Regulating Data: EU Data Act & More - January 2026 Edition

Welcome to the fifth edition of Regulating Data: EU Data Act & More.

Data regulation in the EU is moving from legislative ambition to operational reality. As key frameworks enter their implementation phase, the focus is increasingly shifting toward contractual practice, technical feasibility and risk allocation.

In this edition, we examine three developments that are particularly relevant from a legal and commercial perspective:

• EU Data Act FAQs (Version 1.4): The Commission’s latest updates provide targeted clarifications, inter alia, on the scope, interoperability, model contractual terms and reasonable compensation, offering important guidance for organisations preparing for Data Act compliance and contract adjustments.
• Open Data Maturity Assessment 2025: While overall maturity levels continue to rise across Europe, the findings reveal where regulatory expectations are crystallising — and where public-sector data reuse, high-value datasets and technical implementation still present practical and legal challenges.
• ProtectEU Roadmap on Law Enforcement Access to Data: The roadmap signals a renewed policy focus on access to digital evidence, encryption and standardisation, with potentially far-reaching implications for service providers, platform operators and cross-border data governance.

Please also check out the previous edition of our newsletter.

1. FAQs on the Data Act – Key Updates in Version 1.4 (22 January 2026)

On 22 January 2026, the European Commission has published version 1.4 of its FAQs on the Data Act, updating and clarifying minor aspects compared to version 1.3 (12 September 2025). The most significant changes include:

• Section 5 (Level of Enrichment – Derived Data):
  Regarding the distinction between raw/pre-processed data and inferred/derived data, the new version deletes the previous clarification that “it is not, however, the complexity of processing that renders data out of scope – it rather depends on whether the inferred or derived data constitutes new, value-added insights going beyond the nature of information represented by the source data.” The rationale for this deletion and its legal consequences remain unclear.
• Section 8 (Scope – Blue Guide Example):
  An additional example from the Blue Guide was included to clarify when a product is considered “placed on the market” in the EU. The new example specifies that a product brought into the EU is only considered placed on the market if it has been released for free circulation (i.e., when it has the customs status of Union goods). According to the European Commission, this clarification is particularly relevant for products such as maritime vessels.
• Section 57 (Interoperability Repository):
  The timeline for mapping existing harmonised standards and open interoperability specifications was changed from a fixed past event (“the Commission has concluded a mapping...”) to a future-oriented statement (“the Commission will map existing harmonised standards...”), clarifying that this is a planned activity.
  Furthermore, it is now explicitly stated that providers must ensure that the interfaces they make accessible to customers are compatible with the standards/specifications referenced in the repository. The repository itself is described as a “living document” that will be continuously updated with new relevant harmonised standards and common specifications.
• Section 72 (Guidelines on Reasonable Compensation):
  The update specifies that the guidelines on calculating reasonable compensation for making data available (as required by Article 9(5) Data Act) are expected to be adopted by Q2/Q3 2026.
• Section 74 (Model Contractual Terms and Standard Contractual Clauses):
  The update reflects that the draft Model Contractual Terms (MCTs) for data sharing and Standard Contractual Clauses (SCCs) for cloud computing contracts were published by the Commission.

Simmons & Simmons continues to closely follow all regulatory developments relating to the Data Act. In this context, we’d like to note, that the European Commission hosted a webinar on 26 January 2026, during which the Commission indicated that certain definitions under the Data Act are expected to be reviewed and further clarified. We will keep you informed of any further developments through our newsletter.

2. Open Data Maturity Assessment 2025: Progress, Challenges, and Trends in Europe

The European Commission published the 2025 edition of the open data maturity (ODM) assessment in December 2025, providing a comprehensive overview of the state of open data across 36 countries, including all EU-27 Member States, three European Free Trade Association (EFTA ) countries, and six candidate countries. The ODM Assessment measures the development and implementation of open data policies, identifies best practices, and supports knowledge exchange between countries.

2.1 Overview and Key Results

In 2025, the average ODM score across all participating countries reached 81%, marking a one percentage point increase compared to 2024. The average for EU Member States rose to 86% (+3 pp). Notably, 23 countries improved their scores year-on-year, while only one country experienced a decrease. 21 out of 36 countries achieved a score above 80%, indicating a broad level of maturity in open data practices.

France leads the ranking with a perfect score of 100%, followed by Lithuania (98%) and Poland (97.8%). Among EFTA countries, Norway is the frontrunner with 92%, while Ukraine (97%) tops the candidate countries. The most significant climbers are Albania (+23 pp), Malta (+19 pp), and Germany (+11 pp).

2.2 The Four Dimensions of Open Data Maturity

ODM is defined by the assessment methodology using four dimensions:

• Policy: This dimension evaluates the “open data policies and strategies in place in the participating countries, the national governance models for managing open data and the measures applied to implement policies and strategies”. Policy remains the most mature dimension, with an average score of 93%. This growth is the result of continued enhancements to the framework for open data policies and steady progress in the implementation of open data initiatives.
• Portal: This dimension assesses the “functionality of national open data portals, the extent to which users’ needs and behaviour are examined to improve the portal, the availability of open data across different domains and the approach to ensuring the portal’s sustainability”. The portal dimension reached 85% in 2025 (+4 pp).
• Quality: This dimension analyses the “measures adopted by portal managers to ensure the systematic harvesting of metadata, the monitoring of metadata quality and compliance with the DCAT-AP metadata standard, and the quality of deployment of the published data on the national portal”. The quality dimension increased to 83% (+4 percentage points), with progress especially in metadata currency and completeness, as well as deployment quality and linked data.
• Impact: This dimension measures the “willingness, preparedness and ability of countries to measure both the reuse of open data and the impact created through this reuse”. With an average of 82%, it remains the least mature dimension, though it continues to improve. Almost all Member States (96%) define open data impact and foster collaboration with civil society and academia. However, the “created impact” indicator (77%) remains a challenge.

2.3 Focus on High-Value Datasets

A key focus of the 2025 report is the High-Value Datasets (HVDs) implementing regulation, effective since June 2024. The regulation establishes a legal framework to enhance the accessibility and usability of strategically important datasets.

Several Member States—most notably Lithuania, Latvia, Estonia, Denmark, Finland and France—have self reported as front runners in implementing the regulation’s requirements. Overall, Member States have made the greatest progress in relation to statistical (82%), geospatial (79%), and earth observation and environmental datasets (77%).

The most advanced areas of implementation concern organisational and legal measures, including the identification and cataloguing of HVDs (82%), the establishment of new roles and workflows (79%), and the resolution of legal challenges (76%). By contrast, technical aspects such as improving metadata quality (74%), enabling machine readable formats through APIs (73%), and providing bulk download functionalities (73%) remain comparatively less mature, although they have developed at a faster pace over the past year than organisational measures.

3. ProtectEU’s Roadmap: Modernising Law Enforcement Data Access in the Digital Age

The European Commission’s roadmap for lawful and effective access to data for law enforcement responds to increasingly complex security challenges from organised crime and terrorism to sophisticated online fraud and ransomware. The initiative seeks to strengthen the tools and frameworks available to EU law enforcement.

3.1 Background

Digitalisation has transformed crime and law enforcement. Today, around 85% of criminal investigations rely on electronic evidence, yet access to such data is often fragmented, temporary or technically difficult to secure. To address this, the Commission proposes coordinated action in six priority areas, setting out targeted actions and timelines to ensure that law enforcement can obtain, analyse and use digital evidence.

At the same time, any state access to encrypted communications directly affects fundamental rights, in particular, privacy and data protection and the rights of defence, including the right to a fair trial.

3.2 Objectives

The roadmap sets out the Commission’s objectives to ensure that law enforcement and judicial authorities can access digital evidence in a lawful, effective and proportionate manner, while fully respecting fundamental rights, data protection and cybersecurity.

• AI Solutions: Handling Data at Scale
  Investigations increasingly involve massive volumes of digital data that exceed human processing capacity. To address this, the Commission will foster the development and deployment of AI tools to help authorities filter, analyse and derive insights from large datasets lawfully and responsibly, with clear guidelines in line with the AI Act.
• Data Retention: Ensuring Availability of Digital Evidence
  Criminal investigations increasingly hinge on non-content communication data (e.g., metadata, location, timing). However, retention obligations in the EU are uneven following the invalidation of the 2006 Data Retention Directive. The roadmap calls for an impact assessment to consider updating EU data retention rules and harmonising frameworks across Member States. Europol and Eurojust are also encouraged to strengthen cooperation with service providers on accessing such data.
• Lawful Interception: Improving Cross-Border Cooperation
  The shift from traditional telephony to over-the-top (OTT) messaging services has made real-time lawful interception far more challenging. The roadmap envisages exploring measures to improve cross-border lawful interception by 2027, including assessment of existing instruments like the European Investigation Order and establishing secure information-sharing capabilities among Member States and EU agencies.
• Digital Forensics: Building Technical and Operational Capacity
  Effective investigation requires the ability to analyse and preserve digital evidence from devices and systems. The Commission and Europol will coordinate gap and needs analyses of digital forensics technologies and support tool development through EU funding and partnerships. Europol is encouraged to evolve into a centre of excellence in digital forensics, facilitating cooperation between authorities and the private sector.
• Decryption: Navigating Encryption Challenges Lawfully
  With strong encryption now pervasive, accessing encrypted data remains a major operational obstacle. The Commission plans to publish a Technology Roadmap on Encryption, identifying and assessing solutions that enable lawful access to encrypted data while safeguarding cybersecurity and fundamental rights. Subsequent support for research and development aims to equip Europol with next-generation decryption capabilities by
• Standardisation: Harmonising Technical Approaches
  Standards are critical for interoperability and ensuring lawful access mechanisms can function across diverse technologies and jurisdictions. The roadmap commits to developing a coordinated EU approach to standardisation for internal security issues, focusing on digital forensics, lawful disclosure and interception, in cooperation with stakeholders, industry experts and law enforcement practitioners.

3.3 Technical Approaches for Decryption

The question of how to enable targeted access under conditions of strong encryption remains contested. Current discussions point to a limited set of technical approaches, each associated with specific legal implications.

• Client-Side Scanning (CSS) involves analysing content directly on the user’s device before encryption or after decryption. Messages remain end-to-end encrypted in transit, but providers may be required to integrate scanning mechanisms into their applications to detect specific illegal content, such as terrorist propaganda, using hash matching or AI-based analysis. While proponents argue that CSS does not constitute decryption in the strict sense, critics view it as a functional circumvention of encryption and a form of generalised surveillance. European data protection authorities have warned that CSS would entail indiscriminate content monitoring, conflicting with principles of targeted surveillance and the confidentiality of communications under EU law.
• A more traditional concept is key escrow, whereby a master key is retained by a trusted third party or state authority and released upon judicial order. Although this provides “lawful access by design”, it creates significant security risks. Centralised key repositories represent highly attractive targets for abuse or cyberattacks, and any compromise could expose large volumes of communications.
• Another proposal involves security gateways or so-called “ghost users”. Under this model, a service provider could silently add an authorised third party as an additional recipient to an otherwise end-to-end encrypted communication. While this preserves the encryption algorithm itself, it relies heavily on secrecy and trust in the provider. Once such mechanisms exist, their scope is difficult to limit. The activation of such a gateway would have to be strictly limited to targeted orders. The question of subsequent user notification would be central to ensuring adequate judicial oversight and legal redress
• Finally, some jurisdictions pursue lawful device access through government hacking, rather than weakening encryption systems. By exploiting vulnerabilities in end-user devices, authorities may access communications at the source or endpoint. This approach avoids systemic backdoors and remains targeted, but it is technically complex and legally intrusive. It also creates tensions with broader cybersecurity goals, as the use of undisclosed vulnerabilities may leave systems exposed to criminal exploitation.

3.4 Conclusion

The roadmap reflects the EU’s drive to modernise its internal security capabilities for the digital era, recognising that nearly all serious crime now leaves a digital footprint. Its six-fold structure aims to equip law enforcement with the tools needed for effective action across borders, while affirming that lawful access must be proportional, necessary and respectful of fundamental rights such as privacy and data protection.

As the Commission and Member States move toward implementation, debates continue over how best to reconcile security imperatives with Europe’s strong legal protections for individuals. The period ahead will be critical in shaping how digital evidence regimes develop within the EU.