The Digital Decade and Its Transformative Impact on Cloud

[co-author: Susan McKiernan]

The EU is advancing toward its Digital Decade goal of digital transformation by 2030, which includes at least 75% of EU business using cloud-edge technologies for their activities. Meanwhile, one of the cornerstone regulations is promising to reshape the legal and operational landscape for cloud service providers (CSPs) and their customers.

The Data Act takes effect from 12 September 2025, and is designed to unlock the value of data across sectors and foster a competitive digital economy. Slightly overshadowed by the EU AI Act with similar phased implementation timescales, CSPs should be aware that it introduces significant changes that will impact contract terms, technical infrastructure, and commercial market dynamics.

Implications of the Data Act for CSPs

Key objectives of the Data Act are to promote interoperability, portability, and multi-cloud strategies to foster a more competitive EU cloud services market. It looks to achieve this by legislating for cloud switching; creating a framework that will facilitate customers moving their data and services freely between providers of data processing services or to bring them in house.

The main elements of this framework encompass:

• an obligation on providers to ‘remove pre-commercial, commercial, technical, contractual and organisational obstacles‘ to switching services of the same type. This extends to any measures that would inhibit the unbundling of services, where technically feasible

• new contractual obligations to support frictionless switching and data portability
• the elimination of switching charges by January 2027 (with limited exceptions). This does not prevent early termination penalties being imposed if they are proportionate (e.g. where the customer switches 6 months into a 1-year fixed term contract, since successful switching triggers termination) and standard service fees are not caught. Also, in its FAQs on the Data Act, the European Commission clarifies that the provider can charge the customer for data egress costs where the customer requests in-parallel services, such as in a multi-cloud deployment model
• a duty on all parties involved in the switching process to act in good faith to make the process effective (akin to the direct debit switch process that people may be familiar with). The Data Act does not elaborate on the apportionment of responsibility and risk between them
• mandatory online registers in which CSPs must set out (and keep up to date) all of the data formats and interoperability standards in which exportable data are available. The registers must be accessible to customers and detail any restrictions and technical limitations which are known to the provider.

These measures apply to a provider of ‘data processing services’, which is defined as a service enabling ‘ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction’. This is designed to capture the main cloud service models (IaaS, PaaS and SaaS) while remaining open to technological innovation. It is unclear at this point whether emerging service lines, such as AI as a Service, will be caught.

Article 31(1) disapplies certain provisions for services where the main features have been custom built for a customer and are not offered at broad commercial sale, but this highlights that bespoke set-ups are intended to be caught by the definition and, from the customer’s perspective, will benefit from the switching rights.

Contract implications

The Data Act sets out the minimum terms that a cloud contract must contain to facilitate customer switching. Amongst others, these include:

• the right for the customer to trigger the switch at any time on a maximum of 2 months’ notice
• a default maximum 30 calendar day transitional period for switching to another provider or porting all exportable data and digital assets to on-premises ICT infrastructure. Where this is ‘technically unfeasible‘, the period is extendable to 7 months. Industry experts have raised concerns about the feasibility of compliance with the 30-day switching period, particularly for large, complex estates and for migration projects in highly regulated sectors, such as financial services
• an obligation to:
  • provide reasonable assistance (both to the customer and any third parties authorised by the customer in the switching process), to maintain business continuity, to provide clear information on known risks to continuity, and to ensure that a high level of security is maintained during the switching process
  • guarantee of full data erasure following successful switching
  • provide an exhaustive specification of all categories of data and digital assets that can be ported, plus any exemptions (categories of data specific to the provider’s internal processes that are protected by trade secrets), and a minimum period for data retrieval

Given the multi-party dependencies in cloud switching, it will be interesting to see what positions parties take on liability and risk allocation, particularly around security, data errors or loss during migration, and the ability to achieve migration within the timescales (with potential downtime implications). As ever, it will be important for the customer to consider carefully the exclusions from a CSP’s liability and the scope of its own responsibilities to understand the level of risk that it will be bearing for the switching process. The Data Act states that a provider must not impose contractual obstacles to inhibit customers from switching, but customers will have different needs and risk appetites, and what might be an unacceptable level of risk in one scenario could be a reasonable risk allocation in another.

The European Commission has been developing non-binding standard contractual clauses for cloud computing contracts that are expected to be finalised before September. These are designed to assist parties in negotiating contracts with ‘fair, reasonable and non-discriminatory contractual rights and obligations‘. It could provide a standard position for the industry (although it largely didn’t for GDPR).

Challenges

Each provider will have to determine how it can implement the Data Act’s requirements for its model, and there will be technical and operational challenges associated with the new switching regime.

• IaaS: An IaaS provider will have to facilitate the functional equivalence of the service in the ICT environment of a different provider of the same service (a service that delivers a materially comparable outcome in response to the same input for shared features supplied). The source provider is not expected to rebuild, but they will need to take all reasonable measures within their power to facilitate the process of achieving functional equivalence through the provision of capabilities, adequate information, technical support and, where appropriate, the necessary tools. While the cloud industry will need to get to grips with what actually is needed to meet this requirement, the provision and corresponding definitions – such as ‘all reasonable measures‘ and ‘materially comparable outcome‘ – set parameters around what providers will be expected to do.
• Interoperability: The European Commission will create an EU repository of applicable open interoperability specifications and harmonised standards. PaaS and SaaS providers must use open interfaces and ensure compatibility with any specifications / standards for their type of service (but, as a minimum, must export data in a commonly used and machine-readable format). The Commission expects the technology sector to develop the standards needed for interoperability, and as a first step it will map existing standards. However, where suitable standards do not exist, the Commission can request that European standardisation bodies develop them. Given the many proprietary solutions that have been built for specific infrastructure in the market, it will be interesting to see how this develops and how the Commission enforces the use of particular standards. Particularly in light of those that are adopted under other Digital Decade legislation, including the EU AI Act, the Network and Information Systems Directive 2 (NIS2) and the Data Governance Act.
• Innovation risk: The new regime raises questions about potential innovation stagnation if providers prioritise portability and functional equivalence over advanced features to comply with the Data Act, and there is a risk of a ‘lowest common denominator’ approach in the EU.
• Competition: While ease of switching should benefit customers through increased competition and reduced costs, there is a risk that only hyperscalers will be capable of enabling seamless switching, potentially disadvantaging smaller providers and itself raising competition concerns if the dominant market players are working together to enable switching between them.

The bigger picture

The backdrop to the new regulations is the EU’s strategy to enhance its competitiveness and to safeguard the sovereignty of its data and cloud infrastructure. A European Commission report on the Digital Decade from June 2025 noted that the main US cloud providers account for 70% of the EU market, while the largest EU cloud operator has a mere 2% share. The Data Act is intended to help open the market and increase competition.

A proposed new Cloud and AI Development Act (the consultation for which closed recently and a proposal is due in Q4 2025), alongside other policies that include a proposed single EU-wide cloud policy for public procurement, aims to bolster the growth of EU cloud providers to make the deployment of data centres easier and support investments in sovereign cloud.

Conclusion

While the Data Act presents compliance challenges, it also offers opportunities for CSPs to differentiate themselves through interoperability and customer-centric service models. As the regulatory landscape continues to evolve, our extensive experience of advising clients on the various regulations making up the Digital Decade means that we are well-placed to help them navigate this new era of cloud regulation.

[View source.]