EU Data Act: Why cloud providers (and their customers) need to act now

The EU Data Act has been European law since January 2024. This should make providers of cloud IT services in particular sit up and take notice. This is because part of the law will present them with enormous challenges.

So far, however, we as consultants have noticed that the relevant section, which is hidden in the sixth of a total of ten chapters of the regulation, has received little attention in the public and professional debate. For cloud service providers, this can lead to considerable financial losses and legal disputes. It is not only the large hyperscalers that are affected by the new requirements, but also medium-sized operators of private clouds as well as providers of infrastructure and software-as-a-service solutions, for example storage solutions or tools for collaboration and time recording.

Chapter VI regulates “Cloud Switching”

Unlike the other provisions of the Data Act, Chapter VI does not deal with the release of data for IoT applications or public purposes. Rather, it deals with “cloud switching”, the change from one cloud provider to another. It provides for contractual, technical and organisational requirements that make such a move much easier for customers. For cloud providers, this means that they must be able to provide customers with their data in a functionally equivalent form within 30 days upon request, but at the latest upon exit – i.e. at the end of the contract. They should also take appropriate measures to support the customer in using the services without interruption. A maximum period of seven months must be set for complex software projects.

Another challenge for providers is that exit support may no longer be invoiced separately after a transitional period of three years. During this transitional period, service providers will be able to charge reduced switching fees, but these may not exceed the actual costs directly associated with the switch.

What cloud providers must do now

In order to fulfil the legal requirements and avoid financial losses, cloud providers need to take action today and address two key points:

• Ensure that they can provide the data to customers in the prescribed time. Important questions that need to be clarified: Are we able to provide the data in the specified time? What does “appropriate” support involve when “seamlessly” switching to a competitor provider? For example, what metadata is not considered intellectual property and must be provided to facilitate the switch?

• Adapt service and price models accordingly. Questions such as these need to be clarified: What costs will be incurred if the data has to be provided within the legally prescribed period of 30 days? What costs can we charge the customer today and in the coming years? How can we modify our service and pricing models to avoid financial losses?

In order to avoid legal disputes as well as fines and sanctions, which are still to be determined by the EU member states, companies should take action now. They have 20 months to implement the Data Act after it comes into force. A transitional period of three years will apply until the final abolition of exchange fees. It is not clearly regulated whether the new regulation also applies to an exit after the end of the transition period if the contract was concluded before entry into force or before the end of the transition period.

Why customers must also act

The new law is basically an advantage for customers. They can switch cloud providers more quickly. Previously, this was often associated with high financial and practical costs for them, meaning that they only realised limited cost or functionality benefits with other providers. In future, they should be able to act much more flexibly and avoid so-called “lock-in” effects.

However, there are also no automatic advantages for customers in specific cases. This is mainly due to the contradictions and ambiguities in the wording that a generalised set of standards inevitably entails. For example, key terms such as “metadata” are not clearly defined. There will also be discussions about what constitutes “appropriate” measures. In addition, legal action against the provider is not necessarily expedient, as in this case the data may not be released until years later. Users should therefore pay attention to exit agreements in their outsourcing contracts, in which the elastic terms are defined. Existing contracts should also be reviewed with regard to the points mentioned.