Partnerblog
With the EU Data Act now in force, cloud providers are on the clock to revamp their contracts.
The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and will apply in full on 12 September 2025. Before that date, providers of data processing services (DPS) must align all customer contracts with the new rules, as Chapter VI focuses specifically on such agreements. By curbing vendor lock-in, the Act seeks to empower customers and give them greater freedom to move their data. It pursues this goal by imposing several contractual obligations on providers of data processing services, which are summarised in the grid below. Certain elements of the grid are elaborated in greater detail beneath it.
- What Cloud Contracts must now include (Article 25 Data Act)
The Data Act requires that certain points be clearly communicated to customers when they make use of data processing services. The cornerstone of the contractual obligations is Article 25 of the Data Act. A summary of what must be included in your Cloud Contracts according to Article 25 is set out here:
Theme
Information obligation
Minimum content
In general, the contract must contain clauses on requesting (i) a switch to a different provider of DPS, (ii) a switch to on-premises ICT infrastructure, or (iii) erasure of all exportable data and digital assets.
The Article then lists certain clauses more specifically:
- Clause requiring the provider to support the customer’s exit strategy, including by providing all necessary information;
- Information on any continuity risks in the provision of the switching services by the source DPS provider;
- A clause setting out the conditions under which the contract is considered to be terminated, which is either:
  - upon successful completion of the switching process; or
  - at the end of the maximum notice period, when the customer wants to erase its exportable data.
- The notice period that must be given to the provider of DPS for wanting to export or erase data (the maximum notice period) – this can be no more than two months* (see below);
- All the categories of data that can be ported during the switching process;
- All categories of data specific to the internal functioning of the provider of DPS that might risk a breach of trade secrets which are exempted from the exportable data;
- The minimum period in which the customer must undertake the download or port the data themselves (minimum period for data retrieval) – this should be at least 30 days;
- A guarantee that all exportable data directly generated by the customer will be erased after the switching procedure;
- Any applicable switching charges (see below);
- The possibility for the customer to extend the transitional period once for a period that the customer considers more appropriate for its own purposes.
* More than two months is allowed where the switching would otherwise be technically unfeasible.
Technical aspects
- The supported machine-readable formats, export tools and open interfaces that the data processing service provider offers for the switching process.
- Any restrictions and technical limitations known to the provider of DPS should be specified.
- A reference to an up-to-date register with details of all the data structures and data formats as well as the relevant standards and open interoperability specifications.
Article 25 of the Data Act stipulates that the contract must be in writing and must be made available to the customer before it is signed. This enables the customer to compare contracts side by side and make an informed, well-considered choice about which data processing service provider to engage.
- Cancellation and switching timelines
Under the Data Act, a customer may be obliged to observe a notice period before switching to a new data processing service. That period may never exceed two months, and it would be wise to expressly set out any specific procedures or shorter timelines in the contract. Once the notice has taken effect, the provider must complete the migration within 30 days of the termination date, unless the provider can show that exceptional technical complexity makes an extension of this period unavoidable.
- What you can no longer include
In addition to the positive obligations – the do’s – imposed by the Data Act, the Act also specifies a number of prohibitions – the don’ts. Providers must remove all existing barriers and refrain from creating new ones that could impede switching, including contractual barriers. A clause that prevents a customer from migrating its data to in-house servers is a clear example of such an unlawful obstacle.
- Switching charges
Switching charges are only allowed until January 2027 – and only under strict conditions.
Any such fees must be cost-based, transparent and non-discriminatory, so it is prudent to spell them out clearly in the contract from the outset. Fixed-term agreements may also include pro-rata early-termination penalties, provided these are proportionate to the remaining term and fully disclosed to the customer.
- Unfair terms in B2B contracts (Chapter IV, section 2)
Beyond customer-facing cloud contracts, the Data Act also reshapes B2B data sharing agreements. The guiding principle is fairness: any term unilaterally imposed that “grossly deviates from good commercial practice” in relation to data access or use will be unenforceable. The Commission will publish non-binding model clauses to help businesses assess compliance.
What Should You Do Now? Next Steps for Legal & IT
With the September 2025 deadline approaching, legal and IT departments should work together to ensure compliance. Legal teams should review and revise existing cloud contract templates, focusing on switching clauses, termination triggers, and transparency around fees. Meanwhile, IT teams must ensure that technical capabilities — such as data export tools, supported formats, and interoperability documentation — align with the requirements of the Data Act. Both teams should collaborate to map out relevant data categories and ensure retrieval procedures are clear, tested, and documented. Eliminating any contractual or technical lock-in mechanisms now will reduce compliance risks later.
Authors
Lotte Cools – Edwin Jacobs
