The EU Data Act (Regulation (EU) 2023/2854) is the first binding EU instrument that gives cloud customers an enforceable right to leave their provider, take their data with them and connect to a competing service without paying prohibitive exit fees or confronting technical dead ends. For compliance officers, CISOs and data protection officers in government, finance, healthcare and legal services, the Data Act is not peripheral regulation: it rewires the commercial balance of power in cloud procurement and creates a new category of audit evidence that supervisory authorities will expect to see.
What Chapter VI Actually Requires from 12 September 2025
Data Act Chapter VI imposes mandatory switching and portability obligations on all cloud service providers offering services to customers located in the EU, effective 12 September 2025. The core duties under Articles 23 to 31 include: providing a complete export of all customer data in a structured, commonly used and machine-readable format; enabling porting to a competing provider without functional degradation; and eliminating switching fees progressively (reduced fees permitted until 12 September 2027, then zero thereafter).
These obligations differ materially from the portability duties under the Digital Markets Act (DMA). The DMA targets designated gatekeeper platforms such as Alphabet and Meta, requiring them to allow business users and end-users to port data generated through platform use. The scope is platform-specific and applies only to entities formally designated under Article 3 DMA. Data Act Chapter VI is horizontal: it applies to infrastructure-as-a-service, platform-as-a-service and software-as-a-service providers of any size, regardless of gatekeeper status, and it covers operational data stored in the cloud rather than only platform-generated behavioural data. For a government body procuring a sovereign Nextcloud-based workspace, this means the hosting provider is directly subject to Chapter VI obligations even if it has never attracted DMA scrutiny.
Technical Reference Offers and the Interoperability Duty
Chapter VI also requires cloud providers to publish a technical reference offer that specifies the interoperability interfaces, data formats, transport protocols and migration assistance they will provide. This document must be publicly available and kept current; a provider cannot satisfy the obligation with a vague commitment in marketing materials.
For regulated buyers evaluating sovereign or Swiss-hosted alternatives, the reference offer is the first document to request during procurement. It should specify: the data export API endpoints and their versioning policy; supported open formats (for example, open document formats compatible with Nextcloud and standard SQL exports); maximum migration assistance periods; and the technical contacts responsible for coordinating a switch. If a provider cannot produce this document, it is already non-compliant.
Enforcement sits with national competent authorities designated by each member state under Article 37. They can order a provider to produce or correct its reference offer, impose remediation timelines and ultimately refer persistent violations to the European Commission. The Commission retains oversight authority and can issue implementing acts standardising interoperability specifications if the market fails to converge voluntarily.
The Three Data Act Standard Contractual Clauses
The European Commission has published three Standard Contractual Clauses (SCCs) specifically for cloud contracts under the Data Act. Regulated buyers should understand what each one covers and how to embed them in sovereign procurement:
| SCC Name | Core Obligation | Why It Matters for Regulated Buyers |
|---|---|---|
| SCC Non-Dispersion | Prohibits the provider from dispersing, distributing or making available the customer’s data to third parties without explicit authorisation | Directly addresses the risk that data hosted with a US-affiliated provider can be accessed by parent entities subject to CLOUD Act or FISA 702 orders |
| SCC Non-Amendment | Prevents the provider from unilaterally altering the agreed data processing conditions, formats or interfaces in ways that impede switching | Prevents a provider from quietly deprecating an export API or changing data formats mid-contract to create lock-in |
| SCC Liability | Establishes the provider’s liability for failure to meet portability, switching and data integrity obligations | Creates an enforceable damages basis for loss caused by migration failures, data corruption during export or delays that breach the switching timeline |
Procurement teams should incorporate all three SCCs by reference in the main service agreement and in any data processing agreement required under GDPR Article 28. These clauses are not optional add-ons: omitting them from a contract for a regulated service creates an audit gap that a DPA or sectoral supervisor can cite as evidence of inadequate contractual safeguards.
Article 30 and Protection from Unlawful Third-Country Access
Data Act Article 30 addresses a risk that GDPR alone does not fully close: the compelled disclosure of non-personal operational data held in the EU to a third-country government, most commonly under the US CLOUD Act, the US Patriot Act or FISA Section 702. Article 30 requires cloud providers to take all reasonable technical and legal measures to prevent or challenge unlawful third-country government access orders before complying. The provider must notify the customer when it receives such an order, unless legally prohibited from doing so.
“The Data Act is a central element of the European data strategy. It will make Europe a role model for a data-driven society, creating value for businesses, consumers and public administrations alike.” — Thierry Breton, former European Commissioner for Internal Market, European Commission, June 2023
The technical controls Article 30 implies include: end-to-end encryption with keys held exclusively by the customer or a trusted third party in an EU or Swiss jurisdiction; zero-knowledge architecture where the provider cannot read stored data; and legal entity structures that avoid subjecting the provider to US personal jurisdiction. A Swiss-hosted provider incorporated entirely under Swiss law, operating infrastructure without US-based parent ownership, eliminates the jurisdictional hook that makes CLOUD Act production orders executable. This is a concrete, verifiable structural control, not a contractual promise.
Avoiding Lock-In Under Chapter IV During Multi-Year Negotiations
Chapter IV of the Data Act prohibits unfair contractual terms in business-to-business data sharing agreements where one party imposed the terms unilaterally. For multi-year sovereign hosting contracts, the most common lock-in mechanisms targeted include: proprietary data formats that prevent interoperable export; auto-renewal clauses that reset switching windows; minimum commitment volumes that make early termination economically prohibitive; and technical integration dependencies that require the customer to rebuild workflows from scratch when leaving.
To demonstrate compliance during a DPA or supervisory audit, organisations should maintain: the full negotiation record showing that key terms were not imposed unilaterally; a Data Act compliance annex in the contract cross-referencing Chapter IV prohibited terms; annual confirmation from the provider that its reference offer remains current; and a tested migration plan showing that an export of all data can be executed within the contractual switching window. ENISA’s 2023 Cloud Cybersecurity Market Analysis found that 72 percent of cloud users surveyed experienced at least one significant lock-in barrier, a figure that supervisors are aware of and that gives context to why documentary evidence of free switching capability is now expected.
Interaction with GDPR Article 28, DORA and the Data Act MCTs
Regulated entities sharing operational data with a sovereign infrastructure partner face a three-layer contractual architecture: the GDPR Article 28 data processing agreement governing personal data; the DORA ICT third-party risk requirements under Regulation (EU) 2022/2554 for financial entities; and the Data Act Model Contractual Terms (MCTs) for data sharing published by the European Commission.
The MCTs are not identical to the SCCs. The SCCs address the cloud service contract itself. The MCTs govern the data sharing relationship between two businesses when one makes data available to the other under the Data Act’s data sharing obligations. For a financial institution sharing transaction monitoring data with a sovereign AI analytics provider running Mistral or Llama locally, the MCTs define the permitted use, the return or deletion of data after processing and the audit rights of the data holder.
DORA adds a fourth layer for financial entities: under Articles 28 to 30 of DORA, any ICT third-party service agreement must specify data localisation, sub-contracting chains, termination rights and audit access. The interaction with Data Act obligations means that a DORA-compliant contract must simultaneously satisfy the Data Act MCT framework. The practical approach is a master services agreement with the sovereign provider that incorporates by reference the GDPR Article 28 processor clauses, the three Data Act SCCs, the relevant MCT modules and the DORA ICT contractual annexes as separate schedules. The Data Act Legal Helpdesk, operated by the European Commission through its digital strategy portal at digital-strategy.ec.europa.eu, publishes guidance on aligning these instruments and is the first reference point for compliance teams building this contract architecture.
“Cloud providers must not use contractual or technical means to prevent customers from switching. That is not a recommendation; it is a legal obligation from September 2025.” — European Data Protection Supervisor (EDPS), EDPS Opinion 3/2023 on the Data Act proposal
IBM’s 2023 Cost of a Data Breach Report put the average total cost of a breach at USD 4.45 million, the highest recorded figure. That number, combined with the legal exposure created by non-compliant cloud contracts, means the compliance investment required to align sovereign procurement with Data Act obligations is modest against the liability it removes.
FAQ
From what date do Data Act Chapter VI cloud switching obligations become enforceable?
Chapter VI obligations apply from 12 September 2025, exactly three years after the Data Act entered into force on 12 September 2023. Contracts signed before that date must still be brought into conformity by 12 September 2027 at the latest.
Do the Data Act switching obligations cover Swiss-hosted providers serving EU customers?
Yes. The Data Act applies to cloud services offered to users located in the EU regardless of where the provider’s infrastructure sits. A Swiss provider offering services to an EU public authority must comply with Chapter VI portability and interoperability requirements.
What is the difference between the Data Act SCCs and GDPR Article 28 processor agreements?
GDPR Article 28 agreements govern the processing of personal data and establish controller-processor responsibilities. The Data Act SCCs (Non-Dispersion, Non-Amendment, Liability) govern the cloud contract itself, covering data portability, switching rights and provider liability. Both sets of clauses can and should coexist in a single sovereign procurement contract.
How does Article 30 of the Data Act differ from GDPR protections against third-country access?
GDPR Chapter V restricts transfers of personal data to third countries. Data Act Article 30 covers both personal and non-personal data and specifically requires providers to have technical and contractual measures that prevent or challenge unlawful third-country government access orders, regardless of whether a transfer takes place. This closes the gap for operational and financial data that falls outside GDPR scope.
Where can organisations find the official Data Act Model Contractual Terms and the Data Act Legal Helpdesk?
The European Commission publishes the Data Act Model Contractual Terms and hosts the Data Act Legal Helpdesk through its digital strategy portal at digital-strategy.ec.europa.eu. The Helpdesk provides guidance for businesses navigating compliance with Regulation (EU) 2023/2854 and can assist in aligning MCTs with GDPR and DORA contractual requirements.
