Regulating Data: EU Data Act & More - November Edition

Welcome to the third edition of Regulating Data: EU Data Act & More.

The EU is fundamentally reshaping its digital legal landscape, reducing complexity and creating new opportunities for businesses across Europe. In this rapidly evolving environment, understanding the latest legal and regulatory changes is essential for making informed decisions and staying ahead of the curve. This newsletter summarises the key developments and practical implications for your organisation, including:

• The Digital Omnibus Proposal: How the Commission plans to streamline and unify the EU’s digital legal regime.
• Data Union Strategy: How the Commission aims to simplify compliance with the Data Act, support businesses with practical tools, and strengthen EU data sovereignty in the context of AI and global.
• National Implementation Laws: The current status of Data Act implementation laws across Member States, including enforcement authorities and sanctions.
• Standardisation and Interoperability: The latest on technical standards and interoperability requirements that will affect your business strategy.

Please also check out our webinar series on the Data Act.

1. The Digital Omnibus Proposal: Reshaping the EU’s Digital Legal Landscape

The Digital Omnibus proposal represents a significant step towards consolidating and harmonising the EU’s digital framework. By merging key regulatory acts, the Commission aims to reduce overlaps and inconsistencies in existing legislation. The proposal is intended to provide clearer rules and facilitate compliance for both businesses and public authorities.

1.1 Background

The European Union’s regulatory framework has become increasingly complex, sometimes hindering competitiveness and innovation. In response, the European Commission initiated a call for evidence as part of the Digital Omnibus process, as detailed in our previous newsletter. Stakeholders provided their feedback and suggestions until 14 October 2025.

1.2 Stakeholder Perspectives

The German Federal Government (Bundesregierung) and over 500 other stakeholders provided feedback on the Digital Omnibus, emphasising the need for simplification, legal clarity, and a more innovation-friendly regulatory environment.

(A) German Priorities for the Digital Omnibus

Germany emphasised the need for a coherent and simplified regulatory framework. It called for robust impact assessments, including growth forecasts and an annual KPI dashboard, so that digital legal acts could be adjusted if targets were not met. National competent authorities should be appointed only where strictly necessary, such as for fundamental rights, while private disputes are more efficiently resolved privately. Germany also urged the Commission to support regulatory sandboxes and further streamline EU governance.

Furthermore, the Bundesregierung advocated for unified and clearer definitions in the Data Act, noting that current terms remained too vague. The government supported reducing information and notification obligations, reviewing contractual requirements for non-personal data sharing, and granting medium-sized and small mid-cap companies more time to adapt. It also called for the removal of certain provisions, such as those on smart contracts and excessive information duties, to lower compliance burdens and foster innovation.

(B) Broader Stakeholder Input

Other stakeholders, such as the Austrian Federal Economic Chamber, highlighted the importance of reducing burdens for smaller businesses and practical digitalisation, while France Digitale (Europe’s biggest Startup Association) requested clarification on whether the Data Act applies both to SaaS offered directly by cloud providers and to SaaS provided by third-party service startups.

(C) Overall Feedback

Across the board, there was strong support for reducing overlaps between digital laws, harmonising reporting obligations, and ensuring legal clarity.

1.3 European Commission’s Proposal

On 19 November 2025, the European Commission has launched the Digital Omnibus proposal as part of a broader effort to simplify, clarify, and harmonise digital legislation. This initiative aims to streamline the rules, reduce the number of laws and harmonise provisions. The Digital Omnibus introduces targeted technical amendments across key areas such as data sharing, cybersecurity, and artificial intelligence, ultimately fostering a more predictable and business-friendly digital environment.

Notably, the Commission mentioned the tabling for its proposal for a European Business Wallets Regulation to simplify digital compliance for companies and is conducting a Digital Fitness Check to assess and further align the cumulative impact of digital rules, including the Data Act, on EU competitiveness.

(A) Due to the fragmented EU’s data legislation including certain overlaps, inconsistencies in definitions, and uncertainties regarding how the different instruments interact, the Digital Omnibus proposal aims to incorporate the following frameworks into the Data Act:

• Regulation (EU) 2018/1807 (Free Flow of Non-Personal Data Regulation): Most of its provisions, except for those on data localisation, will be repealed. The prohibition of localisation requirements for non-personal data withing the Union will be integrated in Chapter VIIb of the Data Act.
• Regulation (EU) 2022/868 (Data Governance Act): Rules on data altruism and data intermediation services are merged into the Data Act to make these mechanisms more attractive and effective.
• Directive (EU) 2019/1024 (Open Data Directive): The Open Data Directive will be repealed, noting that its substantive provisions are incorporated the Data Act without significantly altering the powers granted to Member States.

As a result, the Data Act becomes the single, consolidated legal instrument for Europe’s data economy, with the above regulations and directive being repealed. This consolidation aims to reduce legal complexity, harmonise definitions, and make compliance easier for businesses and public administrations.

1.4 Key Substantive Amendments to the Data Act

The Digital Omnibus introduces a series of targeted amendments to the Data Act. The following section outlines the most relevant changes and their practical implications.

• Expanded and Harmonised Definitions. The proposal amends and supplements the definitions in the Data Act (Article 1(2) Data Act), introducing new terms and clarifying existing ones. This aims to ensure consistency across the consolidated legal framework. For example, the terms “access”, “data holder” and “data intermediation service” and “anonymisation” will be (newly) defined.
• Stronger Safeguards for Trade Secrets. New Articles 4(8) and 5(11) of the Data Act will allow data holders to refuse disclosure of trade secrets to users or third parties if there is a high risk of unlawful acquisition, use, or disclosure to third countries with weaker protections. Such refusals must be “duly substantiated” and notified to the competent authority. This addresses concerns about the leakage of sensitive business information in the context of mandatory data sharing.
• Narrowed Scope for Business-to-Government Data Requests. The scope of Chapter V (making data available to the administration) is narrowed from “exceptional needs” to “public emergencies” only. Articles 14 and 15 of the Data Act are to be deleted, and a new Article 15a will be introduced, which sets out that public sector bodies may only request data from businesses when necessary to respond to, mitigate, or recover from a public emergency (e.g., natural disasters or major cybersecurity incidents). This reduces the risk of overbroad government access to business data.
• Exemptions for Cloud Switching Rules. The rules on switching between data processing services (Chapter VI) will be softened. Through Article 31 Data Act, a lighter regime is targeted, if “the majority of features and functionalities of the data processing service has been adapted by the provider to the specific needs of the customer” (= custom made software) and for services provided by SMEs and SMCs (250— 749 employees) under contracts concluded before 12 September This is accompanied by a clarification that the abovementioned providers “can include early-termination penalties in fixed-term contracts“. Overall, these exemptions consider the specificities of smaller or highly customised service providers. The Staff Working Document accompanying the Digital Omnibus proposal estimates that these exemptions could save businesses around 1 billion euros for custom-made contracts and 500 million euros for SME and SMC contracts across the EU.
• Removal of Smart Contract Requirements. The obligation for providers of smart contracts to comply with essential requirements (Article 36 Data Act) is to be removed completely. As explained in the Staff Working Document, Article 36 was criticised by industry stakeholders for its unclear scope and the risk of unintentionally covering a wide range of DLT-based smart contracts and automated software features. The Staff Working Document highlights that, given the early and experimental stage of smart contract development, detailed regulatory requirements could stifle innovation and lock in specific technologies. The removal is therefore intended to reduce regulatory complexity and maintain flexibility for future innovation.
• Extended Support for SMEs and SMCs. Already existing support measures for SMEs are extended to also cover SMCs, reducing compliance burdens and facilitating participation in the data economy. Beyond the eased cloud switching rules, SMEs and SMCs shall benefit from simplified procedures and targeted incentives, making it easier for them to access and re-use data under the Data Act (Article 32ab).

2. The Data Union Strategy

The European Commission’s “Data Union Strategy”, presented on 19 November 2025, addresses the EU’s ambition to unlock high-quality data for artificial intelligence and to strengthen Europe’s competitiveness in the global digital economy. While much of the strategy is dedicated to scaling up data access for AI and supporting innovation, it also introduces several proposals directly relevant to the Data Act, aiming to simplify compliance, harmonise rules, and enhance legal certainty for businesses and public authorities.

2.1 One-Click Compliance and Digital Business Wallets

A central Data Act-relevant initiative is the move towards “one-click compliance.” The Commission recognises that companies currently spend significant resources on compliance, often duplicating efforts across authorities. Building on pilot projects and digital product passports, the strategy proposes machine-verifiable regulatory requirements and standardised digital compliance certificates.

The forthcoming European Business Wallets Regulation (see above) will be a key enabler, providing a secure digital environment for storing and sharing verifiable credentials, including those required under the Data Act. This infrastructure is intended to streamline regulatory reporting and reduce administrative burdens, especially for SMEs and SMCs.

2.2 Support Measures for Data Act Implementation

The Commission highlights the Data Act as the central set of rules for data use and sharing in the EU. To ensure that companies can focus on innovation, the Commission has already published FAQs (as mentioned in October’s edition of our newsletter) and will roll out further support measures. These include model contractual terms for data sharing, standard contractual clauses for cloud services, guidelines on reasonable compensation, and a dedicated Data Act legal helpdesk. These tools are designed to reduce legal complexity, cut transaction costs, and provide legal certainty for both data holders and data recipients.

2.3 Data Sovereignty and International Data Flows

The Data Union Strategy also addresses the protection of EU data sovereignty, which is closely linked to the Data Act’s provisions on data access, use, and cross-border transfers. The Commission will issue guidelines to assess the fair treatment of EU data abroad and develop an anti-data-leakage toolbox to counter unjustified localisation, exclusion, and weak safeguards. These measures are intended to ensure that European companies can compete globally while sensitive EU data remains protected.

3. German Federal Cabinet Adopts Data Act Implementation Law: What Businesses Need to Know

On 20 October 2025, the Federal Government of Germany (Bundesregierung – in the following also “Cabinet”) adopted the governmental draft bill (Gesetzesentwurf) for the national implementation of the EU Data Act, marking a significant milestone for competences and fines under the Data Act in Germany. The governmental draft bill remains substantively unchanged from the ministerial draft bill (Referentenentwurf), dated 5 February 2025. The Federal Ministry for Digital Transformation and Government Modernisation has stated in a press release, that this will bring an end to so-called “gold-plating”, meaning Germany will refrain from imposing additional national requirements beyond those established by the EU Data Act.

3.1 Subtle Changes from the February Draft

A close comparison of the governmental draft bill and the earlier ministerial draft bill reveals that the core provisions and the underlying reasoning remain consistent. The structure, scope, and key enforcement mechanisms are unchanged, and the explanatory notes at the end of both documents confirm this continuity. Although subtle, some changes deserve closer scrutiny.

• Central Authority: Both drafts designate the Federal Network Agency (Bundesnetzagentur. hereinafter “BNetzA”) as the main competent authority for the application and enforcement of the Data Act (section 2 Data Act-Durchführungsgesetz-Entwurf, hereinafter “DA-DG-E”), including complaint handling, market monitoring, and the approval of dispute resolution bodies.

• Data Protection Supervision: Insofar as the protection of personal data falls within the scope of the Data Act, the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, hereinafter “BfDI”) is designated as the sole competent authority (section 3 DA-DG-E). According to the explanatory memorandum, the rationale for this approach is to avoid a situation where responsibility for supervising data protection in the private sector would remain with the various state data protection authorities, which could lead to a multiplication of legal questions and divergent legal opinions among the supervisory authorities.

  This is a significant decision, as Article 37(3) of the Data Act provides that the authorities responsible for monitoring the application of the GDPR shall also be responsible for monitoring the application of the Data Act. In Germany, however, the federal structure means that supervisory responsibilities are typically divided: for private companies and state authorities, the competent authority is the respective state data protection authority (e.g., in Bavaria: Secs. 15, 18 BayDSG), while for federal authorities, the BfDI is responsible (Section 9 BDSG). The Bavarian Data Protection Authority has already declared itself competent and has based its competence directly on Article 37(3) of the Data Act.

  As a result, there will be a conflict in supervisory competence. It remains unclear how this will work in practice. Additionally, potential conflict may arise in cases where it is not immediately apparent whether data should be classified as personal or non-personal. The authorities will need to cooperate closely and establish clear procedures for determining competence and managing joint cases. The further development of this allocation should be monitored carefully.

• Coercive Fines: A further change in the governmental draft concerns the maximum amount of a coercive fine (Zwangsgeld) that the Federal Network Agency may impose to enforce orders or prohibitions. While the ministerial draft allowed for coercive fines of up to 10 million euros, the governmental draft now limits this amount to a maximum of 500,000 euros (Section 7(6) DA-DG-E). This represents a significant reduction in the potential financial pressure that can be applied in enforcement proceedings.

• Sanctions: Under section 15(4)—(5) DA-DG-E, the governmental draft provides for significant administrative fines for violations of the Data Act.

  • (A) A notable change between the ministerial draft bill and the governmental draft bill concerns the calculation and applicability of maximum fines for gatekeepers. Although the general maximum fine of up to 5 million euros remains unchanged, there are some changes concerning fines resulting from the gatekeeper’s percentual turnover.

    In the ministerial draft bill, there was no turnover threshold for the application of higher fines. The maximum fine could reach up to 4% of the gatekeeper’s annual turnover generated in the European Union in the preceding financial year, whichever amount was higher.

    By contrast, the governmental draft bill introduces a specific turnover threshold: only gatekeepers with a total worldwide turnover exceeding 250 million euros are subject to the higher fine regime. For these entities, the maximum fine is set at up to 2% of their worldwide turnover in the preceding business year.

    Consequently, the accounting of profits outside the European Union has no influence on the amount of the maximum possible fine.

  • (B) For violations involving connected products in the various scenarios specifically listed in the governmental draft, the maximum fine is set at 500,000 euros. This applies, for example, to breaches of obligations regarding the design or manufacture of connected products and related services.

  • (C) In other cases, particularly those relating to data processing services, the maximum fine is set at 100,000 euros. This category covers a range of scenarios mainly associated with the handling and processing of data under the Data Act.

  • (D) For all remaining infringements not covered by the above categories, the upper limit for fines is 50,000 euros.

  • (E) Importantly, the explanatory memorandum concerning section 15(4)—(6) clarifies that the general provision of section 17(4) of the German Act on Regulatory Offences (OWiG) remains unaffected. § 17(4) OWiG provides that a fine must be set at a level that exceeds any economic advantage gained from the offence, even if this means surpassing the statutory maximum fine. This ensures that committing an administrative offence is never financially worthwhile, serving both special and general preventive purposes. When determining the economic advantage to be disgorged, the so-called net principle applies: only the profit remaining after deducting costs and expenses related to the offence is relevant. The netted economic benefit forms the lower limit of the fine, which may be increased as appropriate based on the seriousness of the offence and other relevant factors.

  • (F) Newly added, section 16 DA-DG-E clarifies that, in accordance with Article 40(4) of the Data Act and Article 83 of the GDPR, the BfDI is the competent authority for imposing administrative fines relating to the protection of personal data.

3.2 BNetzA already providing Guidance

The BNetzA has already published guidance on the EU Data Act, providing practical orientation for businesses and explaining the Act’s key provisions. A particular emphasis is placed on the new cloud switching rules: from the start of application on 12 September 2025, both existing and new contracts must comply with the requirements set out in Chapter 6 of the Data Act.

Notably, the agency’s website already features a button for submitting complaints about violations, with a notice stating that complaints can only be lodged once the German implementing law enters into force – suggesting that the complaints portal is technically already in place.

3.3 Next Steps in the Legislative Process

The draft law will now proceed to the parliament (Bundestag) for parliamentary deliberation. It will undergo three parliamentary readings. Subsequently, the Bundesrat – an independent constitutional body that involves the federal states in national legislation – participates in the legislative process as well, although its consent is not required.

Once the draft bill is adopted and published in the Federal Law Gazette, the act enters into force on the following day (Article 3 DA-DG-E).

3.4 Conclusion

The Cabinet’s decision is a clear signal of Germany’s readiness to implement the EU Data Act. While the legislative text is stable, the practical implications, especially regarding the allocation of supervisory authority, remain an area to watch. Businesses should stay informed and seek advice to ensure compliance as the new rules take effect.

4. Status of EU Data Act, National Implementation Laws Across EU Member States

Several EU Member States have made significant progress in implementing the Data Act, with approaches varying in terms of designated authorities and sanction regimes.

See the current status of Data Act implementation laws across Member States, including enforcement authorities and sanctions in our tracker.

5. ETSI’s Interoperability Feedback Relating to the EU Data Act

In October 2025, ETSI (European standardization institution) published its report ETSI TR 104 410, offering standardisation proposals to support Article 33 of the Data Act, which focuses on interoperability requirements for participants in Data Spaces. According to ETSI, Data Spaces “include cloud environments. The report underscores the importance of common technical and semantic standards such as NGSI-LD, SAREF and oneM2M, to enable seamless data exchange across platforms.

Additionally, ETSI recommends introducing quality and trust metrics, including accuracy, integrity, and bias, to ensure reliable and trustworthy data sharing. ETSI also confirms its ongoing collaboration with CEN and CENELEC to develop harmonised European standards in line with the EU Commission’s mandate.

6. EU Data Act Webinar Series

Don’t forget to check out our EU Data Act webinar series.

7. Upcoming Events Surrounding the EU Data Act

• Webinar: The EU Data Act – How should Israeli companies prepare
• Digital Rules & Data Drama, an in person legal update from San Francisco