Garrigues Digital_

Legal innovation in Industry 4.0

 

Garrigues

ELIGE TU PAÍS / ESCOLHA O SEU PAÍS / CHOOSE YOUR COUNTRY / WYBIERZ SWÓJ KRAJ / 选择您的国家

The Data Act and cloud switching: keys to the new rules on changing cloud service providers

Begoña González Otero, of counsel of Industrial and Intellectual Property at Garrigues and expert in digital law.

The new EU Data Regulation (Data Act) introduces an unprecedented regime to facilitate switching between cloud service providers. The aim: to eliminate the technical and contractual obstacles that have constrained many users. As from September 2025, portability will be a legally binding right with specific obligations for providers.

The Data Act (Regulation (UE) 2023/2854) establishes a new framework to facilitate switching between cloud service providers. These obligations, which are mainly contained in articles 23 to 31 (Chapter VI), seek to remove the technical and contractual barriers that hinder the portability of data and services between different providers. The Regulation entered into force on January 11, 2024 and is applicable from September 12, 2025. Providers must progressively adapt their contracts and internal procedures in order to come into line with the new portability framework envisaged in the Data Act. In this context, we analyze the main characteristics of this regime, the possible risks and which it implies for businesses.

What is ‘cloud switching’ according to the Data Act?

The Data Act perceives cloud switching as the process whereby the customer of a data processing service is able to change from one provider to another with as little friction as possible. This involves migrating from one cloud service to another equivalent service offered by a different provider, or returning the data and applications to the company’s on-premises infrastructure. It also contemplates scenarios in which several providers are used are the same time (multicloud) and imposes on providers the obligation to refrain from preventing their customers from distributing their services between different clouds at the same time.

With this aim in mind, Chapter VI requires that providers “shall not impose and shall remove pre-commercial, commercial, technical, contractual and organizational obstacles” that inhibit customers from switching services, porting to an ITC infrastructure or using several providers at the same time (art. 23). The operational objective is to enable a “secure and timely transfer” in a commonly used format, by means of “open interfaces”, while maintaining the “continuity of the service” during the switching process (Whereas 97). The strategic objective is to avoid vendor lock-in.

Obligations for cloud service providers

The new regime imposes technical, contractual and organizational obligations to facilitate portability and the interoperability between services. Broadly speaking, the following are the most relevant practical obligations:

1. Contractual obligations

The Data Act provides that contracts must expressly include the customer’s right to switch provider, setting out a clear migration procedure. A mandatory maximum transitional period of 30 days must be established during which the outgoing provider shall continue to provide the service and assist the customer with the migration. During this period, the provider shall take due care to maintain continuity, provide reasonable assistance to the customer and, where applicable, to the new provider, provide information regarding risks to continuity and ensure that a high level of security is maintained throughout the switching process. The contract must include support with the customer’s exit strategy, providing the relevant information to plan the migration.

Other relevant contractual aspects include: a maximum notice period for initiation of the switching process (no longer than 2 months); the specification of which categories of data and digital assets can be ported (including, at least, the input and output data generated by the use of the service) and which are excluded as the provider’s own data (i.e. trade secrets provided that they do not hinder the migration); a minimum period of 30 days from the termination of the service for the customer to retrieve the data; a provision guaranteeing full erasure of the data at the end of the process. In addition, once the switching process has been completed successfully or the prior notice period has expired (should the customer decide not to migrate its data) the contract will be considered terminated as a matter of law.

Interplay with the AI Act

The interplay with the AI Act (Regulation (EU) 2024/1689, (the “AI Act”) is particularly important in relation to the obligation to delete data. In projects with high risk cloud AI systems the switching process crosses two frameworks: the Data Act requires the erasure of the customer’s data and assets at the end of the process, following the retrieval period (art. 25.2, h); the AI Act requires the automatic recording of events, that logs and documentation be kept and also cooperation with the authorities (arts. 12, 16, 18, 21 and 26). The practical issue in a migration is what is exported and deleted and what is kept, who does this and for how long. In addition, a change in platform that modifies essential technical aspects could be considered a “substantial modification” and require a new conformity assessment (article 43.4 of the AI Act).

For example, if a financial institution migrates a SaaS creditworthiness evaluation, the Data Act supports the termination, regulates the export and requires the erasure of exportable data on termination. The AI Act in turn requires that the system logs be kept for a minimum period where they are under the control of the obliged entity and to provide them to the competent authority if required to do so (arts. 12 and 21). In such event it is necessary to identify which logs are stored, define who keeps them and to verify whether the switch affects compliance.

2. Technical obligations and interoperability

The providers must facilitate the portability of the data and the interoperability of their services so that the customer can operate its data at the destination service with minimal effort. This involves providing open interfaces (APIs) and standard formats for data export that are available to an equal extent to all customers and the destination providers at no extra cost. The technical information necessary (i.e., data structures, formats, metadata, etc.) must be made available in an up-to-date online register so that third parties are able to develop compatible conversion or migration tools.

The obligations depend on the type of service: if it is IaaS or basic computing resources, the source provider must take reasonable steps to ensure that the customer achieves functional equivalence at the destination service, always where this is technically feasible and without comprising the security and integrity of the systems. This means that when switching to an equivalent structure, the customer’s applications work in a comparable manner and obtain a materially comparable outcome in response to the same input, at all times for common functionalities. The regulation clarifies that the outgoing provider is not obliged to rebuild the service within the competitor’s infrastructure, but it must provide capabilities, documentation, technical assistance and the necessary tools to ensure that the transfer is effective (Whereas 92). An example is the use of virtual machines or containers to transfer workloads to another environment. With Platform as a service (PaaS) and Software as a Service (SaaS), the priority is to open interfaces and standardization to migrate data between different applications.

The details of standardization are set out in art. 35. In short: Chapter VI establishes “what” and art. 35 establishes “how”. When the Commission publishes a harmonized standard or common specification in the repository, the provider has twelve months to ensure compatibility; all without the need to develop new technologies, reveal protected assets (for example the source code or algorithms) or compromise the security and integrity of their systems as a condition for migration.

According to the latest version of the FAQs of the Commission (September 12), question 57 indicates that the repository will take the form of a one-stop-shop per service type. As a first step, in September 2025, the Commission has concluded a mapping of existing harmonized standards and open specifications that qualify for recognition and before publishing a standard or specification will consult the relevant stakeholders and adopt an implementing act. The first version of the repository will be published on europa.eu and will be progressively completed per service type. For the time being and in the absence of applicable standards, customers must at least be able to export all their data in a structured, commonly used and machine-readable format, should they so request. It should be borne in mind that there is still no closed taxonomy on the “same service type”, which affects when functional equivalence or compatibility is required.

3. The obligation to cooperate and good faith

The cloud switching process involves the customer, the outgoing provider and the incoming provider. The Data Act imposes a general duly to cooperate in good faith to ensure that the migration is effective, quick and secure. This includes the need for the destination provider to cooperate technically with the customer (and if necessary, with the original provider) to ensure continuity of the service in the new environment. The aim is to avoid any of the parties — due to any action or omission — hindering the switch. This obligation supplements the specific measures imposed on the outgoing provider and reinforces the idea that the switch must be a joint effort that benefits the customer.

4. Transparency on location of data and governmental access

As part of Chapter VI, providers must also provide information to the public on the jurisdiction to which their infrastructure is subject and on the measures they take to prevent governmental access to non-personal data in the EU. This obligation (art. 28.1, a) and b)) seeks to reassure customers regarding where their data are located and how they are protected from orders from third countries that may create a conflict with relevant Union law or national law. The information must be made available on the website of the provider listed in the contracts (art. 28.2). Although this does not affect portability directly, it does form part of the framework of trust in the cloud established in the Data Act, supplementing the right to change providers with guarantees as regards data sovereignty.

5. Switching charges clause: “charges… strictly limited to the costs incurred”

A crucial aspect of portability is the costs that a provider may charge a customer who wants to switch service. Historically, many providers imposed substantial charges to extract data (data egress charges) or other charges due to early termination of a contract, which had a strong dissuasive effect. The Data Act addresses this problem with a gradual withdrawal of switching charges (art. 29).

In practical terms, as from January 12, 2027 the customer may not impose any charges for the switching process. Until then, only reduced switching charges may be imposed, which may not “exceed the costs incurred by the provider that are directly linked to the switching process concerned” (art. 29.3). This includes expenses that are objectively attributable to the migration (i.e., bandwidth to transfer data, technical assistance time, use of specific export tools), but excludes profit margins and unrelated costs (i.e. general infrastructure costs or penalties).

Whereas 89 cautions that certain costs may not be charged to the customer such as those arising from the outsourcing of services engaged by the provider. The customer may only be charged for additional services it may request that go beyond the provider’s obligations under the regulation (i.e. services tailored to its activities), following an advance pricing arrangement. In short, the cost rule under art. 29 seeks to ensure that the customer pays, during the transitional period, the real cost involved in extracting their data. From 2027, the switch will be free of charge for customers and the providers must assume the internal costs involved. We will have to wait and see what method is used to verify that the costs charged until 2027 are in line with this limitation, which may require accounting transparency. Aware of this, the Commission has powers to monitor these charges during the transitional period (art. 49.1, i)).

6. Microenterprises and SMEs: Are they exempt from cloud switching obligations?

Article 7 of the Data Act includes an exemption for microenterprises and small enterprises with respect to some obligations. Specifically, the obligations in Chapter II do not apply to the data generated by products or services of a microenterprise or small enterprise, provided that it does not form part of a larger corporate group or is subcontracted by another company. This exemption was included so as not to burden small manufacturers of devices or service providers with the obligations to share data in the IoT environment. However, does this exemption extend to the cloud switching obligations under Chapter VI?

The answer, according to the regulation is no. The exception under art. 7 is limited to Chapter II and does not mention any exemption with respect to cloud switching rules. Consequently, even microenterprises and small enterprises that offer data processing services are subject to the cloud switching regime. This could pose challenges for these players, since implementing interoperability standards, data export tools or bearing the cost of free migrations could entail a substantially greater effort.

The lawmakers are aware of this possible impact: art. 49.2 requires the Commission to assess by September 12, 2028 at the latest, the impact of cloud switching obligations (arts. 23 to 31) on the market, with a special focus on SME providers. It should also be borne in mind that art. 31 establishes a specific regime for certain data processing services, such as software custom-built for an individual customer (tailor-made solutions that are not offered at scale) or non-production versions for testing, where some switching obligations are not applicable. This is an exception due to the nature of the service, not the size of the company.

In short, the cloud switching regime of the Data Act marks a turning point in the relationship between cloud service providers and customers. From September 2025, switching provider has been made easier, since clearer steps, time periods and limits have been established. Businesses will be free to choose the solution that best suits them at any given time which will logically lead to greater competition in the quality of the services offered. The scenario we are looking at is a more open and dynamic market, where the ability to switch provider and interoperability will be central to innovation and competition. As with any transformation, it will come hand in hand with challenges to adapt, but also with opportunities for those who are quick off the mark.

Checklist: key steps in the new cloud switching regime

For cloud service providers:

  • Update contracts and templates: include prior notices, transitional periods, retrieval, termination and deletion; remove obstacles; cost policies according to “costs incurred” until 2027 and zero after this.
  • Enable tools: export in structured, commonly used formats, open APIs and technical information on online registers; with IaaS, measures for functional equivalence; with PaaS/SaaS, focus on open interfaces.
  • Switching operation: internal playbook with managers, SLA for the transitional period, provide reasonable assistance to the customer and, as the case may be, the incoming provider; security during the transfer and safe erasure on termination.
  • Identify and adapt technical and contractual policies that may be considered obstacles to the switching process such as performance limitations (throttling), exclusives or penalties, adapting them progressively to the new portability framework; reduce switching costs until 2027 and eliminate them afterwards; allow in-parallel use in accordance with the legal regime.
  • Governance and standards: maintain public transparency; monitor the repository under art. 35 and activate the 12-month compatibility term following publication of references.

For customers (business users):

  • Review contracts in force: prior notice of switch (≤ 2 meses), transitional period (30 days), retrieval (≥ 30 días), termination and deletion; eliminate penalties and incompatible obstacles.
  • Design an exit plan: inventory of data and exportable assets, technical dependencies, formats and APIs available; time periods and internal managers.
  • Use the provider’s transparency: consult switching procedures, supported formats, limitations and jurisdictions published.
  • Assess alternatives and multicloud: compare offers and costs, include the cost rule until 2027 and the egress charge in-parallel use of services.
  • Exercise rights: document notices and requests; if there are obstacles or delays, use the channels envisaged.
  • In the case of high risk AI: identify logs subject to storage and safekeeping needs before exporting or deleting.