EU Data Act

EU Data Act: What U.S. SaaS, PaaS, and IaaS Providers Need to Know Now

The EU Data Act (the “Act”) is now in effect and applies to many U.S.-based cloud and software providers that have customers in the European Union (EU). The Act’s purpose is to allow customers to easily switch providers, move data without undue barriers, and prevent vendor “lock-in.” It creates new rights for customers to access and move their data and new obligations for providers to enable switching between services with minimal friction. The Act will impact how affected vendors actually contract with customers, and will require affected vendors to ensure compliance with operational and technical requirements intended to make data transfer to other vendors easier.

Who the law applies to

The EU Data Act applies to cloud and other “data processing services,” including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), offered to users in the EU, even if the provider is located outside the EU. It also covers data from connected products/IoT and related services, but this client alert focuses on cloud and software providers.

Timing (it’s live)

The Regulation entered into force on January 11, 2024, and became applicable on September 12, 2025. The switching rules for cloud/data processing services apply to new contracts as of September 2025 and will impact some existing long-term contracts by 2027.

What the law requires (high level)

  1. Easy switching & portability
    • EU customers must be able to terminate covered vendor contracts for convenience with no more than 60 days’ prior notice in order to switch to another provider (or move on-prem), with porting of all exportable data and relevant digital assets in a structured, machine-readable format.
    • Providers must assist during transition and avoid technical or contractual lock-in barriers; the EU is also moving toward interoperability standards to support this.
    • The customer’s data transition must be complete within 30 days of when the customer gives the vendor notice of termination, subject to limited rights to extend the transition period.
    • Providers need to provide technical interfaces using common specifications to enable the data transfers.  The transfer mechanisms must allow the customer to export its data in a structured, commonly used format at any time.
    • Providers must provide cooperation in good faith to its customer and the new vendor (if applicable).
  2. Fees for switching
    • During a transition period, any switching-related charges must be cost-based only; by 2027, providers must phase out fees (including data egress fees).
    • Early termination fees are not prohibited, but must be proportionate (e.g. recoupment of upfront investments or discounts provided for long-term contracts).
  3. Transparency
    • Providers should publish clear information about data formats/interfaces, export tools, timelines, and any limitations—ideally in an online “data formats & interoperability” register—so customers can plan exits.
  4. Government access safeguards
    • Providers must explain how they handle non-EU government data requests (e.g., policies to resist unlawful access and rely on appropriate EU legal channels).

Risks & penalties for noncompliance

Penalties must be “effective, proportionate, and dissuasive,” and each country will handle its own enforcement. The European Commission will maintain a public register of penalties.

If a breach of the Data Act also involves personal data, GDPR-level fines may apply—up to €20M or 4% of worldwide annual turnover, whichever is higher—imposed by data protection authorities.

What businesses should do next

If your business provides SaaS, PaaS, or IaaS to EU users, here are practical steps to start on compliance with the EU Data Act:

  • Assess which of your services are governed by the Act.
  • Create a data inventory for data and digital assets processed by the covered services.
  • Update EU customer contracts to: (i) embed switching/portability rights and timelines; (ii) remove lock-in terms and hidden egress/transition charges; (iii) add an Exit Assistance clause; and (iv) reference your data format/interface documentation.
  • Ensure you have self-service export tools/APIs, tested migration runbooks, and staff training to meet the 30-day style transition expectations and avoid undue obstacles.
  • Consider your pricing strategy given the new ability for an EU based customer to terminate for convenience.  Consider how agreement lengths and discount strategies need to be revised in light of EU customers’ right to terminate for convenience.
  • Consider inclusion of non-refundable prepayments or proportionate early termination fees (as opposed to switching fees or data transfer fees).
  • Map timelines: apply new terms to all new EU contracts now and plan amendments for in-scope existing agreements ahead of the 2027 milestone.

If you sell SaaS, PaaS, or IaaS into the EU—even on a limited basis—you likely need contract updates, playbooks, and technical disclosures to comply. For guidance on next steps, contact your primary KO attorney or KO partner Matt McKinney [email protected] to assess your product and contracts, prioritize gaps, and roll out a compliant, customer-friendly exit/portability framework.

KO Client GEF Capital Partners Launches Current iQ
Multi-State Privacy Enforcement Sweep: What Businesses Need to Know

Looking for a new partner?

We are changing the status quo in the legal industry one client at a time. Why not be next?

Contact Us
Related Articles
Bulk Data Transfer Rule

September 30, 2025

Preventing Access to Americans’ Bulk Sensitive Data: What the U.S. Federal Bulk Data Transfer Rule Means for Companies

Read the Article
Multi-state privacy enforcement sweep

September 30, 2025

Multi-State Privacy Enforcement Sweep: What Businesses Need to Know

Read the Article
GEF Capital Partners

September 29, 2025

KO Client GEF Capital Partners Launches Current iQ

Read the Article