1. Objective of the Data Act on the cloud: break lock-in and facilitate multi-cloud

The Data Act imposes mandatory rules on cloud service providers (IaaS, PaaS, SaaS) to enable:

• full data portability,
• the reversibility of applications,
• the transition to another provider without friction,
• the ability to use multiple clouds (multi-cloud) or on-premise environments,
• operational resilience, avoiding dependence on a single supplier.

This is a major regulatory revolution for European architectures.

2. Key obligations regarding the portability of cloud services

End of vendor lock-in

Cloud providers must make it possible to switch providers without technical, contractual, or financial obstacles.

This includes:

Data portability

• The customer must be able to export all of their data, including:
  • usage data,
  • metadata
  • configurations,
  • logs,
  • images, snapshots, volumes,
  • configuration files (YAML, Terraform, Docker Compose, etc.).

Application and workload portability

• Suppliers must facilitate the compatibility of execution environments:
  • containers
  • VM,
  • database,
  • API.

Open formats

Data must be exportable in structured, widely used, machine-readable formats.

Documentation enabling the switch

The supplier must provide:

• API documentation,​
• diagrams
• complete migration procedures,
• guaranteed deadlines.

Predictability and legal certainty

The contract must clearly state:

• the migration procedures,
• any costs,
• portability deadlines,
• technical limitations.

3. Obligations regarding migration costs

Elimination of exit fees

Suppliers may no longer charge fees for:

• data copying,
• portability,
• migration to a competitor.

Only costs actually incurred (e.g., outgoing bandwidth) may be passed on, and for a transitional period until January 2027 at the latest.

After 2027 → exit fees = $0.

4. Interoperability obligations

Interoperability is becoming a regulatory requirement, particularly for PaaS services.

The supplier must guarantee:

• documented and standardized APIs
• automated export/import mechanisms
• market-compatible interfaces
• the possibility of using third-party tools

Suppliers must adopt European or international standards, or justify why they do not use them.

5. Multi-cloud resilience requirements

This point is key: the Data Act encourages companies to stop relying on a single supplier.

Obligation to allow the simultaneous use of multiple clouds

Suppliers must ensure that their services can be combined with:

• other clouds,
• sovereign clouds,
• private clouds,
• on-site data centers.

No contractual restrictions

A supplier may not prohibit:

• data replication to another cloud,
• the use of competing services,
• the use of multi-cloud tools.

Ability to distribute a service across multiple environments

The customer must be able to:

• perform part of its service with another provider,
• synchronize or replicate data,
• ensure continuity in the event of a major failure (resilience).

That is precisely the aim of the Data Act: to promote multi-cloud for European resilience.