Why cloud service providers should review their contracts: a guide to the EU Data Act and switching rights

Regulation (EU) 2023/2854 (EU Data Act) is changing the rules for cloud services. Providers of cloud-based solutions (whether infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), or another type of data processing service) should act now.

What is the EU Data Act?

The EU Data Act is part of the EU’s digital strategy. It entered into force on 11 January 2024 with most provisions applying from 12 September 2025. Amongst other aims, it sets out to make it easier for users of data processing services (cloud services) to switch to another provider of equivalent services, move to a multi-cloud solution (ie use multiple providers simultaneously), or bring functionality in house (ie to move to on-premise infrastructure). It is hoped that it will prevent vendor lock-in and create a more competitive market across the EU.

The EU Data Act does not just apply to providers of data processing services established in the EU. It also applies to non-EU providers (irrespective of where they are based) if they provide services to EU customers, due to its extra-territorial effect. There is no carve-out of the provisions on switching for small, micro or medium-sized enterprises, so it will affect cloud service providers of all sizes (although see below on the impact of the Digital Omnibus).

Why this matters for cloud service providers

The EU Data Act introduces obligations on data processing service providers. The headline changes are that it introduces new mandatory switching rights. It also adds transparency requirements and will prohibit switching charges from 12 January 2027.

Key obligations

Article 23 of the EU Data Act means that providers of data processing services must not impose (and must remove) any pre-commercial, commercial, technical, contractual and organisational obstacles which inhibit customers from:

• terminating a contract for data processing services after the maximum notice period and successful completion of the switching process;
• concluding new contracts with a different provider covering the same type of service;
• porting exportable data and digital assets to a different provider, or to an on-premise ICT infrastructure;
• achieving functional equivalence; or
• unbundling services.

There are some exceptions from certain provisions in chapter VI of the EU Data Act, for custom-built solutions (it is recommended that these are assessed on a case by case basis) and for non-production versions provided for testing and evaluation purposes and for a limited period of time.

Contractual obligations for data processors:

• Rights and obligations must be clearly set out in a written contract which must be made available to the customer before they sign (article 25(1)).
• The contract must include the following: (article 25(2))
  • The right to switch – the customer has the right to begin the switch after providing a maximum notice period of two months. Once the notice period has ended the customer has the right to switch to a different provider or migrate to an on-premise solution. Providers must ensure a transitional phase of no more than 30 calendar days starting after the end of the two months’ notice period. The contract must address service continuity obligations during the switching process, including that the provider must provide reasonable assistance to the customer and authorised service providers, act with due care to maintain business continuity, provide information about known risks to continuity, and ensure that a high level of security is maintained throughout the switching process. It is worth noting that thecustomer can extend the transitional period once for a period that it deems appropriate.
  • An obligation on the data service provider to support the customer’s exit strategy – including by providing all relevant information.
  • A clause specifying that the contract will be terminated and that the customer will be notified of termination on successful completion of the switching process, or at the end of the maximum notice period where the customer chooses to erase its exportable data and digital assets.
  • A maximum notice period of two months for initiating the switch.
  • An exhaustive specification of all categories of data and digital assets that can be ported (at a minimum all exportable data).
  • An exhaustive specification of all categories of data specific to the internal functioning of the service that are exempt from the exportable data where there is a risk of breach of trade secrets of the data processing service provider.
  • A minimum data retrieval period of at least 30 calendar days starting after the termination of the transitional period.
  • A clause guaranteeing that all exportable data and digital assets will be erased – after the expiry of the retrieval period or an alternative agreed period, provided that switching has been completed successfully.
  • Any switching charges – switching charges will be gradually phased out and from 12 January 2027 they will be prohibited. Prior to 12 January 2027, reduced switching charges may still be charged, provided they do not exceed the costs incurred by the data processing service provider directly linked to the switch. Data processing service providers may still be able to charge for things like multi-cloud deployment strategies (this is addressed in Recital 99), additional support needed by the customer outside the switching scope of the EU Data Act, standard service fees, and proportionate early termination penalties for ending fixed-term contracts early (provided that all such charges have been agreed in advance and that clear information has been provided to the customer). However, care should be taken to ensure that any proportionate early termination penalties are not characterised as switching charges. It is recommended that any such charges are assessed on a case-by-case basis.
  • A clause providing that the customer may notify the data processing service provider of its decision to switch to a different provider, switch to an on-premise ICT infrastructure, or to erase its exportable data and digital assets after the termination of the maximum notice period.

Information obligations:

• There are several information obligations on data processing service providers. Providers must give customers information on available procedures for switching and porting, including any limitations. They must provide reference to an up-to-date online register they host which sets out details of data structures, formats, relevant standards and open interoperability specifications in which exportable data are available (article 26).

Obligation of good faith:

• There is a requirement for all parties involved in the switching process to cooperate in good faith to ensure that the switching process is effective and to enable timely transfer of data whilst maintaining continuity of the data processing service (article 27).

Technical requirements:

• Technical requirements depend on the service provided:
  • IaaS providers must take all reasonable measures to help customers achieve functional equivalence.
  • SaaS and PaaS providers must provide open interfaces to customers and destination data processing service providers free of charge to facilitate the switching process. They must ensure compatibility with common specifications based on open interoperability specifications or harmonised standards for interoperability (at least 12 months after such common specifications are published in the central Union standards repository).

Standard contractual clauses

In November 2025, the EU Commission published modular standard contractual clauses (SCCs) for cloud computing and other data processing services contracts, which are ready-to-use contractual terms that can be inserted into data processing contracts. The SCCs cover switching and exit, termination, security and business continuity, non-dispersion, non-amendment and liability. They are voluntary, non-binding and open to users’ possible amendments. However, they do not constitute the entire agreement for data processing services that would apply between a customer and a provider, and additional rules and requirements may need to be considered.

Impact of the Digital Omnibus

Cloud service providers should keep up to date with changes that the Digital Omnibus may bring. The Digital Omnibus aims to streamline and consolidate existing (and sometimes overlapping) European digital legislation. The EU Commission published its draft Digital Omnibus Regulation Proposal in November 2025, which amongst other proposals contains amendments to the EU Data Act designed to enhance legal clarity, make compliance easier, and reduce administrative burden.

Examples of such changes include reducing the burden of the cloud-switching rules in chapter VI of the EU Data Act for providers of data processing services that are custom-made and for small and medium-sized enterprises and small mid-cap companies, where contracts were concluded before 12 September 2025.

Why act now?

The majority of obligations in the EU Data Act already apply, so cloud service providers should review their contracts now (if they have not done so already). Existing contracts are likely to be non-compliant and regulatory enforcement and customer scrutiny are expected to increase in 2026.

Practical steps to take

• Audit existing contracts: identify services in scope and check switching terms. Remove any barriers to switching.
• Assess pricing models and remove switching penalties.
• Revise contract templates to include new mandatory switching rights and time periods. Clarify early termination penalties. Consider using SCCs.
• Ensure upfront transparency, including on the data processing service provider’s website in relation to the switching process, fees, and early termination penalties.
• Prepare technically to ensure interoperability and secure migration processes.
• Train staff so they can address customer queries on the new rights.
• Monitor legislative changes and regulatory guidance. The EU Commission has  launched a legal helpdesk to help support compliance.

The EU Data Act is already reshaping the cloud services market. Switching rights are mandatory, not optional. Cloud service providers who act now will reduce risk and build trust with their customers.