The European Data Act: 5 Things Cloud Services Provider Should Know

6 minute read | June.28.2024

This Essential Guide to the European Data Act is part of Orrick's Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to the evolving cybersecurity and privacy regulatory landscape.

In this guide, we answer these five pressing questions about the European Data Act for providers of cloud-based services:

Does the Data Act Apply to cloud service providers?

What do affected companies need to do to comply?

Should companies amend current agreements?

What about adapting technical aspects of the services?

What is the timeline for implementation? What are risks of non-compliance?

1. Does the Data Act Apply to cloud service providers?

Yes, cloud services providers are very likely subject to the Data Act.

The Act does not explicitly refer to "cloud service providers" and instead employs the less well-known phrase "data processing services." This term refers to any digital service provided to a customer that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature, that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This is virtually the same definition of " cloud computing service” in the Network Information Security (NIS 2) Directive.

The term "data processing services" encompasses companies that provide typical cloud service distribution models such as Infrastructure as a Service, Platform as a service or Software as a Service.

In contrast, online platforms and online search engines within the meaning of the EU Digital Services Act and telecommunications services typically do not qualify as "data processing services."

Whether a service qualifies as a "data processing service" depends on its specific functions and properties.

The Data Act sets out a series of obligations for providers of data processing services. Unlike other chapters of the Data Act, the provisions addressing data processing services do not include exceptions for micro, small and medium-sized enterprises.

2. What do affected companies need to do to comply?

The Data Act primarily affects manufacturers of connected products and related services, but numerous obligations apply to "data processing service" providers as well. Those obligations support the Data Act's goal of preventing vendor lock-in effects and freeing up the movement of data.

The law requires data processing providers to:

Include mandatory contractual terms in their customer agreements ensuring customers' rights to switch providers.
Comply with technical obligations to enable switching.
Fulfill accompanying information obligations vis-à-vis customers.

The Data Act imposes these requirements to remove commercial, technical, contractual and organizational obstacles that prevent customers from switching to other cloud services providers (or from simultaneously using services of several providers).

3. Should companies amend current agreements?

Yes, companies should update agreements covering cloud services to comply with the Data Act. To ensure customers can switch services, the Data Act requires providers to include certain rights and obligations in their agreements, including:

Customer rights to initiate the switching process following a two-month notice period.
Customer rights after the notice period to switch to a different data processing services provider, switch to an on-premises IT infrastructure or erase its data.
A provider's obligation to ensure a maximum transitional period of 30 calendar days, only extendable under certain circumstances, after the two-months maximum notice period for switching to another data processing service (or for porting the customer's data to a on-premises infrastructure).
A provider's obligation to assist during the transitional period, including acting with due care to maintain business continuity (including continuing to provide data processing services) and ensuring a high level of security throughout the switching process.
Description of the legal effects of the switching, leading to the termination of the agreement upon completion of the switching process (or upon expiry of the maximum switching notice period in case of mere erasure of data without switching).
Provider's obligation to ensure a minimum data retrieval period for the customer of at least 30 calendar days upon termination of the applicable transitional period.
Customer rights to request full erasure of the customer's data after the data retrieval period (or a longer period agreed).
Provider's right to request switching charges to be paid by customers (until 12 January 2027, providers may impose charges for the switching process, which may not exceed the costs incurred by the provider that are directly linked to the switching process and from 12 January 2027 on, provider may not impose any such switching charges, however, this does not apply to early termination penalties).

From a commercial perspective, it is important to understand that proactively addressing the Data Act in the customers agreements is a significant advantage for SaaS-Providers. They can define the migration services from their perspective and also include clauses ensuring that the initially agreed remuneration is paid for the agreed contract term should a customer request an early termination.

The Data Act also sets out a series of information obligations to ensure that companies provide customers with the information necessary to switch, including:

Information on procedures for switching and porting to a new data processing service.
An online register with technical details on the exportable data (e.g., data formats, interoperability specifications).
Pre-contractual information on standard service fees, early termination penalties, and switching charges.
Information on data processing services with highly complex or costly switching.

4. What about adapting technical aspects of the services?

Most providers will likely have to implement at least some minor technical changes. The Data Act distinguishes two groups of providers:

Providers of data processing services concerning computing resources limited to infrastructural elements (servers, networks, virtual resources etc.) without providing operating services, software and applications (typically IaaS providers).
- These providers must take all reasonable measures to help customers achieve functional equivalence after switching to a service of the same type.
All other providers, i.e., in particular, SaaS and PaaS providers, have to:
- Provide open interfaces to all customers and the destination providers of data processing services to facilitate switching.
- Comply with common specifications based on open interoperability specifications or harmonized standards for interoperability (that may be published by EU Commission) or if no applicable common specifications exist, export all exportable data in a structured, commonly used and machine-readable format.

Exemptions apply to data processing services custom-built for an individual customer without being offered at broad commercial scale. Providers of these services only need to export all exportable data in a structured, commonly used and machine-readable format.

5. What is the timeline for implementation? What are the risks of non-compliance?

The Data Act applies from 12 September 2025 – so, while there's no need to panic yet, businesses are best advised to take steps addressing the Data Act sooner rather than later.

Based on our experience helping companies comply with new regulations, especially those touching on technical requirements, organizations typically require some lead time to do such things as ensure alignment across departments.

Companies that fail to comply with the Data Act face fines, although the amounts are yet to be defined and may vary by member state. The Data Act says that, by 12 September 2025, EU member states shall lay down effective, proportionate and dissuasive penalties for violating the Data Act.

National data protection authorities will levy fines in cases involving personal data. In case involving other types of data, each EU member state will designate authorities to enforce the law.

Want to know more? Reach out to one of the authors or other members of the Orrick team. Also, check out previous articles on key questions on the European Data Act in general and key points about new French legislation – the SREN law – that supplements the Data Act.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Henry Wu Managing Associate, Technology Transactions, Intellectual Property

Düsseldorf

See my bio

D:+49 211 3678 7168
E: [email protected]

Practice:

Technology Transactions
Intellectual Property
Trademark, Copyright & Media
Cyber, Privacy & Data Innovation
Trade Secrets Litigation
Patents
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Henry Wu Managing Associate

Düsseldorf

Henry represents clients on business transactions involving IP and data protection aspects, including licensing and technology transfers, mergers and acquisitions, venture and other strategic transactions that involve the commercialization of IP.

He also advises his clients on strategic IP protection and enforcement, in particular in the field of patent, trademark and copyright law.

Prior to joining Orrick, Henry was an attorney with a law firm focusing on trademark, competition and media law.

Robert Weinhold Senior Associate, Technology Companies Group, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7158
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Companies Group
Technology Transactions
General Data Protection Regulation
Intellectual Property
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Robert Weinhold Senior Associate

Düsseldorf

Robert has always been fascinated by new technologies and digitization. Pursuing his fascination, he focused his legal studies on media law, intellectual property law and data protection law. Prior to working at Orrick, he also gained experience by founding a company that provided a software as a platform solution and working for a German venture capital investor. His legal advice on technology transactions—in particular, SaaS and IP agreements, e-commerce-related topics, related assistance in mergers and acquisitions or core data privacy—thus reflects not only his legal experience but also his experience and fascination with new technology. Being an IT and IP lawyer with a very commercial mindset, Robert drafts and negotiates all sorts of IT and IP agreements, for small to medium companies and large multinationals. He advises on privacy compliance—in particular drafts, privacy policies, and national as well as international data processing agreements—or provides his knowledge with the assessment of the IP/IT and privacy matters in M&A transactions.

He joined Orrick in 2017 after working as a scientific researcher in the field of Data Privacy.