The EU Data Act and SaaS: How to secure annual recurring revenue amid mandatory termination rights

The EU Data Act will apply from 12 September 2025. Thus far, much of the attention has focused on the IoT side of the regulation, specifically on data holder obligations and data sharing. Discussion around Chapter VI of the Act concerning switching between data processing services (such as IaaS, PaaS, and SaaS) and its implications for such services has been relatively sparse. Yet, this Chapter’s provisions will undoubtedly have a major impact on how our cloud-connected world operates in the future, particularly in Europe. One of the most significant issues in Chapter VI is its potential to impact the annual recurring revenue (ARR) of SaaS companies.

The Data Act can be interpreted as mandating contractual provisions that give customers the right to terminate data processing service contracts for convenience, likely even if the term of such contract is fixed. This may have a significant impact on ARR. Alongside these ARR implications, it is important to note that Chapter VI also imposes further requirements on data processing service providers to remove obstacles to effective switching, including technical, informational and transparency obligations, as well as the removal of switching. However, this article focuses solely on the ARR aspect.

The importance of ARR

ARR is one of the most crucial performance indicators for SaaS companies. It often serves as the foundation for company valuation and is a key metric in sales incentive programs. A common SaaS company valuation model is based on a multiple of ARR, with historical averages in the range of 5–15 × ARR.

There are two main paradigms for calculating ARR, each affecting revenue stability differently:

• The conservative way: This approach counts only solid annual purchase commitments, such as annual subscriptions, toward ARR. If a customer has a month-to-month service or the right to terminate a service for convenience, the revenue generated by such a customer does not contribute to ARR. This approach makes ARR more stable and predictable, mitigating certain risks associated with short-term customer churn.
• The flexible way: In this approach, ARR is calculated as the company’s monthly recurring revenue (MRR) at a given point in time (for example, subscription fees for M1Y2024) multiplied by 12. This approach allows for more variance from month to month and can therefore fluctuate significantly based on factors such as customer churn. This may be useful for rapidly growing companies but may introduce instability and unpredictability.

SaaS as data processing services

Articles 23(a) and 25(c)–(d) of the Data Act state that data processing service providers cannot limit a customer's right to terminate the service contract after a maximum notice period of two months and the successful completion of the related switching process (if relevant). In short, customers have the right to terminate data processing services for convenience.

Data processing services, in turn, are defined as digital services that enable ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction. Recital 81 clarifies that these services include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

While the recital does not allow for the conclusion that all SaaS are necessarily data processing services, it creates a strong presumption in this regard. It may be possible to argue that certain SaaS solutions don’t meet the full definition of a data processing service, but this approach is challenging and may lead to unpredictable outcomes.

The upshot is that Chapter VI could be read as giving all SaaS customers a mandatory termination-for-convenience right, even in cases of fixed-term contracts, which could render the conservative ARR for these companies effectively zero.

Mitigating ARR impact

Recital 89 of the Data Act may offer a solution, as it states that nothing in the Act prevents the parties from agreeing on contracts for data processing services of a fixed duration, including proportionate early termination penalties to cover the early termination of such contracts.

This recital is somewhat ambiguous. One interpretation could be that, in the case of fixed-term SaaS contracts, the customer’s termination rights under Chapter VI do not apply. This interpretation would be brave and contentious in equal measure.

A more practical interpretation, and one likely sufficient for most SaaS companies, would acknowledge that customers do have early termination rights as set out in Chapter VI, even for fixed-term contracts, but impose early termination penalties.

The Data Act does not provide much guidance on what constitutes a “proportionate” early termination penalty. The most natural approach would be to tie the penalty to the payments the customer would have made during the remaining fixed term of the contract, potentially stating that the penalty equals such payments. This arrangement would allow a customer to terminate a fixed-term SaaS contract for convenience but would require them to pay out the remaining term (or a portion of it), thus mitigating the impact to even conservative ARR calculations.

Article 29(4) of the Act also requires that service providers inform customers of any early termination penalties before entering into a contract, which underscores the need for clear communication around any such mechanism.

What should SaaS companies do?

To prepare for the Data Act and mitigate its impact on ARR, SaaS companies operating in the EU should consider taking the following steps:

1. Determine whether your services fall under the Data Act’s definition of 'data processing services'.
2. If the answer is yes, establish a policy for handling early terminations, particularly with regard to early termination penalties. An ARR-neutral solution would involve setting penalties equivalent to the payments the customer would have made over the remaining fixed term.
3. Before 12 September 2025, update your service terms to include a mechanism for early termination penalties (alongside other contractual terms related to switching as required by Article 25) and notify existing customers of this inclusion.
4. As of 12 September 2025, inform all new customers of early termination penalties before entering into contracts.

Early preparation is crucial for SaaS companies to align their policies with the Data Act and to secure ARR. Should you require assistance with any of these actions, other measures required under Chapter VI, or the Data Act in general, our team at Krogerus would be more than happy to help.