This Essential Guide to the European Data Act is part of Orrick's Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.

In this guide, we answer these five pressing questions about the European Data Act for providers of cloud-based services:

1. Does the Data Act Apply to cloud service providers?
2. What do affected companies need to do to comply?
3. Should companies amend current agreements?
4. What about adapting technical aspects of the services?
5. What is the timeline for implementation? What are risks of non-compliance?

1. Does the Data Act Apply to cloud service providers?

Yes, cloud services providers are very likely subject to the Data Act. 

The Act does not explicitly refer to "cloud service providers" and instead employs the less well-known phrase "data processing services." This term refers to any digital service provided to a customer that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature, that can be rapidly provisioned and released with minimal management effort or service provider interaction. 

This is virtually the same definition of " cloud computing service” in the Network Information Security (NIS 2) Directive.

The term "data processing services" encompasses companies that provide typical cloud service distribution models such as Infrastructure as a Service, Platform as a service or Software as a Service. 

In contrast, online platforms and online search engines within the meaning of the EU Digital Services Act and telecommunications services typically do not qualify as "data processing services."

Whether a service qualifies as a "data processing service" depends on its specific functions and properties.

The Data Act sets out a series of obligations for providers of data processing services. Unlike other chapters of the Data Act, the provisions addressing data processing services do not include exceptions for micro, small and medium-sized enterprises.

2. What do affected companies need to do to comply? 

The Data Act primarily affects manufacturers of connected products and related services, but numerous obligations apply to "data processing service" providers as well. Those obligations support the Data Act's goal of preventing vendor lock-in effects and freeing up the movement of data. 

The law requires data processing providers to:

• Include mandatory contractual terms in their customer agreements ensuring customers' rights to switch providers.
• Comply with technical obligations to enable switching.
• Fulfill accompanying information obligations vis-à-vis customers.

The Data Act imposes these requirements to remove commercial, technical, contractual and organizational obstacles that prevent customers from switching to other cloud services providers (or from simultaneously using services of several providers).

3. Should companies amend current agreements?

Yes, companies should update agreements covering cloud services to comply with the Data Act. To ensure customers can switch services, the Data Act requires providers to include certain rights and obligations in their agreements, including:

• Customer rights to initiate the switching process following a two-month notice period.
• Customer rights after the notice period to switch to a different data processing services provider, switch to an on-premises IT infrastructure or erase its data.
• A provider's obligation to ensure a maximum transitional period of 30 calendar days, only extendable under certain circumstances, after the two-months maximum notice period for switching to another data processing service (or for porting the customer's data to a on-premises infrastructure).
• A provider's obligation to assist during the transitional period, including acting with due care to maintain business continuity (including continuing to provide data processing services) and ensuring a high level of security throughout the switching process.
• Description of the legal effects of the switching, leading to the termination of the agreement upon completion of the switching process (or upon expiry of the maximum switching notice period in case of mere erasure of data without switching).
• Provider's obligation to ensure a minimum data retrieval period for the customer of at least 30 calendar days upon termination of the applicable transitional period.
• Customer rights to request full erasure of the customer's data after the data retrieval period (or a longer period agreed).
• Provider's right to request switching charges to be paid by customers (until 12 January 2027, providers may impose charges for the switching process, which may not exceed the costs incurred by the provider that are directly linked to the switching process and from 12 January 2027 on, provider may not impose any such switching charges, however, this does not apply to early termination penalties).

From a commercial perspective, it is important to understand that proactively addressing the Data Act in the customers agreements is a significant advantage for SaaS-Providers. They can define the migration services from their perspective and also include clauses ensuring that the initially agreed remuneration is paid for the agreed contract term should a customer request an early termination. 

The Data Act also sets out a series of information obligations to ensure that companies provide customers with the information necessary to switch, including:

• Information on procedures for switching and porting to a new data processing service.
• An online register with technical details on the exportable data (e.g., data formats, interoperability specifications).
• Pre-contractual information on standard service fees, early termination penalties, and switching charges.
• Information on data processing services with highly complex or costly switching.

4. What about adapting technical aspects of the services?

Most providers will likely have to implement at least some minor technical changes. The Data Act distinguishes two groups of providers:

• Providers of data processing services concerning computing resources limited to infrastructural elements (servers, networks, virtual resources etc.) without providing operating services, software and applications (typically IaaS providers). 
  • These providers must take all reasonable measures to help customers achieve functional equivalence after switching to a service of the same type.
• All other providers, i.e., in particular, SaaS and PaaS providers, have to:
  • Provide open interfaces to all customers and the destination providers of data processing services to facilitate switching. 
  • Comply with common specifications based on open interoperability specifications or harmonized standards for interoperability (that may be published by EU Commission) or if no applicable common specifications exist, export all exportable data in a structured, commonly used and machine-readable format.

Exemptions apply to data processing services custom-built for an individual customer without being offered at broad commercial scale. Providers of these services only need to export all exportable data in a structured, commonly used and machine-readable format.

5. What is the timeline for implementation? What are the risks of non-compliance?

The Data Act applies from 12 September 2025 – so, while there's no need to panic yet, businesses are best advised to take steps addressing the Data Act sooner rather than later. 

Based on our experience helping companies comply with new regulations, especially those touching on technical requirements, organizations typically require some lead time to do such things as ensure alignment across departments.

Companies that fail to comply with the Data Act face fines, although the amounts are yet to be defined and may vary by member state. The Data Act says that, by 12 September 2025, EU member states shall lay down effective, proportionate and dissuasive penalties for violating the Data Act. 

National data protection authorities will levy fines in cases involving personal data. In case involving other types of data, each EU member state will designate authorities to enforce the law.