The European Data Act and French SREN Law: A Customer Relationship Checklist for Cloud Providers, Including SaaS Companies, Operating in France

12 minute read | June.25.2024

For more information about France’s SREN law, see our update that provides five key takeaways for businesses.

Two new laws impose an array of obligations and restrictions on cloud providers in France.

First, the European Parliament passed the Data Act in December 2023, a wide-ranging law that seeks to make it easier to share and circulate data to increase competitiveness and innovation and to switch between cloud providers. The Data Act harmonized rules in Europe on fair access to and use of data. The relevant provisions take effect in September 2025.

Then, in May 2024, a law took effect in France that imposes similar obligations on data processing – before similar portions of the Data Act take effect. As a result, cloud providers that offer services in France cannot wait for the Data Act requirements to kick in – they must comply now with the French law, known as the SREN law (Loi Visant à Sécuriser et à Réguler l’Espace Numérique).

How will these laws affect cloud providers in France? What should a company do to comply? Consult the table below to find out – and peruse our Q&A section below providing further background and guidance to help companies navigate the complexities of these legal frameworks.

Checklist for Cloud Providers

Reconsidering Commercial Practices
Complying with Transparency Obligations
Reviewing Contractual Terms
Product Adaptations
Reconsidering Obstacles to Changing Cloud Providers

A Deeper Dive: Key Questions and Answers About the Data Act and the SREN Law

Who do the laws affect?
What are goals of the law?
What do we mean by “cloud providers?”
When do relevant provisions of the laws take effect?
What are key obligations the law imposes?
Are any cloud providers exempt?

Checklist for Cloud Providers

The following checklist will help cloud providers assess what they need to do concerning relationships with customers under these new regulations. We have noted whether there is an obligation under the Data Act without any France-specific provision and/or SREN law provisions that are unique to the provision of services in France.

Topic	Considerations	Data Law
1. Reconsidering Commercial Practices	Are open-ended cloud credits offered to the cloud provider’s customers? Are these credits granted in exchange of an exclusivity commitment? Companies that offer cloud credits should reconsider this practice. The SREN law (Article 26) prohibits cloud providers from granting open-ended cloud credits and cloud credits granted subject to a condition of exclusivity. A supplementary regulation is expected to define a maximum period of validity for each category of cloud credits.;	SREN law provisions.
	Are open-ended cloud credits offered to the cloud provider’s customers? Are these credits granted in exchange of an exclusivity commitment? Companies that offer cloud credits should reconsider this practice. The SREN law (Article 26) prohibits cloud providers from granting open-ended cloud credits and cloud credits granted subject to a condition of exclusivity. A supplementary regulation is expected to define a maximum period of validity for each category of cloud credits.	SREN law provisions.
	Are conditional sales included in the cloud provider’s practices/contracts? Cloud providers whose practices include conditional sales should make sure that does not constitute an unfair commercial practice. The SREN law (Article 26) prohibits providers from making the sale of a product/service conditional upon the simultaneous conclusion of a contract to provide cloud services, where this constitutes an unfair commercial practice under French law.	SREN law provisions.
	If software is provided as part of the cloud providers’ services (as opposed to IaaS or PaaS), are the pricing/functional terms different compared with when provided through a third-party service? It’s important to justify any difference in pricing/functional terms. The SREN law (Article 26) says cloud providers that also provide software may not provide software to a customer through a third-party cloud provider on pricing and functional terms that differ significantly from those under which the cloud provider provides the same software through its own cloud service if such differences are not justified (“autopréférence”).	SREN law provisions.
2. Complying with Transparency Obligations	Are customers systematically informed of financial implications of switching providers (if any) before entering into an agreement? If customers are not provided with this information, companies should include it as part of negotiations/commercial discussions. Cloud providers must communicate clear information to prospective customers and make such information publicly available on standard service fees and early termination penalties that might be imposed, as well as on any switching charges that might be imposed, according to the Data Act (Articles 29(4) to 29(6)). If a service involves a highly complex or costly switching process or if it is impossible to switch without significant interference to the data, a company must mention that. The SREN law (Article 27) also requires cloud providers to communicate to customers and potential customers in a clear and comprehensible manner, in particular prior to the signing of a contract, information on data transfer and provider switching charges, including the nature and amount of such charges. Exemptions apply to services that mainly consist of features or components that are custom-built or developed for the specific needs of a customer and pre-release versions.	Obligations imposed under the Data Act and France-specific provisions under the SREN law.
	Are customers systematically informed of technical and operational procedures for switching providers? Cloud providers need to provide this information if they are not already doing so. The Data Act (Article 26) requires providers to communicate information on procedures for switching and porting, including on methods and formats as well as restrictions and technical limitations. The law does not specify whether it needs to be publicly available and how to communicate this information. In the absence of guidance and as a risk-mitigating measure, cloud providers should consider publishing a notice on their website. Providers also must create and update an online register with details of data structures and formats as well as the relevant standards and open interoperability specifications in which the exportable data is available.	Obligations imposed under the Data Act and France-specific provisions under the SREN law.
	Does the cloud provider’s website contain information concerning the location of the infrastructure used to provide services and measures taken to prevent access to or transfer of data conflicting with EU law? Is information provided on environmental considerations? Cloud providers should add this information to their websites if it is not already there. The Data Act (article 28(1)) requires cloud providers to disclose on their websites: Details on the jurisdiction with laws and regulations governing the information and communication technology (ICT) infrastructure used for data processing. A description of the technical, organizational and contractual measures adopted to prevent international governmental access to or transfer of non-personal data held in the EU if that would conflict with EU law or the national law of the relevant Member State. Customer contracts must also refer to the websites where this information is provided. The SREN law (Article 33) provides a similar obligation. It also requires cloud providers to include information on their websites about the environmental footprint of the services, including carbon footprint, water consumption and energy consumption.	Obligations imposed under the Data Act and France-specific provisions under the SREN law.
3. Reviewing Contractual Terms	Do customer contracts contain the rights of the customer and obligations of the cloud provider in relation to switching cloud providers? Companies should ensure that customer contracts include this information. The Data Act (Article 25) grants rights to customers in relation to switching cloud providers within a given timeline. The Data Act also requires companies to provide information on switching charges, exportable data and their full erasure. These rights, obligations and associated information must be provided in a contract that shall be made available to the customer before signing in a way that allows the customer to store and reproduce it. The SREN law (Article 27) contains the same requirement. It adds that, for contracts already in force when the SREN law took effect, providers shall inform customers of the nature and amount of the data transfer charges and switching charges.	Obligations imposed under the Data Act and France-specific provisions under the SREN law.
3. Reviewing Contractual Terms	Are switching charges applied? Cloud providers that impose switching charges on customers should reconsider that practice. Under the Data Act (Articles 29(1) to (3)) until 12 January 2027, cloud providers may impose reduced switching charges on the customer (not exceeding the costs a provider incurs that are directly linked to the switching process). From 12 January 2027, cloud providers shall not impose any switching charges. The SREN law (Article 27) also restricts switching and data transfer charges. A supplementary regulation will provide more details. Authorities may delay enforcing these rules pending the supplementary regulation, although the law does not require that. Exemptions apply to services that mainly consist of features or components that are custom-built or developed for the specific needs of a customer and are pre-release versions.	Obligations imposed under the Data Act and France-specific provisions under the SREN law.
4. Product Adaptations	Are processes in place to help customers achieve functional equivalence when switching provider? Cloud providers will need to adapt processes if they provide services limited to infrastructural elements (servers, networks, virtual resources) The Data Act (Article 30(1)) requires cloud providers to take all reasonable measures so the customer, after switching cloud providers, achieves functional equivalence in using the new cloud provider’s service. Cloud providers must facilitate switching by providing capabilities, information, documentation, technical support and, where appropriate, necessary tools. If services provided by the cloud provider are not limited to infrastructural elements, customers must receive information to facilitate the switching process. The Data Act ( Article 30(2)) requires cloud providers to make available open interfaces with information to facilitate switching (Article 30(2)) and ensure compatibility with interoperability standards when these standards are published. In the absence of harmonized standards, cloud providers should, at the request of the customer, export all exportable data in a structured, commonly used and machine-readable format. The SREN law includes interoperability and portability requirements that are not yet specified. Exemptions apply to services that mainly consist of features or components that are custom-built or developed for the specific needs of a customer and pre-release versions.	Obligations imposed under the Data Act and France-specific provisions under the SREN law.
5. Reconsidering Obstacles to Changing Cloud Provider	Do contractual and operational practices create obstacles that restrict the ability of customers to easily change cloud providers? The Data Act (Article 23) prohibits cloud providers from imposing obstacles that inhibit customers from: Terminating the agreement after switching. Concluding new contracts with a different provider covering the same services. Porting customer’s data to a different provider or an on-premises infrastructure. Achieving functional equivalence in the use of a new provider. Unbundling cloud services that do not provide access to the operating services or software stored or deployed on infrastructural elements from services that provide access to such operating services or software. Cloud providers need to cooperate to make the switching process effective, enable the timely transfer of data and maintain the continuity of the cloud service (Article 27).	Obligations imposed under the Data Act and France-specific provisions under the SREN law.

A Deeper Dive: Key Questions and Answers About the Data Act and the SREN Law

Who do the laws affect?

Both laws appear to target software providers that make products available in the cloud.

The Data Act refers to SaaS as one of the three fundamental data processing models. The EU Commission also refers to SaaS as a data processing service in online guidance, including this one.
The Data Act also distinguishes cloud services limited to infrastructure elements from cloud computing services that contain the provision of software, making SaaS models subject to the Data Act.
The SREN law should also be considered as covering SaaS providers. That’s because the SREN law provisions concerning changing a cloud provider anticipates the application of the Data Act and because documentation issued as part of the legislative process refers to cloud providers, including SaaS providers.

What are goals of the law?

The Data Act seeks to remove obstacles that prevent customers from easily switching between service providers. A key goal is to make it easier to share and circulate data to increase competitiveness and innovation. The law includes mandatory contractual provisions and transparency obligations.
The SREN law adapts French law to broader EU laws and regulations, including the Data Act.
The Data Act and an accompanying regulation seek to harmonize rules on fair access to and use of data. It imposes obligations and restrictions on data processing service providers.
The SREN law implements provisions of the Data Act relating to providing data processing services before the Data Act provisions take effect.

What do we mean by “cloud providers?”

The Data Act defines a “data processing service” as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
The SREN law defines a “cloud computing service” the same way.
This overview refers to “data processing services” and “cloud computing services” as “cloud providers.”

When do relevant provisions of the laws take effect?

The relevant portions of the Data Act take effect on 12 September 2025.
The SREN law applies as of 21 May 2024.
- Additional regulations will specify obligations related to switching charges, cloud credits and interoperability and portability. Authorities may delay enforcing these provisions pending regulations even though the law does not delay their effective date.
- Some provisions of the SREN law concerning cloud providers anticipate Data Act requirements. Those provisions will apply to companies doing business in France from now through 12 January 2027.

What are key obligations the law imposes?

The rights and obligations under the Data Act include an obligation to inform, share data and provide data in standard formats; incentives for investing in data; a public entity’s right to access data and measures meant to facilitate data portability and rebalance micro-, small- and medium-sized enterprises.
The SREN law contains obligations and restrictions similar to those in the Data Act plus a few others. The SREN law provisions that do not overlap with the Data Act will continue to apply after 12 January 2027.

Are any cloud providers exempt?

Cloud providers are exempt from some obligations imposed by both laws when the services provided:

Mainly consist of features or components that are custom-built or developed for the specific needs of a customer.
Pre-release versions.

If an exemption applies, the service provider will need to mention this in its customer agreements. These exemptions are identified in the table above.

If you have questions about this update, reach out to Julia Apostle, Rami Kawkabani or Robert Weinhold. You can also read our general update covering five things to know about the new SREN law in France.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Rami Kawkabani Senior Associate, Technology & Innovation, Technology Transactions

Paris

See my bio

D:+33 1 5353 8157
E: [email protected]

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Rami Kawkabani Senior Associate

Paris

Rami advises clients in drafting and negotiating their contractual terms and in the context of strategic transactions covering significant and complex technological issues including in terms of liability and intellectual property.

He also regularly advises clients on compliance with tech and data European and French regulations (Digital Services Act, AI Act, RGPD, Data Act, LCEN) and in the context of their commercial practices towards consumers.

Rami has spent time in-house with major tech companies, and is able to quickly understand his client’s requirements and priorities.

Robert Weinhold Senior Associate, Technology Companies Group, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7158
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Companies Group
Technology Transactions
General Data Protection Regulation
Intellectual Property
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Robert Weinhold Senior Associate

Düsseldorf

Robert has always been fascinated by new technologies and digitization. Pursuing his fascination, he focused his legal studies on media law, intellectual property law and data protection law. Prior to working at Orrick, he also gained experience by founding a company that provided a software as a platform solution and working for a German venture capital investor. His legal advice on technology transactions—in particular, SaaS and IP agreements, e-commerce-related topics, related assistance in mergers and acquisitions or core data privacy—thus reflects not only his legal experience but also his experience and fascination with new technology. Being an IT and IP lawyer with a very commercial mindset, Robert drafts and negotiates all sorts of IT and IP agreements, for small to medium companies and large multinationals. He advises on privacy compliance—in particular drafts, privacy policies, and national as well as international data processing agreements—or provides his knowledge with the assessment of the IP/IT and privacy matters in M&A transactions.

He joined Orrick in 2017 after working as a scientific researcher in the field of Data Privacy.

Related Areas

Markets

France