The Shift
On September 12, 2025, the EU Data Act takes full effect. Many executives view it as a compliance checkbox requiring minimal legal and API documentation updates.
This may underestimate its impact.
The Data Act potentially rewrites SaaS vendor lock-in economics. Vendors embracing data portability versus resisting it may see significantly different outcomes.
The change: The EU Data Act mandates machine-readable data export and active support for switching to competitors. Not performative CSV dumps that lose metadata, or rate-limited APIs that make bulk export impractical, but comprehensive, usable data portability.
For vendors who built competitive moats on proprietary formats and data gravity, this represents a fundamental challenge.
For vendors embracing data freedom as competitive advantage, it represents opportunity.
Siloed Information: How SAAS Companies Protect Their Moat explained why vendors trap data. The SAAS Reckoning: Evolution in the AI Era explained why that strategy is dying. This post is about what replaces it—and what you should do about it.
The Traditional Lock-In Strategy
SaaS data portability challenges weren't accidental; they were strategic:
Proprietary Export Formats: Data exports technically exist, but they often use vendor-specific formats that lose record relationships, drop custom fields, and strip metadata, making migration to a competitor extremely painful or effectively impossible. Example: Salesforce's Data Export Service performs full exports only (no incremental), on weekly or monthly schedules (not on-demand), in formats whose structure is hard to preserve when importing to competitors.
Rate-Limited APIs: Vendors advertise "robust APIs" while imposing rate limits that make bulk extraction impractically slow. Professional Salesforce users get 1,000 API calls per user per 24 hours (analyzing full customer databases could take weeks). Slack's 2024 API changes prohibited bulk export. Twitter limits exports to 1.5 million tweets monthly with tweet IDs only (requiring additional "rehydration" API calls for content). The pattern: claim openness while making real portability impractical.
Data Gravity: Once data, workflows, employee training, and integrations depend on a system, switching becomes expensive. Three documented 2025 SaaS migrations each took 3-4 weeks of developer time, costing over $40,000 in developer hours for relatively straightforward migrations. Switching costs include prompt re-optimization, employee retraining, integration rebuilding, testing, and data loss risk. Most organizations stay despite better alternatives or price increases.
For 20 years, this approach proved effective.
Why the EU Data Act Changes Everything
The Data Act doesn't just require data export. It requires continuous, real-time, machine-readable data portability for business users.
Article 6: Right to Access and Use Data
Organizations have the right to access data generated by their use of connected products and services. Not just their input data—all derived data, analytics, behavioral patterns, everything the vendor's system generates.
Article 5: Switching Between Data Processing Services
This is the nuclear option: vendors must provide "effective technical and organizational measures to facilitate the switching of the data user to another data processing service." That means actively helping customers move to competitors.
Not grudging compliance. Active facilitation.
The Timeline:
- September 12, 2025: Full enforcement begins
- 2025-2026: Transition period where vendors must demonstrate compliance
- 2027 onward: Penalties for non-compliance can reach 4% of global annual turnover (GDPR-style enforcement)
The European Commission isn't messing around. They watched GDPR enforcement generate €4.5 billion in fines through 2024. The Data Act uses the same enforcement framework.
The Unexpected Dynamic: Data Freedom as Advantage
A common vendor concern: "If customers can leave easily, they will leave."
An alternative perspective: When customers know they can leave, they may choose to stay.
This pattern appears across multiple markets.
Customer Psychology: Customers experiencing lock-in often resent vendors, actively seeking alternatives, talking to competitors, building internal solutions to reduce dependency, negotiating aggressively, and providing minimal commitment.
Customers choosing to stay because products genuinely excel often become advocates, expanding usage, providing feedback, and renewing enthusiastically.
The question: which relationship creates more value?
Economic Dynamics: Vendors competing on lock-in face ongoing retention challenges: they need aggressive sales tactics to prevent churn and spend on retention rather than innovation.
Vendors competing on value invest in quality making products indispensable through merit rather than friction. Customer lifetime value increases, acquisition costs decrease through referrals.
Strategic Context: In markets where AI makes custom development increasingly viable (Claude Code: The Agentic Tool Everyone is Sleeping On), build-versus-buy calculations shift constantly.
Organizations trapped in mediocre SaaS platforms increasingly consider building. Organizations valuing their SaaS vendors continue buying even when building becomes technically feasible.
Data freedom signals confidence: "Our product stands on merit. We don't need traps." This confidence may attract customers.
MCPs: The Technical Infrastructure for Data Portability
Model Context Protocols: The Connectors That Enable Everything covers MCPs in depth, but here's why they matter for Data Act compliance.
The Problem MCPs Solve:
Traditional integrations require custom code for each vendor pair. Salesforce → HubSpot requires one integration. Salesforce → Pipedrive requires a different integration. Scaling this across the SaaS ecosystem creates exponential complexity.
MCPs provide a standard protocol—like USB ports for data access. Build an MCP server once, any compatible system can connect.
The Architecture:
MCP uses JSON-RPC 2.0 over stdio, HTTP, or WebSocket transports. The protocol defines:
- Standardized discovery (what capabilities does this server expose?)
- Consistent authentication (OAuth 2.1 support as of March 2025)
- Structured data formats (JSON Schema definitions)
- Built-in streaming for large datasets
Why This Enables Data Act Compliance:
Instead of building custom export tools for every possible competitor, SaaS vendors can expose MCP servers that any system can query.
A customer wants to evaluate a competitor? They grant the competitor's system access to their existing vendor's MCP server. The competitor pulls data directly, in real-time, with full fidelity.
No custom integration. No manual CSV export and import. No data loss. No weeks of developer time.
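The access grant in that scenario is where the security work sits: the third party's token should bind it to one customer's data and one capability. The sketch below is an added example, not code from the original post or from any MCP SDK. It is a minimal in-process JSON-RPC 2.0 handler using MCP's `tools/list` and `tools/call` method names; the tokens, scopes, tenant data, tool name and the error codes -32001/-32002 are constructed assumptions.

```python
import json

# Constructed sample data: contacts the vendor holds for two customers.
RECORDS = {
    "tenant-a": [{"id": "c1", "name": "Acme GmbH", "owner": "u7"}],
    "tenant-b": [{"id": "c9", "name": "Globex SA", "owner": "u2"}],
}
# Constructed grants (assumption): a real server would derive tenant and
# scopes from a validated OAuth 2.1 access token, not a lookup table.
GRANTS = {
    "tok-evaluator": {"tenant": "tenant-a", "scopes": {"contacts:read"}},
    "tok-revoked": {"tenant": "tenant-a", "scopes": set()},
}
# Hypothetical tool registry; "scope" is server-side policy, never sent out.
TOOLS = {
    "export_contacts": {
        "scope": "contacts:read",
        "description": "Export all contacts of the authorised tenant",
        "inputSchema": {"type": "object", "properties": {},
                        "additionalProperties": False},
    },
}


def _err(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": code, "message": message}}


def handle(raw, token):
    """Process one JSON-RPC 2.0 request made with the given bearer token."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return _err(None, -32700, "Parse error")
    if (not isinstance(req, dict) or req.get("jsonrpc") != "2.0"
            or not isinstance(req.get("method"), str)):
        return _err(None, -32600, "Invalid Request")
    rid, params = req.get("id"), req.get("params")
    params = params if isinstance(params, dict) else {}
    grant = GRANTS.get(token)
    if grant is None:
        # -32000..-32099 is left to the implementation by JSON-RPC 2.0.
        return _err(rid, -32001, "Unauthorized")
    allowed = {n for n, t in TOOLS.items() if t["scope"] in grant["scopes"]}
    if req["method"] == "tools/list":
        # Discovery reveals only what this token may actually call.
        tools = [{"name": n, "description": TOOLS[n]["description"],
                  "inputSchema": TOOLS[n]["inputSchema"]} for n in sorted(allowed)]
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": tools}}
    if req["method"] == "tools/call":
        name = params.get("name")
        if not isinstance(name, str) or name not in TOOLS:
            return _err(rid, -32602, "Unknown tool")
        if name not in allowed:
            return _err(rid, -32002, "Forbidden: missing scope")
        if params.get("arguments"):
            # Schema takes no arguments: a caller-supplied tenant id is rejected.
            return _err(rid, -32602, "Invalid params")
        rows = RECORDS[grant["tenant"]]  # tenant comes from the grant only
        content = [{"type": "text", "text": json.dumps(rows)}]
        return {"jsonrpc": "2.0", "id": rid,
                "result": {"content": content, "isError": False}}
    return _err(rid, -32601, "Method not found")
```

Over an HTTP transport the missing or invalid token would normally surface as an HTTP 401 before any JSON-RPC processing; the in-band error code here only keeps the example self-contained.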
The Adoption Numbers:
- 16,000+ MCP servers deployed across organizations by April 2025
- 8 million+ downloads of MCP implementations
- Major vendor support: OpenAI (March 2025), Google (April 2025), Microsoft (May 2025)
This isn't a theoretical standard. It's production infrastructure, scaling rapidly.
Real-World Impact:
Block's engineering team integrated MCP-based development tools and reported 50-75% time savings on routine tasks like code review, documentation lookup, and debugging. These tools are now used by thousands of engineers daily.
When a standard can demonstrate that level of efficiency gain, adoption accelerates. And when adoption reaches critical mass, it becomes infrastructure—not a choice, but a requirement.
Impact on Vendor Strategy: Four Fundamental Shifts
The Data Act forces SaaS vendors to make strategic choices they've avoided for 20 years.
Shift 1: From Seat-Based to Usage-Based Pricing
When customers can leave easily, charging for "seats" makes no sense. You need to charge for value delivered, not access granted.
The Data:
67% of SaaS companies now use usage or consumption-based pricing, up from 52% in 2022. Meanwhile, traditional seat-based pricing dropped from 21% to 15% in just 12 months.
More telling: Companies maintaining seat-based pricing for AI products see 40% lower gross margins and 2.3 times higher churn than those adopting usage or outcome-based models.
Why Usage-Based Pricing Works Better:
- Revenue scales with customer success (alignment of incentives)
- Customers can start small and expand naturally (lower barriers to entry)
- Overuse becomes a revenue opportunity, not a cost center
- Customers perceive fair pricing (pay for what you use)
Examples Done Right:
- Stripe: Percentage + fixed amount per successful payment API call
- Twilio: Pay-as-you-go, volume discounts, and committed-use discounts for communications APIs
- Snowflake: Charges for processing power by seconds of query usage plus compressed data storage
- OpenAI: Per-token pricing, transparent and directly tied to value
These companies don't trap customers with seat licenses. They compete on API quality, reliability, and value.
Shift 2: From Walled Gardens to Ecosystem Platforms
The vendors that win enable their customers to build on top of them—even if that means customers could leave.
Strategic Calculation:
Option A (Old Model): Build a walled garden. Limited integrations. Proprietary formats. Hope customers get too embedded to leave.
Option B (New Model): Build a platform. Rich APIs. Open standards. Compete on being the best foundation for customer workflows.
Option B sounds risky. It's actually safer.
Why? Because in a world where customers can leave, the vendors that become infrastructure—that other systems are built on top of—create switching costs through genuine value, not artificial friction.
Case Study: HubSpot
HubSpot was the first major CRM to ship a production-grade MCP integration in June 2025. Their "deep research" connector allows AI systems to perform natural language queries with live HubSpot data.
Critically, they built for open interoperability with a wide range of AI models—not just one vendor's ecosystem.
The result? HubSpot positioned themselves as the CRM for organizations building AI-native workflows. Competitors without MCP support fell behind.
Shift 3: From API as Afterthought to API-First Architecture
Most SaaS products are "web app with an API bolted on." That model dies under the Data Act.
What API-First Actually Means:
- Your own web interface uses the exact same API that customers use
- No "internal APIs" with more capabilities than public ones
- API documentation is first-class, not buried in support docs
- API performance is a product metric, not an infrastructure concern
Why This Works:
When your product relies on the same API you expose to customers, you're forced to make that API excellent. Because if it's slow, limited, or poorly documented, you feel the pain directly.
And when the Data Act requires comprehensive data access? You're already compliant. Because your product already depends on that access layer.
Shift 4: From Data Lock-In to Intelligence Lock-In
The new moat isn't "we have your data." It's "we make your data more valuable."
The Strategic Question:
If customers can easily port their data to competitors, why would they stay with you?
The Answer:
Because your system does something with that data that competitors can't match.
- Better AI-powered insights from domain-specific models
- Superior data quality (de-duplication, enrichment, validation)
- Unique integrations that create compound value
- Network effects (industry benchmarks, community data)
- Proprietary algorithms that genuinely work better
Notice what's missing from that list: "because switching is too painful."
The vendors that build moats through genuine intelligence—not artificial friction—thrive in a world of mandatory data portability.
Buyer Considerations: Leveraging Data Portability
The Data Act creates negotiation leverage previously unavailable to customers (CTOs, VPs of Engineering, enterprise architects).
Tech Stack Audit for Lock-In Risk:
Questions for each SaaS vendor:
- Can we export all data in standard, machine-readable formats (including metadata, relationships, derived data)?
- Can we perform bulk access without rate limits?
- Do they support industry-standard APIs (REST, GraphQL) versus proprietary protocols?
- Have they announced MCP or equivalent interoperability support?
- What would competitor switching actually cost (developer time, migration risk, business disruption)?
Risk assessment:
- High: proprietary formats, limited APIs, no MCP support, "migration not supported"
- Medium: standard formats with complex models, rate-limited APIs, migration "possible but not recommended"
- Low: open standards, comprehensive APIs, MCP support, vendor facilitates switching
High-risk vendors face Data Act enforcement, potentially improving customer positions or creating instability.
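The first audit question, whether an export keeps metadata, relationships and custom fields, can be measured instead of asked. The following is an added example, not part of the original post: it diffs a vendor export against source-of-truth records and reports missing records, dropped fields, changed values and references whose target was not exported. The record shapes, field names and the `REF_FIELDS` mapping are constructed assumptions.

```python
from collections import Counter

# Constructed sample: records in the system of record before export.
SOURCE = [
    {"type": "account", "id": "a1", "name": "Acme GmbH",
     "created_at": "2021-03-04", "cf_tier": "gold"},
    {"type": "account", "id": "a2", "name": "Globex SA",
     "created_at": "2020-11-30", "cf_tier": "silver"},
    {"type": "contact", "id": "c1", "name": "J. Doe", "account_id": "a1"},
    {"type": "contact", "id": "c2", "name": "M. Roe", "account_id": "a2"},
    {"type": "contact", "id": "c3", "name": "K. Lee", "account_id": "a1"},
]
# Constructed sample: the same data after a lossy export.
EXPORT = [
    {"type": "account", "id": "a1", "name": "Acme GmbH"},
    {"type": "contact", "id": "c1", "name": "J. Doe", "account_id": "a1"},
    {"type": "contact", "id": "c2", "name": "M. Roe", "account_id": "a2"},
    {"type": "contact", "id": "c3", "name": "K. Lee"},
]
# Assumed schema knowledge: which fields point at which record type.
REF_FIELDS = {"contact": {"account_id": "account"}}


def audit_export(source, export, ref_fields):
    """Return (kind, record, detail) findings for data lost in an export."""
    src = {(r["type"], r["id"]): r for r in source}
    exp = {(r["type"], r["id"]): r for r in export}
    findings = []
    for key in sorted(src):
        label, out = "/".join(key), exp.get(key)
        if out is None:
            findings.append(("missing_record", label, ""))
            continue
        for field in sorted(src[key]):
            if field not in out:
                findings.append(("dropped_field", label, field))
            elif out[field] != src[key][field]:
                findings.append(("changed_value", label, field))
    # A relationship survives only if its target was exported too.
    for key in sorted(exp):
        for field, target_type in ref_fields.get(key[0], {}).items():
            target = exp[key].get(field)
            if target and (target_type, target) not in exp:
                findings.append(("dangling_ref", "/".join(key),
                                 f"{field}->{target_type}/{target}"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a vendor portability scorecard."""
    return Counter(kind for kind, _, _ in findings)
```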
Prioritize Data Freedom in Evaluations:
Make data portability first-order in SaaS tool evaluations. RFP questions: Data Act compliance strategy? MCP or equivalent support? Full export testing before commitment? Technical support for competitor switching? Portability feature roadmap?
Vendors hesitating or providing vague answers may signal lock-in strategies. Vendors enthusiastically demonstrating portability signal product quality confidence.
Internal Data Infrastructure:
Consider not letting canonical data live exclusively in SaaS platforms. Central data warehouses you control (syncing from SaaS platforms, using ETL for normalization, making the data lake your analytics/AI source of truth) position SaaS as operational systems rather than strategic repositories.
Benefits: control access patterns and costs, consolidate across platforms, switch vendors without losing history, consistent AI system access regardless of operational tools.
Multi-Tenant Architecture Visibility:
Questions: Logical versus physical data isolation? Demonstration that other customers can't access your data? Data residency policy (critical for EU under GDPR + Data Act)? Multi-regional deployment export handling?
The Data Act strengthens your position to demand answers.
The 2025-2026 Transition Period: Strategic Timing
The Data Act enforcement begins September 12, 2025. But practical compliance will play out over 18-24 months.
What's Happening Right Now (Q4 2025 - Q2 2026):
Phase 1: Vendor Announcements
SaaS vendors are announcing compliance strategies. Some are genuine (comprehensive API improvements, MCP adoption, migration tooling). Some are performative (minimal changes, compliance theater).
Your move: Watch what vendors do, not what they say. Test their data export capabilities. If they're announcing compliance but haven't shipped real improvements, they're stalling.
Phase 2: Competitive Pressure
Vendors that ship real portability first will use it as a competitive weapon. "Unlike Competitor X, we fully support Data Act portability—try us risk-free."
Your move: Leverage this. When negotiating renewals, reference competitors' superior portability. Even if you're not switching, the competitive pressure works in your favor.
Phase 3: Enforcement Examples
The European Commission will make examples of high-profile non-compliance cases—just like they did with GDPR (Google's €50 million fine in 2019 for data portability failures).
Your move: If you're an EU-based company or serve EU customers, prioritize vendors with demonstrated compliance. Avoiding vendor-related regulatory risk is worth the switching cost.
The Strategic Window (2026-2027):
By 2027, data portability will be table stakes. The vendors that moved first will have learned what works, built better tooling, and established themselves as the "safe choice" for data-conscious buyers.
The vendors that resisted will be playing catch-up, defending their installed base, and fighting regulatory battles.
Which group do you want to build your stack on?
Getting Started: Concrete Next Steps
For SaaS Vendors:
If you're running a SaaS company and you're reading this, here's the brutal truth: you're either adapting or you're dying slowly.
30-Day Plan:
- Audit your current data export capabilities - Can a customer actually leave with full-fidelity data? Be honest.
- Assign a Data Act compliance owner - This is a strategic initiative, not a legal checkbox. Make it someone with product authority.
- Evaluate MCP implementation - Start with the official MCP documentation and community examples. Budget 80-160 hours for a basic implementation.
- Test your own export process - Actually try to export your data and import it into a competitor. Document every friction point.
90-Day Plan:
- Ship a functional MCP server - Even if it's limited scope initially, get something in production.
- Publish a Data Act compliance statement - Proactively communicate your strategy to customers.
- Train customer success teams - They need to speak fluently about data portability as a feature, not a threat.
- Evaluate pricing model shifts - If you're still seat-based, model what usage-based pricing would look like.
For SaaS Buyers:
If you're building or managing a tech stack, this is your leverage moment.
This Month:
- Create a vendor portability scorecard - Rank all major SaaS vendors on data portability (export formats, API quality, MCP support, migration tooling).
- Identify your top 3 lock-in risks - Which vendors would be most painful to switch away from? Why?
- Request Data Act compliance statements - Send a formal inquiry to each vendor asking about their compliance roadmap.
This Quarter:
- Test one vendor migration - Pick a non-critical system and actually attempt to switch to a competitor. Document costs and friction points.
- Build or adopt an abstraction layer - For critical systems, implement LangChain, custom APIs, or MCP clients that reduce direct vendor dependency.
- Renegotiate one contract - Use data portability as a negotiation point. "We need guaranteed API access rates and MCP support for our next renewal."
This Year:
- Establish internal data infrastructure - If you don't have a central data warehouse, build one. Sync SaaS data into systems you control.
- Shift procurement requirements - Make data portability a first-order evaluation criterion for all new SaaS purchases.
- Monitor enforcement actions - Watch how the EU enforces the Data Act. Learn from other companies' compliance failures.
Connecting to the Bigger Picture
The Data Act isn't happening in isolation. It's part of a larger shift in how software ecosystems operate.
Regulatory Momentum:
- GDPR Article 20 (2018) established data portability rights for individuals
- Digital Markets Act (2023) targeted gatekeepers with interoperability requirements
- Data Act (2025) extends portability to business relationships and IoT
- Seven U.S. states passed data portability laws in 2024 alone
The trend is clear: regulators globally are breaking down data silos that vendors spent decades building.
Technical Infrastructure:
Model Context Protocols explains how MCPs provide the technical foundation for data portability at scale. The Data Act creates regulatory pressure; MCPs provide the implementation path.
Multi-Cloud Strategy:
Multi-Cloud in the AI Era: Strategic Hedging or Complexity Trap? explores similar lock-in dynamics with cloud providers. The same principles apply: data portability enables negotiating leverage and reduces existential risk.
SaaS Business Model Evolution:
The SAAS Reckoning: Evolution in the AI Era covers the broader transformation of SaaS business models. Data portability is one symptom of a larger shift: from vendors competing on lock-in to vendors competing on value.
The vendors that understand that these trends are connected (regulatory, technical, and business model shifts all pointing the same direction) will position themselves correctly.
The ones treating the Data Act as a compliance checkbox will be case studies in "how not to respond to structural change."
The Bottom Line
The EU Data Act accelerates a reckoning that seems inevitable as AI makes custom development increasingly viable and organizations need data freedom for intelligent systems. Lock-in strategies effective for 20 years may be becoming strategically disadvantageous.
Vendor Considerations:
Two paths: Resist (minimal compliance, preserve lock-in where possible, bet on defensible installed base and weak enforcement) or Embrace (make portability a feature, implement MCPs, shift to usage-based pricing, compete on quality versus switching costs).
The first may represent gradual decline. The second may enable thriving in a post-lock-in environment.
Buyer Leverage:
Leverage that was unavailable for 20 years now enables: tech stack audits for lock-in vulnerabilities, prioritizing vendors enabling data freedom, building controlled internal data infrastructure, renegotiating contracts with portability requirements, making data freedom a first-order evaluation criterion.
Vendors enabling data freedom may become strategic partners. Those resisting may become technical debt slated for removal.
The 2025-2026 Transition:
Vendors making bold portability moves may establish themselves as safe choices. Vendors stalling may spend years playing defense.
Tech stack decisions made in the next 18 months may have effects that compound for a decade.
Consider: vendors believing data freedom represents competitive advantage may be correct.