Exit plan in the Data Act vs DORA
In recent years, the rules governing business activity based on digital technology and data have undergone significant changes. The European Union has introduced new regulations that precisely define the obligations of entrepreneurs operating in this area. One of the key requirements is the contractual regulation of so-called exit plans – clear rules that allow the end user to safely and efficiently terminate cooperation with the current provider of digital services and start cooperation with a new provider.
Why are exit plans so important?
Exit plans are intended primarily to ensure digital security and facilitate the change of provider. This obligation stems mainly from two EU regulations: DORA and the Data Act. Although both legal acts differ in their objectives and addressees, they impose on entrepreneurs the requirement to implement appropriate mechanisms – each time tailored to the specifics of the services provided.
When planning the implementation or update of digital services, it is worth keeping in mind the full set of applicable regulations to ensure compliance with the law and protect the interests of your company.
Data Act vs DORA – general remarks
Both DORA and the Data Act began to apply across the European Union in 2025: DORA has applied since 17 January 2025, and the Data Act since 12 September 2025. Both legal acts take the form of regulations, which means that they apply directly in Poland without the need for implementation into national law. Nevertheless, legislative work is underway to clarify the rules for applying both regulations at the national level.
What does DORA regulate, and what does the Data Act regulate?
The main goal of DORA is to increase the operational resilience of entities operating in the financial sector. The regulation aims to reduce risks related to cyberattacks and other digital security incidents.
In practice, DORA applies not only to financial institutions, but also to their partners – providers of information and communication technologies (ICT). DORA introduces a number of requirements regarding the content of agreements between a financial institution and an ICT provider. One of them is the obligation to prepare an exit plan.
The Data Act, on the other hand, covers entrepreneurs providing data-based services (e.g., analytics, service personalization, AI solutions, or Fintech). The regulation is not limited to personal data – it applies primarily to non-personal data, such as organizational or technical data. Its main objective is to facilitate access to data and allow users to more easily change providers. For this reason, the Data Act also regulates in detail matters related to the exit plan.
Exit plan in DORA
DORA requires each financial institution to prepare an exit plan concerning cooperation with an ICT service provider supporting critical functions. A critical function is one whose disruption could significantly affect financial performance, service continuity, or the security of the institution.
Elements that an exit plan must include under DORA
The exit plan should take into account risks related to ICT services, in particular potential failures or deterioration in the quality of services. It must be prepared independently of the agreement with the provider, regularly reviewed, and – if necessary – updated.
The plan should be realistic and feasible, based on probable scenarios and rational assumptions. It should include a timeline consistent with the conditions under which agreements with providers can be terminated and be tested in a manner proportionate to the scale of the enterprise’s activities. The exit plan constitutes part of the policy on the use of ICT services supporting critical or important functions provided by external ICT service providers.
Links to EBA guidelines
These requirements refer to earlier EBA outsourcing guidelines (EBA/GL/2019/02 of 25 February 2019), which also required defining rules for terminating outsourcing contracts, alternative solutions, and transitional plans. The EBA recommended that institutions define in advance the criteria for successful service migration and indicators showing the need to transfer services to another provider.
Contractual regulation of the transitional period
In addition to preparing such an exit plan, the financial entity should include appropriate provisions in agreements concluded with providers of critical services.
The basic purpose of contractual provisions regarding the exit plan is to determine the rules under which services will be provided during the transitional period, i.e., between the termination of the agreement with the ICT provider and the beginning of service provision by the new provider.
The agreement should ensure that during this period, the ICT service provider continues to provide appropriate services so as to reduce the risk of disruptions in the functioning of the financial sector institution. The former provider should also enable the financial entity to migrate to the new provider.
The aim of all procedures should be to transfer operations, where necessary, to another provider or to on-premise infrastructure as quickly and safely as possible.
Exit plan in the Data Act
One of the main objectives of the Data Act is to remove barriers to changing digital service providers. The regulation obliges providers to eliminate all obstacles – legal and factual – that could limit the user’s right to transfer data or use it within their own on-premise infrastructure.
Rights of the end user in the provider-change process
The end user should have control over their data. The agreement with the provider should therefore allow them to choose: transfer data to another provider, retain it locally, or permanently delete it after the contract ends.
Deadlines for changing provider and migrating data
The Data Act also introduces specific deadlines for termination and data transfer (or provider change):
- The notice period initiating the provider-change process may not exceed 2 months;
- Data transfer or provider change must take place without delay, and no later than the end of the mandatory maximum transitional period of 30 calendar days, which begins when the notice period initiating the provider-change process ends;
- In exceptional cases, the deadline for data transfer/provider change may be extended, but – in the case of the provider – to no more than 7 months.
Provider obligations during the transitional period
Throughout the transitional period, the provider is required to maintain service continuity. After it ends, the client must be able to download the data for at least 30 days, and the provider must then permanently delete it.
The provider is also obliged to support the client in the provider-change process and inform them of any known risks to service continuity.
Fees for data migration
The agreement should clearly specify which categories of data are subject to transfer and which are not. Until 11 January 2027, providers may charge fees for activities related to provider change, but not higher than the actual costs incurred. From 12 January 2027, charging such fees will generally be prohibited, except where the service was developed individually for the client. A service developed individually is one that does not have a standardized character and was not prepared for a broader group of clients. The amount of the fee must always be indicated in the agreement.
Provider’s information obligations
Providers must also provide clients with information about provider-change procedures, the scope of data that can be transferred, and the registers in which the data is stored. At the same time, the Data Act does not require providers to create new technologies or disclose trade secrets or intellectual property to enable data transfer.
Key differences between the exit plan in DORA and the Data Act
The differences between DORA and the Data Act are significant and stem from the different purposes of the regulations.
The provisions of DORA do not include any restrictions preventing ICT service providers supporting critical functions from charging additional fees for services provided during the transitional period. In the case of the Data Act, such fees will, from January 2027, be excluded in most cases, and even today their level is significantly limited.
Duration of the transitional period
Another difference concerns the planned length of the transitional period. DORA does not introduce any specific time frames for this period. It leaves greater flexibility to financial institutions, which adapt the exit plan to the realities of a given cooperation. In the case of the Data Act, the maximum notice period initiating the provider-change process and, as a rule, the maximum duration of the transitional period are defined.
Different objectives of the regulations
These differences reflect the different philosophies of the two regulations.
DORA focuses on the digital operational resilience of the financial sector, while the Data Act focuses on the free flow of data and flexibility in changing providers, as well as increasing competitiveness in the data processing services market.
The fact that the exit plan appears in both acts shows that the EU legislator is increasingly emphasizing the importance of managing relationships with technology providers. Entrepreneurs should take a close look at this area as they prepare for the full implementation of the new EU regulations.
