“Data processing services” under the Data Act

The EU’s Data Act introduces important rules for performance of data processing services. Given their importance for businesses, these rules deserve to be discussed in a separate article. Here we examine more closely the definition of “data processing services” in the Data Act. We attempt to outline what types of services may, in practice, be covered by the new regulations, and how it should be determined whether a given service constitutes a data processing service for purposes of the Data Act.

Legal definition

Under the Data Act (Regulation (EU) 2023/2854), “data processing service” is defined as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

It should be pointed out that the definition of “processing,” which is a key element of data processing services under the Data Act, is closer to the technological understanding of “data processing.” “Processing” is defined as “any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making them available, alignment or combination, restriction, erasure or destruction.” It therefore covers the entire technological life cycle of data.

Specific elements of the definition

A service is a data processing service if it meets all of the following conditions:

1. It is a digital service

Based on the definition in Directive (EU) 2019/770 of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services, a “digital service” means a service that:

  • Allows the consumer to create, process, store or access data in digital form, or
  • Allows the sharing of or any other interaction with data in digital form uploaded or created by the consumer or other users of that service.

2. It is a service provided to a customer

Under the Data Act, “customer” means a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services.

Significantly, data processing services may be provided free of charge (see recital 78 of the Data Act).

3. It is a service enabling access to a shared pool of computing resources

Computing resources include such resources as networks, servers, or other virtual or physical infrastructure, software, including software development tools, storage, applications and services (recital 80).

A “shared pool of computing resources” means resources provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment (recital 80).

4. Access to computing resources is ubiquitous

“Ubiquitous” access refers to computing capabilities provided over the network and accessed through mechanisms promoting the use of heterogeneous thin or thick client platforms (from web browsers to mobile devices and workstations) (recital 80).

5. Access to computing resources is on demand

Access “on demand” means that a customer can unilaterally provision the computing resources available over the network and through standard mechanisms, such as mobile phones, laptops or workstations (Commission document “Frequently Asked Questions, Data Act,” 12 September 2025, ver. 1.3).

6. The computing resources are configurable

In common parlance, “configurable” means capable of being adapted, e.g. to the expected task. Thus it appears that the provider must be capable of adapting the resources to the expected tasks.

7. The computing resources are scalable

“Scalable” computing resources are flexibly allocated by the provider of data processing services, irrespective of the geographical location of the resources, to handle fluctuations in demand (recital 80).

8. The computing resources are elastic

“Elastic” computing resources are provisioned and released according to demand, to rapidly increase or decrease resources available depending on workload (recital 80).

9. The computing resources are centralised, distributed or highly distributed

“Distributed” computing resources are located on different networked computers or devices, and communicate and coordinate among themselves by message-passing.

The term “highly distributed” is used to describe data processing services that involve data processing closer to where the data are generated or collected, for instance in a connected data processing device (recital 80).

10. The computing resources are rapidly provisioned

“Rapidly provisioned” means that the customer can begin using the resources almost immediately after they are accessed (see Commission document “Frequently Asked Questions, Data Act,” 12 September 2025, ver. 1.3).

11. The computing resources can be provisioned and released with minimal management effort or service provider interaction

This condition is met in a situation where the customer can unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the provider of data processing services (recital 80).

Other pointers for interpretation

According to the preamble to the Data Act, data processing services:

  • Include cloud services and edge services (recital 78)
  • Fall within at least one of the following data processing service delivery models, representing a specific, pre-packaged combination of ICT resources offered by a provider of data processing services:
    • Infrastructure as a Service (IaaS)
    • Platform as a Service (PaaS)
    • Software as a Service (SaaS) (recital 81).
  • May be further complemented by other emerging delivery models, such as Storage as a Service (StaaS) and Database as a Service (DBaaS) (recital 81).

How to determine whether a service constitutes a data processing service under the Data Act?

The analysis of whether a service qualifies as a data processing service for purposes of the Data Act may be carried out as follows:

Step 1:

Is the service a digital service?

If the service allows for:

  • Creation, processing, storage of data, or accessing data in digital form, or
  • Sharing of data in digital form uploaded or created by the user of the service, or other interaction with such data

it may be assumed that the service meets the condition set forth in point 1 above.

Step 2:

Is the service provided to customers?

If the service is used by persons external to the service provider under a contract (regardless of the form or name of the contract and whether it is paid), it may be assumed that the service meets the condition set forth in point 2.

Step 3:

Is it a service enabling access to computing resources? Are the computing resources shared?

If:

  • The service includes remote access to resources such as networks, servers, or other virtual or physical infrastructure, software (including software development tools), storage, applications and services, and
  • The service provider makes the same resources available to multiple customers at the same time

it may be assumed that the service meets the condition set forth in point 3.

Step 4:

Does the service enable ubiquitous network access to computing resources, at the customer’s demand?

If the service is provided via internet to the customer, who decides when and how to use it, and the customer can use the service through standard devices (e.g. computer, laptop or smartphone), it may be assumed that the service meets the conditions set forth in points 4 and 5.

Step 5:

Are the computing resources scalable, elastic, configurable and distributed?

If the service is developed and delivered so that the computing resources:

  • Can be adapted to the customers’ current needs (and the functionalities used by the customers)
  • Can be flexibly allocated and released according to customers’ current demands, while maintaining the same service quality, and
  • Are located on different computers or devices networked by the service provider

it may be assumed that the service meets the conditions set forth in points 6, 7, 8 and 9.

Step 6:

Are the computing resources rapidly provisioned?

If the service is configured (e.g. in the form of packages or modules) so that the customer can begin using the resources almost immediately after they are made available (without the need for significant adjustment of the resources for the customer, creation of a new customer interface, etc.), for example as soon as the contract is formed, it may be assumed that the service meets the condition set forth in point 10.

Step 7:

Can the customer access the computing resources with minimal management effort or service provider interaction?

If the customer can use the service without interacting with the service provider (in particular without consent each time by the provider, and without the service provider having to “switch on” the service each time at the customer’s request), it may be assumed that the service meets the condition set forth in point 11.

Importantly, a mere finding that a given service constitutes a data processing service as defined in the Data Act does not necessarily mean that the Data Act as a whole applies to the service. The Data Act contains certain exemptions (which are beyond the scope of this report).

It must be remembered that not every service in the same category will automatically constitute a data processing service. The definition is so extensive that whether it applies may be determined by specific secondary features or functionalities of the technical solutions. Consequently, the conditions set forth in the definition of “data processing services” must be examined individually. No general findings can be provided about services of a particular type.

However, exemptions would probably cover such items as:

– “On-premises” services, i.e. processing on the user’s device

The device doesn’t have to formally belong to the user (but may be borrowed or leased). This has to do with a situation where management of the device is under the user’s full control or is delegated to a third party.

This would include for example:

  • Rent of a physical server located in the customer’s data centre
  • Traditional databases in the on-premises model (such as Oracle Database)
  • The SAP model implemented in the form of a local installation.

Data processing service providers may charge fees for switching to on-premises infrastructure, consistent with the Data Act, but only during the first three years after the Data Act enters into force.

– Any services without on-demand network access, such as:

  • Services accessible only locally
  • Services accessible on the user’s local network
  • Typical desktop (offline) services.

– Services provided exclusively, such as the user’s exclusive access to services (thus excluding the condition of shared computer resources).

Depending on functionality, a VPN could be a practical example. VPNs in site-to-site infrastructure or using MPLS VPN technology would probably not qualify as a data processing service.

However, VPNs offering services in the SaaS model probably would qualify as a data processing service.

A key element for treating a VPN as a data processing service would be whether it offers access to computing resources, rather than only offering communication services.

There may be doubts about classification of firewall software which, apart from filtering traffic, also analyses threats. The following would probably be regarded as a data processing service:

  • Firewalls using cloud-native technology
  • Desktop applications with functions for analysing threats.

However, the following firewalls would not be deemed to be data processing services:

  • Device firewalls, particularly when the threat analysis is made on the device locally
  • Desktop firewalls in the form of local software.

It is also highly likely that the Data Act will not apply to traditional hosting services, when they do not meet the criteria of:

  • Scalability and elasticity
  • Being able to rapidly allocate and release resources with minimal management effort.

It should be apparent that services in the same category might or might not fit within the definition of data processing services, depending on their technological construction. Thus it is essential to evaluate each service individually, by analysing the technological features and solutions it offers.

Summary

The definition of “data processing services” in the EU’s Data Act is fairly complicated and references various technical issues. Thus, to determine whether a service may be regarded as a data processing service for purposes of the Data Act, it must be examined from both the legal and the technical side.

This analysis needs to be conducted by all entities that may be providing services of this type, because the Data Act imposes major obligations on providers of data processing services. For example, most of today’s “cloud services,” as popularly understood, may fall within the definition of data processing services under the Data Act. Consequently, the number of entities providing data processing services under the Data Act appears to be quite significant.

Łukasz Rutkowski, Bartosz Kurzec
