The Data Act is set to become the EU’s central data law and is being updated by the Commission for this purpose. We explain what the planned changes mean for businesses and whether they will really create more legal certainty.
Note: The draft amendment to the Data Act still has to go through the European Union’s legislative process and may be significantly changed in the course of this process.
Reforms through Omnibus IV
The EU is planning a far-reaching overhaul of its data regulation. The draft of the European Commission’s so-called digital Omnibus package (Omnibus IV), published on 19 November 2025, aims to adapt and better harmonise numerous existing regulations, from the Data Act to the AI Act to the GDPR, in a single step.
The adjustments are not intended to create new obligations, but rather to make existing rules simpler and thus more practical.
The planned changes to the Data Act
The draft digital omnibus package aims to further develop the Data Act in such a way that it creates a clear and reliable framework for improved data access. This expanded access, in turn, is intended to promote competition and enable innovation.
In this context, the following adjustments to the Data Act are planned:
Data Act becomes the main regulation for European data law
The Data Act will become the EU’s central data law. To this end, the European Commission is integrating several existing legal acts into the Data Act:
- the Open Data Directive (2019);
- the Data Governance Act – DGA (2022);
- the Regulation on the free flow of non-personal data – FFDR (2018).
The result is a uniform legal framework for data use, data access, and interoperability, which should contribute to greater legal certainty.
Important clarifications of terms in the Data Act
The harmonisation also affects key terms within the Data Act itself.
- For example, the term “data owner” has been redefined and its meaning clarified. Whereas previously a person was considered a data owner if they ensured both access to data and its availability, the Data Act now defines a data owner as a person who ensures data access and/or data availability. This significantly broadens the circle of those affected.
- In addition, the Data Act contains an explicit definition of the term “anonymisation” for the first time.
- The Data Act also adopts key definitions from the GDPR, including those for “consent” and “pseudonymisation”, by referring directly to the GDPR.
Strengthening the protection of trade secrets
Companies are given additional protection mechanisms if they wish to deny access to trade secrets. Currently, they are allowed to do so if there is a risk of serious economic damage or if the data recipient refuses to take appropriate technical and organisational measures.
Under the Omnibus IV draft, refusal would also be possible if there were a high risk that data could be transferred to third countries without adequate protection or to companies under the control of such third countries.
Public emergency becomes sole legal basis for government data access
Authorities were already only allowed to demand the disclosure of data from data owners in cases of “exceptional necessity”; the draft of the digital Omnibus package now restricts this approach further.
The current Articles 14 and 15 of the Data Act are to be completely deleted. Instead, the Omnibus IV draft introduces the new Art. 15a Data Act. According to this, government access to data is only permissible for the purpose of managing or mitigating a public emergency.
At the same time, clear prioritisation is introduced. Non-personal data should be disclosed as a matter of priority. Only if this is not effective may authorities request personal data, and this should be in pseudonymised form wherever possible. This prioritisation concept was already found in the recitals and has now been incorporated into the law.
Despite this prioritisation, the tension between data access obligations and data protection remains. The disclosure of pseudonymised or even personal data in a crisis continues to raise questions about compatibility with the GDPR, purpose limitation, data minimisation, and the risks of re-identification. It therefore remains unclear for companies how they should act in accordance with data protection regulations in an emergency.
Another change is that metadata may now also be explicitly requested.
Micro and small enterprises remain unaffected by these obligations under Art. 14 et seq. of the Data Act, even under the draft digital Omnibus package.
Exceptions to cloud switching obligations
The Data Act contains extensive obligations for cloud providers, in particular the switching obligations under Art. 23 et seq. Data Act. These are somewhat mitigated by the Omnibus draft. The following two exceptions now apply:
- for existing contracts concluded before or on 12 September 2025 and relating to individually tailored services,
- for SMEs and SMCs with existing contracts concluded on or before 12 September 2025.
These contracts may continue unchanged until the end of their regular term, which is an important signal to smaller providers who would otherwise have had to make technical adjustments.
Data sandboxes and new support structures
In addition to the changes within the Data Act, the EU is also pursuing a so-called Data Union Strategy. According to this, member states may now officially set up so-called data sandboxes, i.e. controlled test environments in which companies can try out new data exchange models, interfaces, or interoperability solutions under regulatory supervision. The aim is to promote innovation and new business models without having to intervene directly in live operations.
The European Commission has also announced that it will set up a Data Act Legal Helpdesk to answer questions about data access rights, obligations, and contract design. This is primarily aimed at SMEs.
An official FAQ from the European Commission on the Data Act is already available.
Conclusion
The digital Omnibus draft is intended to represent a further step towards harmonised and practical European data regulation. The upgrading of the Data Act to a central data regulation, more precise definitions, and relief in the area of data access and interoperability will certainly create a more practical legal framework.
At the same time, however, existing challenges remain, particularly when it comes to dealing with data protection requirements in the context of data access obligations.
Despite the adjustments envisaged in the digital Omnibus bill, practical application is therefore likely to change only to a limited extent.
