processing services

One aim of the Data Act is to enable easy switching between data processing services in the future. To achieve this goal, the Data Act imposes obligations on the providers of data processing services that relate to the contract design on the one hand and the technical design of the data processing services on the other.

Contracts for data processing services

The Data Act strongly interferes with the contractual freedom of providers of data processing services to ensure a simple change of provider. They are obliged to include clear regulations on switching between providers in their contracts with their customers. This includes the following provisions, among others:

• Maximum notice period of two months, Art. 25(2)(d) Data Act
• Transfer of all exportable data without delay, no later than 30 calendar days after the end of the contract, including the obligation to provide support and ensure the security of the data when switching, Art. 25(2)(a) Data Act
• Clear list of all data categories that can be exported, Art. 25(2)(e) Data Act, as well as all data categories that are specific to the service and cannot be exported, Art. 25(2)(f) Data Act
• A regulation on switching fees during a transitional period, Art. 25(2)(i) Data Act. Until January 12, 2027, reduced switching fees may still be charged, which may not exceed the costs incurred by the provider. From January 12, 2027, switching must be carried out free of charge.

Technical standards

The technical aspects of a change are regulated in Art. 30 Data Act. According to this, providers of data processing services must enable their customers to switch by providing appropriate information and documentation, technical support and any necessary tools. Specifically, they must provide an interface that also contains sufficient information about the service so that data transfer software can communicate with the service. The details also depend on the type of service offered (Infrastructure-as-a-Service "IaaS", Platform-as-a-Service "PaaS" or Software-as-a-Service "SaaS"). In addition, data processing services must meet interoperability requirements in accordance with Art. 35 Data Act. These requirements are still being specified by the EU and published in a public database.

Information obligations

Furthermore, providers must in future provide customers with information on available procedures for switching and transferring processed data (Art. 26 Data Act). This includes information on possible restrictions and technical limitations, in particular. International providers must also provide information on their website about the competent jurisdiction as well as a description of the measures they take to prevent state access to the data.

Outlook and practical tips

Going forward, the Data Act will put users of cloud services in a much better position. It particularly prevents users from being tied to individual providers in the long term. In the future, providers will no longer be able to contractually enforce regulations on minimum terms or early termination fees. In the future, providers of cloud services will be able to use the standard contractual clauses yet to be published in accordance with Art. 41 Data Act as a guide when drafting contracts. However, we recommend adapting long-term contracts especially now and preparing the steps for implementing the technical requirements.

If you have any questions about the Data Act or would like support, please do not hesitate to contact our experts in the field of intellectual property, media and information technology. We will help you to check whether and to what extent the Data Act applies to your company and how you as a company can best respond to it. For example, a short workshop is a good way to start the implementation process, in which we work with you to identify the specific requirements for your company and agree on the necessary steps.