The Data Act and cloud contracts: What startups need to know about unilateral changes

The Data Act as a new benchmark for cloud contracts

The Data Act is often seen primarily as European legislation on data sharing, IoT and interoperability. That picture is correct, but it is not complete. Indeed, there is another relevant track for B2B cloud contracts: the law introduces a framework for fair, reasonable and non-discriminatory contract terms, also known as FRAND.

For startups and scale-ups, this is not a theoretical detail. Many young tech companies are building their product, infrastructure and internal processes on cloud services from a limited number of suppliers. Especially then, it matters a lot whether a provider can independently adjust terms, service levels or other contractual agreements. What used to seem like practical flexibility can in practice turn into uncertainty, vendor lock-in or extra costs.

At Startup-Recht, we regularly see that founders and legal teams pay particular attention to price, uptime and security. But the amendment clause is just as important. The Data Act and the associated standard clauses of the European Commission set a new bar for this.

Why the Data Act is also relevant to cloud contracts

Since September 12, 2025, the Data Act has been applicable. In the market, this is primarily known as legislation that promotes access to and use of data. In addition, the Data Act regulates data portability, interoperability and switching between cloud providers, among other things.

The latter is essential for B2B cloud contracts. The European legislator wants to remove barriers that business customers stick to one provider. That is why the Data Act contains rules about switching and exit, such as phasing out switching costs, technical support for migration and continuity of service during the transition.

This is relevant for startups and scale-ups because dependency on one cloud supplier often occurs faster than expected. Especially in growth phases, technical choices are made under time pressure. What starts as an efficient choice for one platform can later develop into a contractual and operational dependency that is difficult to reverse. The Data Act does not try to completely remove that dependency, but it does try to limit it.

In addition to switching and exit, article 41 is particularly important. This article is about fair, reasonable and non-discriminatory terms in B2B cloud contracts. To help parties do this, the European Commission has published standard contract clauses. They are not mandatory, but they do show what the Commission thinks a balanced cloud deal should look like.

Unilateral change rights are very common in cloud contracts

In many cloud contracts, the provider reserves the right to unilaterally change terms or services. Sometimes this is explicitly stated in the agreement. Sometimes it happens indirectly, for example because the contract refers to online documents, such as terms of service, SLAs, or policies, that can later be amended without the customer's active consent.

This can easily be explained from the provider's perspective. Cloud services are usually delivered at scale to many different customers at the same time. Standardisation is then crucial. Providers don't want to have to renegotiate for every customer if a service is modified, new functionality is rolled out, or a security measure is needed.

In addition, the cloud market is moving rapidly from a technical point of view. New features, vulnerabilities, compliance requirements and market standards follow each other at a rapid pace. From the supplier's point of view, it is logical to then keep space to let contracts and service descriptions move along. This flexibility is also attractive legally and operationally, especially for providers who are active in multiple countries.

However, there is a clear downside to this for customers. A broad change authority can lead to uncertainty about exactly what has been agreed and what will still apply tomorrow. Think about changes in service levels, pricing mechanisms, functionalities or the way in which a service is delivered. For a startup, this can directly affect product development, internal processes, compliance and budgeting.

Those risks increase when a company is highly dependent on one provider and has few effective remedies. In such a situation, a customer can actually do little more than accept a change, even if it is commercially or operationally unfavorable.

What the Data Act standard clauses try to change about this

On November 19, 2025, the European Commission published voluntary standard contract clauses for cloud contracts under the Data Act. An important part of this is the non-amendment approach: as a starting point, neither party may unilaterally change a cloud contract.

That is a remarkable starting point. In cloud practice, a certain amount of unilateral adjustment is actually common. The standard clauses reverse that and start from contractual stability. The idea behind this is clear: parties must be able to rely on the rights and obligations they agreed upon when concluding the agreement.

For cloud customers, that sounds attractive. In principle, more predictability means fewer surprises. This is extra important for startups and scale-ups, as they often work with limited legal and operational capacity. An unexpected change in a core service can have a disproportionate impact on a small or growing team.

At the same time, the Commission is introducing exceptions. Under certain circumstances, the provider may nevertheless propose unilateral changes. In doing so, the model tries to find a middle ground between stability for the customer and the necessary flexibility for the supplier.

The first exception: changes due to new legislation

The first exception concerns changes that are necessary to comply with new mandatory legislation that was not in force at the time the cloud contract was concluded. In such a case, the provider may amend the agreement to remain compliant.

That sounds practical, but this is where difficult questions arise. The standard clauses mainly work from the position of the cloud provider. They don't really regulate what to do if new regulations lead to additional requirements on the customer side. This can be very relevant for certain sectors or customer groups.

For tech companies that are active in regulated markets, that can be chafing. After all, not every legal change affects provider and customer in the same way. Sometimes there is even tension between rules that apply to the supplier and rules that apply to the customer. Then it's not enough to just say that the provider can change due to legislation. The real question is how parties deal with conflicting compliance interests.

There is something else to add. New legislation leaves room for interpretation. A provider may believe that a certain change is legally necessary, while the customer sees it differently. Other market parties can also come to a different explanation. The standard clauses do not provide a clear solution to such differences in interpretation. For the customer, this is a weak point, because invoking “new legislation” can quickly become a difficult ground for a contract change to be tested.

For startups and scale-ups, this means that a legislative amendment clause should not be too open. In practice, it is wise that the agreement leaves room for consultation, explanation and a structured process when a provider invokes new legislation. This is where the difference often lies between a workable and a risky cloud deal.

The second exception: changes that are beneficial to the customer

The second exception concerns changes that are beneficial to the customer's use of the cloud service. The standard clauses, for example, mention substantial improvements to the service and updates that are necessary for security purposes.

On paper, this also makes sense. Not every unilateral change is disadvantageous. Some adjustments make a service better, safer or more efficient. However, qualifying “beneficial for the customer” is less simple than it seems.

A new functionality can be an improvement for one customer and may involve extra work or risk for the other customer. A security update may be necessary, but also have an impact on integrations, internal processes or compliance. So the question is not only whether a change is positive from an abstract point of view, but also what the concrete consequences are for the specific customer.

That is precisely why the standard clauses require that the provider may not make such changes overnight. There are information and transparency obligations. The customer must be informed in good time, in principle at least thirty calendar days in advance. In addition, the provider must clearly explain what the change entails, why the provider believes it benefits the customer, what the difference is with the existing situation and what contractual, financial, organizational, operational and compliance consequences the change may have.

That is a step forward. It forces providers to make their change proposal more concrete and transparent. This is valuable for customers, because it allows them to better assess what an adjustment means in practice.

However, an important point remains here as well. If the conditions are met, the standard clauses assume that the change is accepted. In other words: there is no fully-fledged built-in appeal procedure. For cloud customers, this is a relevant loss. Because transparency is useful, but without a clear right to object or terminate the contract in the event of an undesirable change, the negotiating position remains limited.

Which parts should not be adjusted unilaterally

The standard clauses draw clear boundaries on a number of topics. Certain contractual parts may not be changed unilaterally by the provider, even if, in the opinion of the provider, the change would be beneficial to the customer.

This includes the choice of applicable law and forum, the contract modification procedure, term and termination, liability, confidentiality, agreements about subcontractors and their modification, access and information rights, quality service level objectives, pricing mechanisms and other financial terms, and the location of data processing or storage outside the EU.

This is an important signal for startups and scale-ups. These are exactly the components that have a lot of influence on risk distribution, governance and operational continuity. A price change, a change in service levels, or a shift in data location can have a direct effect on runway, compliance, and product architecture. The fact that the standard clauses require mutual consent on these points is well in line with the idea that the core of the deal should not be able to shift silently.

What happens if the provider doesn't follow the rules?

If the provider does not comply with the conditions for a permitted unilateral change, the standard clauses provide the customer with various remedies. The customer must then be able to terminate the agreement at no additional cost and claim compensation, including costs of switching to another provider.

In addition, other remedies remain open in principle. So the customer can do more than just cancel. This makes the regulation more serious than a mere symbolic obligation to provide information.

In practice, this is relevant because remedies only really give meaning to contractual boundaries. An amendment clause without consequences in case of abuse is often of little value. At the same time, the question remains how much comfort these remedies offer in practice to customers who are deeply embedded in a cloud environment. On paper, termination can be a strong option, but operationally, this is far from always an attractive or feasible scenario.

That is precisely why it is smart for startups to not only look at the right to leave, but also at the question of how feasible departure actually is. An exit right without a realistic switch offers less protection than it seems at first glance.

Why this is extra important for startups and scale-ups

For large companies, an unfavorable contract change is often annoying. For a startup or scale-up, the same change can immediately be strategic. Think of a change that affects integration with the product, involves new internal activities or has unexpected financial effects. In a growth phase, these consequences add up quickly.

In addition, young tech companies often work with standard terms and conditions from major suppliers. The room for negotiation is then limited. It is precisely in that playing field that standards of fairness, transparency and contractual stability are important.

At Startup-Recht, we therefore see that cloud contracts often only get real attention when there is already an issue: a price increase, an adjusted SLA, a security update with an impact on the product, or an exit issue after rapid growth. The Data Act makes it clear that these topics are not separate from each other. Unilateral change rights, switching options and contractual fairness are closely related.

This is also relevant for investors and management teams. A company that relies heavily on one cloud provider, but contractually has little control over changes, builds up an operational risk. That doesn't have to be a deal breaker, but it is something that needs to be identified early.

Will these standard clauses soon become the market standard?

The standard clauses are voluntary. This means that parties are not obliged to take over them. However, it is quite possible that in practice, they will gain more weight than their formal status suggests.

Because they are published by the European Commission and are in line with the principles of the Data Act, they can become a reference point for what is seen as fair and balanced in B2B cloud contracts. This can affect how market parties negotiate, but also how supervisors, judges and public customers look at cloud contracts.

This does not automatically mean that the standard clauses will literally become the new norm. They also contain too many open questions and practical tensions for that. For example, they do not really offer the customer a detailed objection mechanism, while the provider does have room to make changes under certain circumstances. The clauses for providers can also lead to more rigidity, more contract management and possibly higher execution costs.

There is therefore a real chance that the market will not adopt these provisions one-on-one, but will use them as a negotiating anchor. This is actually relevant enough for startups and scale-ups. Even if the model clauses don't literally end up in a contract, they can set the tone for what you can reasonably ask for or expect in a cloud negotiation.

What you should pay attention to in practice

The most important lesson is that an amendment clause in a cloud contract is not an afterthought. For startups and scale-ups, it is wise to take a close look at how changes are contractually arranged. Not only in the main agreement, but also in online documents that are referred to.

In any case, note whether the provider can make changes without active consent, which topics are excluded, how much prior notice is given, and what information the provider must provide about the impact and reason for the change. It is just as important whether there is room for discussion, objection or termination if a proposed change is unworkable for your organization.

The relationship with switching and exit also deserves attention. The more dependent you are on one supplier, the more important it becomes not only to look at the change authority itself, but also at the practical feasibility of a switch if things go wrong.

Conclusion

The Data Act is therefore about more than just sharing data. For cloud contracts in B2B relationships, the law also puts pressure on a practice that was fairly normal for years: broad unilateral change rights for cloud providers.

The European Commission's standard clauses try to bring more stability and fairness, but do not do so entirely without friction. They offer cloud customers more guidance, especially through transparency, restrictions on certain core topics, and remedies for incorrect changes. At the same time, important questions remain open, for example about objection rights, interpretation of new legislation and the practical balance between customer protection and the necessary flexibility for providers.

For startups and scale-ups, the message is clear. Those who conclude or renegotiate cloud contracts would do well not to discard change rights as a standard boilerplate. This is where it is determined how much control you have on costs, compliance, continuity and scalability as your company grows.

‍