The EU Data Act (the “Act”) went into effect on 12 September 2025. While the Act is mainly intended to regulate the Internet of Things (IoT) eco-system, many may have overlooked the Act’s Chapter VI, which introduces far‑reaching obligations for providers of data processing services, regardless of their affiliation with the IoT realm. In practice, Chapter VI captures a broad range of cloud service offerings (including many types of IaaS, PaaS, SaaS). This update focuses solely on the main obligations of Chapter VI with implications on Israeli data processing service providers, noting that the Act contains broader obligations for IoT manufacturers and related service providers.
Why this matters for Israeli companies?
The Act applies irrespective of where your company is established. If you make data processing services available to EU customers, the Act applies to you, and you will be subject to significant obligations: you will need to make it easy for customers to switch to your competitors (or move to their own infrastructure); your contracts need to include new mandatory terms; your pricing model may need to be revised, especially around fess charged for exporting data and switching to other service providers, as well as termination fees; you will need to appoint a representative in the EU (to the extent you are not established in the EU). The Act’s obligations could impact your customer retention strategy and revenue model. Enforcement, penalties and terms regarding private rights of action vary among member states. Note that this regime complements (and does not replace) the EU’s General Data Protection Regulation (GDPR) for personal data.
Practical implications: Technical, Operational and Contractual Changes
For covered data processing services, providers must remove obstacles to switching between service providers of the same service type or to on‑premises infrastructure and embed switching in contracts. Key obligations include: allowing customers to initiate a switching process with up to 2 months’ notice; having a default transitional period to complete switching of 30 days (extendable where technically unfeasible); and having a minimum post‑transition retrieval period of at least 30 days. You will need to offer tools and support for data export in simple commonly used methods. Notably, providers must progressively eliminate switching charges: today you may charge switching fees limited to your reasonable direct costs, however such switching fees are prohibited starting January 2027. However, this does not mean that you cannot impose proportional early termination fees in accordance with applicable EU member state laws.
The data to be provided for switching includes data provided by the customer, data generated through customer’s use of the services, and metadata associated with the foregoing. However, this does not include provider’s proprietary intellectual property and data licensed from third parties (not owned by customers).
Contracts with customers should be updated. The Act prescribes several mandatory clauses that need to be included in service agreements for covered data processing services, with respect to mandatory switching terms and include disclosures on related terms and conditions, such as switching fees (for the permitted time-period), timeframes, data formats and other related provisions.
Which Services Are Covered by the Act?
The “data processing services” regulated by the Act are defined as services that enable on‑demand network access to a shared pool of configurable, scalable and elastic computing resources, including centralized, distributed or highly distributed deployments that can be rapidly provisioned and released with minimal management effort or service provider interaction. Such services may include many types of Software-as-a-Services, even if the providers of such SAAS services do not independently provide services that employ such characteristics, but use a third party (like an IaaS) to provide such features to customers.
It is important to note that customers include incorporated entities and large enterprises who contract with the data processing service provider. The scope of the Act does not require customers to be individuals, consumers, SMEs or otherwise have special characteristics.
Action points for Israeli businesses active in the EU
If you are active in the EU, we recommend you assess whether your services qualify as “data processing services” under the Act. If your services fall under the Act, make sure your contracts clearly explain how customers can switch providers and what information they will receive when switching. You should also check if you need to create or update tools for data transfers, and review how your processes interplay with GDPR for mixed datasets.
The above content is a summary provided for informational purposes only and does not constitute legal advice. It should not be relied upon without obtaining further professional legal counsel.
