The Data Act Explained: How Switching Rights Impact SaaS Providers
The EU’s Data Act, set to apply from September 2025, is a way to give users more control over their data and reduce barriers between providers. It sets new rules that change how SaaS companies design contracts and keep customers.
For companies used to relying on fixed-term subscriptions and predictable annual recurring revenue (ARR), one element of the Act stands out: mandatory switching rights. These rules give customers the ability to move between providers with no more than two months’ notice. We are going to explain more about the Act and how it will impact SaaS providers.
What the Data Act Is Trying to Achieve
The Data Act (Regulation (EU) 2023/1542) was designed to unlock data portability and reduce “lock-in” across digital services. The EU wants to create a fairer, more competitive digital economy, where businesses and individuals aren’t trapped by providers that make it difficult or costly to leave.
For cloud, infrastructure, and SaaS providers, this means contracts must no longer create artificial barriers that stop customers from switching. Migration should be simple, transparent, and free from hidden penalties.
This is a continuation of the EU’s wider digital agenda. Alongside the GDPR, the Digital Services Act, and the AI Act, the Data Act signals Europe’s intention to regulate not only how data is used, but also how companies compete.
Switching Rights Explained
Under the Data Act, SaaS customers must be able to switch providers with no more than two months’ notice. However, this is not a blanket termination right. The provision applies specifically to switching scenarios: customers can initiate a migration, providers are required to maintain service throughout the transition, and once the migration is complete, the contract is terminated.
Fixed-term contracts remain permissible. Providers may continue to offer annual or multi-year agreements, but the traditional approach of enforcing “pay for the full term, even if you leave early” is likely to weaken once switching rights are exercised.
Refunds remain an area of legal uncertainty. The Act does not expressly require providers to reimburse unused prepaid fees. Nevertheless, many legal experts expect that refunds will be necessary, as SaaS is typically classified as an ongoing service rather than a one-off product delivery. In practice, this could require providers to repay customers for unused subscription months.
Finally, by 2027, migration fees will be fully phased out. The clear policy direction is that switching should become seamless for customers. For SaaS providers, this means less revenue certainty, greater exposure to churn, and a need to compete more directly on service quality, transparency, and trust.
The Impact on SaaS Business Models
For SaaS companies, the implications are significant. Here are some reasons why:
Predictability of ARR
Annual recurring revenue is the cornerstone of SaaS growth models. Multi-year contracts, billed upfront, give providers cash flow and forecasting certainty. The Data Act could erode this predictability by making those commitments weaker.
Refunds and Upfront Payments
If regulators or courts decide prepaid fees must be refunded when customers switch early, SaaS providers may find themselves issuing reimbursements for contracts once thought “locked in.” That undermines the traditional ARR model and complicates cash flow.
Early Termination Penalties
The Act allows providers to impose penalties if customers leave early, but only if they’re proportionate and transparent. A penalty equal to the entire remaining contract value would likely be seen as a barrier to switching. Instead, providers may only be able to claim actual net losses, such as onboarding costs or waived discounts.
This is a major shift. SaaS providers will no longer be able to rely on penalties as a deterrent. Instead, they’ll need to justify charges based on real, demonstrable costs.
The Enforcement Challenge
While the Data Act applies uniformly across the EU, its enforcement rests with national authorities, and implementation is proving uneven. Several regulators, including the Dutch Competition Authority (ACM) and Hamburg’s Data Protection Authority, have already acknowledged they are not yet fully equipped to apply the new rules. Current estimates suggest that fewer than half of EU member states have formally designated or empowered their enforcement bodies.
This lack of preparedness raises the risk of fragmented enforcement across Europe. A SaaS provider operating in Germany may face stricter or earlier scrutiny than a competitor in a jurisdiction where national regulators are still catching up.
The European Commission has stressed that it is working with member states to ensure consistent application through mechanisms such as the European Data Innovation Board, but the delays highlight the scale and ambition of this legislation. The consequences of non-compliance are significant; breaches of the Act can lead to fines of up to €20 million or 4% of global annual turnover, whichever is higher.
The Political Debate
Beyond compliance, the Data Act has become a high-stakes political issue. SME associations and business groups broadly support the law, seeing it as a tool to prevent market lock-in, level the playing field, and guarantee fair access to industrial data. Fourteen trade groups, including the European Digital SME Alliance, have recently urged the European Commission to resist efforts to weaken the Act, stressing that it offers vital protections for smaller players and promotes data sharing on fair and transparent terms.
In contrast, large technology companies are pushing for delays and softer enforcement, citing concerns over compliance costs and the risk that certain provisions may stifle innovation. This lobbying has created pressure on EU institutions to adjust or phase in parts of the legislation more gradually.
For SaaS companies, this dynamic means preparing for more than just regulatory compliance. They must also anticipate a shifting legal and political landscape, where interpretations evolve and enforcement intensity may vary across member states. Building flexibility into contracts, pricing models, and compliance strategies will be essential to navigate both the immediate rollout and the longer-term political debate that continues to shape the Act’s future.
Challenges and Grey Areas
Despite its clarity on principles, the Data Act leaves big questions unanswered.
Refunds are unresolved. The legislation doesn’t specify whether providers must repay unused portions of prepaid fees. National courts may take different approaches.
What is “proportionate”? The Act bans excessive penalties, but leaves it to national law to define what counts as reasonable. Providers will need to tread carefully.
Different interpretations across the EU. Without harmonised case law, SaaS businesses operating in multiple countries may face fragmented expectations.
This uncertainty means providers will need to adapt not only their contracts, but also their risk appetite.
How SaaS Companies Can Prepare
Adapting to the Data Act is about proving your business can thrive in a market where customers expect transparency, fairness, and freedom of choice. For SaaS companies, the shift is especially significant. Subscription models rely on sticky customer relationships, but the Data Act lowers barriers to switching, giving users more control over their data and contracts. That means old tactics like locking people in with vague clauses or hidden migration hurdles are no longer sustainable.
SaaS leaders should start by reworking contracts. The days of one-sided terms are numbered. Contracts need to clearly explain switching provisions, exit processes, and migration support. Anything that looks like an attempt to trap customers could invite regulatory scrutiny and erode trust.
Next, redesign pricing strategies. Discounts and incentives tied to long-term commitments are still viable, but they must be structured transparently. Adding clawback clauses ensures customers don’t enjoy preferential rates while leaving early. This protects your revenue without clashing with the spirit of the law.
SaaS providers will also need to document real costs. If you apply early termination penalties or migration fees, you’ll need a defensible record showing these charges reflect actual expenses, not arbitrary deterrents. Regulators and, increasingly, customers will demand evidence.
Financial planning also needs a refresh. Forecasting under the Data Act requires assuming greater churn and less predictable ARR. SaaS companies should build flexibility into models, stress-test different scenarios, and prepare for a reality where switching is easier and loyalty can’t be taken for granted.
Finally, compete on trust. Customers are likely to favour providers who embrace the Act as a chance to show openness, rather than resisting it. By positioning compliance (transparent contracts, fair terms, and easy switching) as part of your brand, you turn a regulatory requirement into a competitive edge.
The Act reflects a broader trend in digital regulation, shifting power away from providers and toward users. For SaaS companies, this means business models must evolve. The companies that thrive will be those that embrace openness, build trust, and compete on service quality, not lock-in.
By 2025, customers will expect freedom of choice. Those providers that make switching easy, transparent, and fair will not only avoid legal trouble but also earn reputational advantages.
The Data Act doesn’t end fixed-term SaaS contracts. But it does demand a new way of thinking about them. The challenge now is to build contracts and businesses that can survive in a world where customers are no longer bound, but choose to stay.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.