2 February 2024

The Data Act – Important New Obligations For All Cloud And Edge Services

Taylor Wessing PartG mbB


Deeply embedded within our sectors, we work closely together with our clients to crack complex problems, enabling ideas and aspirations to thrive. Together we challenge expectation and create extraordinary results. We are at you service in 17 locations, at 29 offices, and with more than 1,100 lawyers.
The Data Act entered into force on 11 January 2024 and complements the Data Governance Act. Until now, discussions focused on the right to access data generated by connected products.
Germany Privacy
To print this article, all you need is to be registered or login on


The Data Act entered into force on 11 January 2024 and complements the Data Governance Act. Until now, discussions focused on the right to access data generated by connected products. However, a big part of the Data Act directly addresses so-called providers of data processing services ("DPS") such as cloud and edge services. In the near future, customers will have a right to easily switch between different services and to terminate their contracts. Main obligations for providers refer to a variety of new mandatory contractual terms, information obligations, exit and transition support as well as harmonized interoperability standards.

Who is the addressee?

The Data Act stipulates far-reaching requirements for DPS providers – covering in particular cloud service providers, such as

  • Infrastructure as a Service (IaaS), Platform as a service (PaaS), Software as a Service (SaaS) providers and
  • emerging variations such as Storage as a Service and Database as a Service providers.

Vice versa, customers of these services will have new rights such as to switch between services and to easily terminate their contract. For individual, custom-built DPS or for mere testing and evaluation purposes the scope of the Data Act's obligations is limited.

What are the new measures?

  • Customers have the right to easily switch between DPS providers. This comes with a variety of requirements for contractual terms:
  • Customers have the right to switch between DPS or port all of their exportable data generally free of charge.
  • Upon completion, the DPS contract is considered to be terminated. It is questionable until when the customer has to pay the previous DPS provider. This may lead to broad extraordinary termination rights at the discretion of the customer.
  • The DPS provider has to support customers with their exit strategy (i.e. completion of the switching process or erasure of all exportable data). After a notice period of max. 2 months, switching shall generally be completed.
  • Even after completion of the switching, the DPS customer can retrieve all data from the provider for at least 30 additional days.
  • After the retrieval period the provider has to guarantee full erasure of all exportable data relating to the customer.
  • From 11 January 2024, only reduced switching charges can be imposed and switching providers shall generally be free of charge from 12 January 2027 on.
  • DPS providers have to specify all categories of data and digital assets that can be ported in order to facilitate the switching process.
  • To facilitate the switching process the EU Commission will develop standard contractual clauses – this is familiar to the concept under the GDPR.
  • DPS providers must remove any form of obstacles that inhibit customers – among others – from
  • terminating their contracts,
  • concluding new contracts with different providers and
  • porting customer's exportable data.
  • The provider's information obligations relate to
  • switching and porting methods, formats, restrictions and technical limitations,
  • an online register with details of the exportable data and
  • standard service fees and early termination penalties.
  • DPS providers have to ensure technical interoperability between different DPS, based on harmonized standards.
  • In this regard, the ISO/IEC 19941:2017 standard is already named by the Data Act.
  • Specific future standards will be published by the EU Commission in a central repository.
  • DPS providers must implement security measures to protect the switching process and prevent unlawful governmental data access. This requires safeguards such as encryption of data, frequent submission to audits and modification of corporate policies.

From when do these measures apply?

In general, the Data Act applies from 12 September 2025. Reduced switching charges already apply from 11 January 2024.

Enforcement of Data Act obligations

Data Act obligations can be enforced contractually by customers and by Member States. Penalties will likely be calculated on methods already known from GDPR – e.g. the infringing party's annual turnover.

For completeness: The Data Act encompasses many challenges and opportunities related to data use in the European Union but also brings uncertainty for the data industry. We assist with guidance on all of these issues, ranging from general overviews to detailed assessments of expert topics such as data access, smart contracts, financial data and interfaces between AI and the Data Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More