Insights
The impact of the EU Data Act on data processing services agreements
Dec 03, 2025What is the EU Data Act ?
The EU Data Act (Regulation (EU) 2023/2854), applicable from September 12, 2025, introduces a comprehensive legal framework aimed at enhancing data portability, interoperability, and minimizing dependency on individual service providers throughout the digital economy. Among its most impactful provisions are the mandatory switching rights, which regulate cloud switching and impose significant obligations on providers of “data processing services.”
While fixed-term contracts remain lawful, service providers, including IaaS, PaaS and SaaS, are now required to reassess the structure and content of these agreements in light of the Data Act’s new obligations. This regulation introduces harmonized rules that affect the way providers interact with their clients, compelling them to ensure that contractual terms reflect fair, reasonable, and non-discriminatory conditions. As a result, many existing agreements may need to be adapted to align with the regulation’s requirements and to maintain compliance in future renewals or amendments.
Which entities are within scope ?
The Data Act applies to entities involved in the generation, processing, and use of data. Its scope includes:
- Manufacturers of connected products and Providers of related services: Entities placing Internet of Things (IoT) devices and their associated digital services on the EU market.
- Data Holders: This includes manufacturers, service providers, and platform operators who control access to data generated by connected products or services.
- Data Recipients: Entities, whether public or private, who receive data from data holders for commercial or public interest purposes.
- Public Sector Bodies: EU institutions and Member State authorities may request data from holders in cases of exceptional need, such as public emergencies.
- Providers of Data Processing Services: Data processing services are digital services enabling on-demand network access to a shared pool of configurable computing resources. This includes:
- Software-as-a-Service (SaaS)
- Platform-as-a-Service (PaaS)
- Infrastructure-as-a-Service (IaaS)
Nonetheless, the EU Data Act applies irrespective of where the provider is established, provided that the services are made available to customers within the EU.
What are the key obligations of data processing services providers ?
SaaS providers are subject to mandatory service switching obligations and contractual transparency requirements. From 12 September 2025, these include:
Providers must remove barriers to switching by enabling clients to port their data, and where feasible, applications and other digital content, to another provider.
While providers must offer reasonable assistance during the switching process, they are not required to rebuild the client’s environment within the destination infrastructure.
Contracts must clearly define the client’s rights and the provider’s obligations in the event of switching or migration to on-premise infrastructure. Contracts must include a two-month cancellation period and a 30-day switching period during which the provider must support the transition.
Providers must inform clients about available switching procedures, formats, and known technical limitations. They must also maintain an online registry detailing data structures, formats, and relevant interoperability standards.
All parties involved in the switching process must cooperate in good faith to ensure secure, timely, and disruption-free data transfers using open, machine-readable formats.
Providers must publicly disclose the jurisdictions of their ICT infrastructure and describe the safeguards in place to prevent unlawful international access to non-personal data. These disclosures must be referenced in service contracts.
Between January 2024 and January 2027, providers may charge reduced fees limited to direct costs. From January 2027 onward, switching must be free of charge.
Providers (excluding IaaS providers) must offer open interfaces free of charge to enable interoperability and data portability.
Providers may not impose unfair terms unilaterally in B2B contracts, particularly those affecting data access or use.
As an EU regulation, the Data Act is directly applicable across Member States, but enforcement is delegated to national authorities. Non-compliance may result in significant fines, civil liability, and regulatory investigations, especially where personal data is involved, triggering parallel enforcement under the GDPR.
Compliance timelines ?
The Data Act became applicable from 12 September 2025 to all entities within its scope. However, the Data Act also introduces a transitional regime specifically for contracts concluded before 12 September 2025, delaying the application of the obligations related to unfair contractual terms set out in Article 13:
- For contracts signed on or after 12 September 2025, Article 13 applies immediately.
- For contracts concluded prior to that date, Article 13 will only apply from 12 September 2027 if one of the following conditions is met:
- the contract is of indefinite duration, or
- it is set to expire at least ten years after 11 January 2024, meaning on or after 11 January 2034.
This phased approach ensures that long-term or open-ended contracts are gradually brought into compliance, while shorter-term agreements may remain unaffected unless they are renewed or amended.
What steps should you take now?
With the Data Act now in force, SaaS providers must act swiftly to align their operations, contracts, and technical infrastructure. The following steps are essential to ensure compliance and mitigate legal and commercial risks:
Contract audit and redrafting
- Review existing SaaS agreements to identify clauses that conflict with the Data Act such as restrictive termination terms or opaque switching procedures.
Technical readiness assessment
- Evaluate platform capabilities for data export, portability, and interoperability.
Governance and documentation
Customer Communication
Training and Monitoring
How can we assist you?
BCLP’s team is equipped to support your organization in navigating the compliance landscape introduced by the EU Data Act. We help identify services and contractual arrangements impacted by the regulation through targeted gap analyses, and assist in drafting or revising contract templates to ensure alignment with the new legal framework. Our guidance extends to the technical implementation of compliance measures, ensuring that operational strategies reflect the regulation’s requirements.
To support long-term compliance, we offer ongoing legal monitoring and deliver tailored training sessions to in-house teams, ensuring they remain informed and prepared.
By proactively addressing these obligations, SaaS providers not only mitigate legal risk but also strengthen their position in a competitive, data-driven market.
Related Capabilities
-
Data Privacy & Security
-
General Data Protection Regulation
