The EU Data Act  (Regulation (EU) 2023/2854) applies from 12 September 2025 to switching between data processing services (with some exceptions). For providers of what the Data Act calls “data processing services,” the compliance calendar is no longer theoretical.

The definition of “data processing service” in Article 2(8) of the Data Act is deliberately broad. It covers any digital service provided to a customer that enables on-demand access to a configurable pool of shared and distributed scalable computing resources. The full definition imports several cumulative criteria drawn from the EU cloud definition ecosystem.

However, one element in particular deserves close attention because it does the heaviest sorting work between what is and is not caught: the requirement that the service can be rapidly provisioned and released with minimal management effort or service provider interaction.

Why This  Element of “Rapid Provisioning” Matters?

The Data Act’s obligations for data processing services are significant. Getting the scoping question wrong has direct commercial and legal consequences: providers who incorrectly assume they fall outside the definition will find themselves non-compliant when a customer invokes switching rights; providers who assume they are covered when they are not may take on unnecessary compliance costs or, more problematically, make misleading representations to customers about their rights.

What are the origins of Element “Rapid Provisioning”?

The rapid provisioning criterion is based on the NIST cloud computing definition (SP 800-145). Its purpose is to distinguish genuinely elastic, self-service digital infrastructure and platform services from other categories of IT supply. As confirmed by Recital 80 of the Data Act (which breaks down the elements of the Article 2(8) definition), the legislature deliberately adopted a technologically neutral and functional approach — what matters is how the service operates, not what it is called.

The “NIST roots” of definition of “data processing services” is also explained in Commission’s Frequently Asked Questions about the Data Act, see answer to question 58a (Version 1.4, 22 January 2026): “This definition builds on the widely and internationally accepted definition of cloud computing by the National Institute of Standards and Technology...”

In the “original” NIST definition, words “rapid” and “provision” come up in Essential Characteristics:

  • “On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.”
  • “Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.”

What does “Rapid Provisioning” mean under EU Data Act?

According to the EU Data Act definitions, “data processing service” means a “digital service that is provided to a customer and that enables ubiquitous and on-demand network access … that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

Recital 80 of the Data Act explains such “minimal effort and interaction” related to rapid provisioning as follows: “The capability of the customer of the data processing service to unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the provider of data processing services could be described as requiring minimal management effort and as entailing minimal interaction between provider and customer.”

Further explanation is provided in Commission’s Frequently Asked Questions about the Data Act, see (relevant part of) answer to question 58a:

Chapter VI of the Data Act does not make a distinction between different types of SaaS, and thus applies to all SaaS types which display the characteristics listed in the definition of data processing services:…

  • They enable on-demand network access, meaning that a customer can unilaterally provision these computing resources which are available over the network and through standard mechanisms, for example via mobile phones, laptops, or workstations;
  • They can be rapidly provisioned and released with minimal management effort or service provider interaction, which implies that the unilateral provision can be done without significant intervention from the service provider and can be deployed quickly, allowing organisations to start using the resources almost immediately;...”

Comparing the Data Act to the root source of widely and internationally accepted definition of cloud computing by the National Institute of Standards and Technology, which essentially covers (only) On-demand self-service which can unilaterally provisioned, as needed automatically without requiring human interaction. However, the Data Act permits some “minimal effort and interaction” to take place, for the respective Cloud Service or SaaS Service to be in the scope of Data Act, as long as such minimal effort and interaction can be done without significant intervention from the service provider and service can be deployed quickly, allowing organisations to start using the resources almost immediately.

Tips and Advice for Providers of Cloud Services and SaaS Services

Do not assume that marketing terminology determines legal classification. A service marketed as “managed services” or “IT outsourcing” may still be a data processing service if it meets the EU Data Act definition of “data processing service”. Equally, a service marketed as “cloud” or “SaaS” may fall outside the definition.

Note also that under EU Data Act

  • Business-to-buseinss (B2B) agreements are covered, not only consumer agreements. Customer in Data Act means a “natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services”
  • Switching requirements require that also the Customer’s new provider’s cloud service or SaaS services fall within the scope of “data processing service” (See article 23 of Data Act).
  • Data Processing Services custom-built to accommodate the specific needs of an individual customer have their own regime under Article 31