EU's new cloud portability requirements - What do they mean?

February 23, 2024 · 5 min read
Ekin Akar
Legal & Head of Ops
EU's Data Act and new cloud portability requirements

The EU adopted the Data Act last month, which is coming into effect in September 2025. One of Data Act's aims is to level the playing field among cloud and edge service providers in the EU. The act applies across all sectors of the EU and, unlike GDPR, to all types of data, including personal and non-personal.

In this blog post, we’re going to share four of the act’s rules that will collectively change the EU cloud market. We’ll also hypothesize about how public cloud providers might adapt or react to these changes based on past experiences with GDPR. In summary, these four mandates of the Data Act are as follows:

  • Remove obstacles that prevent customers from switching between cloud providers that provide the same type of service
  • Eliminate switching charges, including data egress fees, by January 2027
  • Introduce portability as a right in customer contracts
  • Define interoperability specifications and harmonize common standards

For Ubicloud, an open source and portable cloud, these changes are encouraging. The cloud hasn’t seen a major innovation in a decade; and we think that high barriers to entry in the cloud market hurts both EU and US businesses.

At the same time, we hypothesize that major cloud providers could argue technical challenges associated with compliance and aim to play a longer game as they “gradually” work towards compliance. Ultimately, we think good alternatives will also define EU Data Act’s feasibility. More on all of this below.

1. Removing obstacles to cloud portability

The Act requires cloud providers to remove all “pre-commercial, commercial, technical, contractual and organizational” obstacles that prevent their customers from switching providers with the same type of service. The Act also removes obstacles to porting exportable data and digital assets. These assets include virtual machines (VMs) and containers, if the customer has the right to use these VMs independent of their contractual relationship with their existing cloud (think using Linux versus Windows).

This requirement also applies when the cloud provider is asked to unbundle its IaaS offerings from its PaaS and Saas offerings, assuming the unbundling is technically feasible. In addition, IaaS providers must take all “reasonable measures” in their power to provide “functional equivalence” to destination cloud providers.

As for providers offering PaaS and SaaS, the Act includes an obligation to open interfaces to both the customer and the destination provider. This way, the old and new environments can communicate for data portability and interoperability, and they are compatible with future specifications and standards for interoperability.

2. Switching charges (and data egress fees)

Switching charges will be gradually withdrawn (capped at costs directly linked to the switching process) until January 2027. At that point, they must be abolished entirely. These charges include data egress fees and costs incurred for specific support during the switching process.

The EU Data Act recognizes that a customer may want to use products or services offered by different vendors in parallel, and imposes requirements to support multi-vendor use. In this case, the Act allows data egress charges, but caps them at cost to the cloud provider.

It’s worth noting here that Google Cloud announced the elimination of its data egress fees on the date the EU Data Act was adopted.  According to statements made to Bloomberg by Google, switching fees only represent about 2% of the total cost of migrating to a new provider, and don’t deter “many” clients from moving their data.

Even if one were to assume that switching costs really hover around the 2% number on average for all public cloud providers, in dollar amounts, they can still be quite significant for users. These fees probably don’t represent the actual cost of transferring the data, and more importantly, mainly serve to facilitate vendor lock-in. It’ll be interesting to see how AWS and Azure will adapt their pricing to the Act’s requirement to eliminate not just the data egress fees but all switching charges. The Act specifies that cloud providers must comply with effective switching requirements even after the end of their free-tier offering periods.

Also, AWS and Microsoft may not respond in the same way to the Act’s new requirements. Microsoft’s Office 365, Windows and SQL server license practices when these products are deployed on non-Microsoft Azure infrastructure are likely to continue to deter users from switching. In addition, Microsoft’s significant progress on the AI front could incentivize a move by some enterprises towards Azure.  

3. Introducing portability as a right in customer contracts

All cloud contracts will include explicit switching rights for customers. These rights will require cloud providers to:

  • Provide  “reasonable assistance” for switching and act with care to maintain business continuity and security during the switching process
  • Support a customer’s exit strategy
  • Provide an exhaustive specification of all categories of data and digital assets that can be ported
  • Act with care to maintain business continuity and security during the switching process
  • Erase all exportable data after switching
  • Put a cap on the period of the switch

4. Interoperability specification and standards

The Act requires that the EU adopt open interoperability specifications and harmonize standards. PaaS and SaaS providers will have to open their interfaces, free of charge, to both the customer and the destination provider. This way, the old and new environments can communicate for data portability and interoperability. If a customer wants to switch to another provider while the standards are still unpublished, the cloud provider will need to export all of the customer's data in a structured and standardized format.

These requirements borrow from the provider-switching regime under EU electronic communications law (for example, switching cell phone providers); and you’d expect them to require significant engineering investments.

This is where it gets interesting. To the contrary, the Act states that cloud providers aren’t required to develop new technologies or services to comply with the switching requirements of the Act. They aren’t required to disclose or transfer digital assets that are protected by intellectual property rights or that constitute a trade secret. As a result, the technical aspects of switching are going to be difficult for the EU to enforce.

Enforcement of the interoperability requirements in particular also faces other risks. First, the market could easily evolve to standardize to AWS, Azure, and Google Cloud’s offerings. Second, the open standards effort can get flooded with thousands of pages of documents, making any standardization effort impractical.

For example, the Gaia-X project launched in 2020 with the goal of providing an open data infrastructure initiative across the EU. Four years later, as The Register reports, the project derailed from its original goal by welcoming unrestricted feedback from the US cloud providers.

Will the cloud portability requirements have any impact?

It's also likely that major cloud providers will put forward other arguments. They will state that their compliance with respect to certain offerings is subject to technical complexity and challenges. Several of the provisions in the Act are already toned down to enable this. For example, CSPs can include, in their contracts, that it is “impossible” to switch without significant interference in the data or architecture. They can state that switching for some services is highly complex and costly. These could then pave the way for further differentiation in offerings, and de facto limits to portability in some sectors or for some customers.

Almost six years after the entry into force of the GDPR, the EU is still trying to “fix” international data transfers. Considering this, it is clear that meaningful change in the cloud market will take a long period of time. Still, unless the US public cloud providers genuinely work towards compliance and interoperability, sooner or later, they will risk some potentially significant fines.

If you're curious on our take on this new legistation, we'd be happy to talk anytime. Please drop us a note at [email protected]