EU Data Act 2025: What SaaS & Cloud Developers Must Know — Complete Compliance Guide
Post #1 in the sota.io EU Data Act SaaS Compliance 2025 Series
Regulation (EU) 2023/2854 — the EU Data Act — entered into force on January 11, 2024 and has been fully applicable since September 12, 2025. Unlike the EU AI Act (which peaks in August 2026) or NIS2 (which started enforcement in late 2024), the Data Act is already in force with real obligations that affect SaaS platforms, cloud providers, and any software that processes data from connected products.
If you run a SaaS platform, a managed cloud service, or a product that integrates with IoT devices, the Data Act introduces obligations that existing GDPR and NIS2 compliance programmes do not cover. This guide explains what you need to know, what your exposure is, and what to implement first.
What Is the EU Data Act?
The EU Data Act (Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data) creates a horizontal framework for data sharing across the EU economy. Its core purpose is to prevent data lock-in — ensuring that users of connected products and cloud services can access, share, and move their data freely.
The Act sits alongside GDPR in the EU data-law stack. GDPR governs personal data and privacy. The Data Act governs data access rights and sharing obligations, many of which apply to non-personal data or to B2B contexts outside GDPR's scope.
Key publication milestones:
- Published in the Official Journal: January 11, 2024
- Applicable from: September 12, 2025
- Cloud switching fee phase (reduced): January 12, 2027
- Cloud switching fee phase (prohibited): September 12, 2027
The Act covers three distinct obligation clusters that affect different types of businesses:
Cluster 1: Connected Product Data (IoT / Smart Device Manufacturers)
If you manufacture or sell connected products — physical devices that generate data during use — or if you provide services that process data from such products, the Data Act creates a new class of user rights over that data.
What is a "connected product"? The Act defines it broadly: any physical article that can connect to the internet or to another device, generates data during use, and where data collection was a design objective or consequence of the product's function. This captures:
- Smart home devices and appliances
- Industrial sensors and machinery
- Connected vehicles and mobility equipment
- Wearables and health monitoring devices
- Any product that pairs with a companion app
User rights over connected product data: Users who own or rent a connected product have the right to access the data generated by that product in real time and free of charge. They can request that the data holder make this data available to a third-party service provider of their choosing. The data must be provided in a structured, commonly used, machine-readable format.
For SaaS developers: If your platform receives connected-product data on behalf of users, you now operate in a regulated role as a "third-party data recipient." You must not use this data for purposes beyond serving the user who authorised the transfer. You cannot use it to build competing profiles of the data holder's customers, and you cannot share it with further third parties without explicit authorisation.
Cluster 2: B2B Data Sharing Obligations
The Data Act requires "data holders" — companies that have collected data through their products or services and control access to that data — to make data available to third parties under certain conditions.
Who is a data holder? Any company that collects and controls data generated by connected products or services. If you run a SaaS platform that captures user-generated events, telemetry, or operational data, you may be a data holder under the Act.
Horizontal B2B data sharing: The Act establishes that data holders cannot deploy contractual terms that are "unfair" in the sense of creating a significant imbalance between the parties when obligating SMEs to share data. Specific unfair terms are listed — including terms that:
- Unilaterally limit the data recipient's ability to use the shared data
- Grant the data holder the right to unilaterally modify contract terms without reasonable notice
- Grant excessively broad licences over the recipient's own data
This creates a new due-diligence requirement for your Terms of Service and data processing agreements if you operate in B2B markets and use data received from partners or customers in your platform.
Practical implication for SaaS: Review your current data licensing language in customer contracts. Terms that grant your platform "irrevocable, perpetual, transferable" licences over customer data — common in US-style SaaS T&Cs — may now fall within the unfair-terms prohibition when applied to EU SME customers.
Cluster 3: Cloud Switching Rights (Directly Affects SaaS Providers)
This is the obligation cluster most likely to require immediate technical investment for managed cloud and SaaS providers. The Data Act establishes a right for cloud customers to switch between cloud service providers smoothly, without undue cost or technical barrier.
The Switching Obligation
Any IaaS, PaaS, or SaaS provider operating in the EU must:
1. Enable complete data portability within 30 days. When a customer requests to switch to a different cloud service provider, you must export all their data — including data objects, configurations, metadata, and application settings — in a structured, machine-readable, and interoperable format. The 30-day window starts from the customer's formal switch request.
2. Provide API-based export documentation. The portability mechanism must be documented in a machine-readable format that allows the receiving cloud provider to import the data without manual intervention. Proprietary-only export formats that require the customer to re-format data before importing elsewhere are non-compliant.
3. Maintain export capability for 30 days post-switch. After a customer's data has been exported, you must keep a complete export available for a further 30 days in case the customer needs to retrieve anything from the original environment.
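The three requirements above describe the shape of an export bundle rather than a specific format. As an added example (not code from the original post or from sota.io), the Python below builds such a bundle: every data class the post names (application data, configuration, metadata, audit logs), a machine-readable manifest with per-section SHA-256 hashes that the receiving provider can verify without manual steps, and the two 30-day windows (completion counted from the request, retention counted from the export). The field names, the `format_version` tag and the tenant content are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import date, timedelta

COMPLETION_WINDOW_DAYS = 30  # export must complete within 30 days of the switch request
RETENTION_WINDOW_DAYS = 30   # export stays retrievable for 30 days after the switch
REQUIRED_SECTIONS = ("application_data", "configuration", "metadata", "audit_logs")

def _digest(obj):
    """SHA-256 over canonical JSON so the receiving provider can verify each section."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def build_export(tenant_id, request_iso, export_iso, sections):
    """Assemble the bundle plus a manifest; refuse to emit a partial export."""
    missing = [s for s in REQUIRED_SECTIONS if s not in sections]
    if missing:
        raise ValueError(f"export incomplete, missing sections: {missing}")
    request_date, export_date = date.fromisoformat(request_iso), date.fromisoformat(export_iso)
    export_due = request_date + timedelta(days=COMPLETION_WINDOW_DAYS)   # counted from request
    retention_until = export_date + timedelta(days=RETENTION_WINDOW_DAYS)  # counted from export
    manifest = {
        "format_version": "1.0",  # assumed schema tag the receiving importer keys on
        "tenant_id": tenant_id,
        "request_date": request_iso,
        "export_due": export_due.isoformat(),
        "completed_within_window": export_date <= export_due,
        "retention_until": retention_until.isoformat(),
        "sections": {n: {"records": len(sections[n]), "sha256": _digest(sections[n])}
                     for n in REQUIRED_SECTIONS},
    }
    return {"manifest": manifest, **{n: sections[n] for n in REQUIRED_SECTIONS}}

def verify_export(bundle):
    """Receiving-provider check: every required section present and matching its hash."""
    expected = bundle["manifest"]["sections"]
    return all(n in bundle and _digest(bundle[n]) == expected[n]["sha256"]
               for n in REQUIRED_SECTIONS)

# Constructed sample tenant content, not real customer data.
SAMPLE = {
    "application_data": [{"id": 1, "name": "Acme deal", "stage": "won"}],
    "configuration": {"region": "eu-central", "retention_days": 90},
    "metadata": {"schema": "crm-v3", "exported_by": "portability-api"},
    "audit_logs": [{"ts": "2026-03-01T09:00:00Z", "actor": "alice", "action": "login"}],
}

if __name__ == "__main__":
    bundle = build_export("tenant-42", "2026-03-01", "2026-03-20", SAMPLE)
    print(json.dumps(bundle["manifest"], indent=2), "verified:", verify_export(bundle))
```

The manifest is what the receiving provider consumes: it names each section, its record count and its hash, so a tampered or truncated bundle fails `verify_export` instead of being silently imported.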
The Fee Timeline
The Data Act introduces a phased prohibition on cloud switching fees:
Phase 1 (January 12, 2027): Switching fees must be reduced to a level that does not exceed the costs directly attributable to the switching process. Fees designed to create lock-in are prohibited. This means egress fees — charges for bandwidth used during data export — cannot include a profit margin component when the purpose of the bandwidth use is customer switching.
Phase 2 (September 12, 2027): All switching fees are prohibited. The data export and portability service must be provided free of charge to the customer.
This timeline matters now because building fee-free portability APIs into existing infrastructure takes 6–18 months of engineering. Platforms that do not begin this work in 2026 will face compliance gaps when January 2027 arrives.
What "Cloud Service Provider" Means
The Act's definition is intentionally broad. You are a cloud service provider for Data Act purposes if you offer any of the following as a service over the internet:
- Compute infrastructure (IaaS)
- Platform services including databases, runtime environments, or development toolchains (PaaS)
- Application software running on cloud infrastructure, where the customer stores data in your system (SaaS)
A SaaS CRM that stores customer records, a managed database-as-a-service, a project management platform with file storage — all of these are within scope.
Cluster 4: Smart Contracts and Automated Data Sharing
The Data Act recognises smart contracts as a mechanism for automated B2B data sharing and establishes minimum requirements for their use in this context.
For SaaS platforms that use on-chain or programmatic contracts to govern data access (for example, decentralised data marketplaces or token-gated API access), the Act requires that these contracts include:
- Mechanisms to terminate the data sharing arrangement at any time
- A kill-switch or administrative reset capability that a designated party can activate if the contract behaves unexpectedly
- Protections against a smart contract outcome that was not intended by the parties at the time of execution ("unforeseen circumstances")
This has practical implications for platforms building DeFi-adjacent data-sharing infrastructure or using smart contracts for automated B2B data licences.
Cluster 5: B2G Data Sharing (Emergency and Exceptional Need)
The Act also creates a right for public sector bodies to request access to privately held data in exceptional circumstances — primarily for emergency response (natural disasters, public health crises) or to fulfil a specific statutory task where no commercial alternative exists.
For most SaaS developers, this is not an immediate operational concern. However, if your platform handles data that could be relevant to emergency services — critical infrastructure monitoring, health data, logistics — you should be aware that a request from a national authority is legally possible under the Act and must be responded to without undue delay.
Overlap With GDPR
The EU Data Act does not amend GDPR. The two regimes apply in parallel, and in cases of conflict, the Data Act explicitly states that GDPR provisions on personal data take precedence.
The key interactions:
- Data minimisation: If a user exercises their Data Act right to receive connected-product data, and that data includes personal data, the export must still comply with GDPR's data minimisation and purpose-limitation principles.
- Portability vs. erasure: A cloud-switching export under the Data Act does not automatically constitute fulfilment of a GDPR Art. 20 portability request, and vice versa. Each framework has its own trigger, format requirements, and timelines.
- Third-party recipients: When connected-product data is shared with a third party under the Data Act, the third party is subject to GDPR if that data includes personal data. Their use of the data for training AI models or building profiles is limited under both the Data Act's own-use prohibition and GDPR's purpose limitation.
Enforcement and Penalties
Unlike GDPR, the EU Data Act does not itself set maximum fine levels. Instead, each EU member state is required to designate a national competent authority to enforce the Act and to set its own maximum penalties, which must be "effective, proportionate and dissuasive."
Several large member states have already named their enforcement authority:
- Germany: Bundesnetzagentur (Federal Network Agency)
- France: CNIL retains jurisdiction where the Data Act intersects with personal data; a separate sectoral authority covers non-personal data
- Netherlands: Autoriteit Persoonsgegevens (AP) and the Autoriteit Consument & Markt (ACM)
The practical consequence is that penalty exposure depends on where your EU customers are based and which authorities have jurisdiction over your platform. Cross-border enforcement coordination is expected to follow the GDPR model, with a lead supervisory authority mechanism based on the provider's main EU establishment.
What SaaS Developers Must Do in 2026
Based on the obligations above, the Data Act creates five concrete workstreams for SaaS engineering teams:
1. Cloud Switching API (P0 — January 2027 hard deadline). Design and implement a customer-triggered data export API that:
- Returns all customer data in a structured, interoperable format (JSON, CSV, or an agreed open standard)
- Can be completed within 30 days of the request
- Is documented in machine-readable format that a receiving provider can consume without manual transformation
- Includes all data objects: application data, configuration, metadata, audit logs
2. Contract and Terms of Service Review (P1 — complete within 6 months). Review your data licensing language for EU SME customers. Engage legal counsel to identify clauses that may fall within the Data Act's unfair-terms provisions. Pay particular attention to:
- Irrevocable or perpetual data licences granted in your favour
- Unilateral modification rights
- Broad-scope data use for product improvement that extends to customer data
3. Connected Product Integration Audit (P1 — if applicable). If your SaaS platform receives data from connected products on behalf of users:
- Implement an access log showing what connected-product data your platform holds per user
- Ensure you can respond to a user request to receive their connected-product data within the Act's timelines
- Confirm your data use is limited to the purpose for which the user authorised the transfer
4. Smart Contract Compliance (P2 — if applicable). If you use smart contracts for automated data sharing:
- Add termination and kill-switch mechanisms to contract logic
- Document the unforeseen-circumstances handling process
- Review with legal counsel whether existing deployed contracts require migration
5. B2G Preparedness (P3). Establish an internal escalation path for public-sector data requests. Designate a point of contact and a review process so that a legitimate emergency request can be evaluated and responded to within a reasonable timeframe without creating operational chaos.
Why Cloud Switching Matters for sota.io Customers
sota.io is built as an EU-native managed PaaS — deployed exclusively on Hetzner Germany, no US parent entity, no CLOUD Act exposure. From a Data Act perspective, sota.io's architecture is aligned with the regulation's intent: customer data stays in the EU, can be exported via standard Git-based workflows, and is not subject to cross-border data transfer risks.
For teams evaluating cloud providers under the Data Act framework:
- Data locality: sota.io stores all deployment data in Germany under German and EU jurisdiction
- Portability: Applications deployed on sota.io use standard container images and Git repositories — the most portable format available
- No lock-in by design: No proprietary runtimes or opaque data formats that would complicate a future switch
The Data Act's cloud switching framework effectively makes EU-native, open-format cloud providers more competitive. Providers that have relied on egress fees and proprietary formats as lock-in mechanisms face the highest compliance cost.
Series Roadmap
This is Post #1 of a five-part series on EU Data Act compliance for SaaS and cloud developers:
| Post | Topic | Slug |
|---|---|---|
| #1 (this post) | Complete overview and obligation clusters | eu-data-act-2025-saas-cloud-developer-compliance-guide |
| #2 | Building a compliant cloud switching API | eu-data-act-cloud-switching-api-implementation-guide-2026 |
| #3 | B2B data sharing contracts and fair terms for EU SMEs | eu-data-act-b2b-data-sharing-fair-terms-sme-compliance-2026 |
| #4 | EU Data Act vs GDPR: dual-compliance framework for SaaS | eu-data-act-vs-gdpr-dual-compliance-saas-guide-2026 |
| #5 | Complete toolkit: portability APIs, fee timeline, and contract templates | eu-data-act-compliance-finale-saas-toolkit-january-2027 |
Key Takeaways
- Already in force: The EU Data Act has applied since September 12, 2025. This is not a future obligation — it is current law.
- Three audiences: Connected product makers, B2B data holders, and cloud service providers each face distinct obligations. Most SaaS companies fall into at least two categories.
- Cloud switching is the biggest engineering workstream: Build the portability API now. The January 2027 fee deadline requires infrastructure that takes 6–18 months to build correctly.
- GDPR does not substitute: The Data Act creates obligations that GDPR compliance does not cover. You need both.
- Enforcement is live: National competent authorities are designated and operational. The enforcement pattern will follow GDPR, with lead-authority coordination for cross-border platforms.
sota.io is an EU-native managed PaaS — Hetzner Germany, no US parent, no CLOUD Act exposure. Deploy any language or framework with Git push. From €9/month.