
The Data Act (Regulation (EU) 2023/2854) has been applicable since 12 September 2025 and aims to make the European data economy fairer and more competitive. However, the European Commission now intends to amend the Data Act once again.
The reason: the EU’s digital regulatory framework has become too complex and needs to be simplified, clarified, and improved. With the proposal for a Digital Omnibus Regulation, the European Commission suggests amendments to several laws, including the GDPR and the AI Regulation discussed in earlier blogs. However, the proposed changes to the Data Act go beyond mere textual adjustments. Below, we outline the three most significant changes.
(insertion of Chapter VII bis, Chapter VII ter and Chapter VII quater)
In recent years, an increasing number of European data regulations have been introduced, resulting in a complex and fragmented framework with overlapping obligations and uncertainty about which rules apply in which situations. The proposal aims to bring order to this by incorporating three existing regulations into the Data Act and subsequently repealing them:
As a result, the Data Act will become the central framework for the European data economy. The substance of the repealed regulations will be integrated into three new chapters: Chapter VII bis on data intermediation services and data altruism, Chapter VII ter on the free flow of non-personal data, and Chapter VII quater on the re-use of public sector data. This is a significant change: organisations that have structured their compliance around the separate regulations will need to revise their approach.
(replacement of Articles 14 and 15 by new Article 15 bis)
Under the current Data Act, public authorities may request data from companies where this is “exceptionally necessary.” This is a vague criterion that leaves considerable room for interpretation in practice. The proposal replaces this with a stricter threshold: authorities may only request data in the event of a “public emergency.”
In such a situation, two types of requests are possible. The first type may be made where necessary to respond immediately to the emergency; the second type may be used to mitigate or support recovery measures after the emergency.
Under the first type of request, both personal and non-personal data may be requested. Personal data must, as far as possible, be provided in pseudonymised form, and the provision must be free of charge. Under the second type of request, only specific non-personal data may be requested.
Moreover, such requests may not be addressed to micro-enterprises and small enterprises. Companies that provide data under the second type of request are entitled to fair compensation. This means that such requests do not have to be complied with free of charge. This stricter framework provides companies with greater certainty about when authorities may request data, but it also requires a clear understanding of the applicable procedures.
(amendment of Article 4(8) and Article 5(11))
The Data Act requires companies, in certain cases, to share data with users of their products. This raises the question: what if that data contains trade secrets, and what if it ultimately ends up with parties in jurisdictions with limited legal protection? These risks need to be addressed.
The proposal introduces a specific ground for refusal. A company may refuse to share data with a user if it can demonstrate that there is a high risk that its trade secrets will be unlawfully used or disclosed to entities outside the EU (or to EU-based companies that are directly or indirectly controlled by such entities) that are subject to legal systems offering weaker protection than EU law.
The same right of refusal applies where a third party is the recipient. The refusal must be substantiated in writing with concrete facts, and the competent supervisory authority must be informed. While this is a useful addition to the existing framework, the threshold is high: demonstrating a “high risk” requires thorough preparation and a well-defined internal policy.
These three proposed changes show that the proposal moves in two directions at once: on the one hand, simplification and reduction of administrative burdens; on the other, stricter rules where the current framework appears insufficient. The consolidation of three EU instruments into a single regulation is the most structural change and requires a reassessment of existing compliance programmes. The stricter rules on government access to data and the enhanced protection of trade secrets provide companies with greater clarity. Although the proposal has not yet been adopted, it is advisable to closely monitor developments and, where possible, begin preparing for the new rules.
If you have any questions, please contact Hieke van Druten, Attorney at Law IT, Privacy & Cybersecurity, or one of our other specialists within the IT, Privacy & Cybersecurity team.