EU cloud agreements have been reshaped by three converging regimes: the GDPR, the Data Act (Regulation (EU) 2023/2854), and the cybersecurity framework (NIS2 and DORA for financial entities). Together they change what a 'reasonable' cloud contract looks like — particularly around data residency, third-country transfers, and switching providers. Before signing, examine lock-in provisions, transfer mechanisms, and supplier switching commitments — especially for regulated workloads.
What is data sovereignty?
A cloud services agreement in the EU typically combines hosting, storage, compute, and platform services delivered to a customer as a service. Key regulatory overlays include: Regulation (EU) 2016/679 (GDPR); the Data Act (Regulation (EU) 2023/2854), which introduces switching rights for cloud customers (Chapter VI, effective 12 September 2025); the NIS2 Directive (EU 2022/2555) for cybersecurity; the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) for financial entities; the Cyber Resilience Act (Regulation (EU) 2024/2847); and the Cloud Services Regulation being developed under the EUCS scheme. Many Member States add residency requirements for specific sectors (health, defence, classified data).
Red flags to watch for
Chapter VI of Regulation (EU) 2023/2854 requires providers to facilitate customer switching, progressively remove switching charges (egress fees gradually eliminated), and support functional equivalence. Contracts silent on this are non-compliant.
GDPR Art. 28 and Art. 44-50 require clarity on where personal data is processed and on any transfers to third countries. 'Globally available infrastructure' boilerplate without specific regions is a transfer-mapping failure.
Privacy Shield was invalidated in Schrems II (C-311/18). SCCs must be the 2021 Commission Implementing Decision version, and the Data Privacy Framework (effective July 2023) must be referenced for US transfers where relevant.
Post-Schrems II, both controller and processor must assess whether third-country law provides essentially equivalent protection. Providers must support this assessment.
Customer data cannot be held hostage. The Data Act and EU unfair terms principles require proportionate suspension and exit support.
NIS2 Art. 21 requires supply-chain security, and DORA Art. 28-30 imposes specific contractual requirements for ICT services to financial entities. Standard-form cloud contracts often fail DORA's register of ICT third-party providers.
Article 29 of the Data Act requires a progressive reduction of switching charges, fully removed from 12 January 2027 under Art. 29(4). Egress fees locked in for 3+ years are a red flag.
Your legal rights
EU cloud customers are protected by: Regulation (EU) 2016/679 (GDPR) — especially Art. 28 (processor contracts), Art. 32 (security), Art. 33-34 (breach notification), and Chapter V (international transfers); the Data Act (Regulation (EU) 2023/2854) — particularly Chapter VI on switching between data processing services and Chapter VII on international data transfers; the NIS2 Directive (EU 2022/2555) on cybersecurity risk management; the Digital Operational Resilience Act (Regulation (EU) 2022/2554) for financial entities; the Cyber Resilience Act (Regulation (EU) 2024/2847); the Platform-to-Business Regulation (EU 2019/1150) where applicable; Member State sector-specific residency rules; and the unfair-terms regime under Directive 93/13/EEC for consumer cloud services. Enforcement involves national data protection authorities, the European Data Protection Board, the European Commission, and national competent authorities under NIS2/DORA.
Questions to ask before you sign
1. In which EU data centres is customer data stored, processed and backed up?
2. What transfer mechanism is used for any third-country transfers, and when was the Transfer Impact Assessment last updated?
3. How does the contract implement the Data Act switching rights (functional equivalence, egress-fee reduction)?
4. What are the SLA credits and customer remedies for prolonged outages?
5. How does the contract flow down NIS2 and (for financial entities) DORA obligations?
6. What are the breach-notification timelines under GDPR Art. 33 and DORA?
7. What is the exit assistance period, and what egress fees apply during it?
8. Who is the data importer for Module 2 SCCs, and has the DPF certification been verified for US transfers?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.