Imagine you’re an early-stage software company and you’ve just negotiated one of your first contracts with a large European enterprise customer. The customer had a lot of extra requests and wanted a large discount. You hesitated, weighing the risks (esp. the engineering capacity tied up by one customer and the danger that what you build won’t fully align with your roadmap) against the upside of signing a reference customer with a strong logo that can unlock future sales. To tip the balance, you insisted on a three-year term, which the customer accepted.
You might think: Great — all fair and square, both sides got what they wanted.
Well, no — at least not according to the EU.
Under the new EU Data Act, your customer will have the right to terminate the contract on two months’ notice, irrespective of the three-year term you agreed(1). If you think that sounds crazy, it’s because it is. Protecting consumers from being locked into unfair contracts is one thing. Overriding carefully negotiated, fixed-term agreements between sophisticated commercial parties is another.
Where this all comes from
According to the EU, the termination right is a necessary consequence of another principle codified in the new law: the right to switch to another data processing service(2). This switching right seems fair. If, after signing a long-term contract, a customer finds another supplier with much better service or pricing, it shouldn’t be tied-in simply because the existing supplier refuses to cooperate.
What’s surprising is why the right to switch should necessitate another right altogether — the termination of the existing contract. The EU argues that termination is necessary to make the switching right effective. This may well be the case for a small retail customer subscribing to a mass-market cloud service with standard, non-negotiable terms. Yet most consumer-oriented software already offers short-term plans anyway, often due to national fairness rules for standardized terms.
For the many long-term contracts individually negotiated between professional parties, this rationale does not apply. Yes, it’s fair and common sense that a customer should be able to request transfer of its data at any time, but that has nothing to do with honouring the underlying contract when it was negotiated and agreed at eye level.
The “proportionate” enigma
The EU seems to understand this, having added the following sentence to the recitals of the law (recital 89):
“Nothing in this Regulation prevents a customer from compensating third-party entities for support in the migration process or parties from agreeing on contracts for data processing services of a fixed duration, including proportionate early termination penalties to cover the early termination of such contracts, in accordance with Union or national law.” (highlighting by the author)
Setting aside the contradiction between a fixed-term contract and a general termination right, this sentence raises more questions than it answers. What does “proportionate” mean? Proportionate to what? What does “in accordance with Union or national law” mean, given that national law generally respects fixed-term contracts as a natural part of contractual freedom and therefore requires full payment of the agreed fees even if a customer no longer wants the service? How could anything be considered “disproportionate” if it follows the basic principle of pacta sunt servanda?
The only sensible answer is that “proportionate” does not limit the contractual freedom of consenting professionals and that contractually agreed payment obligations must be honoured — even if a party decides to switch to another provider and no longer wants the service. But if that is the case, why stipulate a termination right at all instead of simply regulating the switching right? Why introduce an ominous qualifier like “proportionate” in relation to remaining fees, creating massive legal uncertainty, rather than focusing on the supplier’s cooperation obligation?
There’s no obvious explanation, at least none that we can see. The best hope at this point is for the EU to quickly clarify its intention, and for practitioners, first and foremost legal advisers, not to speculate about its meaning but to stick to established legal principles (pacta sunt servanda). If you decide to take this route, you’re in good company. There are plenty of cloud-based service providers that demand full payment, often pointing to upfront costs and significant discounts granted in return for long-term revenue certainty (see e.g. Asana, Cisco, Cloudflare, IONOS, Salesforce, teradata).
All this notwithstanding, it may be worth considering a somewhat more conciliatory approach, especially if you’re a smaller provider without a massive legal budget. After all, the “termination right cum proportionate penalties” now exists. Even if it is pointless and contrary to basic legal principles, accommodating it in a workable way might appease counterparties and — if push comes to shove — make it easier for a judge to decide in your favour.
If you want to follow this route, we’d suggest allowing for a small reduction of fees for the time after termination. A reasonable benchmark could be your approximate gross margin or the costs that fall away if the service no longer needs to be provided (also referred to as “saved expenses,” e.g. third-party cloud fees). To keep things manageable, setting termination fees somewhere between 80% and 95% of the original contract fees should be fully defensible.
Other “goodies”
The termination right is by far the most consequential provision of the Data Act for data processors, but it’s not the only one to keep in mind. Here are some of the other “goodies” the Act has in store:
- If you thought you might be out of scope because you’re small or don’t materially change customer data, forget it. The Data Act definition is extremely wide. The moment you provide “centralized or distributed computing resources,” you’re in, regardless of company size. The only way around the Data Act might be if you install your software on servers exclusively owned or run by the customer (“on-premises”) without any third-party access.
- You’re not just subject to the switching right; you must also include it in every customer contract — including contracts concluded long before the Data Act. How to do this without customer consent remains an open question.
- You need to add extensive additional content to contracts, including an “exhaustive” list of all data and digital assets that can be ported (Art. 25).
- You must inform customers about switching and porting methods, formats, restrictions, and technical limitations, and publish an online register detailing available data structures and formats (Art. 26).
- Your website must inform customers about the jurisdiction governing your data-processing infrastructure and the measures taken to protect non-personal data against “international governmental access” (Art. 28).
As of today, only a few member states have enacted enforcement legislation for the Data Act (e.g. the Netherlands, Finland, Denmark, and Malta). Yet many more are in the making, making it advisable to implement the necessary changes sooner rather than later, even if you’re not located in an early-adopter country. To illustrate how contractual matters could be handled in practice, we found the addenda published by AWS and Cisco particularly helpful.
Fingers crossed
In a best-case scenario, the required changes to contract terms and websites will be a one-time effort and won’t materially impact the economics of long-term software contracts. In that case, the Data Act would mean more red tape, but not a major burden for the European startup scene. If, however, a more far-reaching interpretation of the “proportionate” limitation prevails or causes lasting legal uncertainty, European data processing providers may face yet another competitive disadvantage compared to rivals outside the EU, who don’t have to deal with the Data Act as long as they don’t serve EU customers. Fingers crossed.
Notes:
(1) The EU also requires you to inform your customer about the termination right and make it part of the contract with you, even if the contract dates back to a time before the Data Act came into force (12 September 2025).
(2) Somewhat strangely the Data Act does not expressly stipulate the termination right, but rather seems to assume it’s pre-existent: Art. 23 obliges data processing providers to implement the switching right (which triggers the termination of the contract) in customer contracts and make certain information available (Art. 25, 26) but it remains unclear where the (assumed) switching/termination right comes from.
The Right to Switch under the EU Data Act was originally published in Point Nine Land on Medium, where people are continuing the conversation by highlighting and responding to this story.