EU Data Act: The Beginning of the End for Cloud Monoculture?

Dieser Artikel ist auch auf Deutsch verfügbar

This article is part of a series

• Part 1: EU Data Act: The Beginning of the End for Cloud Monoculture? (this article)
• Part 2: Data Inventories in the EU Data Act: The Democratization of IoT Devices

The next issue likely to stir up emotions is the EU Data Act (Regulation (EU) 2023/2854)[1]. It will have strategic significance for European companies – and for anyone wanting to do business in the EU.

In 2025, most cloud infrastructure in the EU runs on U.S.-owned platforms. AWS, Azure, and Google Cloud dominate much of European enterprise IT – deeply embedded, sometimes by choice, sometimes seen as an emerging risk.[2] Switching providers is a technically challenging, expensive, and often unrealistic undertaking.

This is exactly where the parts of the EU Data Act we’ll look at more closely come in: tackling cloud lock-in and Europe’s dependence on U.S. hyperscalers.

Let’s be clear: regulation is coming, and it will require effort–especially from the big players. But that’s not our focus here. We want to look at the potential benefits of the Data Act, leaving the inevitable LinkedIn bottle cap analogies to others.

From Federation to Concentration: Where It Went Wrong

The internet was originally envisioned as a network of many computers, run by many different actors – technically decentralized, open, and federated. For a time, companies ran their own infrastructure, operating data centers, servers, and networks–not out of choice, but because there was no real alternative. The rise of hyperscalers and their all-in-one offerings shifted the focus: less time on operations, more on business features.

The public cloud has become the standard – driven not only by operational simplicity, but by offerings attractive to both startups and large enterprises: inexpensive to begin with, scalable, and immediately accessible. While costs are often precisely itemized, they remain difficult to predict intuitively. Today, few organizations build everything in-house, in part due to a lack of the necessary expertise.

The Price of Convenience

Today, three U.S. providers dominate the European cloud market: AWS, Azure, and Google Cloud. Many companies have used them for years because they’re powerful, quick to deploy, and well integrated. Vendor lock-in was often a conscious trade-off.

Even when companies initially relied on open standards or well-known open-source products, proprietary services tend to creep in over time. AWS Lambda, Google’s BigQuery, or Azure App Services are convenient – but hard to replace once woven into the architecture. Switching is possible in theory, but rarely realistic: it’s complex, and the effort is hard to gauge.

Even with services like Amazon S3 – often seen as portable thanks to numerous S3-compatible implementations – lock-in can come from a different source: the pricing model. Moving large amounts of data incurs high egress fees, often enough to make switching economically unrealistic.[3]

From Lock-in to Exit-ready – Europe’s New Mandate

This is exactly where the EU Data Act comes in. One of its aims is to reduce dependence on individual cloud providers by setting binding rules, backed by sanctions.[4] It requires providers to ensure interoperability and to remove technical barriers to switching.

Lock-in through proprietary formats, incompatible APIs, or deliberately vague migration paths should no longer be legally possible. Under Article 23, existing barriers must be removed.[5]

Once the technical requirements for migration are met, providers must keep switching costs low – and from January 12, 2027, waive them entirely.[6]

For many decision-makers, this may be perfect timing. The new U.S. administration initially stirred unease, and near-total dependence on U.S. hyperscalers suddenly felt like a real risk.

Even in 2027, not all APIs will be portable and not all systems interchangeable. But anyone launching new services today should ask: How tightly is this tied to the platform’s proprietary features? Are there realistic migration paths? The Data Act will mandate interoperability, but how much of it you can use later will depend heavily on the architectural choices you make now.

When Infrastructure Becomes Portable – New Options Emerge

In the medium to long term, the new requirements could prove a real advantage for regulated companies in particular. Financial regulators have long demanded that exit scenarios be prepared both technically and organizationally[7]– something difficult to achieve until now, partly because key capabilities were missing on the provider side. The EU Data Act changes this: providers must make switching both technically feasible and economically viable. For CTOs, that means when switching becomes possible, exit readiness and standardized interfaces return to the agenda – not just as theory, but as concrete architectural choices.

Multi-cloud strategies could also become more achievable. Problems that today stem from interfaces, incompatibilities, or limited portability should be easier to solve in the future. For POs, that means provider switches or hybrid deployments could not only be technically feasible, but viable for the roadmap.

Anyone now tasked with implementing Data Act requirements should see it as more than just a compliance exercise. The same technical foundations can be used to create meaningful internal data products – real value, not just something that looks good on paper.

This also affects governance : if switching providers becomes not only allowed but enforceable, procurement processes, contract terms, and exit rules will need to be rethought – even at the CIO level.

Maybe the EU Data Act will not only reduce lock-in, but also help European cloud providers like IONOS, OVHcloud, or Open Telekom Cloud become more than just footnote alternatives, now that switching is easier.

Many technical details of the Data Act remain unsettled. What exactly counts as “raw data”? Who decides if a provider is truly switchable? Germany’s implementation law still exists only as a draft from the previous government. Some requirements won’t take effect until 2027; others are awaiting clarification. But anyone who waits now risks missing the chance to design systems for future flexibility – without last-minute, panicked rebuilds.

tl;dr – Now, Next, Action

Identify Cost Drivers and Explore Alternatives

Over the years, many cloud services have become entrenched parts of the system landscape – often for economic and technical reasons, but rarely with any thought to switchability, since changing providers faced too many practical barriers. Now is a good time to expose major dependencies and cost drivers, and assess whether alternatives could make sense in the medium term. The EU Data Act creates, for the first time, a regulatory framework that makes such evaluations realistic.[8]

Review Cloud Contracts for Barriers to Switching

Many existing contracts contain clauses that make switching providers later difficult – such as restricted data access, unclear exit terms, or exclusive use of proprietary formats. The EU Data Act strengthens customers’ position and is expected to give them more power to challenge such barriers when they effectively block switching.

Important Dates:

• January 2, 2024: EU Data Act / Regulation (EU) 2023/2854 takes effect.

• September 12, 2025:

  • The EU Data Act becomes applicable.
  • Chapter IV[9] rgoverns abusive contractual terms relating to data access and use between companies; these provisions apply immediately to all new contracts.
  • Chapter III[10] outlines the duties of data holders when required by Union law to share data; these obligations apply from this date to all newly enacted laws containing such requirements.

• September 12, 2026: All connected products and their associated services must comply with Article 3(2)[11]. Users must be clearly informed before signing a contract about the data that can be generated – its type, format, scope, real-time availability, storage location and duration, access rights, deletion options, and the technical means and terms of use that apply.

• September 12, 2027: Chapter IV[12] also applies to contracts signed on or before September 12, 2025, if they have no end date or run at least until January 11, 2034.

1. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L_202302854  ↩

2. https://www.security–insider.de/us–zugriff–europaeische–cloud–daten–microsoft–digitale–souveraenitaet–a–0e0d349084423354aa06e191f535cbe4/ and https://www.google.com/url?q=https://www.senat.fr/compte–rendu–commissions/20250609/cecommandepublique.html&sa=D&source=docs&ust=1753887314367675&usg=AOvVaw3uSOhHUIwBJSI3k_eSd2gp  ↩

3. https://assets.publishing.service.gov.uk/media/67976c3acbd1e3a508a22c74/AppendixQ2.pdf  ↩

4. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#art40  ↩

5. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#art23  ↩

6. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#art29  ↩

7. see for example BaFin  ↩

8. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#art50  ↩

9. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#cptIV  ↩

10. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#cptIII  ↩

11. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#art3  ↩

12. https://eur–lex.europa.eu/legal–content/EN/TXT/HTML/?uri=OJ:L202302854#cptIV  ↩