What are the key provisions of the EU Data Act for cloud service providers?

A practical overview of the EU Data Act for cloud service providers, highlighting key obligations on data access, portability, and switching. Learn where providers are most exposed in practice, common compliance pitfalls, and how to turn regulatory requirements into scalable, defensible processes.

1/16/2026, 3 min read

For cloud service providers, the EU Data Act is not just another regulatory text to hand over to legal.

It changes expectations around control, portability, interoperability, and customer power in ways that directly affect product design, contracts, and operating models.

Many providers are discovering that while they may be technically compliant with GDPR, they are structurally unprepared for the Data Act.

This article highlights the key provisions cloud providers need to understand, where companies usually underestimate the impact, and what tends to go wrong in practice.

Why the EU Data Act matters specifically for cloud providers

The EU Data Act is about rebalancing power.

Where GDPR focused on personal data and lawful processing, the Data Act focuses on:

  • access to data

  • control over data usage

  • portability between providers

  • prevention of vendor lock-in

For cloud service providers, this directly affects:

  • Infrastructure as a Service

  • Platform as a Service

  • Software as a Service

  • data hosting, analytics, and managed services

If your business model depends on customers staying because it is hard to leave, the Data Act is aimed squarely at you.

1. Switching and portability obligations

What the Data Act requires

Cloud providers must:

  • enable customers to switch providers or move workloads back on-prem

  • remove obstacles to switching

  • provide clear exit processes

  • ensure data portability in usable formats

  • gradually remove switching charges

Where providers get exposed

Many providers assume:

“We already let customers export data.”

That is rarely sufficient.

Common issues include:

  • undocumented dependencies

  • proprietary formats

  • missing metadata

  • unclear timelines

  • manual processes that do not scale

From a regulatory perspective, friction by design is not neutral.

2. Interoperability and technical transparency

What the Data Act requires

Cloud services must support:

  • interoperability with other providers

  • compatibility with open standards where possible

  • sufficient technical documentation to enable migration

This applies especially to PaaS and SaaS offerings.

Common pitfall

Providers document APIs but not:

  • transformation logic

  • service dependencies

  • configuration assumptions

  • data semantics

In practice, this means customers can technically extract data, but cannot realistically recreate functionality elsewhere.

That gap is exactly what the Data Act seeks to close.

3. Contractual fairness and transparency

What the Data Act requires

Contracts must clearly specify:

  • data access rights

  • data usage conditions

  • exit and switching terms

  • limitations on unilateral changes

Clauses that are unreasonably one-sided may be invalidated.

What we see go wrong

Cloud contracts often:

  • reserve broad unilateral change rights

  • bury exit conditions in annexes

  • rely on ambiguity rather than clarity

Under the Data Act, ambiguity becomes risk, not flexibility.

4. Data access and third-party sharing

What the Data Act requires

Customers must be able to:

  • access their data

  • share it with third parties of their choice

  • do so without unnecessary delay or discrimination

This applies to both raw and derived data, depending on context.

Practical warning

Many providers do not actually know:

  • what data they hold per customer

  • where it is replicated

  • how it flows through downstream services

Without a solid data inventory and lineage, compliance becomes theoretical.

5. Security and protection remain mandatory

The Data Act does not reduce security obligations.

Cloud providers must:

  • protect data during transfer

  • ensure access is authorized

  • prevent unlawful access by third parties

This includes resisting unlawful government access requests where applicable.

Security cannot be used as a pretext to deny legitimate portability.

6. No more “email us and we’ll send a file”

One of the most underestimated shifts is the expectation of scale.

Manual processes might technically comply for a handful of customers. They do not comply in spirit when thousands request access or migration.

If your process relies on:

  • support tickets

  • manual exports

  • ad-hoc approvals

you are likely exposed.

The Data Act assumes repeatable, scalable mechanisms, not heroic support work.

The uncomfortable truth for cloud providers

The EU Data Act forces providers to confront questions they often avoided:

  • Do we actually know what data we hold and where?

  • Can customers leave without engineering involvement?

  • Are we relying on friction to retain customers?

  • Would our contracts survive scrutiny if power were balanced?

Trying to comply only at the contract level, without touching systems and processes, is where most providers fail.

What regulators will look for

Based on how similar regulations are enforced, regulators will focus on:

  • traceability of data flows

  • clarity of contracts

  • feasibility of switching in practice

  • evidence of intent to comply

  • documented remediation when gaps are found

They are far more forgiving of imperfect systems with transparent improvement plans than of polished statements with fragile reality.

Where governance and stewardship matter

For cloud providers, Data Act compliance is not a one-time project.

It requires:

  • clear data ownership

  • neutral data stewardship

  • end-to-end visibility

  • documented decision-making

  • audit logs that show behavior, not promises

Without this, compliance efforts tend to collapse under operational pressure.

A practical first step

If you provide cloud or cloud-adjacent services, start with a focused assessment:

  • identify which data customers can access today

  • map dependencies and hidden coupling

  • test an exit scenario end to end

  • review contracts against actual system behavior

The gap between “what the contract says” and “what the system does” is where most risk lives.

How we help

We support cloud service providers with:

  • EU Data Act readiness assessments

  • governance and stewardship design

  • portability and exit process reviews

  • informal audits aligned with upcoming enforcement

  • translation of legal obligations into operational reality

If you want to understand where your biggest exposure lies, you can request a discovery call or book an informal governance and Data Act assessment.

That is usually the fastest way to move from assumptions to clarity.
