1. The Data Act is now applied – the regulatory landscape to watch out in technology transactions widens
Since 12 September 2025, the EU Data Act (2023/2854) is directly applicable legislation in all EU Member States. Its mandatory requirements should now be considered also in the context of technology transactions and related due diligence processes. This is especially important when the target entity is either a cloud service provider or a manufacturer of IoT devices or a provider of related services. The level of preparation and compliance with the Data Act’s mandatory requirements may also have a direct impact on the target’s risk profile and value – depending on the scope of services and products in question. Therefore, the Data Act must now be added as a key component to the pallet of regulatory compliance due diligence in connection with technology transactions in addition to other technology related aspects.
2. Vendor lock-ins become history in cloud computing
The Data Act governs the so called “data processing services” which refer to various types of cloud computing models such as infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). The scope of application is thus very large. One of the Data Act’s objectives is to leave “vendor lock-ins” to history by making it easy for customers to switch from one cloud service to another or to in-source the services to the customer’s own ICT infrastructure. The Data Act also allows the customers to simultaneously download their data and digital assets to the new environment at no cost. Further, the service providers must assist in the process first against reduced switching charges and, after a transition period, finally for free.
3. Termination for convenience at two months’ notice may blur revenue recognition
The Data Act establishes a maximum statutory notice period of two months for customers in cloud computing contracts. A contractual clause providing for a longer notice period or prohibiting early termination before the end of a fixed term does not bind the customer, regardless of whether it is a natural or legal person. This means, in practice, that the customer now always has the right of termination for convenience on two months’ notice. Because the Data Act is directly applicable mandatory legislation, it prevails over any old agreements having longer termination periods, or new contracts based on longer fixed term subscriptions. In an industry where contractual setups and revenue models are often based on recurrent fixed term subscriptions, this is a significant change limiting the service providers’ revenue recognition.
4. Termination fees are still allowed in cloud computing agreements
While the right to terminate the agreement on two months’ notice by the customer may not be limited, the service provider may still charge a termination fee or a penalty from the customer to cover, for example, potential stranded costs for the early termination. The fee must, however, be agreed in the service agreement and be proportionate and predictable in the sense that the provider must have given the prospective customer clear advance information on the early termination penalties that might be imposed. Further, the parties’ freedom of contract is limited to a certain extent as the Data Act requires that cloud computing agreements contain certain mandatory contractual terms relating especially to the customer’s termination rights as well as the service provider’s assistance in the switching process and specifications of relevant data categories.
In the due diligence context this means that the potential buyer would need to review whether the target’s customer agreements include the required contractual terms concerning switching. If these are not in place, they should be fixed at the latest as post-closing actions in technology transactions. Further, the potential buyer would need to pay close attention not only to the target’s recurrent revenues from the previous years, but also to the width of the customer base, contractual clauses on the early termination fees and the target’s practices in customer retention.
5. Capability of sharing data in a controlled manner becomes crucial
In addition to the changes in cloud computing services, the Data Act places statutory obligations on entities manufacturing or selling connected products and related services. Given the ample definition of connected products, these requirements touch upon a wide range of IoT device makers and related digital applications.
From the due diligence perspective, a potential buyer should pay attention to the target entity’s assessment of its products, services and related (potentially business critical) data within the scope of the Data Act’s data sharing obligations. The data sharing obligations require said entities to share the user generated data with customers, which in turn may use such data for any purposes whatsoever excluding only production of a competing product. The users may also share such, potentially business critical, data even to the manufacturer’s competitors. Further, the due diligence should include an assessment of the target entity’s actual implementation actions taken regarding the data sharing to users and third parties as well as revision or implementation of related contractual practices.
All in all, it would be a mistake to consider the mandatory requirements of the Data Act in technology transactions only from a compliance perspective by analysing the potential compliance gaps and risks of administrative fines. It is equally important, if not even more relevant, to assess the long-term impact of the new mandatory requirements on the target entity’s business and technological requirements enabling regulatory compliance.