June 28, 2024
This Essential Guide to the European Data Act is part of Orrick's Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.
In this guide, we answer these five pressing questions about the European Data Act for providers of cloud-based services:
1. Does the Data Act apply to cloud service providers?
Yes, cloud services providers are very likely subject to the Data Act.
The Act does not explicitly refer to "cloud service providers" and instead employs the less well-known phrase "data processing services." This term refers to any digital service provided to a customer that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature, that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This is virtually the same as the definition of "cloud computing service" in the Network Information Security (NIS 2) Directive.
The term "data processing services" encompasses companies that provide typical cloud service distribution models such as Infrastructure as a Service, Platform as a Service or Software as a Service.
In contrast, online platforms and online search engines within the meaning of the EU Digital Services Act and telecommunications services typically do not qualify as "data processing services."
Whether a service qualifies as a "data processing service" depends on its specific functions and properties.
The Data Act sets out a series of obligations for providers of data processing services. Unlike other chapters of the Data Act, the provisions addressing data processing services do not include exceptions for micro, small and medium-sized enterprises.
2. What do affected companies need to do to comply?
The Data Act primarily affects manufacturers of connected products and related services, but numerous obligations apply to "data processing service" providers as well. Those obligations support the Data Act's goal of preventing vendor lock-in effects and freeing up the movement of data.
The law requires data processing providers to:
The Data Act imposes these requirements to remove commercial, technical, contractual and organizational obstacles that prevent customers from switching to other cloud services providers (or from simultaneously using services of several providers).
3. Should companies amend current agreements?
Yes, companies should update agreements covering cloud services to comply with the Data Act. To ensure customers can switch services, the Data Act requires providers to include certain rights and obligations in their agreements, including:
From a commercial perspective, it is important to understand that proactively addressing the Data Act in customer agreements is a significant advantage for SaaS providers. They can define the migration services from their perspective and also include clauses ensuring that the initially agreed remuneration is paid for the agreed contract term should a customer request an early termination.
The Data Act also sets out a series of information obligations to ensure that companies provide customers with the information necessary to switch, including:
4. What about adapting technical aspects of the services?
Most providers will likely have to implement at least some minor technical changes. The Data Act distinguishes two groups of providers:
Exemptions apply to data processing services custom-built for an individual customer without being offered at broad commercial scale. Providers of these services only need to export all exportable data in a structured, commonly used and machine-readable format.
5. What is the timeline for implementation? What are the risks of non-compliance?
The Data Act applies from 12 September 2025 – so, while there's no need to panic yet, businesses are best advised to take steps addressing the Data Act sooner rather than later.
Based on our experience helping companies comply with new regulations, especially those touching on technical requirements, organizations typically require some lead time to do such things as ensure alignment across departments.
Companies that fail to comply with the Data Act face fines, although the amounts are yet to be defined and may vary by member state. The Data Act says that, by 12 September 2025, EU member states shall lay down effective, proportionate and dissuasive penalties for violating the Data Act.
National data protection authorities will levy fines in cases involving personal data. In cases involving other types of data, each EU member state will designate authorities to enforce the law.