What is the essence of 'vendor lock-in,' an obstacle to cloud migration? Today, countless businesses easily store and process data using cloud services. But imagine this scenario: you've stored your data with a particular cloud service, and unexpectedly, you try to migrate to a competing service with better terms, only to face difficulties due to technical barriers imposed by your current provider. This situation is commonly referred to as 'vendor lock-in.' This issue is more than just an inconvenience; it acts as a factor that hinders business operations and competitiveness, and can be an even greater burden for small and medium-sized enterprises (SMEs). The recently announced 'EU Data Act' by the European Union (EU) is shaking the global financial and IT industries by declaring its intent to fundamentally change these vendor lock-in practices. Vendor lock-in refers to the practice where a specific cloud service provider's technology, pricing policies, or contractual terms make it difficult for consumers to switch to other services. For instance, using proprietary APIs or data formats of a particular cloud platform can make migration to another platform technically complex and incur enormous costs. Furthermore, some providers impose high fees for data transfer or include long-term commitments in their contract terms, effectively tying down customers. Such situations not only limit users' freedom of choice but also suppress market competitiveness and can lead to consumer harm. To address these issues, most provisions of the EU Data Act came into effect on September 12, 2025. However, key requirements concerning the enhancement of cloud service interoperability are scheduled to apply from September 12, 2026. This law aims to significantly reshape the rules for cloud service contracts, particularly for Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), thereby laying the groundwork for users, small and medium-sized enterprises (SMEs), and even large corporations to benefit from fairer services. Through this, the EU has expressed a strong commitment to substantially reduce the effects of vendor lock-in in the cloud market and facilitate transitions between service providers. One of the core elements of the EU Data Act is ensuring the portability of cloud services. This complements the data portability right under Article 20 of the EU General Data Protection Regulation (GDPR). While GDPR primarily focused on the mobility of personal data, the Data Act strengthens the mobility of all cloud data, including non-personal data. Users must be able to easily transfer their existing data and settings to another cloud provider without technical hindrance. To achieve this, the EU has mandated the removal of contractual and technical barriers to data migration between service providers. Specifically, cloud providers must support standardized data formats and APIs and provide technical tools for data extraction and transfer. Additionally, the Act stipulates that pricing policies related to data transfer and contract termination must be transparently disclosed. Many cloud providers have charged high 'egress fees' for data transfer, but the Data Act requires these costs to be clearly revealed and limited to a reasonable level. This can be seen as a cornerstone for promoting competition in the cloud market while also providing universal access to cloud migration for smaller businesses. Given that SMEs typically have weaker bargaining power and limited technical capabilities compared to large corporations, these regulations are expected to significantly boost their adoption of cloud services. Furthermore, the Act has greatly expanded user access rights to data generated by connected products. Data generated by IoT devices such as smart home devices, connected vehicles, and industrial equipment must now be directly usable by the user or a third party designated by the user, and data providers must ensure that such data is provided in a structured, commonly used, and machine-readable format. In this context, data, whether personal or non-personal, must be provided to the user free of charge. When providing data to a third party, the data holder may request reasonable compensation, but this is limited to the direct costs incurred in providing the data. For example, actual server costs or network costs for data transfer can be charged, but amounts including excessive margins cannot be demanded. EU Data Act: A Strong Step Towards Data Democratization These provisions are expected to accelerate Data Democratization. Previously, manufacturers or service providers exclusively owned and utilized data generated by IoT devices, but now users will be able to directly manage and utilize data generated by their own devices. This strengthens individual users' control over their data and provides businesses with opportunities to foster data-driven innovation. For example, manufacturers can anal
Related Articles