How does data portability affect CADA-mandated migration?

Summary As proposed, the Cloud and AI Development Act (CADA) requires Member States and Union entities to migrate to sovereign cloud services within a maximum 12-month transition period when a risk assessment dictates it. Article 29(6) explicitly mandates that this "reasonable transition period" must account for "technical feasibility, continuity of service and data portability requirements." While CADA does not invent new portability rights, it operationalizes the existing obligations under the Data Act (Regulation (EU) 2023/2854). For technical leaders, this means migration planning must prioritize interoperable formats and automated transfer protocols; failure to leverage Data Act switching mechanisms could jeopardize compliance with the strict 12-month ceiling.

Detail

The intersection of data portability and CADA-mandated migration represents a critical operational constraint for public sector IT architects. The proposed CADA establishes a sovereignty framework that may compel public sector bodies to switch from non-compliant cloud providers to those recognized under specific Union assurance levels. This switch is not discretionary for activities identified as contributing to the preservation of public order; it is triggered by mandatory risk assessments under Article 29.

The 12-Month Migration Clock

The definitive provision governing the timeline is Article 29(6) of the proposed CADA. The text states:

"Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."

This clause establishes a hard ceiling for migration projects. Unlike previous voluntary modernization initiatives where timelines could extend over several years, CADA imposes a strict one-year maximum. However, the text qualifies this as a "reasonable transition period," meaning the actual duration must be justified by three specific, interlocking factors:

1. Technical feasibility: The complexity of the existing architecture and the effort required to decouple from the incumbent provider.
2. Continuity of service: The imperative to maintain operational resilience and avoid service disruption during the switch.
3. Data portability requirements: The legal and technical obligations to transfer data securely, completely, and in a usable format.

Crucially, the 12-month limit is not a "grace period" that can be extended indefinitely due to administrative delays. It is a statutory cap. If a migration cannot be completed within this window because portability mechanisms are insufficient, the public body risks non-compliance with its own risk assessment obligations.

Linking CADA to the Data Act

It is vital to distinguish between the right to portability and the mechanism of portability. CADA does not create a new statutory right to data portability; rather, it relies entirely on the existing framework established by the Data Act (Regulation (EU) 2023/2854).

The explanatory memorandum of the CADA proposal explicitly notes its consistency with the Data Act. It states that the Data Act "enables switching and removing key sources of vendor lock-in" by ensuring cloud computing service providers in the EU compete on quality and innovation. The Data Act grants users the right to switch providers and requires providers to facilitate this switching through specific technical and contractual measures.

Under CADA, the phrase "data portability requirements" in Article 29(6) refers directly to these Data Act obligations. When a public sector body initiates a migration to comply with CADA's sovereignty levels (e.g., moving from a non-assured provider to a Union assurance level 2, 3, or 4 provider), the incumbent provider is legally bound under the Data Act to assist in the transfer. This includes:

• Providing technical interfaces for direct data transfer.
• Supplying data in open, commonly used, and machine-readable formats.
• Cooperating with the new provider to ensure a seamless handover.

Therefore, the "data portability requirements" mentioned in Article 29(6) are not abstract concepts but concrete, enforceable obligations on the outgoing cloud provider. If an incumbent provider fails to meet Data Act portability standards, it creates a bottleneck that could jeopardize the 12-month CADA deadline. The CADA framework effectively turns the Data Act's switching rights into a compliance prerequisite for meeting the migration timeline.

Strategic Implications for Migration Planning

For CTOs and architects, the reference to data portability in Article 29(6) signals that migration readiness is now a compliance metric. The "reasonable transition period" is not a blank check for delay; it is a window that must be actively managed. If data portability is hindered by proprietary formats, lack of API access, or insufficient technical interfaces, the migration may fail to meet the 12-month limit.

Consequently, the CADA framework incentivizes the adoption of multi-cloud strategies and open standards from the outset. By reducing dependency on proprietary ecosystems, organizations can ensure that when a risk assessment triggers a mandatory migration, the technical feasibility is high and the portability requirements are easily met. The Data Act's requirement for "switching" becomes the engine that drives the CADA migration clock.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA, the linkage between data portability and migration timelines requires immediate strategic adjustments.

1. Audit Your Portability Readiness Now Do not wait for a CADA risk assessment to trigger migration. Conduct a portability audit of your current cloud estate. Can you extract all data, including metadata and configuration settings, in machine-readable formats? If your current provider uses proprietary locks that hinder automated extraction, you are already at risk of missing the 12-month CADA deadline if a switch becomes mandatory. The "technical feasibility" factor in Article 29(6) will be scrutinized against your actual ability to port data.

2. Leverage Data Act Contracts Ensure your cloud service contracts explicitly reference the Data Act's switching obligations. When negotiating with incumbent providers, clarify the technical interfaces available for data transfer. If the current contract lacks these provisions, initiate amendments immediately. Under CADA, the inability to port data efficiently is a valid reason to justify a full 12-month transition period, but it is a defensive argument, not a strategic advantage. You must prove you attempted to utilize the Data Act mechanisms.

3. Design for Sovereign Switching Architect your systems with modularity in mind. CADA's sovereignty framework may require moving specific workloads to Union assurance level 2, 3, or 4 providers while keeping others elsewhere. Your architecture must support granular data portability, allowing you to move specific datasets without disrupting the entire environment. This aligns with the Data Act's goal of enabling multi-cloud approaches and ensures you can meet the "continuity of service" requirement in Article 29(6).

4. Document Technical Feasibility If a migration is complex, document the technical constraints thoroughly. Article 29(6) requires you to consider "technical feasibility." If data portability is slow due to the volume of data or lack of APIs, this documentation will be essential to justify a full 12-month transition period to regulators. Without evidence of active portability efforts, the "reasonable" period may be deemed shorter than 12 months.

5. SMEs: Compete on Portability For SMEs providing cloud services, demonstrating robust data portability capabilities is a competitive differentiator. Public sector buyers under CADA will favor providers who can facilitate rapid, low-risk migrations. Highlight your compliance with Data Act portability standards in your technical proposals to assure buyers that you can meet the 12-month migration mandate.

Common misconceptions

Misconception 1: CADA creates new data portability rights. No. CADA does not create new rights. It relies entirely on the Data Act for the legal basis of data portability. CADA merely sets the deadline and the context (sovereignty risk) for exercising those rights.

Misconception 2: The 12-month period is a fixed deadline for all migrations. Article 29(6) specifies a "reasonable transition period that shall not exceed 12 months." The actual duration depends on technical feasibility, service continuity, and portability requirements. Simple migrations may take weeks; complex, large-scale data transfers may take the full 12 months, provided the complexity is justified by the portability requirements.

Misconception 3: Data portability only applies to personal data. While GDPR governs personal data portability, the Data Act extends portability rights to non-personal data and business data in cloud computing contexts. CADA's reference to "data portability requirements" encompasses all data processed by the cloud service, including metadata and telemetry, which are critical for full service migration.

Misconception 4: Migration is optional if portability is difficult. No. If a risk assessment under Article 29 determines that a public sector activity requires a higher assurance level, migration is mandatory. Difficulty in porting data does not exempt the entity from migrating; it only influences the timeline within the 12-month cap.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• CADA Migration: How long is the transition period for mandated cloud migration?
• What triggers cloud migration after a CADA risk assessment?
• CADA Risk Assessments: Commission Guidance, Methodology & Data Mapping
• How should data sensitivity be classified for CADA assurance levels?
• How does data sensitivity factor into a CADA risk assessment?

This is general information about a draft EU regulation, not legal advice.