The Data Act means cloud service providers need to take action. Part 2 of our article provides an overview of the process for switching providers.
Next blog post in the #CMSdatalaw series
As part of its digitalisation and data strategy, the European Union (EU) wants to create an internal data market and make it easier for customers and others to switch cloud service providers (CSPs). The Data Act (Regulation on harmonised rules on fair access to and use of data, "DA"), which came into force on 11 January 2024 and will apply throughout the EU from 12 September 2025, sets out in Chapter VI a large number of new information obligations and requirements regarding drafting contracts for CSPs. In this article, we provide an overview of the new DA regulations on the switching process.
The three phases of the switching process according to the DA
Article 25 DA divides the switching process into three phases. The associated regulations are of particular practical relevance and each must be included in the provider's cloud contracts. Firstly, the provider must grant the customer the right to initiate a termination and switching process for the concluded contract at any time with a "notice period" of a maximum of two months, which begins a "mandatory maximum transitional period" of 30 days upon expiry of the notice period instead of causing the contract to be terminated immediately. During this period, the CSP is required to enable the customer to switch to a different provider or to the customer's own infrastructure (Article 25 (2) (a) and (d) DA).
In addition, the CSP must grant the customer the right to choose the type of switch after expiry of the "maximum notice period" (i.e. after the maximum period of two months has expired) (Article 25 (3) DA). This allows the customer to decide whether data should be ported to a third-party or in-house infrastructure or whether the CSP should erase the customer data. The DA leaves open whether the CSP may use clauses that restrict exercising the right to choose.
Option to extend the transitional period
However, if the customer exercises their right to choose by requesting to switch providers instead of to erase the data, Article 25 (4) DA grants the provider a unilateral right to extend the "transitional period" within which the switch is to be carried out. If the formal requirements for the provider to unilaterally exert a right of extension are met and the provider can justify that the switch cannot be implemented within the "mandatory maximum transitional period" of 30 days for technical reasons, the transitional period can be extended to a maximum of seven months. The DA also grants the customer the right to unilaterally extend the "transitional period" (see Article 25 (5) DA) but does not attach any further conditions to this besides that the extension period is appropriate taking into account the purposes pursued by the customer.
Regardless of whether the transitional period is extended or not, the provider is required to continue to provide the services to the customer and to support the customer in transferring the services.
In addition to these legal specifications, the DA also contains specifications regarding the technical implementation of switching providers.
Technical specifications for switching providers according to the DA
Article 30 DA sets out specifications for the technical implementation of switching providers (and the establishment of interoperability) and distinguishes between two categories of data processing services: data processing services that are limited to "scalable and elastic computing resources" at the infrastructural level, such as servers, networks and "the virtual resources necessary for operating the infrastructure" and that "do not provide access to the operating services, software and applications that are stored, otherwise processed, or deployed on those infrastructural elements", such as services offered in the infrastructure-as-a-service (IaaS) model (Article 30 (1) sentence 1 DA), and "other" data processing services without the presence of an IaaS service, to which Article 30 (2), (3) and (4) DA apply. For example, these may be cloud offerings that are offered as platform-as-a-service (PaaS) and software-as-a-service (SaaS) models.
The switching process for infrastructure-as-a-service models
If the customer is only provided with the hardware/infrastructure required to implement certain applications and located in data centres managed by the CSP, this is an example of IaaS. The DA requires providers of IaaS to take "all reasonable measures in their power" and to enable the customer to achieve equivalent functionality when using the new data processing service after switching to a service of the same type (Article 30 (1) sentence 1 DA). According to Article 2 no. 37 DA, this "functional equivalence" exists if after the switch to the new provider the new service provides "a materially comparable outcome" (i.e. essentially comparable) to the previous service "in response to the same input". The DA leaves open the criteria that can be used to determine in which cases an outcome is comparable.
The switching process for platform-as-a-service and software-as-a-service models
PaaS offerings generally provide software developers with an infrastructure and platform to develop their own systems, while SaaS models involve the provision of software applications to end users. For both services and for all other services that are not IaaS, Article 30 (2), (3) and (4) DA impose technical requirements on the provider in the event of switching providers. If a customer wishes to switch to a different provider, the previous provider will in future be required to provide both its customer and the new provider it wishes to switch to with an open interface to the services operated (Article 30 (2) sentence 1 DA) and the necessary documentation, both free of charge (Article 30 (2) sentence 2 DA). However, the previous provider is not required to take any action in the new provider's third-party infrastructure. In addition to providing the interface, the provider must ensure compatibility with open interoperability specifications.
The DA provides for exceptions to the requirements imposed on the provider in the switching process
Article 31 (1) DA exempts individual offerings by CSPs of which "the majority of main features has been custom-built to accommodate the specific needs of an individual customer" and which are "not offered at broad commercial scale" from the requirements to achieve functional equivalence, withdraw switching charges and ensure compatibility with open interoperability specifications.
However, further obligations for CSPs also apply to these providers. Services that are provided "as a non-production version for testing and evaluation purposes and for a limited period of time" are exempt from all obligations in Chapter VI (see Article 31 (2) DA).
Complying with DA obligations and seizing opportunities
Switching projects will become more cost-effective and efficient for customers and cloud users in the future thanks to the reforms brought about by the DA, the guaranteed support and requirement to cooperate and the technical specifications. At the same time, CSPs will be faced with legal and technical challenges when implementing the requirements of the DA, which will require adjustments to both contracts and organisational processes, meaning that affected companies should already be dealing with the new obligations arising from the DA during the current implementation period. However, companies should take seriously not just the obligations in the DA, but also the opportunities it presents: Market entry, especially for new providers, can be facilitated by the DA, which should have an effect that promotes innovation.
With our German CMS blog series "#CMSdatalaw" we provide an overview of data law, such as the Data Act and the Data Governance Act. You can find the introductory article to our blog series here. Please also visit our CMS Insight page "Data Law“.
The legal text and recitals in the Digital Services Act (DSA) and the Data Governance Act (DGA) can be found in compact form for practical use at CMS DigitalLaws.
Philippe Heinzke, Julia Dreyer, Björn Herbers, Michael Kraus, Tom De Cordier, Italo de Feo, María González Gordon, Johannes Juranek, Ian Stevens.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.