Regulation (EU) 2023/2854 (the “Data Act”) entered into force across the EU on 12 September 2025. We outlined the key provisions of the regulation in our previous article, available here. Broadly speaking, the Data Act establishes a comprehensive framework governing how data is accessed, used, and shared across connected products, digital services, and data processing environments, including cloud and edge computing.

Who falls within scope?

The Data Act defines ‘data processing service’ as a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.

To put it in simple words, various services with a very broad range of different purposes, functionalities and technical set-ups may fall within this definition. As commonly understood by providers and users and in line with broadly used standards, ‘data processing services’ fall into one or more of the following three data processing service delivery models, namely Infrastructure as a Service (IaaS), Platform as a service (PaaS) and Software as a Service (SaaS).

Implications for SaaS providers

The purpose of the Data Act is to strengthen the EU’s digital economy by ensuring that data is more accessible, usable, and fairly shared, thereby enhancing competition and innovation. By facilitating switching between cloud providers, the Data Act requires all parties involved, both the originating and receiving providers, to cooperate in good faith to ensure an effective transition, maintaining service continuity and enabling the secure, timely transfer of necessary data in a commonly used, machine-readable format.

The Data Act is a gamechanger for SaaS contracts across Europe. Here are the key implications for SaaS providers:

• switching rights: SaaS providers must remove contractual and technical barriers to switching by allowing their customers to switch between providers, to multiple providers, or to their own infrastructure and should remove obstacles to switching;
• withdrawal of switching charges: until 12 January 2027, cloud providers may impose reduced switching charges on the customer for the switching process; from 12 January 2027, all such switching charges will be prohibited;
• contractual terms concerning switching: the rights of the customer and the obligations of the provider of data processing services in relation to switching must be clearly set out in a written contract. The set of minimum contractual arrangements around switching is set out in the Data Act. The contract should specify not only the switching process, but also the maximum notice period and a detailed specification of all categories of data and digital assets that can be ported during the switching process;
• information obligations: cloud providers should provide a transparency notice to customers, informing them about available procedures for switching and porting (including information on available switching and porting methods and formats), and keep an up-to-date online register showing what types of data they use, how the data is organised, and which rules or standards they follow to make sure their systems can work with others.

Key contractual obligations for SaaS providers

The impact of the Data Act on SaaS contracts is significant; here are our key takeaways: 

• Early termination rights: SaaS providers must allow customers to initiate the switching process with a maximum notice period of two months. This will have a similar effect to permitting early termination for convenience. In effect, the Data Act gives all cloud customers a right to end their contract at any time, regardless of the duration of the contract – it applies also to fixed term cloud contracts. 
• Migration: SaaS providers must begin the switching process within no more than two months after receiving the request and complete migration within 30 days after the maximum two-month notice period referred to in the previous paragraph, during which the provider is required to keep operations running smoothly and uphold strong security standards. If technically impossible, they can extend this to seven months, but only with justification and the provision of continued services to customers.
• Fixed-term contracts: fixed term SaaS contracts are still permitted, but the customer’s right to request vendor switch must be respected.
• Early termination penalties: are allowed but must be proportionate and aligned with applicable national law. In effect, in case of early termination by the client, requesting full recovery of the remaining contract value by the provider could be treated as a switching barrier which is prohibited under the Data Act. This will likely affect the ARR (annual recurring revenue) of many SaaS providers.
• Impact on existing contracts: the Data Act applies not only to cloud contracts concluded after 12 September 2025, but changes are also required for contracts concluded before this date.
• Extraterritorial reach: the Data Act has extraterritorial reach and SaaS providers from outside the EU providing services to customers in the EU are also affected. In practice, the Data Act may have significant effects on the operations of cloud providers from outside the EU (e.g., from the UK, US, Asia and South America), even if they don’t have any formal establishment across the EU, but do provide services to EU customers (both B2B and B2C).

Required actions

The new rules on switching and interoperability will have significant implications for cloud providers’ business and pricing models. Therefore, cloud providers should assess whether they fall within scope of the Data Act and if so, how their business may be affected by this new law. If this exercise determines that they are in scope, organisations are advised to: 

• amend their existing cloud contracts to align with the Data Act’s requirements;
• review and align their vendor switching procedures, data-sharing arrangements and data access procedures;
• revise transparency notices and website information;
• implement measures to secure IP rights and know-how;
• review internal procedures (e.g., for governmental access requests or trade secret protection); and
• ensure technical readiness (e.g., by developing robust technical capabilities to allow data export, migration and interoperability).

Click here to learn more about the EU Data Act in the brochure prepared by our data experts.