In 30 places, it's also very illegal to do business with vendors who ransom your data, if you're in finance, i.e. an entity covered by the Digital Operational Resilience Act; NIS2 (27 places) doesn't spell it out but also requires business continuity planning. Natural persons in the EU+EEA also retain a right to data portability under GDPR, and there are data access/portability provisions in the EU Data Act and DMA. Many legal frameworks require the covered entity to be 'in control' of vendors and data. Proactive legalese allowing the vendor to ransom your data is not quite in line with that requirement; in many sane jurisdictions such clauses would be found unenforceable.