Publications

You should read this update if:

• Your company provides or uses data processing services (including cloud or SaaS services) in the EU;
• Your company holds or shares data generated by connected products (e.g. IoT devices);
• You are a CFO or otherwise have an interest in the accounting impact of this law and the statutory provisions that create termination for convenience rights for EU customers; or
• You are considering an investment or an acquisition of a company subject to any of the above.

What is the EU Data Act? The EU Data Act (“Data Act”) establishes harmonized rules on fair access to and use of data within the EU. Note that “data” is defined very broadly and is not necessarily limited to personal data. It also captures technical and other forms of non-personal data. In this context, the law creates significant legal, technical and contractual requirements for companies, including Israeli companies, that fall within the scope.

When is it applicable and enforceable? The Data Act applies since September 12, 2025. However, it is not fully enforceable yet. This is because EU Member States must designate one or more competent authorities to monitor and enforce the Data Act and as of the date of publication of this client update, this process has not been completed. In fact, in some EU countries this is likely to take several months.

What does the Data Act cover? The Data Act covers, among other elements, the following key aspects:

• Requirements on business-to-business and business-to-consumer data sharing in the context of IoT: users of IoT objects are allowed to access, use and port data that they co-generate through their use of a connected product.
• Requirements on business-to-business data sharing: this includes the data-sharing conditions wherever a business is obliged by law, including through the Data Act, to share data with another business.
• Limitations on unfair contractual terms: these provisions protect all businesses, in particular SMEs, against unfair contractual terms imposed on them by larger players.
• Provisions on switching between data processing services: providers of cloud and edge computing services, including SaaS companies, must meet minimum requirements to facilitate interoperability and enable switching.
• Limitations on third country government access to data: non-personal data stored in the EU is protected against unlawful foreign government access requests.

We encourage you to contact us to assess your exposure to these requirements.

What requirements are likely to have more impact on Israeli companies? In our view, the provisions of Chapter VI on “switching between data processing services” are likely to impact many Israeli companies operating in the EU. These provisions are likely to be interpreted as creating a right to terminate certain contracts “for convenience”, potentially impacting traditional metrics of SaaS companies’ evaluation (such as revenue recognition, contract duration or contract-based KPIs). In other words, this could affect long-term and multi-year agreements, potentially disrupting traditional valuation models.

Switching Between Data Processing Service Providers. Impact on Israeli companies.

• What is the overall objective? The Data Act introduces detailed provisions to facilitate switching between data processing service providers and to remove obstacles that prevent customers from changing providers or moving to on‑premises infrastructures. Providers of data processing services must ensure that customers can switch to another provider (or to their own infrastructure) without undue obstacles. This includes removing technical, contractual, and organisational barriers and allowing customers to port their data and digital assets in a structured, commonly used and machine‑readable format.
• What are the contractual implications? The Data Act provides that customers may terminate contracts after completing a switching process. In other words, the Data Act provides for statutory termination for convenience rights, for in-scope agreements. Providers of data processing services are required to include clear contractual clauses on switching, data portability, and termination rights.  The Data Act also allows companies to charge switching fees under certain conditions, as well as early termination penalties.
• Technical implications.  Certain providers are required to adopt reasonable technical measures to ensure that the customer, after switching to a service covering the same service type, achieves functional equivalence in the use of the destination data processing service (including adequate information, documentation, technical support and, where appropriate, the necessary tools). Other providers of data processing services are required to make open interfaces available free of charge to facilitate the switching process. However, the law does not expect companies to develop new technologies or services, or disclose or transfer digital assets that are protected by intellectual property rights or that constitute a trade secret, to a customer or to a different provider or compromise the customer’s or provider’s security and integrity of the service.
• Information requirements. Among other information requirements, providers of data processing services must provide customers with information on switching procedures and maintain an online register with details of all the data structures and data formats, as well as the relevant standards and open interoperability specifications, in which the exportable data are available.
• Are there any exceptions? First, not all contracts or companies are impacted by the Data Act. Contracts and companies with no EU nexus are generally not impacted. Moreover, for the switching provisions to apply, the company in question must be considered a provider of a data processing service. It is worth clarifying that “data processing service” has a different meaning than in the GDPR. A data processing service is defined broadly by the Data Act, and the EU Commission has already clarified that infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) offerings are included in the definition. However, certain provisions do not apply to data processing services where most of the service’s main features have been custom-built to accommodate the specific needs of an individual customer, or where all components have been developed for an individual customer, and where those data processing services are not offered on a broad commercial scale. Furthermore, the switching provisions do not apply to data processing services provided as a non-production version for testing and evaluation purposes and for a limited period of time.

What are the consequences of noncompliance? The Data Act provides for penalties. However, as opposed to the GDPR or the EU AI Act, these measures are not directly included in the law. Instead, the Data Act directs and requires Member States to lay down the rules on penalties applicable to infringements, which are required to be effective, proportionate and dissuasive. In our view, this situation is not ideal since it is likely to result in divergences among EU countries, which will make it harder for companies to assess the relevant risks and adopt a unified approach. As of the date of this update, these penalties have not yet been defined and may vary between Member States.

The Data Act creates a number of practical challenges to Israeli companies that require a cross-sectional approach and several contract strategies. If you would like assistance or would like to discuss these regulatory changes, feel free to contact us.