“Data Processing Services” under the Data Act – Pars pro toto or totum pro parte?

Starting in September 2025, providers of certain digital services must allow their customers to switch to competing products. What at first glance appears to be clear market regulation raises fundamental questions regarding implementation: Which providers are actually affected? How short can switching periods be? And what applies to contracts that existed before the regulation took effect? The following article addresses these questions and provides guidance for practice.

I. Background: Why the Legislator Is Regulating the Cloud Market

Anyone purchasing digital infrastructure today – whether storage space, computing power, or a complete software platform – often enters into a long-term commitment. Data is stored in proprietary formats, interfaces are tailored to a specific provider, and switching providers often fails due to the technical and financial hurdles of migration. This phenomenon – known in technical jargon as vendor lock-in – not only impairs the flexibility of individual companies but also hinders competition across the entire European cloud market.

This is precisely where Chapter VI of the Data Act (Regulation (EU) 2023/2854) comes into play. The regulations, effective as of September 12, 2025, require providers of so-called data processing services to enable their customers to switch providers seamlessly. The scope of these obligations ranges from mandatory contract terms and the provision of open interfaces to the phased elimination of switching charges. However, for these obligations to take effect, a preliminary question must first be answered: Does the service in question even fall under the definition of a data processing service?

II. What the Data Act means by a data processing service

Article 2(8) of the Regulation contains a definition that establishes the scope of Chapter VI. According to this, a data processing service exists when a digital service provides the customer with network-based access to a shared pool of computing resources – such as storage, processing power, or network components – that can be provided on-demand, in a scalable manner, and with minimal administrative overhead.

This description is based on the internationally established cloud computing definition from the National Institute of Standards and Technology (NIST) from 2011. The regulator has largely adopted the terminology used there and merely supplemented it with elements intended to include decentralized processing models such as edge computing. The explanatory notes to the Regulation (Recital 81) explicitly mention the three common service models – IaaS, PaaS, and SaaS. Furthermore, the definition is technology-neutral, meaning that newer concepts – such as data-driven services or AI-based offerings – can in principle also fall under the term.

Upon closer examination, it becomes clear that drawing the line in practice is anything but trivial. This is because the definition combines around 17 individual characteristics, many of which are open to interpretation. Furthermore, the various language versions of the Regulation are not entirely consistent with one another.

III. Where the distinction becomes difficult: The example of complex software services

For traditional infrastructure offerings  – such as virtual servers, storage capacity, or database instances – there is little doubt that they fall under the definition of data processing services. These services directly provide customers with technical resources that they can scale up or down as needed. This constitutes the core business of the major cloud platforms, and the legislature clearly had these offerings in mind when designing the switching regime.

The situation is less clear-cut for software services that, while provided via the Internet, derive their actual value not from computing power but from the specific functions they perform. A cloud-based accounting program, a human resources management system, or industry-specific planning software naturally utilize scalable computing resources in the background. However, the customer does not purchase storage or processor time, but rather a business solution. They configure payroll rules or inventory management processes—not server instances.

The crucial question is therefore: Is it sufficient for classification as a data processing service that a service is based on cloud infrastructure in the background? Or must the customer themselves have access to the underlying resources? If one follows the framework and purpose of the regulation, there is a reasonable case for the second interpretation: The text of the law requires that the service “enables” access to computing resources – which implies more than the provider’s mere internal use of such resources.

A look at the NIST framework also supports this assessment: It distinguishes between the infrastructure layer, where resources are directly provided, and the application layer, where ready-made software is consumed without resource control. The more a service maps operational processes, is configuration-intensive, and requires individual customization, the further it moves away from the type of data processing service that the regulation has in mind.

In practice, this means: A provider that exclusively provides server capacities or platform services clearly falls under Chapter VI. By contrast, a provider of highly specialized industry-specific software, whose value lies in the business logic rather than in the provision of technical resources, has several good reasons for considering itself outside the scope of the regulation. Between these two extremes, of course, there are numerous hybrid forms for which a blanket answer is not possible. Therefore, a specific analysis of the actual services offered and their concrete structure is always required.

IV. Deadlines and Contract Terms When Switching Providers

1. The Process of Switching Under Art. 25 DA

The Regulation provides for a phased switching process. First, the customer must notify the provider of their intention to switch. For this purpose, Art. 25(2)(d) DA provides for a maximum notice period of two months, which must be specified as an upper limit in the contract. Following the expiration of this period, a mandatory maximum transitional period of generally 30 calendar days begins, during which the actual data migration is to take place. During this phase, the provider must continue to provide the service and assist the customer with the switch.

2. A Linguistic Issue with Practical Consequences

In the German version of the Regulation, the two-month period was originally referred to as a “Kündigungsfrist.” This was misleading, as the contract does not end upon the expiration of this period. In fact, it merely marks the starting point of the switching process – the contract is only considered terminated once the switch has actually been completed or the transition period expires. Consequently, the act of notifying a data processing service provider of the intention to switch does not constitute a contractual right in the strict sense. A formal notice of termination is therefore not required in this context.

The consolidated version of the Data Act now uses the more accurate term “Ankündigungsfrist.” 

3. Reality Check: 30 Days for a Migration?

The 30-day transition period is realistic for simple services, but quickly reaches its limits in complex environments. If large amounts of data must be migrated, interfaces adapted, and business processes mapped in a new environment, one month is likely to be insufficient in many cases. The regulation takes this into account by allowing the provider to apply for an extension of up to seven months if they can demonstrate technical infeasibility (Art. 25(4) DA). However, it remains unclear whether and how this proof can be provided in practice.

V. What applies to existing contracts?

One of the most controversial issues regarding Chapter VI concerned whether contracts concluded before the Regulation took effect on September 12, 2025, would be covered. The Regulation itself does not provide a clear answer to this. Article 50 of the Data Act (DA), which specifies the effective dates for each chapter, simply contains no explicit provision for Chapter VI – unlike, for example, the provisions on unfair contract terms, for which the legislature has provided a clear transitional provision.

However, the Federal Network Agency – which was designated as the supervisory authority by the Data Act Implementation Act (DADG) passed by the Bundestag on March 26, 2026 – clarifies this and states unequivocally in the FAQ section on the DA: The provisions of Chapter VI of the DA apply to both existing and new contracts. 

VI. Digital Omnibus 

1. The Proposal for Article 31(1a) of the DA-E

In November 2025, the European Commission also proposed amendments to the Data Act as part of its Digital Omnibus Package. For the issue discussed here, one new exemption is particularly relevant: According to the proposed Article 31(1a) DA-E, services whose functionality has been predominantly tailored to a customer’s individual requirements are to be exempted from most switching obligations – but only if the relevant contract was concluded before September 12, 2025.

This proposal is revealing in two respects. On the one hand, it confirms that the switching regime primarily targets standardized, widely available infrastructure and platform offerings and not individually configured specialized applications. On the other hand, it also raises new questions: When exactly is the “majority of the functions” of a service customized for a specific customer? And why should the exception apply only to existing contracts, when the demarcation problem also exists for new contracts? Ultimately, the proposal addresses the issue of temporal applicability but leaves the fundamental question of demarcation unanswered.

VII. Conclusion and Recommendations

The regulations on cloud switching in Chapter VI of the Data Act pursue a clear objective: customers should no longer be trapped in closed systems. In practical implementation, however, it becomes apparent that key questions remain unresolved – above all, the scope of the term “data processing service.”

For companies that offer or use cloud services, this gives rise to specific requirements for action: Providers should analyze their product portfolio to determine which services could be classified as data processing services. In doing so, the marketing label matters less than the question of whether the customer gains access to technical resources or uses a ready-made application functionality. Existing contracts must be reviewed for compliance with the requirements of Article 25 of the Data Act and amended as necessary. 

Given the uncertainties that still exist, it is advisable to closely monitor further developments: The EU Commission’s FAQs on the Data Act, the standard contractual clauses for cloud migration, the administrative practices of the Federal Network Agency, and the progress of the Digital Omnibus will play a key role in clarifying the currently unresolved issues in the coming months.