This advisory is part of a series that summarises the key issues arising from the introduction of the Data Act.
On September 12, 2025, the obligations introduced under the EU’s Data Act (Regulation 2023/2854) become applicable – including new rules designed to facilitate switching between cloud service providers.
1. What are the goals of the Data Act’s rules on cloud services switching?
The purpose of the Data Act is to promote the EU’s digital economy by making data more accessible and usable, as well as by increasing fairness and competition.
In particular, the rules on cloud services switching aim to address vendor lock-in challenges by lowering barriers for customers seeking to switch to: (1) a cloud service covering the same service type provided by an alternative provider; (2) the customer’s on-premises IT infrastructure; or even (3) several cloud service providers at the same time.
2. What services and service providers are targeted by the new rules?
We use the term ‘cloud services’ to describe the main category of services impacted by the rules. But the Data Act’s rules on switching do not only apply to cloud services: they apply to providers of all ‘data processing services’. These are defined in the Data Act as:
Digital service[s] that [are] provided to a customer and that [enable] ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The term ‘data processing services’ therefore covers different types of service – notably edge computing services – and delivery models, including infrastructure as a service (laaS), platform as a service (PaaS), and software as a service (SaaS), provided they meet all the criteria in the definition. The concept is also flexible enough to cover emerging service variations, such as storage as a service and database as a service. Excluded from the switching rules are services which require a high level of management effort or service provider interaction – though there is a specific ‘slimmed down’ regime which applies to data processing services which are custom-built (e.g. to accommodate the specific needs of an individual customer).
Like the GDPR, the Data Act contains explicit extraterritorial application provisions. The rules apply to cloud service providers established outside the EU – if the services are provided to customers in the EU.
3. How are cloud service providers targeted and what are their obligations?
The Data Act imposes a multitude of obligations on cloud service providers to facilitate switching. To take just a few examples, the Data Act provides that:
- Cloud service providers must remove obstacles to switching. For example, providers must not impose, and must remove any obstacles (commercial, technical, contractual, and organisational) inhibiting customers from: (1) terminating the contract for the cloud services; (2) concluding new contracts with a replacement service provider; and (3) porting exportable data and digital assets to the replacement cloud service provider (or on-premises IT infrastructure).
- Cloud services contracts must contain particular provisions about switching. For example, the contract must contain:
- Clauses that allow customers to switch to a different cloud service provider or port exportable data and digital assets to on-premises IT, without undue delay and within a maximum transitional period of 30 days (following a notice period of a maximum of two months).
- An obligation on the cloud service provider to support the customer’s exit strategy relevant to the services and to provide reasonable assistance to the customer.
- An exhaustive specification of all categories of data and digital assets that can be ported during the switching process.
- The provider of cloud services must make certain information available to customers. This includes, in particular, information on: (1) available procedures for switching (as well as restrictions and technical limitations); and (2) measures adopted by the cloud service provider to prevent certain international governmental access to (non-personal) data.
- From January 12, 2027, cloud service providers can generally no longer impose switching charges on the customer. Until January 12, 2027, switching charges are permitted, but they cannot exceed the costs directly incurred by the cloud service provider for the switching. However, it will still be possible for cloud service providers to impose early termination penalties.
- Certain technical aspects of switching must be addressed, depending on the nature of the cloud services. For example, providers of IaaS offerings must take measures to assist the customer achieve ‘functional equivalence’ with their replacement cloud service provider. In other cases, the service provider must facilitate the switching process by making open interfaces available to customers and cloud service providers and ensure compatibility with certain common specifications based on interoperability specifications or harmonised standards.
4. What should cloud service providers do to comply with Data Act requirements?
Providers of cloud services should in particular:
- Assess whether they fall within the scope of the Data Act’s rules on cloud switching – and if necessary take inventory of which service offerings may be impacted.
- Review relevant customer contracts and terms of service to ensure they align with mandatory provisions (if desired by leveraging the European Commission’s model contractual terms that are scheduled to be published before the end of 2025).
- Develop documentation to meet transparency requirements and set up processes for updating the documentation as required.
- Update or create policies, procedures, and technical capabilities to ensure that switching processes can be completed in line with the Data Act’s requirements (including within appropriate timescales).
- Create a process for calculating (and, if necessary, eliminating) switching charges in line with the Data Act’s requirements and re-evaluate service costs and early termination fees in light of the new switching rules.
5. What if we don’t comply?
The Data Act requires each EU Member State to designate one or more competent authorities with the power to enforce the Data Act. This may be an existing authority – such as the Member State supervisory authority – already responsible for data protection matters.
Customers can lodge a complaint with the relevant authority if they believe their rights under the Data Act have been infringed. If an infringement is established, the authority can impose penalties on the cloud service provider. The rules surrounding the levels of fines competent authorities are permitted to impose are not set out in the Data Act; it instead stipulates that each Member State will lay down their own rules in local legislation. Penalties may vary across EU Member States; however, the Data Act specifies that fines must be ‘effective, proportionate and dissuasive’.
Ransomware Fusion Center
Stay ahead of evolving ransomware threats with Alston & Bird's Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird's Ransomware Fusion Center to learn more and access our tools.
If you have any questions, or would like additional information, please contact one of the attorneys on our Privacy, Cyber & Data Strategy team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.