SaaS legal expert – Bodle Law

SaaS Agreements – New EU and UK Laws Applicable to Online Platforms

01/11/2025 Irene Bodle

Below is a summary of the following online platform laws, the EU Digital Services Act, the European Accessibility Directive and the UK Online Safety Act, the UK Digital Markets Competition and Consumers Act and the EU Revised Product Liability Directive, that will impact SaaS suppliers and SaaS customers in 2025. Some of these laws apply extra-territorially, meaning the laws apply even when a SaaS supplier is not located in the UK or the EU (respectively). It is important to be aware of these new laws in order to assess whether

SaaS Agreements – New EU and UK Data Security Laws

20/10/2025 Irene Bodle

Below is a summary of the following data security laws, the EU Network and Information Systems Directive 2, the EU Digital Operational Resilience Act, the EU Cyber Resilience Act, the EU Critical Entities Resilience Directive and the UK Product Security and Telecommunications Infrastructure Act that will impact SaaS suppliers and SaaS customers in 2025. Some of these laws apply extra-territorially, meaning the laws apply even when a SaaS supplier is not located in the UK or the EU (respectively).

It is important to be aware of these new laws in order to assess whether or not they apply to your particular SaaS business, products and services.

SaaS Agreements – New EU and UK Data Laws

13/10/2025 Irene Bodle

Below is a summary of the EU Artificial Intelligence Act, the EU Data Act and the UK Data Use and Access Act that will impact SaaS suppliers and SaaS customers in 2025. These laws will apply extra-territorially, meaning the laws apply even when a SaaS supplier is not located in the UK or the EU (respectively). It is important to be aware of these new laws in order to assess whether or not they apply to your particular SaaS business, products and services. The EU AI Act applies to AI systems and AI models and categorises AI systems into different risk categories.

SaaS Agreements – DORA – ICT Supplier Obligations

13/01/2025 Irene Bodle

SaaS suppliers obligations under the Digital Operational Resilience Act,(“DORA”), (Regulation (EU) 2022/2554 on digital operational resilience for the EU financial sector), are effective from the 17th of January 2025. From this date DORA provisions must be included in contracts entered into between financial services entities subject to DORA and their third party providers of ICT Services. As SaaS suppliers are third party providers of digital and data services on an ongoing basis they will be third party providers of ICT services if their SaaS customers are regulated by DORA. Both

SaaS Agreements – FAQs – Restricted Transfers

23/10/2023 Irene Bodle

Restricted transfers are a type of international data transfer to which special rules apply. SaaS suppliers and SaaS customers are responsible for complying with the relevant rules when making or permitting restricted transfers of personal data to their suppliers, customers, sub-processors, group companies and partners.

What is an international data transfer?

An international data transfer occurs when personal data is sent or transmitted from one country to another.

This includes:

SaaS Agreements – Data Protection: UK-US Data Bridge

26/09/2023 Irene Bodle

On Friday the 22nd of September the UK agreed its own transfer mechanism which can be used instead of UK standard contractual clauses.

From the 12 October 2023, SaaS Suppliers and SaaS Customers can start to transfer UK personal data to entities located in the USA provided that the US entity is certified under the new “UK Extension to the EU-US Data Privacy Framework” (UK-US Data Bridge).

This now means that all transfers of UK personal data made to US companies certified under the UK-US Data Bridge by SaaS companies will be deemed to be to a third country that has adequate data protection laws.

Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.

SaaS Agreements – Data Protection – Restricted Transfers

04/07/2023 Irene Bodle

SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when proving SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.

SaaS Agreements – Data Protection – Does your DPA and Sub-Processor List need updating?

20/06/2023 Irene Bodle

Meta were fined 1.2 billion Euros for breaches of EU data protection law and for transferring personal data of EU users to the US despite, using standard contractual clauses, (SCCs), having in place supplemental measures and carrying out data transfer impact assessments, (DTIAs). Google has also been pursued in various EU member states for similar breaches.

In light of these decisions, SaaS suppliers should review their own data protection practices and documentation to ensure that they are up to date and comply with the current rules.

SaaS Agreements – GDPR – US Companies

18/01/2018 Irene Bodle

From the 25th of May 2018 the EU General Data Protection Regulation (GDPR) will come into force and change existing UK data protection laws. The GDPR does not just apply to SaaS suppliers and SaaS customers located in the EU. The GDPR also applies extraterritorially, i.e. to SaaS suppliers and SaaS customers located outside of the EU, for example in the USA, as set out below.

GDPR Applies to US SaaS Customers and SaaS Suppliers

The GDPR will apply to SaaS suppliers and SaaS customers located in the USA if:

They offer goods or services to SaaS customers located within the EU; or
They monitor the behaviour of EU data subjects;

Even though the SaaS supplier or SaaS Customer is not located within the EU.

SaaS Agreements – GDPR – The General Data Protection Regulation

18/12/2017 Irene Bodle

The General Data Protection Regulation (“GDPR”) will replace the existing EU Data Protection Directive and harmonise European data protection law from the 25th of May 2018. In the UK the GDPR will replace the Data Protection Act 1998 from the 25th of May 2018, regardless of “Brexit”. This will have a significant effect on both SaaS suppliers and SaaS customers who will need to comply with the terms of the GDPR. SaaS suppliers and SaaS customers must update all contractual documents that involve data processing, such as SaaS agreements, privacy policies and hosting and support agreements to comply with the new rules under the GDPR before the 25th of May deadline.