EU Digital Omnibus package: Major Changes to the Data Act Proposed

The European Commission unveiled a comprehensive overhaul of Europe's digital regulatory framework on 19 November 2025. Whilst these are only proposals, subject to the outcome of the EU legislative process, they should be considered as the Commission's view and starting point for simplifying and streamlining Europe's data rules whilst maintaining robust protections.

The changes outlined below focus exclusively on the Data Act and represent only a selection of the amendments contained in the proposal called the “Digital Omnibus Regulation” – the full package is far more extensive including:

  • Establishing a single reporting point for all incidents under the GDPR, NIS2, DORA and the upcoming CER;
  • Abolishing the P2B Regulation;
  • Changing the “cookie consent” rule;
  • Amending the definition of personal data and special category data; and
  • Allowing the processing of personal data to train AI models based on a legitimate interest.

The Commission has also presented another regulation exclusively focused on reform of the AI Act called “Digital Omnibus on AI”, which we will cover in a separate update.

Furthermore, the Commission published on 19 November 2025 the (overdue) Recommendation on non-binding model contractual terms on data access and use, and non-binding standard contractual clauses for cloud computing contracts under the Data Act, which we will analyse in a separate update.

Data Act: Key proposed changes

The Commission continues to pursue its goal of reconciling innovation and data availability with safeguarding the rights and interests of data holders. The proposed amendments aim to reduce burdens while clarifying the law and strengthening Europe's competitive position. According to the draft, this involves addressing four interconnected challenges:

  • Protection of trade secrets against the risk of leaks to third countries in the context of the mandatory IoT data-sharing provisions (Chapters 2 and 3 of the Data Act).
  • The current fractured and complex B2G framework is partly outdated and casts too wide a net, creating legal uncertainty.
  • The rules on essential requirements for smart contracts in data-sharing agreements have proven unclear in practice.
  • The provisions enabling switching between cloud and data processing services remain crucial for opening up the data market but are inappropriate for legacy contracts regarding custom-made data processing services and overly burdensome not only for small and medium-sized enterprises (SMEs) but also for small mid-caps (SMCs).

The Commission suggests addressing these issues as follows: 

  1. Protecting trade secrets in a global economy

Responding to the first challenge, the proposal introduces new safeguards for businesses concerned about their confidential information ending up in the wrong hands. Under Articles 4(8) and 5(11) of the Data Act Draft, data holders could refuse to hand over information to users where there is a substantial risk that trade secrets could be unlawfully acquired, used, or disclosed to entities in third countries, particularly those operating under legal regimes that offer weaker protection than the EU. This amendment addresses genuine concerns raised by numerous EU businesses about exposing valuable information to jurisdictions where legal safeguards fall short. The refusal must be based on a case-by-case assessment of all objective factors.

  2. Business-to-government data sharing gets narrower

Addressing the second challenge, the proposal significantly narrows the circumstances under which public authorities can demand data from businesses. The trigger would shift from broadly defined "exceptional needs" to specifically defined "public emergencies" only. A new Article 15a Data Act Draft would become the single gateway for such requests, applicable only when data is genuinely necessary to respond to a public emergency or to help mitigate or recover from one. This brings much-needed precision to what was previously an uncomfortably vague obligation. Crucially, microenterprises and small businesses would gain the right to seek compensation when required to provide data during emergencies – acknowledging that compliance costs can be high, especially for smaller players. Larger data holders would continue to provide data without charge in these emergency situations.

  3. Three regulations merge into one

The Commission further proposes merging three separate legal instruments into the Data Act: the Free Flow of Non-Personal Data Regulation (Regulation (EU) 2018/1807), the Data Governance Act (Regulation (EU) 2022/868), and the Open Data Directive (Directive (EU) 2019/1024). This consolidation aims to establish a unified rulebook for how data held by public authorities can be reused, eliminating the overlapping and sometimes contradictory provisions that have confused businesses and public bodies alike. Outdated requirements will be swept away, replaced with a coherent set of rules. 

  4. Voluntary certification and trust-building

The mandatory regime for data intermediary services, stemming from the Data Governance Act, is being reimagined as a voluntary, trust-enhancing framework. This allows neutral market players to differentiate themselves whilst reducing regulatory overhead. Under the proposed rules, the Commission would maintain a public EU register listing recognised data intermediation service providers and recognised data altruism organisations, creating transparency and helping businesses identify reliable partners in the data-sharing ecosystem.

  5. Smart contracts clarified

Tackling the third challenge, the proposal eliminates, without replacement, Article 36 of the Data Act, which sets out essential requirements for smart contracts used in data-sharing arrangements. This removal is designed to resolve legal uncertainties and encourage innovation in how businesses structure their data-sharing deals, giving companies more room to develop solutions that work for their specific circumstances.

  6. Cloud switching slightly adjusted

Responding to the fourth challenge, the amendments introduce a lighter regime for custom-made data processing services (i.e., which are not off-the-shelf and would not function without prior adaptation), but only if provided under contracts concluded before or on 12 September 2025. Similarly, SMEs and small mid-caps providing services other than infrastructure-as-a-service under contracts signed before or on 12 September 2025 would get exemptions from certain requirements. A clarification is added that such providers could include early termination penalties in fixed-term contracts. These changes aim to ease burdens on providers of bespoke services and smaller companies, whilst still working towards the goal of eliminating vendor lock-in. They also reflect the Commission’s stance on early termination fees, a topic that has been heavily discussed in the past 6 months. 

What this means for your business?

The Data Act amendments signal a clear first step towards pragmatism and proportionality. Consolidating three separate legal instruments into a single framework will eliminate some confusion and duplication that have made navigating Europe's data rules a headache.

For EU businesses operating in global markets, the strengthened trade secrets protections offer welcome reassurance. If you are worried about disclosing sensitive information to users in jurisdictions with weak safeguards, you will have a clear legal basis to refuse – if you can convincingly demonstrate the risk.

However, many challenges posed by the broader EU digital acquis remain unsolved. Businesses should assess whether the proposed changes impact their current activities and monitor further developments closely.

What's next?

As mentioned, the Omnibus reform package also includes proposals addressing amendments to the GDPR and the AI Act. In addition, the Recommendation on non-binding model contractual terms on data access and use and non-binding standard contractual clauses for cloud computing contracts under the Data Act has been published and will now be translated into all EU languages by March 2026 at the latest. As for the next steps, the Commission is expected to publish the Guidelines on reasonable compensation to clarify what can be charged to data recipients for data sharing under Article 5 of the Data Act and to work on a Data Act legal helpdesk to assist companies with concrete questions on how to apply the new rules.

The overall legislative process is outlined below. We will continue to monitor developments throughout the legislative process and keep you informed of any changes that may affect your business operations.

Legal legislative process:

  • Late November–December 2025: The European Commission will send its proposals for the Digital Omnibus package to the European Parliament, which will allocate the package to the relevant committee(s). The Committee on the Internal Market and Consumer Protection (IMCO), the Committee on Industry, Research and Energy (ITRE) and the Committee on Civil Liberties, Justice and Home Affairs (LIBE) are likely to play leading roles. Political groups will then nominate a rapporteur and shadow rapporteurs to draft the Parliament’s report in the relevant Committees;
  • From January 2026: Members of the European Parliament (MEPs) will discuss and table amendments to the proposals during Committee meetings, with the aim of adopting a final Report by Q1 2026;
  • Council discussions: In parallel, representatives of the 27 EU Member States in the Council will begin technical talks to prepare their position, known as a ‘general approach’, expected in Q1 2026;
  • By Q2/Q3 2026: Once the responsible European Parliament Committee(s) have adopted their final Report, this Report has been endorsed by a vote of all MEPs in plenary session, and the Council has agreed on its approach, interinstitutional “trilogue” negotiations between the European Commission, European Parliament, and Council will begin (likely in spring 2026) to reach a compromise text on the proposal;
  • Possible acceleration: This timeline could accelerate if the European Parliament decides to apply its urgent procedure under Rule 170 of its Rules of Procedure, as it has done for previous omnibus packages. This would allow the proposal to bypass the full Committee stage and go directly to a vote during a Parliament plenary session, potentially enabling adoption as early as Q1 2026. This fast-track option reduces opportunities for amendments and shortens stakeholder engagement windows;
  • Final adoption: Under the standard process, adoption is expected by mid-2026, or earlier if the urgent procedure is triggered.

How our Regulatory & Public Affairs team can help:

  • Monitoring and Intelligence: Tracking developments in real time, including Committee debates, amendments, the positioning of political parties and deadlines;
  • Advocacy Strategy: Preparing tailored engagement plans to position your priorities effectively during the examination of the proposals by the EU institutions and during the trilogue negotiations;
  • Messaging and Outreach: Drafting briefing materials and voting recommendations, in addition to facilitating direct dialogue with policymakers to ensure your voice is heard.
