In the rapidly evolving landscape of European tech regulation, the Data Act introduces changes with the potential to reshape established market dynamics, presenting significant challenges and opportunities for affected organisations. The Data Act is a wide-ranging law that seeks to promote competition and new product and service development in the technology and data markets by removing lock-in barriers, whereby existing providers or holders of data are perceived to be unduly advantaged (and their customers disadvantaged) by access to and control over that data.
One key aspect of the Data Act is the introduction of significant new service-switching requirements on providers of “data processing services”, the majority of which take effect on 12 September 2025. This article examines these new switching requirements, provides key takeaways for data processing service providers and their customers, and analyses the broader implications of the changes.
Scope
Material Scope
The definition of “data processing services” is broad. In particular, it covers three main categories of computing services:
- infrastructure-as-a-service (IaaS), i.e., infrastructure resources such as storage or rented servers;
- platform-as-a-service (PaaS), i.e., infrastructure and core software, on top of which customers can build, deploy, and manage their applications; and
- software-as-a-service (SaaS), i.e., software applications, fully provisioned and hosted by the service provider.
Notably, the recitals also reference emerging delivery models such as database-as-a-service (DaaS) as examples of in-scope services.
The broad approach in the recitals — bringing all “as-a-service” models into scope — when combined with the more specific, but still quite vague, definitions in the body of the text, is likely to result in questions of interpretation as to exactly which services are in scope and, inevitably, whether AI (which is often delivered using an “as-a-service” model) is subject to the Data Act obligations. Notably, the service-switching provisions in the Data Act do not provide carveouts for small-scale or emerging providers, and there is no general limitation to commodity or off-the-shelf services. However, more specific exceptions do exist, such as covering services that are heavily customised for specific customers or provided for testing purposes.
Territorial Scope
In line with other EU legislation in the digital and technology field, the Data Act’s scope is extraterritorial and encompasses providers of data processing services, regardless of where they are established, that provide services to customers within the EU or that are placed on the EU market. As a result, several providers based outside of the EU will be subject to the Data Act.
In short, a wide range of providers, from hyperscalers to providers of niche SaaS solutions, often established outside the EU, will be affected. On the other hand, customers of in-scope services stand to potentially benefit from new rights and protections against existing and new providers.
What Should In-Scope Data Processing Service Providers Do?
The central obligations in the Data Act on providers of data processing services — which come into effect on 12 September 2025 — relate to removing obstacles to effective switching by customers, whether from one provider to another or to internal on-premise models. In practice, switching can encompass several steps, including, even in low-complexity cases, data extraction (e.g., the downloading of data from the source data processing service provider), data transformation (where data is structured in a way that does not match the target location’s schema), and uploading data to a new destination.
Core Obligations Regarding Switching
Provider obligations include a general requirement not to impose, and to remove, pre-commercial, commercial, technical, contractual, and other barriers that inhibit customers from terminating contracts, porting data and digital assets, and (where technically feasible) unbundling infrastructure services from other types of data processing services, among other activities.
These obligations are supported by a series of more granular requirements, including implementing and adhering to mandatory contractual terms such as:
- terms permitting customers to, on a maximum of two months’ notice, initiate the process of switching provider or porting data and digital assets on-premise, with such activities to be performed without undue delay and within a maximum of 30 days from the end of the notice period (subject to potential extension where “technically unfeasible”);
- provisions specifying all data and digital assets that can be ported, and the existence of certain exceptions to the same (with a more tailored list to be provided to the relevant customer once it has notified its intention to switch); and
- requirements for the provider to take certain other steps to facilitate switching, including by providing reasonable assistance to the customer and third parties and by supporting the customer’s exit strategy.
The European Commission is due to publish non-mandatory standard contractual clauses for data processing service contracts by 12 September 2025 (a draft developed by an EU expert group is accessible here). How useful parties will find these extensive clauses to be in practice — and the extent to which major data processing service providers will adopt them — remains to be seen.
Transparency Requirements
Beyond contract terms and their resulting operational implications, transparency requirements mandate providers to avail customers of certain information, either online or before the contracting stage. This includes providing details of procedures for switching and porting data and digital assets, as well as maintaining an online, up-to-date register of data structures and formats and interoperability specifications.
Charges
At a commercial level, charges for switching are being phased out. Specifically, since 11 January 2024, providers have only been entitled to levy such charges on a pass-through basis (without markup), and all switching charges will be prohibited beginning 12 January 2027.
Functional Equivalence
From a technical perspective, the Data Act introduces potentially challenging requirements regarding interoperability. IaaS providers must take all reasonable measures to ensure customers achieve “functional equivalence” when transitioning to an alternative service of the same type (including by providing documentation, capabilities, and technical support), while providers of other data processing services must make available free, open interfaces to facilitate switching.
Multi-Service Environments
Many of the above requirements apply not just where customers fully transition out of existing arrangements, but also where they wish to parallel run services between existing and new providers. In essence, there is effectively a requirement to facilitate multi-service environments.
Are There Penalties for Non-Compliance?
While there are likely to be significant fines for non-compliance with the above provisions, these will be set at Member State level and are due to be published by 12 September 2025. As with the EU GDPR, these fines must be effective, proportionate and dissuasive. The European Commission will maintain a publicly available register of penalties for this purpose. Designated national supervisory bodies will bear responsibility for enforcement, and penalties may include (in addition to fines) warnings, reprimands, and orders for compliance.
For example, in France, the SREN Law (Loi Visant à Sécuriser et à Réguler l’Espace Numérique), which took effect on 21 May 2024, incorporates some service-switching provisions from the Data Act and includes fines of up to 3% of annual global turnover (increased to 5% for certain repeat breaches). In Germany, the draft implementation act identifies the German Federal Net Agency (Bundesnetzagentur) as the competent authority and permits fines of up to 4% of annual global turnover or €5 million, whichever is higher.
This approach contrasts with the consequences for breaches of other obligations under the Data Act (e.g., provisions applicable to connected products), whereby data protection authorities are expressly permitted — by the Data Act, rather than national implementing legislation — to apply fines up to maximum levels that align with GDPR thresholds (up to €20 million or 4% of annual global turnover, whichever is higher) for violations involving personal data.
How Should Organisations Be Preparing?
The upcoming implementation of the Data Act brings significant challenges for data processing service providers. To achieve compliance, and to potentially seize new commercial opportunities arising as a result of the changes, providers should consider taking the following actions:
- Determine the extent to which the Data Act applies to the provider’s existing services, particularly in the context of more complex service offerings such as hybrid cloud and on-premise solutions, or multiple native data processing services.
- Update existing and future contract terms, as well as related documentation and web information sources, to meet the relevant requirements.
- From a technical perspective, map and structure data and digital assets to align with portability requirements, build new interfaces to facilitate switching, and implement components such as APIs to enable interoperability.
- Develop a commercial strategy to secure investments and revenue (e.g., the Data Act does not prohibit charging early termination fees or using fixed contract terms, so providers can still leverage these) and manage compliance costs (e.g., the potential loss of switching fees and other financial implications) within the provider’s fee structure.
- Identify opportunities to benefit from the changes, including by potentially attracting new customers that can transition from incumbent providers or providing compliance mechanisms to sell to other providers, such as switching interfaces.
For customers, the changes may provide significant opportunities to recalibrate their suite of IT and digital solutions. For example, customers are likely to have greater freedom — both contractually and in practical terms — to explore the implementation of multi-service environments (e.g., to achieve enhanced resilience or scalability) and/or to transition away from incumbent providers on accelerated timescales (e.g., where customers are dissatisfied with levels of service or pricing). This may be a good opportunity for customers to revisit their IT procurement strategies.
Broader Implications of the Data Act
The Data Act will likely significantly affect the dynamics of the EU data processing services market. In one sense, the changes empower customers and present commercial opportunities to providers. On the other hand, in-scope providers face reduced control over customer relationships and increased risk of customer attrition, among other commercial and practical challenges.
These and other dynamics extend to the operational implementation of the changes. For example, the strict timelines and obligations for data portability and service-switching appear to rest uneasily with the significant real-world complexities involved in changing providers in a multifaceted IT environment, potentially reducing the practical relevance of these provisions for customers and increasing the risk of incidents and disputes. Additionally, the rights for customers to switch providers at any time and on short notice may prompt providers to adjust established pricing/contract term models in order to disincentivise customers from doing so. Whether the service-switching provisions in the Data Act will therefore achieve their intended pro-competitive effects remains to be seen.
More broadly, while the Data Act aims to promote competition, the compliance burden placed on emerging providers risks having the opposite effect, including by deterring market entry. The Data Act is one component of an ever-expanding framework of legal requirements affecting digital services across the EU, which increasingly places obligations directly or indirectly on service providers. The Data Act’s complex interaction with other laws — such as the EU Digital Operational Resilience Act (DORA), the GDPR, and the NIS 2 Directive — presents a compliance challenge even for large-scale providers.
How the Data Act will be enforced in practice at a national level remains to be seen. However, current regulatory trends in Member States such as Germany — regarding the related laws referred to above — may be indicative of an appetite for strict enforcement. We expect that organisations will pay close attention to developments as they continue to adapt to the changes.
