Gabriela Kocurek and Joanna Kik for Rzeczpospolita: “FinTech and SaaS, PaaS and IaaS providers – what will Data Act change”

Data Act against vendor lock-in

The EU Data Regulation has been in force since September 12, 2024 and aims to regulate the principles of access to data, its use and transfer within the EU. The main objective is to counteract the phenomenon of vendor lock-in, i.e. users’ dependence on one provider due to insurmountable technical, legal or financial barriers. The Data Act focuses on data generated by devices and digital services – regardless of whether they contain personal data, which is a significant difference compared to GDPR. The addressees of the new requirements are not only direct cloud providers, but also entities providing their services using the cloud.

Detailed requirements regarding exit from the contract

The Data Act precisely regulates what the process of terminating cooperation with a data processing provider should look like. The contract must provide for a maximum notice period not exceeding two months. After this period, the client has 30 calendar days (maximum transition period) to transfer data to a new provider or local infrastructure – with the possibility of a one-time extension. The provider may extend this period to seven months for technical reasons. After the end of the transition period, another minimum data retrieval period of at least 30 days begins. These requirements are more detailed than those contained in DORA or EBA guidelines on outsourcing and in this respect override existing sectoral obligations.

Controversies surrounding fees for changing providers

A key change – and one that raises interpretative doubts – is the ban on charging clients fees for the provider switching procedure, which will come into full force on January 12, 2027. Until that time, reduced fees not exceeding the costs actually incurred directly related to the switching procedure are permitted. However, it is not clear whether the ban applies to all fees for outgoing data traffic or only to non-standard fees. There is also a question about the limit of admissibility of charging other fees for activities carried out as part of the exit plan. Therefore, it is crucial to regulate in detail in the contract which activities are performed free of charge, including the technical aspects of the standard exit plan.

Impact on the FinTech sector

Although the risk associated with the lack of implementation of the Data Act lies on the side of providers as addressees of the regulations, financial entities should also ensure compliance. As entities under regulatory supervision, they must ensure compliance with the law, especially since proper regulation of the exit process is a condition for meeting DORA requirements. There is a clear trend here in EU regulations on technology – they increasingly resemble connected vessels. Without fulfilling the requirements of one act, full compliance with another cannot be recognized. The FinTech industry, despite promises of deregulation, is once again burdened with additional obligations.

What specific obligations does the Data Act impose on cloud service providers in the FinTech sector? What will the procedures for exiting contracts with providers look like after the Data Act comes into force? Will any fees for changing data processing service providers be permitted from 2027?

Gabriela Kocurek and Joanna Kik answer these and many other questions in their text published in Rzeczpospolita.