The EU Data Act (Regulation (EU) 2023/2854), which entered into force on January 11, 2024 and has now entered its application stage, represents one of the most consequential regulatory interventions in Europe’s digital markets. Although framed as a horizontal piece of legislation that establishes a set of rules on data access and use that respects the protection of fundamental rights and delivers wide-ranging benefits for the European economy and society, its implications for the financial sector, particularly payments, banking and fintech, are considerable.
As institutions deepen their reliance on cloud infrastructure for real-time processing, transaction monitoring and fraud analytics, the Data Act introduces a legally enforceable framework designed to eliminate cloud lock-in, promote data portability and strengthen systemic resilience. For the financial services sector, the cloud switching provisions of the act are of significant importance.
The bigger picture
Cloud infrastructure enables real-time data processing, thereby enhancing the precision of risk assessment models, the robustness of analytical outputs and the efficiency of institutional decision-making processes. Cloud service platforms offer significant scalability, allowing financial institutions to accommodate peak operational demands and increase computational capacity as required, without requiring substantial capital expenditure.
Furthermore, the use of artificial intelligence-enabled, cloud-based risk management tools facilitates the identification of patterns and anomalies indicative of emerging risks or potential fraudulent activity. These capabilities support proactive risk mitigation, strengthen the safeguarding of institutional assets and assist in maintaining compliance with applicable regulatory obligations. In the financial services industry, where continuity, speed and security are paramount, the Data Act is reshaping long-standing architectural assumptions and establishing new regulatory expectations regarding cloud governance. For firms, this could lead to renegotiation of data processing contracts with third-party providers to facilitate easier access.
At its core, the Data Act mandates that cloud providers remove technical, contractual and commercial barriers to switching. This includes the obligation to support functional equivalence when a customer migrates to an alternative provider, the requirement to publish clear switching plans and the phased reduction and eventual elimination of exit fees by January 2027. In practical terms, the regulation allows financial institutions to move datasets, virtual machines, applications and logs between cloud environments without friction. The Data Act modernises the infrastructure layer by enforcing interoperability and data mobility across cloud services.
This reform is closely aligned with Europe’s wider digital agenda, including Regulation (EU) 2022/2554 (Digital Operational Resilience Act - DORA), Regulation (EU) 2022/868 (Data Governance Act) and the European Commission’s broader ambition to foster a competitive and resilient data protection and usage framework. These acts complement each other in that each of them focuses on a core area of the data ecosystem, with the General Data Protection Regulation (GDPR) laying down guidelines on personal data protection, DORA on financial resilience and the Data Act on data access and sharing.
The Data Act has wide-reaching implications for various stakeholders. For policymakers, the act is part of a strategic effort to reduce systemic concentration risk, diversify the EU’s data market and ensure that critical financial infrastructures are not structurally dependent on a handful of non-EU providers. It provides supervisors with new tools to assess whether institutions can credibly exit their cloud relationships and maintain continuity of critical functions under stress. As a result, financial institutions are particularly affected by this fundamental shift in the governance expectations surrounding cloud outsourcing.
The act will reshape the daily operations of banks, payment service providers (PSPs) and fintechs. Firms will need to assess the portability of their existing architectures, address dependencies on proprietary cloud services, renegotiate complex vendor contracts and embed new governance processes that reflect the statutory requirements of the Data Act. The obligations under the Data Act, taken together with new requirements under parallel legislation, demonstrate the European Union’s accountability-led framework for data protection and governance. Institutions running cloud-native payment engines, machine-learning models or real-time monitoring systems will be required to carry out comprehensive operational work to support interoperability. Cumulatively, the regulatory burden on firms is significant and necessitates a proactive, risk-averse approach to managing data.
Although the Data Act promotes substantial long-term benefits, it also introduces meaningful risks. From a regulatory perspective, institutions that fail to adapt may face supervisory challenges or enforcement action, particularly where cloud dependencies undermine operational resilience or infringe any GDPR provisions. Data protection authorities/designated competent authorities of member states may set penalties and other punitive measures to deter non-adherence. Under the GDPR, for example, fines can be crippling. In particular, for especially severe violations, listed in Article 83(5), fines of up to €20m, or in the case of an undertaking, up to 4 percent of its total annual turnover of the preceding fiscal year, whichever is higher, can be imposed. In November 2025, American Express was fined €1.5m in France for data processing violations.
Why should you care?
As the Data Act is now applicable, financial institutions should, if they have not done so already, be conducting detailed assessments of where vendor lock-in exists within their architecture and identifying which components of databases, analytics pipelines, container orchestration layers or identity systems require refactoring to support portability.
Legal and procurement teams will need to renegotiate cloud contracts to reflect the act’s provisions on switching, termination, interoperability and migration support, ensuring that contractual terms do not contradict statutory obligations.
Governance frameworks, including outsourcing registers, cloud exit strategies and DORA-aligned ICT risk assessments, must be updated to incorporate the new rights and duties introduced by the legislation. Institutions will also need to conduct practical migration testing rather than relying on theoretical documentation, demonstrating that data, applications and configurations can be ported in real scenarios.
Cloud concentration is now recognised as a financial stability issue, and the act aims to shift the balance of power between hyperscale cloud providers and their regulated customers. Institutions that anticipate the changes and treat cloud mobility as an opportunity rather than a compliance burden will be better positioned to enhance resilience, negotiate more favourable commercial terms and accelerate innovation by adopting best-in-class cloud capabilities. Conversely, firms that delay may find themselves tied to non-portable architectures, facing supervisory challenge, and ultimately losing competitiveness in an industry where cloud agility increasingly underpins operational excellence.
Looking ahead, firms should be planning for a more modular and vendor-agnostic cloud architecture, incorporating open standards and cloud-neutral security models. European regulators expect financial institutions to be able to maintain continuity regardless of the provider hosting their critical workloads. The Data Act strengthens the supervisory rationale for multi-cloud strategies and heightens the expectation that firms distribute critical functions across providers where appropriate. At the same time, the regulation opens the door to innovation. The ability to move workloads easily between environments allows institutions to take advantage of emerging providers offering advanced analytics, specialised fraud detection or real-time liquidity optimisation tools.
As firms accelerate their alignment with the EU Data Act, the scope of required work is expanding beyond IT and compliance teams. In the context of mergers, acquisitions and joint ventures, due diligence must now include a detailed examination of Data Act compliance, the technical feasibility of providing user data access and the adequacy of cloud-switching arrangements. A failure to meet these expectations can introduce material liabilities and depress deal valuations, particularly where business models depend heavily on proprietary data or non-portable cloud architectures.
Consequently, commercial contracting will also undergo substantial change. Agreements that govern data access, cloud services or outsourcing must be updated to reflect statutory user rights, fair data-sharing obligations and enforceable switching mechanisms. Any attempt to contractually restrict these rights will be void, creating legal risk if legacy agreements are left unchanged. Institutional investors, lenders and strategic partners are increasingly incorporating Data Act compliance into broader environmental, social and governance (ESG) and operational-risk assessments, and firms that are unable to demonstrate readiness may face higher financing costs or reduced deal appetite.
Compliance with the Data Act will affect technology partnerships as well. New arrangements will require standard interfaces, secure data-transfer pathways and comprehensive audit trails. Financial institutions running cloud-native infrastructures will need to ensure that real-time systems can support compliant data export without service degradation. Firms that fail to modernise their architecture may find themselves unable to meet regulatory expectations or commercial demands, which could ultimately result in punitive action being taken.
What firms should be planning for
With key switching and interoperability obligations beginning to take effect from 2025 and extending to 2027, financial institutions should be progressing towards ensuring they are operationally aligned. Cloud contracts, governance documentation, architectural design and operational testing must all be aligned with the requirements of the Data Act. Firms should initiate:
1. Scoping and gap analysis
- Identify in-scope products, services and contracts.
- Map where user data rights, cloud switching and data export will require changes.
- Clarify the firm’s roles under the act (i.e., data holder, cloud customer, cloud provider).
2. Compliance programme design
- Develop processes for user data access, export and separation.
- Implement technical mechanisms that support secure, auditable data transfer.
- Ensure alignment with the GDPR, DORA, trade-secret protections and other relevant or upcoming legislation.
3. Contract review and remediation
- Update templates and legacy agreements to reflect Data Act obligations.
- Remove unenforceable restrictions on user rights or switching.
- Ensure fair-pricing terms and transparent cloud exit provisions.
4. Governance and documentation
- Establish policies, user notices and access logs demonstrating compliance.
- Maintain defensible documentation for supervisory review or litigation.
- Integrate Data Act obligations into outsourcing registers and risk frameworks.
5. Litigation and enforcement readiness
- Prepare response plans for regulatory requests and potential class actions.
- Preserve evidence and ensure audit trails are complete and reliable.
- Identify high-risk legacy practices and prioritise remediation.
6. Training and monitoring
- Train legal, compliance, operations and engineering teams on the Data Act and other relevant legislation.
- Monitor regulatory developments across EU markets and update policies accordingly.
7. Strategic opportunities
- Explore new data-driven services and partnerships enabled by compliant data access.
- Participate in industry standard-setting on cloud interoperability.
- Reassess business models to leverage improved data mobility and reduced lock-in.
In an environment where data mobility is becoming synonymous with operational resilience, alignment with the Data Act will define which institutions remain agile, resilient and competitive as Europe’s financial infrastructure evolves and develops.




