EU Data Act + DORA: Cloud Exit & Portability for Financial Services

From 12 September 2025, the EU Data Act’s cloud switching regime starts to apply, turning “cloud exit strategy” for risk, compliance and tech leadership, into an audit ready operational control with specific notice periods, timelines, assistance duties and a phased ban on switching fees. The Data Act requires providers of “data processing services” (e.g., cloud and edge; IaaS/PaaS/SaaS) to remove obstacles to switching, including pre commercial, commercial, technical, contractual and organisational barriers.

Extensions are allowed where technically unfeasible, but the alternative transitional period cannot exceed seven months. Providers must maintain service continuity and help execute the switch. These obligations will need to be written into contracts.

Providers also owe information disclosures both before and once under contract. Switching procedures, formats, standards and an online register of data structures/formats are to be made available. Providers must also disclose the jurisdiction governing their infrastructure plus measures to prevent unlawful international governmental access to non personal data.

New Rules on Fees

“Switching charges” (including data egress fees) are on a countdown: they were capped at direct costs from January 2024 and are prohibited entirely from 12 Jan 2027. Providers may still levy cost based egress charges for in parallel use (multi cloud) after that date, but not for the one off switching process. The Act still allows early termination penalties if they are clearly disclosed up front.

The Act differentiates between service types:

• IaaS providers are required to take all reasonable measures so that, after switching to an equivalent service, the customer can achieve functional equivalence, i.e., materially comparable outcomes to the same inputs for shared features. The regulation clarifies this doesn’t require the source provider to rebuild the service inside the destination’s environment, but it does require capabilities, documentation, support and, where appropriate, tools.
• For PaaS/SaaS and other services, providers must expose open interfaces at no cost and adopt common specifications or harmonised standards (once published) within 12 months. If no standard exists, they must at least export all exportable data in a structured, commonly used, machine readable format on request.

A Checklist for Contracts

By September, contracts should include and evidence in practice, the following:

• Switch notice & timing: explicit right to start a switch on 2 months’ notice; 30 day transitional period; rights to extend once; retrieval period 30 days; and the escalation path to an alternative (7 months) if technical unfeasibility is justified.
• Exit assistance: provider obligations to support an exit strategy with information, documentation, and technical support; continuity and security requirements during switching.
• Fees: clear separation of standard fees, any early termination penalties, and (until Jan 2027) cost based switching charges; commitment to zero switching charges from 12 Jan 2027.
• Interoperability: open interfaces for PaaS/SaaS and a plan to adopt EU common specifications/standards when they land.
• Sovereignty transparency: website references listing the jurisdictions and safeguards against governmental access to non personal data.

Also watch for the Commission’s non binding model contractual terms (MCTs) on data access/use and standard contractual clauses (SCCs) for cloud contracts, due by 12 Sept 2025 – useful benchmarks for remediation programmes.

DORA Alignment

For EU regulated financial entities, the Data Act dovetails with DORA, which has applied since January this year and requires: (i) an ICT third party risk strategy and register of information on all ICT third party arrangements; (ii) key contractual provisions (audit/access, incident support, subcontracting oversight); and (iii) exit strategies with a mandatory transition period to move to a new provider or in house.

A documented Data Act cloud switching evidence pack covering notice, transitional/retrieval periods, exportability and functional equivalence tests, can be leveraged for DORA’s exit strategy and transition period requirements.

Place of establishment doesn’t insulate a firm from the ACT. If you offer in scope services to EU customers (or place connected products/related services on the EU market), the Data Act’s obligations can apply to you. Many multinationals will therefore adopt these clauses globally to avoid complex contract management.

Regulatory Next Steps

• Commission model terms and SCCs: Expect non binding model contractual terms for data access and use, and separate, non binding SCCs for cloud contracts. They will act as de facto templates for remediation through 2025–2026 and will quickly influence procurement checklists and supervisory expectations. Plan a clause by clause cross walk as soon as they land, covering notice and transitional periods, assistance duties, export formats, trade secret handling and reasonable compensation.
• Interoperability specifications and standards: Look out for references to common specifications or harmonised standards in the Union repository and Official Journal. For anything beyond pure IaaS, you will have 12 months from publication to ensure compatibility. Build a trigger in the vendor management process to (a) update interfaces, (b) retest migrations against the new specifications, and (c) refresh schema register and customer documentation.
• Monitoring of switching charge withdrawal: The law requires a progressive reduction of switching charges, culminating in a ban on charges for the switching process from January 2027. Track the Commission’s monitoring mechanism as it is rolled out and be ready to adjust commercial positions with providers that attempt to rebadge switching costs.
• Supervisory signals and market practice: Watch for regulator Q&A, procurement questionnaires from large financial institutions, and updates from major providers on egress and portability commitments. These will shape the practical “floor” for what counterparties expect in due diligence and contract renewals.

Portability as the New Baseline

The Act is designed to establish a harmonised floor for switching and data mobility across the EU market. In tandem with DORA, the compliance focus shifts from contractual terms to demonstrable capability i.e., exportability, open interfaces and, for IaaS vendors, functional equivalence. With switching charges set to disappear from 12 January 2027 and interoperability specifications due to follow, exit frictions are likely to recede as a differentiator, placing more weight on service quality, security and resilience. For cloud based RegTech and their financial sector clients, the effect is a more portable operating model and clearer expectations around the artefacts that evidence it.