Dutch Data Act proposals underline impact on cloud software services

The EU’s Data Act was issued on 13 December 2023 and a recent consultation on a draft execution act shows how it will be embedded into the Dutch legal system. The Data Act has direct effect and does not need implementation in each of the EU member states; however, some Dutch legislation must be amended to ensure provisions are in line with the EU Act, resulting in changes for IT firms.

Frederik Harms, tech & trade expert at Pinsent Masons, said: “As of 1 September 2025, under the Data Act all IT providers that provide their services as some form of data processing services should allow and facilitate the transfer of such services to another service provider that offers the same sort of service. This requires change to contracts and may as well require changes as to the IT services providers’ business to ensure interoperability.”

The right to switch services will impact all providers of data processing services in the EU including those providing software-as-a-service (SaaS), as well as platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) solutions.

The Dutch legislation also provides some clarification on a national level and “states that the switching right applies to a broad spectrum of services that are offered by cloud or edge technology, which includes cloud infrastructure services and cloud software services, such as account software and ERP software,” Harms added.

The Data Act focuses on two main pillars: first, on data access and sharing of data connected products and related services; and second, on switching of data processing services. With regard to the latter, the execution act proposals “have provided more clarity as data processing services have to be understood quite broadly,” said Andre Walter, data law expert at Pinsent Masons.

The draft reiterates that the Data Act provides the right to switch data processing services and sets out further details of how this will work. The Data Act provides a “very broad definition that was difficult to apply to the IT landscape”, Walter added.

The Data Act aims to facilitate the ability of service users to transfer between different data processing service providers. It requires providers to remove all obstacles to users switching to other providers while maintaining functional equivalence of the provided service. It also requires providers to inform their customers of their rights and obligations when transferring to a different service, and to facilitate this within reason.

Other important aspects of the Dutch execution act draft include that the Dutch Authority for Consumers and Markets (ACM) has been assigned as the national regulatory authority (NRA) for Data Act enforcement. However, the Dutch Data Protection Authority will be enforcing provisions on making data available to public sector bodies based on exceptional need.

The Dutch Database Act will be amended to ensure that rightsholders cannot invoke database rights to refuse access to data that needs to be shared under the Data Act. Fines for breaching the Data Act can be severe, with potential penalties reaching up to €760,000 or 10% of a company’s annual turnover, whichever is higher.