Cloud Exit Strategy — Avoiding Vendor Lock-in 2026

Cloud & DevOps · May 2026 · 14 min read

← Part of the Cloud & DevOps Guide
Emre Yilmaz By Emre Yilmaz · Reepa Solutions

Vendor lock-in was long considered an academic problem — until 2024, when several large European companies migrated out of a single hyperscaler at costs running into the tens of millions, managing re-engineering projects that lasted six to nine months. Since January 2025, DORA has required financial services firms and insurers to maintain a documented and testable exit plan for every critical cloud provider. The EU Data Strategy and the Data Act deepen this obligation in 2026 for additional industries; KRITIS operators are also covered under NIS2. For management boards, CFOs, and IT leadership this is no longer an optional architecture topic but a regulatory necessity with direct personal liability. This article explains what an effective cloud exit strategy looks like, what lock-in tiers exist, how a realistic exit plan is structured, which architecture decisions make an exit possible in the first place, and what costs to expect. For the broader strategic picture, see our Cloud & DevOps Guide for the Mid-Market.

Why DORA and the EU Data Strategy Make Cloud Exit Mandatory in 2026

The regulatory landscape has changed dramatically over the past 18 months. Three levers are operating simultaneously and create an obligation for a large part of the German mid-market that barely existed a few years ago.

First, DORA — the Digital Operational Resilience Act has been directly applicable EU law since 17 January 2025 for banks, insurers, payment service providers, crypto-asset providers, and a large segment of the financial mid-market. Article 28 requires a written, tested exit plan for every critical ICT third-party service provider, including a transition architecture. Hyperscalers such as AWS, Azure, and Google Cloud are classified as critical third-party service providers as soon as they support core business functions. In 2025 Germany's BaFin conducted several supervisory conversations about missing exit plans — consequences range from formal requirements to special audits.

Second, the EU Data Strategy and the Data Act, which has been fully applicable since September 2025. Articles 23 to 31 of the Data Act govern provider switching for data processing services and explicitly require "functional equivalence" and "switchability" — changing a cloud provider must genuinely be possible within an agreed timeframe, data must be made available in a structured, commonly used, machine-readable format, and switching fees will be banned from 2027 onwards. For affected companies this means: no more architectures that make a switch practically impossible.

Third, KRITIS and NIS2. Operators of critical infrastructure — energy, water, healthcare, transport, finance, telecommunications — are required under the BSI Act and the NIS2 transposition to manage their dependencies on individual service providers and to demonstrate resilience concepts. A purely single-cloud architecture without an exit plan is no longer acceptable for KRITIS audits.

Operationally, a second wave adds further pressure — not regulatory, but economically decisive: cyber-insurers now explicitly ask about reversibility, supplier audits by major industrial customers include standard questions on exit plans, and investors treat cloud lock-in as a risk factor in due-diligence processes. A company without an exit strategy pays higher premiums, loses contracts, or receives lower valuations.

Understanding the Four Lock-in Tiers

"Vendor lock-in" is not a binary state but is distributed across four distinct dimensions. Anyone planning an exit without separating these tiers is planning around the wrong problem.

TierWhat it meansTypical symptoms
Workload lock-inApplications use proprietary services of the provider — Lambda, Step Functions, EventBridge, Azure Functions, Cloud Run-specific triggersCode cannot be run on another platform without re-engineering
Data lock-inData resides in proprietary formats or databases — DynamoDB, Cosmos DB, BigQuery, Aurora-specific features, S3 Glacier structuresMigration requires export–transform–reimport and schema adjustments; egress costs are substantial
Skill lock-inThe team only knows one provider's tools; all automation is written in vendor-specific CLIs and SDKsMigration fails due to re-skilling effort and the cost of porting an established tooling landscape
Contract lock-inMulti-year reserved-instance bookings, enterprise discount programmes, marketplace contracts tied to a single providerTermination results in residual-value loss and contractual penalties; switching is economically unattractive

An effective exit strategy addresses all four tiers. From our consulting practice, workload lock-in is the most common bottleneck — many mid-market companies have made intensive use of proprietary managed services in recent years because they were more productive in the short term. Data lock-in is the most expensive bottleneck, because egress costs and schema transformations quickly reach six-figure sums. Skill lock-in is the underestimated bottleneck — even if the architecture is portable, an exit fails if nobody on the team can operate the alternative platform. Contract lock-in is the easiest bottleneck — it can be avoided by keeping contract terms short and consciously limiting reserved-instance bookings.

Which Services Are Particularly High-Lock-in

Not all cloud services are equally problematic. From an exit perspective, hyperscaler offerings broadly fall into three classes.

Highly lock-in-prone — deliberate avoidance recommended. These services bind so deeply to the provider that switching means months of re-engineering.

Moderately lock-in-prone — acceptable with a reversibility wrapper. These services can be replaced with manageable effort if the abstraction is kept clean.

Low lock-in risk — use without concern. These services are essentially standardised building blocks.

Request a free cloud exit consultation

Do you need to demonstrate an exit plan for DORA, NIS2, or KRITIS, or do you want to make your architecture more reversible? We offer a free 30-minute initial conversation — we assess your current lock-in depth, identify the critical services, and outline a realistic exit path with a cost framework.

Request a free cloud exit consultation

Building Blocks of a Robust Exit Plan

An exit plan is not a Word document that gets signed off by an auditor once a year, but a living, multi-part construct comprising an inventory, mapping, architecture decisions, and test restores. The following five building blocks belong in every DORA-compliant plan.

Data Migration Paths

The data layer is by far the most expensive and slowest part of an exit. Three migration patterns have proven themselves in practice.

Online migration with Change Data Capture. Suitable for databases with high availability requirements. Tools such as Debezium or pgAudit replicate changes in real time to the target database, which becomes consistent after a multi-day sync run. The cut-over moment is a brief read lock. Advantage: minimal downtime. Disadvantage: complex preparation, double licensing costs during migration.

Snapshot restore with controlled cut-over. Suitable for databases with a plannable maintenance window. Export a snapshot, restore in the target environment, cut over with a DNS switch or load-balancer change. Advantage: simple, easy to test. Disadvantage: longer downtime, typically 2 to 12 hours.

Bulk export with format transformation. Necessary for proprietary databases such as DynamoDB, Cosmos DB, or BigQuery. Export to CSV or Parquet, transform the schema to a relational or document-based target structure, bulk import. Advantage: the only option for deep lock-in. Disadvantage: complex, error-prone, significant downtime.

Egress costs are a central line item. Hyperscalers historically charge between 0.02 and 0.09 euros per gigabyte of outbound traffic — for a 50-terabyte dataset that is 1,000 to 4,500 euros per full export. The Data Act will ease this from 2027, but the costs are still real today and must be included in every business case.

Architecture Decisions That Guarantee Reversibility

The most important insight from completed exits: reversibility is not created at the time of exit, but at the time of build. Architecture decisions made consciously today determine whether an exit in three years costs 200,000 or 2 million euros.

AreaLock-in variantPortable alternative
ComputeLambda, Azure Functions, Cloud Run with vendor-specific triggersOCI containers on Kubernetes or Knative, with standardised event sources
DatabaseAurora-specific features, DynamoDB, Cosmos DB, BigQueryPostgreSQL with standard extensions, Postgres with JSONB instead of NoSQL, ClickHouse for analytics
Container orchestrationECS, Fargate, Azure Container AppsStandard Kubernetes (EKS, AKS, GKE, or self-managed) with identical manifests
IdentityCognito, Azure AD B2C, Firebase AuthKeycloak or Authentik, OIDC standard, portable between clouds
MessagingEventBridge, Azure Service Bus with proprietary filtersApache Kafka, NATS, RabbitMQ
Infrastructure as CodeCloudFormation, ARM Templates, Deployment ManagerTerraform or OpenTofu with cross-provider modules

Portable architecture typically costs 5 to 15 percent more to operate than an architecture fully tailored to a single provider — self-managed database operations, self-managed authentication, your own Kafka cluster instead of managed eventing. These additional costs are the insurance premium for reversibility. For more detail on IaC decisions see our cluster on Terraform IaC Best Practices, for the fundamental provider choice our comparison of AWS vs. Azure vs. GCP, and for the multi-cloud discussion Multi-Cloud vs. Single-Cloud.

Contract Clauses That Should Be in Every Cloud Contract

The legal side of an exit is underestimated in many mid-market contracts — standard terms and conditions from hyperscalers are not DORA-compliant and do not contain adequate exit guarantees. At least five clauses belong in every negotiating mandate.

Testing the Exit — Otherwise It Doesn't Exist

The biggest difference between a Word-document exit plan and a robust exit plan is the test. DORA explicitly requires that exit plans be regularly "tested, reviewed, and updated" — and the BaFin takes this seriously. In practice this means at least one annual exit test at one of these three depths.

Tier 1: Tabletop exercise. Management and IT leadership walk through the exit plan in a multi-hour workshop — who does what, when, with which tools. Effort: 1 to 2 person-days. Benefit: reveals gaps in the plan, validates responsibilities. Sufficient for low criticality.

Tier 2: Partial restore of a workload. A non-critical workload is actually restored in the second cloud — end-to-end, with data and application layer. Effort: 5 to 15 person-days. Benefit: validates data paths and architecture assumptions. Standard for DORA-compliant programmes.

Tier 3: Full failover exercise with load. A critical workload is fully operated in the second cloud, including production load and cut-over. Effort: 20 to 60 person-days. Benefit: validates the real exit path including performance and costs. Recommended every two to three years for KRITIS- and DORA-regulated entities.

What Does a Real Cloud Exit Cost?

The cost of a full cloud exit depends heavily on lock-in depth, data volume, and time pressure. The table below shows typical ranges for mid-market companies — intended as guidance; precise estimates require an inventory workshop.

Exit scenarioTotal one-time costDurationExternal person-days
Container and Postgres stack without proprietary services (50–200 employees)120,000–280,000 €6–9 months60–140
Standard mix with moderate managed-service usage (200–500 employees)280,000–620,000 €9–15 months140–320
Deep lock-in with serverless and proprietary DBs (500–1,500 employees)620,000–1,400,000 €15–24 months320–700
Pure reversibility preparation without an actual exit40,000–120,000 €3–6 months20–60

The main cost items are re-engineering proprietary services, parallel operations during migration, data egress charges, external consulting, and internal personnel. The ongoing additional cost of a portable architecture compared to one fully tailored to a single provider is around 5 to 15 percent of operating costs. That is the insurance premium for reversibility — and compared to the one-time cost of an unplanned exit under pressure, it is always the cheaper option.

Reepa Cloud Exit Audit

We offer a structured cloud exit audit that evaluates the DORA and Data Act compliance of your current cloud architecture in three to six weeks. The audit covers a complete workload inventory with lock-in classification, a service substitution mapping, an assessment of existing contracts against the five key clauses, a written exit plan in a DORA-compliant structure, and a one-page management report with risk assessment and effort estimate. Optionally, we conduct the first Tier 2 test in a second cloud.

Frequently Asked Questions

Is a cloud exit strategy truly mandatory for German mid-market companies?

For financial services firms and insurers it has been mandatory since 17 January 2025 under DORA — Article 28 requires a documented exit plan for every critical ICT third-party service provider, including hyperscalers. For KRITIS operators the obligation arises from the IT Security Act and NIS2. For all other mid-market companies it is not formally required, but practically indispensable — supplier audits by major industrial customers and cyber-insurers now routinely ask about reversibility, and without an exit plan a cloud architecture becomes de facto irrevocable.

How long does a realistic cloud exit take?

A full exit from a hyperscaler typically takes a mid-market company between 9 and 24 months, depending on lock-in depth. Pure container and database workloads without proprietary managed services can be migrated in 6 to 9 months. Workloads with deep ties to proprietary services — SageMaker, Cosmos DB, BigQuery, vendor auth such as Cognito or Azure AD B2C — require 12 to 24 months of re-engineering. DORA requires that the exit is genuinely achievable within the contractually agreed timeframe, typically between 6 and 12 months.

Is a multi-cloud architecture sufficient as an exit strategy?

No. Multi-cloud only means that multiple providers are used in parallel — it does not automatically mean that one provider can be replaced at short notice. An effective exit strategy also requires portable architecture building blocks (containers, open databases, open identity standards) and a tested failover path. Multi-cloud without portability is double lock-in. More on this in the cluster on Multi-Cloud vs. Single-Cloud.

What does a real cloud exit cost?

One-time exit costs for a mid-market company typically range from 150,000 to 1.2 million euros — depending on workload size, lock-in depth, and time pressure. The main costs are data egress charges at the hyperscaler, re-engineering proprietary services to open alternatives, parallel operations during migration, and external consulting. Add the ongoing overhead of portable architecture — typically 5 to 15 percent higher operating costs compared to an architecture fully tailored to a single provider.

Which contract clauses should be in every cloud contract?

At least five: first, a right to data repatriation in a documented, machine-readable format at no extra cost; second, a contractually guaranteed exit period of at least six months from termination; third, full data deletion with written confirmation after exit completion; fourth, an obligation to provide advance notice of service discontinuation or major price increases; fifth, access to audit reports and service descriptions that enable a substitution mapping. DORA-regulated entities additionally need clauses on supervisory communication and sub-contractor transparency.

Ready to build your DORA-compliant cloud exit plan?

Let's talk for 30 minutes, no obligation. We assess your current lock-in depth, review your contracts against the key exit clauses, and outline a realistic roadmap for a documented, testable exit programme — including effort and cost estimates.

Schedule a 30-minute call
Emre Yilmaz
Emre Yilmaz · DevOps Engineer · Reepa Solutions

IT security and cloud architect with over ten years of experience. Together with his team he develops Reepa Security, an offensive audit platform for the mid-market. He writes regularly about cloud architecture, DORA, NIS2, and cloud exit strategies.

Reviewed: 22 May 2026 · More about Emre

More from our knowledge hubs

🛡
Security
Cybersecurity
15 articles →
🧠
Artificial Intelligence
AI for the Mid-Market
15 articles →
Infrastructure
Cloud & DevOps
15 articles →
💻
Development
Software Development
15 articles →