Switching and porting rules under the EU Data Act

The Data Act defines ‘data processing services’ as digital services that are provided to a customer and that enable ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.

In detail:

• ‘ubiquitous’ is used to describe the computing capabilities provided over the network and accessed through mechanisms promoting the use of heterogeneous thin or thick client platforms – from web browsers to mobile devices and workstations. In other words, network access anytime and anywhere;
• ‘shared pool’ is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment;
• ‘scalable’ refers to computing resources that are flexibly allocated by the provider of data processing services, irrespective of the geographical location of the resources, in order to handle fluctuations in demand;
• ‘elastic’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase or decrease resources available depending on workload;
• ‘computing resources’ include resources such as networks, servers or other virtual or physical infrastructure, software, including software development tools, storage, applications and services;
• ‘distributed’ is used to describe those computing resources that are located on different networked computers or devices and which communicate and coordinate among themselves by message passing;
• ‘highly distributed’ is used to describe data processing services that involve data processing closer to where data are being generated or collected, for instance in a connected data processing device. This is often referred to as edge computing; and
• ‘minimal management effort or service provider interaction’ refers to the capability of the customer of the data processing service to unilaterally obtain computing capabilities, such as server time or network storage, without any human interaction by the provider of data processing services.

Ultimately, whether a service qualifies as a ‘data processing service’ will be decided on a case-by-case basis and depends on the specific functions and properties of that service.

• Cloud services
• Edge services

The definition of ‘data processing services’ above adopts key elements and nearly identical wording from existing definitions of ‘cloud computing’ that can be found in other EU legislation, such as the Digital Markets Act, the NIS2 Directive, as well as in the US National Institute of Standards and Technology (NIST) cloud computing standards roadmap.

Notably, that NIST roadmap mentions ‘Software as a Service’, ‘Platform as a Service’ and ‘Infrastructure as a Service’ as examples of typical service models for cloud computing. The Data Act also highlights these as being typical service models for data processing. In fact, the Data Act itself seems to use data processing and cloud computing interchangeably when it refers to standard contractual clauses for ‘cloud computing contracts’ instead of ‘contracts for data processing services’.

• Application service provisioning (ASP)
• Edge services that autonomously process data collected at the edge of the network without a permanent connection to a cloud
• Hosting services
• Shared hosting services

All those services are typically neither scalable nor elastic, i.e. cannot be extended as desired nor be dynamically adjusted. Additionally, ASP and hosting do not provide for common access to a shared resource, as required under the definition of ‘data processing services’.

Out of scope in general are data processing services that are only provided:

• as a non-production version for testing and evaluation purposes; and
• for a limited period of time.

Customers have three primary options when it comes to switching their data processing services.

First, to switch to a data processing service covering the ‘same service type’ which is provided by a different provider of data processing services.

‘Same service type’ is defined under the Data Act. If interpreted consistently with the definition’s wording, the scope of application might be significantly reduced. The term would otherwise be understood to refer toa set of data processing services that cumulatively share the same – i.e. identical – primary objective; data processing service model, such as SaaS to SaaS, PaaS to PaaS, IaaS to IaaS, or DaaS to DaaS; and main functionalities.

The second option is to deploy a multi-cloud strategy by using several providers of data processing services at the same time. A multi-cloud strategy might be applied to reduce operational resilience and/or utilise complimentary functionalities. Hence, in-parallel use of data processing services, it does not have to fulfil the same service type criterion.

The third option is to switch to an on-premises ICT infrastructure.

All exportable data

Exportable data covers input and output data, as well as meta data that is directly or indirectly generated, or co-generated, by the customer’s use of the respective data processing service. This excludes data protected as intellectual property and trade secrets of the provider or a third party.

Digital assets

Open interoperability specifications and harmonised standards for the interoperability of data processing services also enhance the portability of digital assets between different data processing services that cover the same service type.

Digital assets refer to elements in digital form, including applications, for which the customer has the right of use, independently from the contractual relationship with the data processing service it intends to switch from. This would include elements that the customer needs to be able to effectively use their data in the environment of a new service provider to which they have switched.

The non-binding Data Act FAQs published by the Commission on 13 September 2024 specify that digital assets, therefore, cover non-input and output related types of meta data, for example those related to the configuration of settings, security and access and control rights management, as well as applications and virtualisation technologies, like virtual machines and containers.

Digital assets that compromise the customer’s or provider’s security and integrity of service do not have to be transferred.

First and foremost, providers are not required to develop new technologies or services.

Otherwise, the technical requirements depend on the data processing service provided. The Data Act distinguishes between two groups of providers.

IaaS providers, respectively providers of data processing services concerning computing resources limited to infrastructural elements – servers, networks, virtual resources etc. – that do not also provide operating services, software or applications, must take all reasonable measures to help customers achieve functional equivalence after switching to a service of the same type. In addition source providers of data processing services must facilitate the switching process by providing capabilities, adequate information, documentation, technical support and, where appropriate, the necessary tools.

For all other providers, such as SaaS and PaaS providers, they must provide open interfaces to all customers and the destination providers of data processing services free of charge to facilitate switching; comply with common specifications based on open interoperability specifications or harmonised standards for interoperability, as may be published by the Commission; and as long as no applicable common specifications exist, export all exportable data in a structured, commonly used and machine-readable format. This latter obligation continues to apply regardless of the adoption of common specifications for custom-built data processing services as described under question five above.

The providers’ obligations during the switching process are vaguely expressed in the Data Act. They include:

• providing reasonable assistance to the customer and third parties;
• continuing to provide the functions and services under the contract;
• acting with due care to maintain business continuity;
• maintaining a high level of security throughout the switching process;
• supporting the customer’s exit strategy;
• ·notifying the customer of the termination of the contract; and
• informing the customer about any switching charges.

Switching is supposed to be completed in three phases: via a notice period; a transitional period; and a retrieval period.

The notice period

The customer must have the right to initiate the switching process, for which the provider and the customer must contractually agree a notice period that does not exceed two months.

The customer may notify the provider of its decision to perform one or more of the following actions upon termination of the notice period:

• switch to a different provider – details to be provided by customer – and/or;
• switch to on-premises ICT infrastructure and/or;
• erase exportable data and digital assets.

Standard transitional period

This period is provided for to enable the provider to prepare the actual switching. It should last a maximum of 30 calendar days but be completed without undue delay.

Alternative transitional period

An alternative transition period can be requested by the provider if:

• the standard transitional period is technically unfeasible;
• the provider duly justifies this technical unfeasibility and indicates an alternative transitional period of up to seven months; and
• the provider notified the customer within 14 working days of the making of the switching request.

An alternative transition period can also be requested by the customer, as part of the customer’s statutory right of option, to extend the standard transitional period once for a period that the customer considers to be more appropriate for its own purposes.

The customer’s right neither indicates any maximum extension of the transitional period nor does it specify the form in which the customer should exercise his right.

As we understand it, it would disproportionately affect the rights of providers if an unlimited extension were to be permitted, as this would violate the provider's fundamental rights, for example in cases of a disturbed relationship of trust between the customer and provider. A consideration of the mutual interests of the customer and the provider points to a maximum transitional period of seven months. A provider that wants to part with a customer following the customer’s switching request would thus be bound to the customer for a maximum of seven months.

Due to the potentially significant extension of the transitional period during which the provider’s obligations – see question 8 above – continue to apply, it seems advisable to allow and, in any case, also require the extension to be noted in writing, so that verbal option declarations by the customer are void.

Retrieval period

In the case of switching upon termination, customers have a right to request full erasure of all exportable data and digital assets generated directly by the customer or relating to the customer directly after termination of the data retrieval period – the Data Act provides that this should last no longer than 30 calendar days unless parties contractually agree to a longer period, which might be a crucial point for business models that depend on monetising such data.

The provider of data processing services must make available certain information on their websites and keep this up to date. That information includes:

• the jurisdiction to which ICT infrastructure deployed for data processing of individual services is subject;
• a general description of the technical and organisational measures adopted by the provider to prevent: international governmental access to non-personal data held in the EU; and transfer of non-personal data held in the EU;
• information on switching charges, including on data processing services: that involve highly complex or costly switching; and for which it is impossible to switch without significant interference in the data, digital assets or service architecture.

The provider of data processing services must also provide its customers with certain contractual references to / pre-contractual information. This includes information specifying:

• websites where it publishes the above transparency information;
• available procedures for switching and porting to the data processing service, including: available switching and porting methods and formats; and restrictions and technical limitations known to the provider;
• an up-to-date online register hosted by the provider, including details of all data structures and data formats and relevant standards and open interoperability specifications for exportable data;
• reduced switching charges, standard service fees and early termination penalties;
• Chapter VI Data Act obligations that do not apply due to the operation of Article 31(1) of the Data Act – this provides a carve out for data processing services designed to meet bespoke customer needs and not otherwise offered at broad commercial scale.

The Data Act may be enforced under sovereign or civil law.

Enforcement by the authorities

Companies that fail to comply with the Data Act face fines, although the amounts are yet to be defined and may vary by member state. By 12 September 2025, EU member states must lay down effective, proportionate and dissuasive penalties for Data Act violations.

National data protection authorities will levy fines in cases involving personal data. In cases involving other types of data, each EU member state will designate authorities to enforce the law. 

Individual enforcement by the customer

Although the Data Act provides a basic framework for contracts for data processing services, it does not grant the customer any rights or claims that they could enforce directly against the provider, apart from the right to conclude a contract with specified content.

Efficient enforcement should be possible by means of competition law.

In light of the Data Act objectives, the material requirements of Article 25 of the Data Act are likely to have a protective function regarding the fairness of competition and are market behavior regulations within the meaning of Section 3a of the UWG, Germany’s Unfair Competition Act.

Moreover, the various information and transparency obligations in Chapter VI of the Data Act establish information requirements in relation to commercial communication within the meaning of Article 7(5) of the Unfair Commercial Practices Directive. Withholding the relevant information is “unfair” under sections 5a(1) and 5b(4) of the UWG and can be prosecuted citing offences listed under Section 8 of the UWG.

There are a variety of actions businesses can take to prepare for the switching and porting rules under Chapter VI taking effect.

Data mapping

Specify all categories of data and digital assets that can and that cannot be ported, thereby also identifying trade secrets and ensuring they retain maximum protection.

Update and amend data processing contracts

Apply changes to, among other things:

• include mandatory contractual terms in customer agreements ensuring customers’ rights to switch providers as well as providers’ respective obligations;
• define migration services from the provider’s perspective;
• include clauses to the effect that, in the event of early termination by the customer, as much of the initially agreed remuneration as possible is to be paid;
• include clauses that the initially agreed remuneration is paid to the maximum amount possible for the agreed contract term if the customer requires early termination; and
• pre-agree erasure periods with the customer in cases where the provider’s business model includes using customer data.

Other measures

Businesses should also consider:

• Complying with technical obligations to enable switching.
• Fulfilling accompanying information and website transparency obligations – see question 10 above.
• Establishing processes on how to handle switching requests and (re)design IT infrastructure powering required data switching.
• The business opportunity. In this regard, they could provide a comprehensive open interface to attract non-customers setting up their multi-cloud strategy in order to increase their operational resilience.