EU Data Act 2025: Your Right to Switch Cloud Providers (Chapter VI Guide)
The EU Data Act — Regulation (EU) 2023/2854 — became applicable on 12 September 2025. While most coverage focused on its IoT and data-sharing provisions, Chapter VI (Articles 23–31) directly affects every developer running workloads on cloud infrastructure: it gives you a legally enforceable right to switch providers, mandates zero egress fees by 2027, and prohibits contractual lock-in practices that have become standard across the industry.
Most developers do not know these rights exist. This guide covers Chapter VI specifically — what it requires, what it does not fix, and how to use it.
What Is the EU Data Act?
Regulation (EU) 2023/2854 was signed on 13 December 2023, entered into force on 11 January 2024, and became applicable 20 months later on 12 September 2025. It covers:
- Chapter II–IV: IoT data access and sharing rights (machines, connected devices)
- Chapter V: Data sharing between businesses and public sector bodies
- Chapter VI: Switching between cloud and data processing service providers
- Chapter VII: International transfers of non-personal data
- Chapter VIII: Interoperability requirements for data spaces
For PaaS developers, Chapter VI is the operative section.
Chapter VI: Articles 23–31
Article 23 — Scope
Chapter VI applies to "data processing services" — a term that explicitly covers:
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)
If you run your application on Render, Railway, Fly.io, AWS, Azure, or GCP, your provider is subject to Chapter VI obligations. The regulation applies to providers operating in the EU, regardless of where they are incorporated — which means US-headquartered providers serving EU customers are covered.
One important exception: services provided "exclusively for non-commercial purposes" are excluded. This covers academic research and internal tools without commercial intent. It does not cover standard commercial cloud services.
Article 25 — Removal of Obstacles to Switching
This is the operational core of Chapter VI. Article 25 requires providers to:
-
Remove contractual obstacles — providers cannot include terms that prevent or deter switching. Auto-renewal clauses with switching penalties, or contractual provisions requiring extended advance notice beyond what Article 26 allows, are prohibited.
-
Remove technical obstacles — providers must enable data export in "commonly used, structured, machine-readable formats." Proprietary backup formats that require the same vendor to restore are a compliance problem.
-
Remove commercial obstacles — providers cannot make switching economically unviable through pricing mechanisms that specifically penalise departure. This directly targets egress fee structures designed as switching penalties rather than cost recovery.
Article 27 — Switching Charges
Article 27 establishes a phased elimination of switching fees:
| Period | Obligation |
|---|---|
| 12 September 2025 — 11 September 2026 | Fees reduced significantly; providers must justify any remaining charges as direct cost recovery |
| 12 September 2026 — 11 September 2027 | Fees further reduced; only directly attributable transmission costs permitted |
| From 12 September 2027 | Zero switching charges — providers cannot charge for data egress when a customer is switching providers |
The "switching charges" covered by Article 27 specifically include data egress fees charged when customers move data to another provider. This does not apply to egress fees for ongoing operational data transfer (i.e., serving your API to users) — it applies to the act of switching.
AWS currently charges $0.09/GB for outbound data transfer to the internet. A 10TB dataset costs $921 to move. Under Article 27, this specific charge becomes illegal for switching scenarios starting September 2027. The Commission can extend the transition by 12 months if providers demonstrate technical or economic infeasibility — but this requires an explicit Commission decision.
Article 26 — Contractual Requirements
Article 26 requires cloud contracts to contain specific provisions:
- Maximum notice period: Providers cannot require more than 30 calendar days notice to initiate a switching process. Notice periods longer than 30 days in your service agreement are non-compliant.
- Switching assistance period: After notice is given, the provider must maintain service and provide reasonable technical assistance for the duration of the switch.
- Data availability: All customer data must remain accessible throughout the switching process. Providers cannot suspend access to data during a switch.
- Pre-contractual information: Before you sign up, providers must disclose all data categories stored, the formats available for export, and any technical dependencies that affect switching.
Article 28 — Equivalence of Service During Switching
During the switching window, the incumbent provider must:
- Maintain the service at contractually agreed quality levels
- Not introduce technical changes that increase switching complexity
- Not target pricing changes at departing customers
This prevents the practice of degrading service quality or raising prices for customers who have announced they are leaving.
Articles 29–31 — Interoperability and Portability Standards
Articles 29–31 require the European Commission and ENISA to develop:
- European schemes for cloud interoperability — standardised APIs and data formats enabling cross-provider compatibility
- Open interoperability specifications — covering data portability formats, functional equivalence documentation, and minimum API standards
These schemes are in development as of 2026. The practical effect for developers is that future cloud services will need to implement standardised portability interfaces — think of it as a technical specification mandate for the industry, not just a legal right.
What Chapter VI Does Not Fix: The CLOUD Act Problem
The Data Act gives you the right to leave. It does not undo the legal exposure created by past data processing under US jurisdiction.
If you ran workloads on AWS, Azure, or GCP between 2018 and your switching date, the CLOUD Act (18 U.S.C. § 2523) may still apply. The CLOUD Act allows US law enforcement to compel US-incorporated providers to hand over data stored anywhere in the world, including EU datacenters, without EU legal process.
The key point: once your data has been processed by a US-incorporated provider, the historical data may still be accessible to US authorities under CLOUD Act orders issued after you switched. Switching to an EU-native provider reduces future exposure — it does not retroactively protect data that was already held under US jurisdiction.
This creates a meaningful distinction between switching from one US provider to another versus switching to an EU-native provider. Under the Data Act, both are legally equivalent switching scenarios. But for GDPR Article 46 third-country transfer compliance — and for EU AI Act Article 9(4) risk management — the jurisdiction of the destination provider matters.
Data Portability: What "Commonly Used Formats" Means in Practice
Article 25 requires export in "commonly used, structured, machine-readable formats." The Data Act does not specify exact formats — the interoperability schemes under Article 29 will define these over time. Current interpretation guidance from the European Data Innovation Board suggests:
- Databases: PostgreSQL dump format (
.sql), CSV, or Parquet are sufficient; proprietary backup formats alone are not - Application data: JSON or XML with documented schema; binary-only formats without documentation are problematic
- Infrastructure configuration: Standard formats like Terraform HCL or Docker Compose files qualify; vendor-specific console exports do not
For PaaS developers, this matters at the application layer: if your application uses a managed service with a proprietary data model and no standard export path, the provider is at risk of Chapter VI non-compliance — and you should document this risk in your technical architecture.
Provider Obligations: What to Look For in Your Contract
Check your cloud service agreement for the following, which must be present after 12 September 2025:
- Notice period ≤ 30 days for initiating a switch (Article 26(1)(a))
- Data export in standard format explicitly stated (Article 25(1))
- No penalty clauses for switching (Article 25(2))
- Pre-contractual disclosure of data categories and export formats (Article 26(2))
- Switching charges timeline — are they disclosing the path to zero by September 2027? (Article 27)
If your current provider's terms do not reflect these requirements, they are in breach of the Data Act. You can request compliant terms — and if the provider refuses, the national data protection or competitively authority can receive a complaint.
Enforcement and Penalties
Chapter VI is enforced by the competent authorities designated by each EU member state. Germany designates the Federal Network Agency (Bundesnetzagentur) for data processing services. France designates ARCEP. Penalties under the Data Act are up to €20 million or 4% of global annual turnover, whichever is higher — the same structure as GDPR.
The first enforcement actions under Chapter VI are expected in 2026–2027 as the egress fee deadlines approach.
What This Means for PaaS Developers
Three practical takeaways:
1. You have a legal right to zero-cost data export for switching — use it. If you are planning to migrate workloads, the September 2026 transition milestone is a natural trigger. Providers who continue charging full egress rates for switching after September 2026 are in violation.
2. Portability is now a procurement criterion. When evaluating PaaS providers, ask: what format is my data exported in, and what is the switching process? Providers who cannot answer this concisely are not compliant.
3. Switching to EU-native infrastructure addresses what the Data Act cannot. The Data Act gives you the right to leave a US provider. But only switching to an EU-jurisdiction provider removes the ongoing CLOUD Act exposure. EU-native PaaS providers that run under EU law — with no US parent company — eliminate the Article 46 third-country transfer risk that persists even after you switch away from AWS.
Practical Switching Checklist
Before initiating a cloud switch under the Data Act:
- Review your service agreement — confirm notice period is ≤ 30 days and no penalty clauses exist
- Request data inventory — providers must disclose all categories of data held (Article 26(2))
- Verify export format — request a test export before committing to switch; confirm standard format
- Document egress charges — get written confirmation of switching charges timeline (Article 27)
- Check for technical dependencies — proprietary runtimes or managed services may need migration planning
- Verify destination provider's Data Act status — EU-native providers have an advantage here: no Article 46 exposure on arrival
See Also
- EU Sovereignty Audit 2026: The PaaS Layer Compliance Blindspot — how to audit your stack for CLOUD Act exposure
- EU Cyber Resilience Act 2027: Open-Source PaaS Developer Checklist — CRA obligations running in parallel with Data Act
- GDPR Article 25: Privacy by Design for Hosting Decisions — upstream privacy obligations that inform switching decisions
- AWS European Sovereign Cloud: What Developers Should Know — why "sovereign" EU offerings by US companies are still CLOUD Act-exposed