New requirements for cloud portability in the EU Data Act – practical implications for cloud service providers

Background

The EU Data Act (Regulation (EU) 2023/2854, which entered into force on 11 January 2024 and applies from 12 September 2025) will begin to apply this autumn. The Regulation aims to promote sharing and use of all types of data within the EU and serves as a complement to the GDPR, which continues to apply in parallel for personal data.

In this article, we focus on rules in the Data Act that are intended to promote data portability and counteract customer lock-in in the market for data processing services, which includes cloud services such as IaaS, SaaS and PaaS, as well as services using computing capacity close to the end user, known as edge computing. For the sake of simplicity, we will use the term “cloud services” instead of “data processing services”. The regulations in Chapter VI of the Data Act could have a significant impact on the EU market for cloud services. The Regulation applies to all providers offering cloud services to customers within the EU, regardless of where the provider is established.

To sum up, the new rules mean that:

  • cloud service providers are required to remove all barriers making it difficult to switch between cloud services of the same type,

  • fees for switching providers, including data egress charges, must be removed by January 2027,

  • portability of customer data becomes a mandatory right that must be explicitly stated in customer agreements, and

  • interoperability between cloud services must be defined through common technical standards.


Certain services are excluded from the scope of the Data Act:

  • Non-production versions of cloud services used for testing or evaluation for a limited period of time, and

  • Tailored services that are adapted according to the customer’s needs and that are not offered on a large commercial scale are exempt from some of the obligations under the Data Act.


Removing obstacles to cloud portability

The Data Act requires cloud service providers to remove all “pre-commercial, commercial, technical, contractual, and organisational” obstacles that make it difficult for customers to switch to another service of the same service type, to use such a service in parallel, or to transfer to on-premises infrastructure. This may require the provider to change both its technical infrastructure and its business model. A key requirement in this context is that the customer must be able to transfer its exportable data and digital assets, if the customer is entitled to use them, to the new environment. However, exceptions apply to data that is protected by intellectual property rights or that constitutes trade secrets, such as software code or business-critical algorithms. Data that is critical to the integrity and security of the service may also be exempt.

The requirement to remove obstacles to switching services also means that a provider offering both infrastructure services (IaaS) and platform services (PaaS) or software services (SaaS) must, on request, be able to separate its IaaS service from the other services in order to prevent customer lock-in, provided that it is technically feasible. IaaS providers must also take all “reasonable steps” to ensure that the service offers functional equivalence in the new environment.


Definitions

“Same service type” means an equivalent service in the same category, e.g. SaaS, PaaS or IaaS. Also, in order to constitute the same type of service, the services must have the same overall functions or area of use.

The customer’s “exportable data” means input and output data, i.e. data that the customer sends to and receives from the service during use, as well as metadata generated during use such as times, logs or other contextual information relating to the data.

The customer’s “digital assets” means elements in digital format, including various forms of metadata, such as configuration settings and access rights, as well as applications that a customer has a right to use independently from the contractual relationship with the cloud service provider.

“Functional equivalence” means that the customer’s exportable data and digital assets are used to restore a minimum level of functionality in the new cloud service after a switch. The destination service must deliver a substantially comparable result for the functions shared between the services under the agreement.


Phasing out of switching fees

The Data Act introduces a gradual abolition of the switching fees that cloud service providers may charge customers who switch services. Charging switching fees is completely forbidden from 12 January 2027. From 11 January 2024 to 12 January 2027, switching fees may be charged but must be limited to the actual direct costs incurred by the provider for assisting the customer, which includes data egress charges and costs for specific support during the transition.

Switching fees charged during the transition period must be clearly specified before the agreement is entered into.

Exceptions

Penalty fees for premature termination: The Data Act does not prevent the provider from charging penalty fees for premature termination if such a termination should occur when switching services.

Customised cloud services: Cloud services that are tailored to the customer’s specific needs and that are not offered on a large commercial scale are not subject to the rules on abolition of switching fees.


Exit agreement

To ensure that the customer is able to switch supplier, the Data Act requires the customer’s rights and the provider’s obligations to be clearly set out in a written agreement between the parties. The agreement must include the following:

  • Maximum notice period. A maximum notice period for the start of the switching process, which may not exceed two months.

  • Maximum transition period. A maximum transition period of 30 days begins after the notice period has expired. If it is technically impossible to complete the switch within 30 days, the transition period can be extended up to a maximum of seven months. The customer is entitled to extend the transition period on one occasion by a period that the customer itself considers appropriate.

  • Support and assistance from the provider. The provider is required to provide reasonable assistance during the switching process, including: (i) ensuring that the service works uninterruptedly throughout the transition period, (ii) providing clear information about known risks to the continuity of the service, and (iii) protecting the customer’s data throughout the switching process.

  • Specification of data and digital assets. The agreement must include an exhaustive specification of exportable data and digital assets that may be transferred, as well as data necessary for the internal functioning of the service that cannot be transferred because it consists of trade secrets, provided that this does not hinder or delay the switching process.

  • Data retrieval and deletion. The customer must have a minimum period of 30 days to retrieve its data after the end of the switching period. The provider must then delete all exportable data and digital assets generated by or directly relating to the customer, unless an alternative period has been agreed.

 

Information requirements. The Data Act also requires providers to provide customers with the information needed to switch services, including technical specifications. Providers must publish an online register containing information on data formats and interoperability for exportable data.

Standard contractual clauses for cloud service agreements

To help the parties negotiate fair, non-discriminatory cloud service terms, the European Commission will develop and recommend non-binding standard contractual clauses for cloud service agreements by 12 September 2025.


Standards and specifications for interoperability

The Data Protection Regulation requires the EU to establish open interoperability specifications and harmonise standards for cloud services. PaaS and SaaS providers must open up their interfaces free of charge to both the customer and the new service provider to ensure data portability and system compatibility. The aim is to ensure that old and new systems are able to communicate effectively so that data transfer and interoperability work smoothly.

To support this, the European Commission intends in the long run to create a common online platform where cloud service providers can see which harmonised standards and specifications apply to their services. Providers must ensure that their interfaces comply with these guidelines so that customers are able to switch providers without losing functionality. If a customer wishes to switch providers before the standards have been published, the cloud service provider must export all customer data in a structured, standardised format.

There is reason to believe that the requirements for portability will require significant technical investments from cloud service providers. At the same time, the Data Act establishes that providers are not required to develop new technologies or services or share or transfer data that is subject to intellectual property rights or that constitutes trade secrets. In practice, this may make it difficult for the EU to ensure effective compliance with the technical requirements for switching services.


What happens if we fail to meet the requirements under the Data Act?

The Member States are responsible for designating one or more public authorities to monitor and ensure compliance with the Data Act. Sweden has not yet determined which public authority will be responsible, but it is likely that Post- och telestyrelsen [the Swedish Post and Telecom Agency] (PTS) will have a role.

In the event of certain violations of the Data Act, the same penalty fees as those applying under the GDPR, i.e. up to a maximum of 4% of a company’s global annual turnover, may be imposed. However, there are still no specific guidelines regarding penalty fees for violations of the rules on switching cloud services. The Member States have until 12 September 2025 to establish these. However, the factors affecting the amount of the penalty fees, such as the seriousness of the violation, previous violations, financial benefits and mitigating circumstances, correspond to those applying under the GDPR.


Recommended actions

Cloud service providers can adopt the following measures immediately to ensure compliance with Chapter VI of the Data Act and minimise business risks associated with the new rules:

  • Review and update agreement terms
    Ensure that agreement terms comply with the requirements under the Data Act, e.g. with regard to notice periods and transition periods, as well as terms on porting and deleting data.

  • Develop clear exit strategies
    Draw up a plan for how customers can seamlessly switch to another service or to on-premises infrastructure, including details on how data and digital assets are ported and deleted. Ensure that the process is clear and that there is support from the provider throughout the transition.

  • Map and specify exportable data and digital assets
    Identify and document which data and digital assets can be transferred and ensure that there is clear information available to the customer on how they can be moved or deleted.

  • Adapt technical infrastructure
    Ensure that technical infrastructure is able to deal with interoperability and portability requirements.

  • Evaluate the business model
    Cloud service providers should carefully analyse how the requirements under the Data Act affect their business model, particularly in terms of pricing, bundling of services and competitive advantages. Consider changes that can improve competitiveness without creating unreasonable ties for customers.

 

You are welcome to contact us if you have any questions or require further information on how the Data Act could affect your business.

Do you want to know more? Contact:

Mårten Lindberg, Partner

Josefin Tegnvallius Boklund, Associate