EU Data Act and Video Conferencing: What SaaS Providers Must Know

Legal disclaimer: This article is for informational purposes only and does not constitute legal advice. If you need guidance on EU Data Act compliance specific to your organisation, please consult qualified legal counsel.

On 12 September 2025, Regulation (EU) 2023/2854, the EU Data Act, became fully applicable across the European Union. If you operate or procure a video conferencing platform in the EU, the rules around data access, switching providers, and contractual lock-in changed significantly on that date.

For many compliance officers and legal teams, the EU Data Act has sat at the back of their regulatory backlog, overshadowed by GDPR enforcement cycles and the EU AI Act. That is a mistake worth correcting now. The Data Act introduces obligations that go well beyond privacy: it restructures how SaaS customers can access their own data, move between providers, and negotiate contractual terms. Understanding what has changed is no longer optional for EU video conferencing users and providers alike.

This article walks through what the EU Data Act actually requires, whether video conferencing platforms are likely in scope, what data must be portable, and how Digital Samba's architecture aligns with these obligations.

Table of contents

1. What the EU Data Act requires from SaaS providers
2. Does the EU Data Act apply to video conferencing SaaS?
3. Data portability for video platforms: what must be exportable?
4. How this differs from GDPR
5. What this means for vendor lock-in
6. Digital Samba's EU-first compliance
7. Compliance checklist
8. FAQ

What the EU Data Act requires from SaaS providers

The Data Act is not a narrow privacy regulation. Its ambition is structural: to open up the EU data economy by removing the technical and contractual barriers that have allowed platform providers to accumulate and hold on to data that their customers generated but cannot easily access or move.

For providers of data processing services, the category that covers cloud and SaaS, four obligations carry the most immediate practical weight.

• Data portability and interoperability. Customers must be able to export their data in structured, commonly used, machine-readable formats. Providers must also offer open, well-documented interfaces (in practice, APIs) that enable data to be transferred to a competing provider or to the customer's own on-premises infrastructure. According to Cooley, providers must enable the transfer of all exportable data and digital assets within a maximum 30-day transition period, extendable only in cases of genuine technical complexity.
• Maximum two-month termination notice. This is the provision that will most directly affect SaaS commercial models. Under Article 25 of the Data Act, customers can initiate a switch at any time and trigger contract termination with no more than two months' notice, regardless of whether they are mid-way through a three-year fixed-term agreement. As Addleshaw Goddard has noted, this effectively operates as a right to terminate for convenience for all cloud customers, irrespective of contract length. Fixed-term contracts remain lawful, and proportionate early termination fees are permitted, but lengthy lock-in periods enforced by contractual exit barriers are not.
• Switching facilitation obligation. Providers cannot simply permit switching in theory while making it painful in practice. The Data Act requires active facilitation: publishing online registers of data formats and switching procedures, providing advance transparency notices, and maintaining business continuity and security throughout a 30-day switching transition period. Providers are not required to rebuild the customer's environment within the destination infrastructure, but they are required to support the migration process.
• Switching fee ban by January 2027. From 11 January 2024, when the regulation entered into force, providers have only been permitted to charge switching fees up to their actual costs of facilitating the switch. From 12 January 2027, all switching charges are prohibited outright, with limited exceptions for parallel-use scenarios where the customer is simultaneously running both the old and new platform. This deadline is fixed and applies regardless of when the original contract was signed.
• Third-country government access (Article 32). This obligation is often overlooked but is directly relevant to any provider positioning itself on data security. Chapter VII of the Data Act requires providers to take all adequate technical, organisational, and legal measures (including contractual safeguards) to prevent unlawful third-country government access to non-personal data held in the EU. Personal data is covered separately by GDPR's Chapter V transfer rules; Article 32 fills the gap for non-personal data, such as machine-generated session data, logs, and usage metadata. When a foreign authority makes a data request, the provider must assess whether it is reasoned and proportionate, challenge orders that conflict with EU law, and if disclosure cannot be avoided, provide only the minimum data necessary. Providers are also required to publish a description of the jurisdiction of their ICT infrastructure and the measures they have taken to resist unlawful third-country access. This obligation applies regardless of where the provider is incorporated or where data is stored. An EU-headquartered company with EU-only infrastructure still needs a documented Article 32 programme.

Together, these obligations shift the balance considerably between SaaS providers and their enterprise customers. Data Act compliance for SaaS is not simply a matter of updating privacy notices; it requires reviewing contracts, technical architecture, and pricing models.

Does the EU Data Act apply to video conferencing SaaS?

The short answer is: most likely yes, but a careful scope assessment is still necessary.

The Data Act applies to providers of "data processing services," defined broadly to cover cloud and edge computing services that provide on-demand access to scalable computing resources. Regulation (EU) 2023/2854 explicitly references IaaS, PaaS, and SaaS as categories within this definition.

However, the European Commission's updated Data Act FAQ has introduced an important nuance, highlighted in Morrison Foerster's December 2025 analysis. Question 58a of the Commission's FAQ clarifies that SaaS solutions fall within the data processing services definition only if they meet all of the hallmark criteria of cloud computing:

• The customer must have access to configurable computing resources (networks, servers, storage)
• The service must allow on-demand provisioning of those resources
• The service must offer rapid scalability with minimal provider involvement

The Commission illustrates this with a concrete negative example: a music streaming platform is not in scope, because users are not contracting to access scalable computing resources, but rather to listen to music. Any data processing involved is incidental to the service's primary purpose.

Where does video conferencing fall?

Video conferencing platforms that offer configurable rooms, programmable recording infrastructure, REST APIs, session management, and scalable media processing are a fundamentally different category from a streaming service. Customers are not simply attending calls. They are deploying a platform with configurable resources, managing data assets (recordings, transcripts, participant data), and integrating via APIs into their own systems. That is precisely the profile of a service contracting for the use of computing resources, not a service that incidentally uses them.

The embedded video conferencing model, where organisations deploy video infrastructure via API into their own applications, reinforces this analysis. When a developer provisions a Digital Samba room, configures recording behaviour, sets role-based access controls, and retrieves session data via REST API, they are interacting with configurable, scalable computing infrastructure. That is the definition of a data processing service under the Act.

That said, legal guidance from firms including Morrison Foerster, Fenwick, and Greenberg Traurig notes that the Commission's FAQ is high-level and leaves room for interpretation. How national regulators will apply the rules in practice is not yet fully settled, and no regulator has ruled specifically on video conferencing. The prudent approach is to treat enterprise video conferencing platforms as in scope and conduct a gap assessment with legal counsel.

Data portability for video platforms: what must be exportable?

The EU Data Act requires that customers can access and export data in structured, commonly used, machine-readable formats. For a video conferencing platform, this covers a broader set of data assets than many providers have historically made available through self-service tools.

• Session recordings. The most obvious category. Video and audio recordings generated during sessions are data the customer produces and must be able to retrieve, export, and transfer. Format requirements point towards standard, non-proprietary containers; MP4 is the established baseline for video recordings.
• Chat transcripts and session metadata. Written communications exchanged during sessions, alongside associated metadata (session identifiers, participant lists, start and end timestamps, duration, and room configuration), constitute a distinct and exportable data set. This metadata is also necessary to make recordings searchable and usable in downstream compliance or archival systems.
• Transcripts, captions, and AI-generated summaries. Where a platform generates transcripts, live captions, or meeting summaries, these outputs are data produced through the customer's use of the service. The Data Act's portability obligations extend to this generated content, and it must be exportable in machine-readable formats.
• Whiteboards, shared files, and content libraries. Collaborative content created within sessions (virtual whiteboard output, documents shared during calls, and any content stored in a platform's library features) is in scope. The Data Act does not limit portability obligations to session recordings alone.
• Format and machine-readability requirements. Exported data must be in formats that can be ingested by other systems without proprietary tooling. JSON and CSV for structured data, MP4 for video, and standard text formats for transcripts and chat are the expected baseline. The Commission has issued Standardisation Mandate M/614 to CEN, CENELEC, and ETSI, who accepted it in July 2025 and are developing harmonised format standards. Until those standards are finalised, there remains some uncertainty about which formats fully satisfy the requirement for specific data types. Providers should monitor the forthcoming harmonised standards for updates.

Separately, enhanced interoperability requirements for cloud services under Chapter VIII take effect on 12 September 2026. These go beyond the September 2025 baseline and introduce additional obligations around how providers must support customers in achieving comparable outcomes in a destination environment. Providers should treat 2025 compliance as a floor, not the finish line.

How this differs from GDPR

The EU Data Act and GDPR cover different ground, and the Data Act does not replace or remove your GDPR obligations.

GDPR governs the protection of personal data: how data about identifiable individuals is collected, processed, stored, and transferred. Its portability provision (Article 20) gives data subjects the right to receive their personal data in a machine-readable format, but only data the individual themselves provided, and only where processing is based on consent or contract.

The EU Data Act applies to both personal and non-personal data and creates rights for customers as organisations, not just individual data subjects. It extends portability obligations to machine-generated session data, metadata, and non-personal usage data that GDPR Article 20 would not cover.

In practice, the frameworks are complementary. Where a video platform processes personal data (participant names, emails, voice data used for transcription), GDPR governs it. Where the same platform generates session recordings, metadata, and usage logs, the Data Act adds access and portability rights on top.

The key practical difference: GDPR Article 20 requests come from individuals and are handled through your data subject rights process. Data Act portability is a contractual and technical obligation owed to your customer as a business, so it must be built into your platform architecture and contracts from the outset.

What this means for vendor lock-in

For many years, multi-year SaaS contracts with lengthy notice periods and high data egress costs functioned as a reliable retention mechanism. Customers might be dissatisfied with a platform but face a realistic exit barrier of twelve months' notice, significant migration costs, and a technical export process that required months of engineering effort.

The EU Data Act takes direct aim at that model.

• The two-month notice right means that any enterprise customer can initiate a switch at any time. The question is no longer whether they are contractually permitted to leave, but whether leaving is technically feasible and whether the data can be transferred cleanly. Providers who have invested in making that process smooth gain a competitive advantage; those who have not are exposed to both legal risk and accelerating churn.
• The switching fee ban from January 2027 removes what has historically been a secondary financial barrier. Data egress charges and porting fees that once made switching economically unattractive will be prohibited. Providers whose retention strategy relied on these charges need to move to value-based retention before that deadline.
• The open API obligation may be the most far-reaching for enterprise buyers. Providers must offer well-documented interfaces that enable customers to extract their data programmatically without depending on the provider's support team or proprietary tooling. For enterprise buyers, the quality of a platform's API is now a compliance criterion, not just a technical convenience. A documented API alone does not satisfy the Data Act's portability requirements, though. The format, completeness, and interoperability of exported data also matter, and the harmonised standards that will define the precise requirements are still being developed.

The commercial implication is clear: Data Act compliance has become a procurement question. Enterprise buyers are starting to evaluate providers not only on features and price, but on the openness of their data architecture and the clarity of their exit process.

Digital Samba's EU-first compliance

Digital Samba was designed with EU compliance as a starting requirement. Several aspects of this architecture are directly relevant to Data Act obligations.

• EU-headquartered and EU-only data residency. Digital Samba is incorporated in Spain and processes all customer data exclusively within the EU, with production infrastructure in the Netherlands, backup in Germany. No application or session data is stored outside the EU. This is primarily a GDPR benefit: it removes the Chapter V cross-border transfer question for personal data entirely. On the Data Act side, the relevant obligations concern data access and portability rather than storage location, so EU residency is a complement to Data Act compliance rather than the foundation of it.
• REST API as built-in portability infrastructure. The Digital Samba REST API provides programmatic access to recordings, session metadata, participant data, transcripts, and room configurations in machine-readable formats (MP4 for video, JSON for structured data). This is not a recently added export feature built to satisfy regulatory requirements; it is the core architecture through which enterprise customers integrate video into their own systems. The same API that powers integrations with CRMs, LMSs, and compliance archival platforms is the mechanism through which data portability is exercised. Customers can schedule automated exports, trigger downloads via webhook events (such as recording.available), and ingest data into their own infrastructure without any manual involvement from Digital Samba's support team. As the Commission's harmonised format standards are finalised under Mandate M/614, Digital Samba will ensure its export formats align with the adopted specifications.
• Open API architecture. The EU Data Act requires that providers offer documented, open interfaces enabling interoperability with other platforms. Digital Samba's API documentation is publicly accessible, versioned, and maintained as a first-class product asset. Customers evaluating Data Act requirements can audit the available endpoints, data formats, and export capabilities before signing a contract. The enhanced interoperability requirements that arrive in September 2026 are on our compliance roadmap.
• Third-country access safeguards. Consistent with Article 32, Digital Samba's EU incorporation and EU-only infrastructure are accompanied by contractual and technical measures to prevent unlawful third-country government access to customer data. Our Data Processing Agreement includes provisions on this point, and the technical controls are documented in our Security Whitepaper. EU residency is part of this picture, but Article 32 compliance rests on the full combination of contractual safeguards, encryption architecture, and documented procedures for responding to foreign authority requests.
• Data Processing Agreement available on request. Digital Samba provides a GDPR Article 28-compliant Data Processing Agreement on request, covering video recording and session data as processing activities. The DPA addresses all material sub-processors and confirms EU-only data residency. To request a DPA, contact dpo@digitalsamba.com.
• Self-hosted AI processing on European infrastructure. AI-powered platform features (transcription, live captions, and meeting summaries) run on self-hosted models deployed by a European-owned AI provider on European-owned infrastructure. No meeting content is sent to external AI services or LLM APIs. This is relevant to Data Act portability because it means AI-generated outputs (transcripts, summaries) are fully accessible via the REST API, without dependency on external provider terms or rate limits.

EU Data Act compliance checklist for video conferencing providers

Use this checklist to assess your current position against the Data Act's core obligations for data processing services. This is not exhaustive legal guidance, so make sure to consult your legal team for a full gap analysis.

1. Scope assessment. Confirm whether your video conferencing service meets the hallmark criteria of a "data processing service" under the Act: configurable resources, on-demand provisioning, scalability. If in doubt, seek legal advice; the default assumption for enterprise video platforms is that you are likely in scope.

2. Contract review. Audit all customer contracts (existing and template) for compliance with the two-month maximum termination notice requirement. Fixed-term contracts and proportionate early termination fees remain permissible, but provisions that effectively prevent switching are not. Contracts signed before 12 September 2025 must comply with Article 13 (unfair contractual terms) by 12 September 2027 if the conditions for delayed application apply (specifically, contracts of indefinite duration or those expiring no earlier than 11 January 2034). Note also that the application of the Chapter VI switching provisions to pre-September 2025 contracts involves some interpretive uncertainty; seek specific legal advice on your existing contract portfolio.

3. Switching procedure documentation. Publish a clear, accessible description of your switching and data porting procedures. This includes available export formats, the technical steps involved in a migration, known limitations, and the timeline for completing a switch (the 30-day transition period baseline).

4. Data export capability audit. Confirm that all key customer data categories are exportable in machine-readable formats: session recordings (MP4), chat transcripts (JSON or plain text), session metadata (JSON), AI-generated transcripts and summaries, whiteboard exports, and shared files. Test the process end-to-end. Keep track of the Commission's harmonised standards work under Mandate M/614, as finalised format requirements will need to be incorporated once adopted.

5. API documentation. Ensure your API is documented, publicly accessible, and covers all exportable data types. The Data Act requires open interfaces enabling interoperability; undocumented or poorly maintained APIs create both compliance risk and customer friction. A documented API is necessary, but also confirm that what the API exports is in formats a destination provider or on-premises system can actually ingest without extensive reformatting.

6. Switching fee review. Identify all fees currently charged in connection with data export, migration, or contract termination. Note that the cost-only cap has been in force since 11 January 2024. Plan for the full elimination of switching fees by 12 January 2027. Review whether current early termination fees are proportionate and clearly documented in customer contracts.

7. Transparency notice. Prepare and publish a transparency notice informing prospective and existing customers about your data processing practices, the types of data processed, storage jurisdictions, and available switching procedures. The Data Act requires this to be maintained as a live, up-to-date register. Under Article 32, this notice should also cover the jurisdiction of your ICT infrastructure and the technical and organisational measures you have taken to prevent unlawful third-country government access.

8. DPA alignment. Review your Data Processing Agreement to ensure it covers all processing activities relevant to the Data Act, including session recordings, AI-generated outputs, and metadata, and that all sub-processors are identified with their EU (or adequacy-covered) locations confirmed.

FAQ

Ready to discuss EU Data Act compliance for your video platform?

If you are evaluating video conferencing providers against EU Data Act requirements, Digital Samba's REST API, EU-only data residency, and open API architecture are built for exactly this standard.

Request our Data Processing Agreement: dpo@digitalsamba.com

Talk to our team to discuss your organisation's compliance requirements and see our API in action.

Download our Security Whitepaper for full technical architecture details, including encryption, data residency, sub-processor documentation, and our Article 32 technical and organisational measures.

References

1. Addleshaw Goddard LLP. (2025, September). EU Data Act: Gamechanger for SaaS contracts.
2. Bird & Bird LLP. (2025). EU Data Act.
3. Bryan Cave Leighton Paisner LLP. (2025, December 3). The impact of the EU Data Act on data processing services agreements.
4. CEN-CENELEC. (2025, July 11). Data Act standardisation request.
5. Cooley LLP. (2025, September 8). PaaS, IaaS or SaaS, be aware: new switching rules will become applicable in EU.
6. Digital Samba. (2026). Security whitepaper: architecture, encryption, and compliance. Digital Samba S.L.
7. European Commission. (2023). Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data (Data Act). Official Journal of the European Union.
8. European Commission. (2025). Data Act explained. Shaping Europe's Digital Future.
9. Fenwick & West LLP. (2025, December). The EU Data Act: what U.S. tech companies need to know about the EU's new data sharing rules.
10. Goodwin Procter LLP. (2025, October 1). Navigating the EU Data Act: key obligations and a spotlight on switching rights.
11. Greenberg Traurig LLP. (2025, September 25). Cloud switching under the EU Data Act: implications for IaaS, PaaS, and SaaS providers.
12. Latham & Watkins LLP. (2025). EU Data Act: what businesses need to know.
13. Morgan Lewis. (2025, September 11). EU Data Act begins September 12, impacting cloud services, connected products, and other data industries.
14. Morrison Foerster LLP. (2025, December 22). Top 10 questions about the EU Data Act.