ARTICLE
11 June 2025

The Data Act's Changes To Cloud Services Contracts – Tipping The Scales On Switching

TS
Travers Smith LLP

Contributor

Travers Smith LLP logo
It’s not just law at Travers Smith. Our clients’ business is our business. Independent and bound only by our clients’ ambitions, we are wherever they need us to be. We focus on key areas of work where we are genuinely market leading. If it’s hard – ask Travers Smith.
Explore Firm Details
Customers in the EU on the receiving end of (often) one-sided cloud services contracts should see improvements...
United Kingdom Corporate/Commercial Law
Louisa Chambers,James Longster, and Helen Reddish
Your Author LinkedIn Connections

Customers in the EU on the receiving end of (often) one-sided cloud services contracts should see improvements in the terms they are offered around switching – or at least have a strong basis to negotiate better terms. From 12 September 2025, the EU's Data Act will apply directly to the provision of "data processing services", principally cloud and edge services, into the EU. The legislation's primary aim, as it relates to these services, is to prevent "vendor lock-in" by making it easier for EU customers to switch between providers or to on-premises ICT infrastructure or to a multi-cloud solution. There are mandatory content requirements for existing and new contracts from this date to ensure that there are no contractual obstacles to switching. This briefing focusses on these contractual changes.

Which services (and therefore contracts) are in scope?

These requirements apply to contracts for any "data processing service", which is:

a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Recital 81 of the Data Act mentions specifically Software as a Service (SaaS), Platform as a Service (PaaS) and "Infrastructure as a Service" (IaaS), as well as "Storage as a Service" and "Database as a Service". The definition of a data processing service is very similar to the definition of "cloud computing service" in the Network Information Security (NIS2) Directive.

The Data Act has extra-territorial effect – it applies where customers are based in the EU, rather than with reference to the location of providers, so non-EU providers are potentially in scope. Unlike the data sharing aspects of the Data Act, there are no carve-outs specifically to benefit smaller providers of data processing services. The provisions also apply regardless of whether the services are provided to customers which are businesses or consumers. 

The core obligations, set out in Article 23, require that providers of data processing services remove pre-commercial, commercial, technical, contractual and organisational obstacles which inhibit customers from switching to another provider, an on-premises solution, or using the services of multiple providers. There are some carve-outs for customised solutions, i.e. where all or the majority of main features of the services have been custom-built, but these are only carve-outs from provisions relating to functional equivalence, restrictions on switching charges and technical aspects of switching. The mandatory contract requirements will therefore largely still apply to custom-built services. Moreover, as soon as customised services are included in the provider's standard service catalogue (i.e. become one-to-many), these carve-outs cease to apply. Services provided for testing and evaluation purposes for a limited period only, however, are excluded. Where scope exclusions apply, the provider must draw this to the customer's attention pre-contract.

Obligations in relation to switching to another data processing service provider only apply where services are of the "same service type", which means services of the "same primary objective, data processing service model and main functionalities" – so there's room for debate in this switching scenario if services are only similar.

What is to be switched?

It will be important to check how current definitions in contracts, e.g. definitions for "Customer Data" and "User Data" (or similar), align with Data Act definitions. Data that must be portable are "exportable data" (input data, output data, including metadata directly or indirectly generated by the customer's use of the services) and "digital assets". "Digital assets" are applications and metadata (e.g. configuration of settings, security and access and control rights management) that a customer has a right to use independently of their contractual relationship with the provider. However, exportable data excludes data and assets of the provider or of a third party that are protected by IP or trade secrets and cyber security related data. 

Which terms must be included in contracts?

The customer's rights and the provider's responsibilities must be contained in a written contract. Check that the contract includes the following mandatory content:

  • Data specifications: an exhaustive specification of data and digital assets that can be ported (including identifying any data excluded based on the trade secrets exception).

  • The right to switch: the contract should stipulate that customers have the right to begin the switch after providing a maximum of two months' notice. Once the notice period concludes, the contract should specify that customers can choose to switch to a different data services provider, migrate to an on-premises solution, or delete their data.

  • Transition period: providers must ensure a transitional phase of no more than 30 calendar days starting with the end of the maximum two-month notice period. This phase can only be extended by the provider under specific conditions. Customers, on the other hand, have the option to postpone transition once for a duration which they deem most suitable for their needs.

  • The duty to assist: providers are required to give reasonable assistance during the transition, act with due care to maintain business continuity and provide a high security standard throughout the switch (as well as providing information about known risks to service continuity). Providers must also support the customer's exit strategy and provide relevant information. There is clearly scope for different interpretations of what constitutes "reasonable" assistance.

  • Termination: successful switching, once completed, results in the termination of the contract or, if data is erased without switching, termination occurs when the maximum notice period expires. No termination notice is required from customers, but providers must notify customers of contract termination.

  • Data retrieval:  providers must enable a minimum data retrieval period for customers of no less than 30 calendar days following the end of the transition phase.

  • Right to full data deletion  after the data retrieval period or longer agreed timeframe.

  • Switching charges must be specified in the contract (see section 3 below).

  • Details of website(s)  containing mandatory information must also be included in the contract (see "Transparency" in section 5  below.

Switching charges

From 11 January 2024 – 11 January 2027, switching charges must not exceed the direct costs incurred by the provider due to the switching (i.e. no overheads). From 12 January 2027 onwards, providers cannot charge for switching. This will need to be reflected in contracts and should incentivise providers to avoid complex, labour-intensive switching activity as they will bear the cost. Switching charges cover all the activities involved in switching and porting data to the new provider or bringing services inhouse to the extent required to meet the obligations in relation to switching in the Data Act (including support and tools for that process). 

What can providers still charge for after January 2027?

  • Multi-cloud deployment – where data processing services are used in-parallel, the providers can still charge for data egress, but no more than costs actually incurred for egress
  • Additional support in the switching process that goes beyond the switching obligations of the provider is chargeable where the customer agrees to the price of those services in advance
  • Switching charges for custom-built services
  • Standard service fees don't count as switching charges
  • Proportionate early termination fees can still be included in fixed duration contracts

Calculating direct switching costs can be challenging. As such, providers like AWS, Google and Microsoft have already introduced "free" data egress programmes (to varying degrees).

Standard contractual clauses

The Data Act does not mandate specific contractual wording to meet its requirements. However, it requires the EU Commission to provide standard contractual clauses (SCCs), a final version of which was published in April 2025 by the expert group appointed (their report containing the SCCs can be downloaded here). At the time of writing (June 2025) the SCCs are yet to be approved by the EU Commission.

The SCCs are non-binding, so providers are likely to use them flexibly and create their own versions. They are discrete provisions, rather than an entire contract, and are intended to be incorporated into existing cloud computing contracts – adaptations will be necessary to reflect the specific services involved and to fit in with existing terms. They include general provisions and definitions; switching & exit; termination; security and business continuity; liability; non-dispersion (ensuring that contractual documentation is readily available); and non-amendment. While many provisions are a restatement of Data Act provisions, they do go beyond this, to try to be more workable in practice, for example, by suggesting a switching and exit plan in an annex, with an alternative option for self-service automated switching tools. 

The only guidance so far on the Data Act takes the form of FAQs, which contain sparse information on the data processing provisions, and so the SCCs are also helpful from this perspective for their explanatory notes.

What do the parties need to consider beyond the contract?

It will come as no surprise that changes to contracts are just part of a package of wider changes. For example:

  • Parties must act in good faith.   All parties, including both the source providers and destination providers, are obliged under Article 27 of the Data Act to cooperate in good faith to make the switching process effective, enable the timely transfer of data and maintain the continuity of data processing services.

  • Transparency. There are significant transparency requirements. Providers need to provide clear information on procedures for switching and porting to a new data processing service, including an online register with technical details on the exportable data (e.g. data formats and interoperability specifications). They must also make information available on their website on standard service fees, early termination penalties, switching charges (including information on highly complex or costly switching), the jurisdiction to which the infrastructure is subject and information relating to international transfers and governmental access to non-personal data.

  • Technical changes. These will vary according to the type of service. IaaS providers must take all reasonable measures to help customers achieve functional equivalence after switching to a service of the same type. Other providers (SaaS and PaaS) must provide open interfaces to facilitate switching and comply with common specifications based on open interoperability specifications or harmonised standards that may be published by EU Commission. If no applicable common specifications exist, all exportable data must be exported in a structured, commonly used and machine-readable format.

  • Fines  can be imposed on providers for non-compliance. The Data Act requires EU members states to lay down "effective, proportionate and dissuasive" penalties by 12 September 2025. So far, however, few member states have set maximum fines. 

What about the UK?

There is currently no equivalent for the Data Act in the UK - the Data (Use and Access) Bill, which is currently making its way through Parliament, is due to bring in a (more limited) framework in relation to data sharing but does not address cloud services and switching. 

As we discuss in the two briefings here and here, the Competition and Markets Authority, as result of its cloud services market investigation, looks likely to take steps under the Digital Markets, Competition and Consumers Act in relation to the largest cloud service providers, AWS and Microsoft.  This may impact their terms and could also have a ripple effect for other providers.  Customers should keep a careful eye on developments, as intervention by the CMA may help them get a better deal.

There are already examples of cloud providers not differentiating between their EU and UK customers in shifting away from charging for data egress, and so UK customers may experience some benefit from the Data Act's impact in this respect.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Louisa Chambers
Louisa Chambers
Photo of James Longster
James Longster
Photo of Helen Reddish
Helen Reddish
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More