Skip to main content

The Data Act Unlocked – A New European Framework for Digital Freedom and Data Mobility

In today’s data-driven economy, information is not just a byproduct of digital services, it is a core asset. Acknowledging this, the European Union has introduced the Data Act, a landmark Regulation that will enter into force on 12 September 2025. As part of the EU’s broader data strategy, the Data Act aims to unlock the value of data by making it more accessible, shareable and portable across sectors and borders – aiming to reduce vendor lock-in and foster a more competitive digital market.

The Data Act sets clear rules on who can access and use data generated within the EU, under which conditions, and how that data may be transferred. It applies to both public and private entities and covers a broad range of scenarios.

One of the most transformative elements of the Data Act is Chapter VI, which focuses on making it easier for users to switch between data processing services, such as cloud service providers (CSPs). This is particularly crucial given that users often have little negotiating power when dealing with major CSPs (hyperscalers). This Chapter VI directly tackles the issue of vendor lock-in, where users are constrained by technical, contractual, or financial barriers that make switching between CSPs difficult.

Who are considered CSPs under the Data Act?

The Data Act refers to “providers of data processing services,” which are entities that deliver a wide range of digital services over the internet. This includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These services are typically offered through self-service models, allowing users to scale resources up or down without direct provider intervention.

The Data Act applies to any provider offering such data processing services within the EU, regardless of their size or origin, if they serve EU-based customers. Therefore, CSPs are considered providers of data processing services under the Data Act.

What are the obligations of CSPs under Chapter VI of the Data Act?

To address the power imbalance between providers and customers in the cloud market, the Data Act establishes minimum contractual requirements for cloud agreements in Chapter VI.

Chapter VI of the Data Act introduces a set of binding obligations designed to facilitate seamless switching between CSPs. These providers must eliminate all barriers, technical, contractual, commercial or organisational, that could prevent users from transferring their data or digital assets to another provider or back to their own systems.

  • CSPs must allow users to terminate their contracts with a maximum notice period of thirty (30) days;

  • after termination, users must be granted a minimum thirty (30)-day transition period to:
    • access their data,
    • retrieve their data, and
    • transfer their data to another provider or back to their own systems;
  • until 12 January 2027, providers may only charge for directly incurred switching costs, after this date all switching costs must be eliminated
  • CSPs must offer tools and interfaces that allow data to be exported in a structured, commonly used and machine-readable format;

  • CSPs must ensure that the functionality and performance of services remain consistent during and after switching;

  • CSPs must collaborate in good faith to enable effective and timely switching between services;

  • for PaaS and SaaS, CSPs must ensure compatibility with open standards recognised by the European Commission;
  • national supervisory authorities are responsible for:
    • monitoring compliance,
    • enforcing obligations, and
    • handling complaints from users

These measures are intended to foster a more competitive and user-centric cloud market, where customers are free to choose the services that best meet their needs, without being penalised for switching.

Implementation of B2B Standard Contractual Clauses to prevent vendor lock-in

Regarding the switching requirements to prevent vendor lock-in under Chapter VI of the Data Act, the European Commission will issue several sets of Standard Contractual Clauses (SCCs) that are intended to largely complement one another, though they may also be used independently.

In February 2022, as part of implementing the Data Act, the European Commission formed an expert group to develop these SCCs for cloud computing contracts. This group, composed of legal experts, practitioners, and academics, was tasked with drafting voluntary, non-binding clauses to promote fair and balanced cloud service agreements. These SCCs address key contractual issues such as switching and exit strategies, termination procedures, security and business continuity, liability, non-amendment, and non-dispersion. The aim is to assist businesses, particularly small and medium-sized enterprises (SMEs), in drafting and negotiating cloud contracts that are aligned with the Data Act’s objectives.

While the SCCs will not be legally binding, they are intended to provide a clear and consistent framework that businesses can voluntarily adopt to ensure compliance with the Data Act. By offering model clauses on key contractual aspects, the European Commission aims to reduce the legal and operational uncertainties associated with data sharing and cloud service agreements, thereby fostering a more dynamic, competitive and secure digital economy.

The SCCs may also serve as a valuable reference point for users to assess how the model contractual clauses differ from those proposed by their CSP. In cases where users have limited or no contractual provisions, such as when contracting with SMEs, the SCCs can serve as a source of inspiration or a benchmark for fair and balanced clauses.

The development of the SCCs is being conducted in close consultation with stakeholders, including through public webinars and expert feedback sessions held in late 2024. To facilitate uptake, the European Commission is preparing accompanying guidance materials aimed at supporting businesses in the effective implementation of the SCCs.

The European Commission is expected to finalise and recommend these non-binding SCCs by 12 September 2025, in line with the Data Act’s implementation timeline.

When do the obligations under Chapter VI of the Data Act become binding?

The obligations set out in Chapter VI will apply as of 12 September 2025 and will be directly enforceable in all EU member states. As an EU regulation, the Data Act does not require national implementation laws, meaning its provisions will have immediate legal effect.

Under the current framework, the Data Act does not apply retroactively. Consequently, pre-existing agreements remain subject to their original terms and conditions, including any limitations on data portability or switching restrictions imposed by vendor lock-in provisions. This means that, absent specific contractual clauses allowing adaptation to new laws or voluntary concessions by the CSP, the user’s rights under these existing agreements remain unchanged. Agreements concluded before the application date of the Data Act (12 September 2025) are thus not subject to Chapter VI. However, if such agreements are amended, renewed, or extended after this date, they must comply with the relevant obligations set out in the Data Act.

Although not legally required, it is anticipated that existing agreements will need to align with the Data Act over time. CSPs should proactively review and update their terms and conditions to comply with the new legal framework. For users, this presents an opportunity to reassess their cloud strategies and ensure that their service agreements support future flexibility and compliance.

Practical steps for compliance

With the introduction of the Data Act, the EU is taking a bold step toward a more open, transparent, and interoperable digital economy. By tackling vendor lock-in and empowering users to move their data freely, the regulation promotes innovation, competition, and trust in cloud services.

For CSPs, this marks a shift toward greater accountability and customer empowerment. For users, whether businesses, public institutions, or individuals, it signals a future where data mobility is not a privilege, but a right.

Now is the time for businesses to prepare and bring their existing and future agreements in line with the Data Act.

If you are a CSP, it is advisable to:

  • review your agreements and identify any clauses that may hinder compliance with the Data Act's obligations;

  • establish processes and systems that facilitate the switching and data transfer requirements introduced by the Data Act.

Our Information & Communication Technology (ICT) and Information Governance and Data Protection (Privacy) teams at Lydian will be happy to assist you with any questions concerning the new legal obligations introduced by the Data Act.

Authors

  • Françoise Billen.JPG
    Associate

    Françoise Billen

    Download VCARD