On 4 February 2026, Ireland published the General Scheme of the Data Bill 2025, the domestic machinery that will enforce the EU Data Act inside the bloc's largest cloud and data-hosting hub. The choice it encodes matters well beyond Dublin: faced with the fashionable language of 'digital sovereignty,' Ireland has opted to pursue it through portability and switching rights rather than through data localization mandates. For a country that hosts a disproportionate share of Europe's hyperscale infrastructure, that is the right call — and a model worth watching.
What the General Scheme actually does
The EU Data Act became applicable on 12 September 2025. Among its most consequential provisions are Articles 23–31, which require cloud providers to remove the contractual, technical and commercial obstacles that trap customers with a single vendor, and Articles 34–35, which push interoperability between data-processing services. The Regulation applies directly, but it leaves enforcement design to member states — and that is what Ireland has now sketched out.
The General Scheme designates two competent authorities. The Commission for Communications Regulation (ComReg) takes the cloud-switching and interoperability brief, a fit the Data Act itself anticipates by requiring that those articles be policed by a regulator with experience in data and electronic communications. The Competition and Consumer Protection Commission (CCPC) becomes the national Data Coordinator and single point of contact, coordinating between authorities and fielding requests from other member states and EU bodies. The Data Protection Commission keeps its GDPR teeth: where data-sharing or data-access infringements touch personal data, the DPC can levy Article 83 fines of up to €20 million or 4% of worldwide turnover. ComReg has confirmed it expects to be a competent authority and that its supervision will be funded by a levy on providers established in Ireland.
Steelmanning the regulators
The case for vigorous enforcement here is genuinely strong, and it should be stated plainly. Vendor lock-in is a real market failure: egress fees, proprietary APIs and migration friction can make 'choice' theoretical. Customers who cannot leave cannot discipline a provider on price, security or service. Lock-in also concentrates systemic risk — a single misconfiguration or outage at a dominant provider cascades across hospitals, banks and government. Mandatory switching rights, properly enforced, are a pro-competition intervention that expands the market rather than fences it off. On that logic, designating an experienced telecoms regulator to run the switching regime is sensible institutional design, not regulatory overreach.
Why portability beats localization
The deeper point is what Ireland chose not to do. Across Europe, 'digital sovereignty' is increasingly invoked to justify data-residency rules that force data to stay on home soil. Those mandates are expensive, fragment the single market, and rarely deliver the security they promise — a server in Frankfurt is not safer than one in Dublin by virtue of its postcode. They also cut directly against the open, cross-border internet that made Europe's data economy viable in the first place.
Ireland's approach inverts that instinct. By making it cheaper and faster to move between providers, switching rights deliver the substance sovereignty advocates actually want — control, exit, and resilience — without trapping data behind borders. Sovereignty as the freedom to leave is a far healthier concept than sovereignty as the obligation to stay. For Ireland specifically, whose tech sector depends on frictionless cross-border data flows, localization would have been self-harm.
The execution risk
The stance is right; the details will decide whether it works. Two risks stand out. First, dual competent authorities plus the DPC create overlap, and the General Scheme's value will hinge on whether the CCPC's coordinating role genuinely prevents firms from being investigated three times for one event. Clear jurisdictional lines, not just a coordination title, are what reduce compliance cost. Second, the ComReg levy must be calibrated so it funds credible supervision without becoming a tax that deters the very providers Ireland wants to keep. A levy that scales punitively with establishment in Ireland would perversely encourage firms to base themselves elsewhere — undermining both enforcement reach and the domestic tech base.
That base is not abstract. Ireland's R&D tax credit rose from 30% to 35% in the most recent budget, and nearly 70% of surveyed firms reported increasing R&D spend over three years — evidence that proportionate, investment-friendly policy is doing real work. The Data Bill should be drafted in that same register: pro-competition where lock-in genuinely harms customers, light-touch where the market already functions.
What to watch
Pre-legislative scrutiny by the Joint Committee on Enterprise, Tourism and Employment ran with written submissions closing on 13 April 2026, and the Data Bill has been prioritised for drafting in the 2026 spring session. The questions that matter now are operational: How sharply are ComReg's and the CCPC's remits delineated? How is the levy set? And do the switching rules translate the Data Act's intent into migrations that actually happen? Get those right, and Ireland will have shown that digital sovereignty and an open internet are not opposites — that the best answer to lock-in is the right to leave, not the duty to stay home.