Introduction: Data Act and SaaS Business

Your customer sends an email: they want to switch service providers mid-contract and request all their data. They mention the EU Data Act. Could your organisation deliver it in a technically and legally sound format?

The question is not only about who owns the data. It is about whether you can deliver it in a way that withstands both technical and legal scrutiny. This situation is the reality for an increasing number of SaaS operators, as the EU Data Act (EU) 2023/2854) has introduced from 12 September 2025 new rules to the market that directly affect cloud service business models. The Data Act uses the term data processing services, which covers, among others, SaaS services. For clarity, this article uses the term cloud services.

This article addresses the impacts of the Data Act on SaaS business and, in particular, the changes the regulation requires in contract terms, data portability, and pricing structures. The key message is that the Data Act necessitates potential changes in at least three contractual areas, and that when properly implemented, these changes can also serve as a competitive advantage.

Content and Scope of the Data Act

At the core of the Data Act is not only access to and availability of data, but also specifically facilitating the switching of cloud service providers and removing contractual barriers. This is not merely an individual compliance requirement but also regulation that reshapes market structure.

Many SaaS companies are already accustomed to the notion that the customer “owns their data.” However, the Data Act takes the discussion further, because merely stating ownership in a contract is insufficient if the customer cannot actually use or transfer their data. The matter must therefore be considered at a deeper level.

The obligations under the Data Act primarily concern data produced by the customer and processed within the service. It does not mean the disclosure of algorithms, source code, trade secrets, or system architecture.

Drawing this boundary is important, but it does not eliminate the core question: does the customer have a genuine ability to switch to another service without technical or contractual barriers making the transition practically impossible?

It should also be noted that micro and small enterprises are, in certain situations, exempt from some of the Data Act’s obligations. In practice, this means that micro and small enterprises are not in the same position as larger operators in all respects. However, each operator must first identify its own position in relation to the regulation before assessing the scope of its obligations.

Contract Terms and Switching Costs

The Data Act compels SaaS companies to re-examine their contract structures. Terms that restrict the customer’s right to obtain their data or that are based on clear contractual barriers may be problematic.

This does not mean that fixed-term contracts will disappear. It means that switching service providers must not be prevented by unreasonable terms or practices. Long contract periods, unclear exit processes, and high switching fees are particularly high-risk.

This is a significant detail that often goes unnoticed in practice. The service provider has the right under the Data Act to charge costs arising from the transfer, but the compensation must be based on actual and justifiable costs. If the fee effectively acts as a barrier to switching providers, it may be contrary to the regulation.

Furthermore, after the transition period, from January 2027 onwards, charging fees related to the switching process will be entirely prohibited. Accordingly, documenting switching costs is also part of regulatory risk management going forward.

A Business Model Without Contractual Barriers

The deeper impact of the Data Act is visible in the business model. Many SaaS solutions have historically benefited from technical or contractual barriers to switching services. When switching is difficult for the customer, retention is high.

The Data Act challenges this thinking. Customer retention must be based on the value of the service, not on the difficulty of leaving. This causes an uncomfortable question. If the customer could leave without friction, would they still stay?

If the answer is not an unequivocal yes, the Data Act serves as a wake-up call.

At the same time, the change offers an opportunity. A company that can openly demonstrate that data is genuinely portable builds trust. Large enterprises and public sector entities, in particular, are paying increasing attention to this during the procurement phase.

Practical Examples: HR and Financial Management SaaS Solutions

HR SaaS Facing a New Situation

Consider a SaaS company offering HR software that has provided its customers with the ability to export data in CSV format, but in practice only from limited reports. Exporting all data has required a separate project and a significant additional fee.

In light of the Data Act, the company must assess whether this model meets portability requirements. Does the customer truly receive all the data they have produced? Is the format genuinely usable or merely nominal? Is any transfer fee justifiable based on actual costs, and does it withstand scrutiny?

Often the answer leads to technical investments: developing API interfaces, documenting the data model, and standardizing processes. This is more than a legal update – it is a structural change to the product.

Financial Management SaaS Solutions

A similar situation applies to financial management SaaS companies, where accounting data, vouchers, and transaction history are stored in a manner that is not currently easily exportable in a structured format to a new system.

In the financial management context, the challenge is particularly pronounced because accounting material retention obligations are long and data integrity is critical. If the customer cannot transfer their historical data in a functional format to a new system, switching providers may be effectively prevented, even if the contract ostensibly permits it.

The industry changes, but the problem remains the same.

Risks of Inaction and Opportunities of Change

Inaction is not a neutral choice. A contractual term may prove to be void, a customer may use the regulation as a negotiating lever, and public procurement opportunities may be lost.

In practice, this means that in contract negotiations the counterparty may demand that the terms compliant with the Data Act and refuse to accept legacy contract templates. In public procurement, Data Act readiness may become a threshold issue that excludes unprepared operators from tender competitions.

Furthermore, in a market where transparency and data governance are emphasized, a reputation based on contractual barriers is not a competitive advantage. It is a risk.

The Data Act is not merely a new obligation. It is a signal to the market that customer retention must be based on the value of the service, not on the difficulty of leaving.

SaaS operators have a choice: implement the minimum requirements or seek to gain a competitive advantage from the change. Those who treat the regulation as merely a minimum requirement will do only as much as is necessary. Those who see it as an opportunity to build transparent and trust-based businesses, and to also receive data themselves and thereby develop, can turn the obligation into a competitive advantage.

Where to Start? Three Concrete Steps

1. Contract audit – Identify which current terms may be problematic in light of the Data Act. Pay particular attention to exit clauses and switching fees.
2. Technical assessment – Determine whether data is genuinely exportable in a structured, machine-readable format without a separate project. Assess the current state of API interfaces and export functionalities.
3. Pricing review – Ensure that current switching costs are justifiable based on actual costs and withstand scrutiny also after 2027.
   If you would like to discuss the impact of the Data Act on your business or need assistance in assessing contract terms, technical portability, or pricing structures, please contact our expert team. We will help you map your situation and plan the necessary measures – whether it concerns a contract audit, technical assessment, or comprehensive Data Act readiness.

As today on 28th January marks the annual Data Protection Day, proper data security remains a key priority. Personal data has become more valuable and more exposed to risk. This article explains what GDPR Article 32 requires and offers insights for Finnish organizations of all sizes. Today is a good time to ask: is your organization ready for a data security incident?

More and more organizations now store data in the cloud, use SaaS platforms and collaboration tools, and rely on AI-powered systems. Data is spread across more places, more people have access to it, and third-party vendors play a bigger role than ever. Meanwhile, cybercriminals have become more sophisticated, using automation and persistent attack methods.

Cyberattacks are now a fact of life for most organizations. Threats are evolving faster than ever and staying protected takes ongoing effort. What worked last year may not work today. Too often, organizations only improve their security after something goes wrong.

The GDPR requires organizations to protect personal data. Article 32 is one of the most important provisions as it sets out what security measures your organization need to have in place.

Article 32 applies to any organization that processes personal data. In practice, this means almost every company in Finland—from small online shops and sports clubs to municipalities and large corporations. The GDPR defines two main roles:

• Controllers decide why and how personal data is processed (for example, an employer keeping employee records), and
• Processors handle personal data on behalf of controllers (for example, an external payroll provider).

This distinction matters because it determines who is responsible for what. Both controllers and processors must meet the requirements of Article 32.

Article 32 also raises a key question: can you explain and justify how your organization protects personal data, especially when systems, vendors, and threats keep changing? How does your organization keep security measures up to date as technology and risks evolve?

Requirements under Article 32

Article 32 does not demand perfect security. What it does require is good decision-making, appropriate technical and organizational measures, and ongoing oversight. Your organization needs to review, test, and update security as your organization, processes, technology and risks evolve. A ‘set and forget” approach will not cut it.

Personal data lives in your systems, is accessed by people, and is often processed in ways that are hard to track. AI and automation have made this data more valuable—and more vulnerable. What was good enough yesterday may not be good enough today.

The GDPR states that security measures must match the level of risk. What counts as ‘appropriate’ will change as your organization, technology, and threats evolve. To ensure your organization is compliant, you need documented evidence that you regularly assess and update your security. The burden of proof falls on the controller. At the same time, authorized users must still be able to access personal data when they need it. Your system must also be able to handle disruptions and recover quickly.

Data security is a governance issue

Data security is not just a technical issue—it is a leadership responsibility.

When a data breach happens, the first questions are not about technology. Questions come from customers, senior management, and the board:

1. What was the cause of this incident?
2. What is the potential damage to the business?
3. Were the risks properly identified and assessed?
4. Could this have been prevented with reasonable measures?

In these situations, what matters most is not whether you had the right tools, but whether leadership was actively involved in data protection. Some breaches happen because of unclear accountability, outdated assumptions about security, or risks that were never reassessed. On the other hand, some breaches happen because of mishandling personal data.

Practical example: The Vastaamo case

The Vastaamo case shows what can happen when data security fails. In 2020, hackers broke into the systems of a Finnish psychotherapy provider and stole tens of thousands of sensitive patient records. They then used these records to extort both the company and individual patients. The Finnish Data Protection Ombudsman fined the company EUR 608,000 for failing to meet Article 32 requirements—including weak encryption, poor log monitoring, and inadequate access controls. The breach destroyed public trust and ultimately led to Vastaamo’s bankruptcy.

How we can help

We help organizations turn GDPR requirements into practical steps that hold up under regulatory scrutiny and reflect today’s technology and threats. We focus on security that works in practice.

1. We assess your data protection against real risks, not just what is written in your policies.
2. We find gaps between what you think is protected and what actually is.
3. We help you build governance structures that grow with your organization.
4. We prepare you to answer confidently when authorities, customers, or the board ask questions.
5. We help you show that your Article 32 compliance is solid and defensible.

This Data Protection Day, ask yourself: could you explain and defend your data protection measures if authorities, customers, or the board asked you to?

Companies that prepare early for the EU’s AI Act will not only avoid fines and reputational damage — they will strengthen customer and investor trust and gain a head start over competitors. This legislation will fundamentally reshape the way AI is used and governed across Europe. Now is the right time to ensure your organization not only meets the new requirements but also turns them into a strategic competitive advantage.

The EU’s AI Act (Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence) will reshape how companies design, deploy, and monitor AI systems across Europe, and management cannot afford to stand on the sidelines. In this blog, we look at what the Act really means for management and how preparing now can protect your business while building lasting trust.

The Role Of Management

The AI Act sets obligations mainly for providers and deployers of AI systems. Even though it does not impose direct statutory duties on individual managers, the overall responsibility for compliance and governance lies with management. This means management must take ownership of creating structures that enable responsible AI use and ensuring sufficient financial and human resources are dedicated to compliance. Oversight cannot be handed over entirely to IT teams or outsourced to service providers.

For Finnish companies, this responsibility rests with boards and executives, who must ensure their organizations are ready to meet not only the legal requirements but also the growing expectations of customers, stakeholders, and authorities. Management needs to demonstrate that effective processes exist for identifying, monitoring, and mitigating the risks connected to AI systems.

Good governance goes beyond ticking boxes. It requires a clear understanding of how AI influences the business model, the organization’s reputation, and the rights of customers and employees. By taking an active role, management not only ensures compliance with the AI Act but also builds resilience against legal, financial, and operational risks, turning responsible AI use into a strategic advantage.

High-Risk AI in Practice

The Act places particular emphasis on high-risk AI systems, such as those used in recruitment, credit scoring, healthcare, and public services. Systems falling into this category are subject to stricter requirements for testing, monitoring, and documentation.

Take the example of a Finnish company using an AI-powered recruitment platform to streamline hiring. While the tool may improve efficiency, the organization must ensure it does not unintentionally discriminate against applicants on the basis of age, gender, or other protected characteristics. Meeting this responsibility requires establishing regular monitoring processes, training HR staff in the responsible use of AI, and maintaining thorough documentation that shows risks have been identified and addressed. Being able to demonstrate these measures is essential if authorities request evidence of compliance.

Why And What Actions Are Needed

The consequences of non-compliance with the AI Act can be severe. Beyond potential administrative fines, organizations risk significant reputational damage if AI is used irresponsibly. Loss of customer trust and public confidence can be difficult to repair, and authorities are likely to scrutinize companies that fail to meet the expected standards.

Neglecting the responsibilities of the Act can expose boards and executives to questions under broader corporate governance and risk management standards, which increasingly emphasize ethical and responsible business practices.

A critical element of readiness is continuous training and education. Boards and executives need to understand the evolving landscape of AI risks, from algorithmic bias to security vulnerabilities. Only by embedding responsible practices and a culture of accountability can management safeguard both compliance and trust in AI-driven operations.

How To Prepare

Now is the time for management to take concrete steps toward AI Act readiness. Priorities may include setting up an internal AI governance group to coordinate efforts, providing targeted training for staff, and reviewing contracts with AI providers to ensure that issues such as liability, risk allocation, and data protection are clearly addressed.

Strong vendor risk management is essential, as the responsibility for compliance cannot be transferred to external providers. Regular audits and ongoing monitoring are particularly important for high-risk AI systems. Management should also embed AI oversight into the company’s broader compliance framework, ensuring that it aligns seamlessly with existing data protection and cybersecurity obligations.

The AI Act should not be viewed merely as a regulatory burden. For Finnish management, it represents an opportunity to demonstrate accountability, strengthen stakeholder trust, and turn responsible AI use into a strategic advantage. Organizations that act early will be best placed to manage risks effectively and to reassure customers, partners, and authorities that their use of AI is both lawful and trustworthy.

The AI Act is more than a regulatory challenge — it is a chance to show that your organization uses AI responsibly and transparently. We help leadership teams build clear processes, train staff, and manage risks so you can confidently tell customers, partners, and regulators: we are ready for the AI-driven future. Start preparing today and get in touch — we will help you turn compliance into a competitive advantage.

---

We are pleased to assist with any questions or challenges related to the Data Act and to support your organization in effectively preparing for these new obligations.