For more information about France’s SREN law, see our update that provides five key takeaways for businesses.
Two new laws impose an array of obligations and restrictions on cloud providers in France.
First, the European Parliament passed the Data Act in December 2023, a wide-ranging law that seeks to make it easier to share and circulate data to increase competitiveness and innovation and to switch between cloud providers. The Data Act harmonized rules in Europe on fair access to and use of data. The relevant provisions take effect in September 2025.
Then, in May 2024, a law took effect in France that imposes similar obligations on data processing – before similar portions of the Data Act take effect. As a result, cloud providers that offer services in France cannot wait for the Data Act requirements to kick in – they must comply now with the French law, known as the SREN law (Loi Visant à Sécuriser et à Réguler l’Espace Numérique).
How will these laws affect cloud providers in France? What should a company do to comply? Consult the table below to find out – and peruse our Q&A section below providing further background and guidance to help companies navigate the complexities of these legal frameworks.
Checklist for Cloud Providers
- Reconsidering Commercial Practices
- Complying with Transparency Obligations
- Reviewing Contractual Terms
- Product Adaptations
- Reconsidering Obstacles to Changing Cloud Providers
A Deeper Dive: Key Questions and Answers About the Data Act and the SREN Law
- Who do the laws affect?
- What are goals of the law?
- What do we mean by “cloud providers?”
- When do relevant provisions of the laws take effect?
- What are key obligations the law imposes?
- Are any cloud providers exempt?
Checklist for Cloud Providers
The following checklist will help cloud providers assess what they need to do concerning relationships with customers under these new regulations. We have noted whether there is an obligation under the Data Act without any France-specific provision and/or SREN law provisions that are unique to the provision of services in France.
A Deeper Dive: Key Questions and Answers About the Data Act and the SREN Law
Who do the laws affect?
Both laws appear to target software providers that make products available in the cloud.
- The Data Act refers to SaaS as one of the three fundamental data processing models. The EU Commission also refers to SaaS as a data processing service in online guidance, including this one.
- The Data Act also distinguishes cloud services limited to infrastructure elements from cloud computing services that contain the provision of software, making SaaS models subject to the Data Act.
- The SREN law should also be considered as covering SaaS providers. That’s because the SREN law provisions concerning changing a cloud provider anticipates the application of the Data Act and because documentation issued as part of the legislative process refers to cloud providers, including SaaS providers.
What are goals of the law?
- The Data Act seeks to remove obstacles that prevent customers from easily switching between service providers. A key goal is to make it easier to share and circulate data to increase competitiveness and innovation. The law includes mandatory contractual provisions and transparency obligations.
- The SREN law adapts French law to broader EU laws and regulations, including the Data Act.
- The Data Act and an accompanying regulation seek to harmonize rules on fair access to and use of data. It imposes obligations and restrictions on data processing service providers.
- The SREN law implements provisions of the Data Act relating to providing data processing services before the Data Act provisions take effect.
What do we mean by “cloud providers?”
- The Data Act defines a “data processing service” as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
- The SREN law defines a “cloud computing service” the same way.
- This overview refers to “data processing services” and “cloud computing services” as “cloud providers.”
When do relevant provisions of the laws take effect?
- The relevant portions of the Data Act take effect on 12 September 2025.
- The SREN law applies as of 21 May 2024.
- Additional regulations will specify obligations related to switching charges, cloud credits and interoperability and portability. Authorities may delay enforcing these provisions pending regulations even though the law does not delay their effective date.
- Some provisions of the SREN law concerning cloud providers anticipate Data Act requirements. Those provisions will apply to companies doing business in France from now through 12 January 2027.
What are key obligations the law imposes?
- The rights and obligations under the Data Act include an obligation to inform, share data and provide data in standard formats; incentives for investing in data; a public entity’s right to access data and measures meant to facilitate data portability and rebalance micro-, small- and medium-sized enterprises.
- The SREN law contains obligations and restrictions similar to those in the Data Act plus a few others. The SREN law provisions that do not overlap with the Data Act will continue to apply after 12 January 2027.
Are any cloud providers exempt?
Cloud providers are exempt from some obligations imposed by both laws when the services provided:
- Mainly consist of features or components that are custom-built or developed for the specific needs of a customer.
- Pre-release versions.
If an exemption applies, the service provider will need to mention this in its customer agreements. These exemptions are identified in the table above.