The Data Act Gave You the Right to Exit. Your Compliance Records Are Still Locked In.
Analysis of the EU Data Act's cloud switching regime, active since September 2025, and its intersection with AMLR retention obligations. Argues that management companies and TCSPs have a legal right to exit their compliance SaaS providers but lack the architectural prerequisites to exercise that right without losing evidentiary integrity.
The EU Data Act has been in force since September 12, 2025. Article 23 gives every B2B cloud customer the right to switch providers on two months' notice. Article 25 gives them the right to retrieve all their data within a 30-day window. Article 29 prohibits data egress fees entirely from January 12, 2027.
These are live rights, not future obligations. For management companies and TCSPs whose KYC and AML records live inside compliance SaaS platforms, the gap between the legal right and the operational reality is the story that compliance teams have not yet told themselves.
The January 2027 Milestone Is Not the Interesting One
The fee ban is the headline. The format question is the substance. Nineteen months from now, the last commercial barrier to switching cloud and data processing providers disappears. Providers may no longer charge for data egress, for the technical work of facilitating a switch, or for early termination under the Data Act. This has been covered extensively in cloud procurement circles as a significant commercial event.
For management companies and TCSPs in Luxembourg and Mauritius, the fee elimination is the wrong variable to watch. The question is not whether switching will be commercially possible. Under Article 23 of the Data Act, it already is. The question is whether the compliance records held on third-party platforms can survive a switch in a form that satisfies the CSSF, the FSC, or the AMLA if examined after the move.
What the Data Act Actually Requires from Providers
The switching provisions apply broadly and are in force now. The Data Act's switching rules cover data processing services, a category that reaches IaaS, PaaS, and SaaS. For a compliance officer at a Luxembourg management company, this means the KYC screening vendor, the AML risk platform, and the document management system holding CDD files are all within scope.
The specific obligations on providers are three-layered. First, providers must facilitate switching without imposing technical, commercial, or contractual barriers. Second, they must make all customer data available in open, commonly used, machine-readable formats during the 30-day retrieval window. Third, IaaS providers must take all reasonable measures to achieve "functional equivalence" for the customer on the destination platform, including documentation, capabilities, and technical support.
The functional equivalence and format requirements are where compliance-specific data creates a specific problem.
The Compliance Data Problem the Data Act Did Not Solve
AML/KYC records are evidentiary documents, not generic business data. Under AMLR Article 40(1), CDD records must be retained for at least five years after a business relationship ends. Under the AMLA supervisory methodology published in December 2025, those records must be structured and queryable to support risk assessment review. Each CDD outcome must be traceable to the source documents and risk indicators that produced it.
The Data Act's open format requirement addresses lock-in. A vendor cannot store your data in a proprietary binary format that only their platform can read. That is a legitimate and useful constraint. What it does not address is the evidentiary architecture of the exported records.
A CSV export of screened names, dates, and risk ratings satisfies the Data Act's format requirement. It does not satisfy a CSSF examiner's request to demonstrate the auditable link between a CDD decision, the documents reviewed, the risk indicators applied, and the person who approved the outcome. A JSON dump that requires the original platform's schema to reconstruct decision context satisfies the format requirement in letter but not in substance.
The Data Act's January 2027 milestone removes the commercial fee. It does not change the architecture of the records being exported.
Three Frameworks Pointing at the Same Gap
DORA, the Data Act, and the AMLR are converging on one operational question. DORA Article 28(8) requires documented, annually tested exit strategies for all material ICT providers. The CSSF Circular 25/882 on ICT third-party arrangements specifically requires fund managers to confirm professional secrecy obligations and exit feasibility for each critical provider. The Data Act's switching regime provides the legal and commercial framework within which that exit would be executed. The AMLR retention obligation specifies what needs to be preserved when it happens.
These three frameworks are each separately demanding the same thing from management companies and TCSPs: a documented, testable answer to what happens to compliance records when a provider relationship ends. None of them, individually, requires that the answer be complete. Together, they are asking whether the firm can exit a compliance platform and arrive on the other side with its evidential record intact.
A DORA exit plan that specifies data retrieval timelines but does not address evidentiary continuity is a plan that satisfies one regulator and creates a gap for two others. The intersection is where the compliance team's actual work lives.
What Management Companies and TCSPs Need to Map
The operational audit starts with the right question. The question is not whether the firm has a right to exit. It does. The question is whether the compliance data architecture supports an exit that produces auditable, portable, regulator-readable records.
Four specific checks belong on the compliance team's desk now, not in January 2027:
First, identify every platform that holds AML or KYC records subject to AMLR retention, including screening logs, CDD document stores, risk assessment outputs, and SAR preparation files. This is the scope of the Data Act switching right as it applies to compliance infrastructure.
Second, for each platform, confirm what format the exported data takes and whether that format preserves the linkage between documents, decisions, and the logic that connected them. Request a test export. Do not accept a contractual commitment to provide one.
Third, check whether the DORA exit strategy for that provider includes a specific section on evidentiary continuity, covering not just retrieval but usability of the retrieved records for regulatory purposes after the switch.
Fourth, confirm that the platform contract's data portability provisions, which should now be compliant with the Data Act, align with the AMLR's five-year retention clock. A 30-day retrieval window under the Data Act is not compatible with a five-year retention obligation if the records are not self-contained after retrieval.
The Architecture the Right Assumes
The Data Act was written assuming that exportable data is usable data. For most business data, this assumption holds. For compliance records that carry regulatory evidentiary weight, it does not.
The firms that will exercise their switching rights cleanly are the ones whose compliance data was built from the start as self-contained, portable, auditable records. Every CDD decision linked to the documents reviewed. Every risk rating traceable to the criteria applied. Every change logged with timestamp, user, and reason. When that architecture exists at the point of creation, the Data Act's export window produces evidence. When it does not, it produces files.
The right to leave is guaranteed. Whether you can leave with your evidence intact is a function of architecture, not of regulation. The January 2027 milestone will remove the exit fee. It will not install the exit ramp.