Regulating Data: EU Data Act & More - April 2026 Edition

Welcome to the eighth edition of Regulating Data: EU Data Act & More.

The implementation phase of the EU’s data regulatory framework is in full swing. While the EU Data Act has been in force since September 2025, recent developments clearly show a shift from legislative design to practical and institutional fine tuning at both an EU and Member State level. In particular:

• At EU level, Council negotiations on the Digital Omnibus are refining key concepts under the Data Act, including cloud switching, data intermediation and public sector data re use, with targeted clarifications likely to shape enforcement practice.
• In Germany, parliament (Bundestag) has adopted the national Data Act implementation law, introducing practical adjustments on supervisory competences and narrowing the scope of sanctionable infringements.
• Across other Member States, Belgium and Ireland have advanced preliminary national Data Act implementation drafts, underlining that enforcement structures are now being operationalised ahead of full application.
• In the health data space, the European Commission has moved the EHDS into its technical implementation phase by publishing draft rules on mandatory metadata standards for the secondary use of health data.

Considered together, these developments show that compliance risks and opportunities are increasingly determined by targeted amendments and national laws rather than by new flagship legislation. This edition highlights the most relevant recent developments and points to where companies should reassess existing governance, contractual frameworks and compliance strategies.

1. Digital omnibus: Council presidency circulates revised compromise text

Following the publication of the European Commission’s Digital Omnibus proposal of 19 November 2025, which we analysed in detail in our November 2025 edition of this newsletter, the legislative process has now entered a more technical phase at Council level. On 15 April 2026, the EU Council Presidency (currently Cyprus) circulated a revised compromise text of the Digital Omnibus intended to reconcile Member State positions ahead of further discussions.

The text is not final and has not been made publicly available, so further amendments remain possible. While the compromise text does not fundamentally alter the Commission’s overall approach, it introduces a number of targeted clarifications and adjustments across different parts of the EU Data Act, including data processing services, data re use by public sector bodies, governance structures and definitions.

1.1 New elements in the Council Presidency’s text (compared to the Commission proposal of 19 November 2025)

Several amendments have been introduced, with the most significant being the following:

(a) Refined notion of “custom made” data processing services

Recital 17 is amended. Custom made data processing services are now described as “services not provided off-the-shelf and are personalised to the needs of a customer to provide a tailored solution where the majority of features and functionalities of the data processing service has been adapted by the provider to the specific needs of the customer."

Compared to the Commission proposal, the additional requirement that these features and functionalities would not be usable for other customers without prior adaptation has been removed.

(b) Early termination penalties expressly permitted

A newly added paragraph (Article 31(1c) Data Act) states:

“A provider of a data processing service may include provisions on proportionate early termination penalties in a contract of fixed duration on the provision of data processing services.”

This puts Recital 18 into practice and confirms that early termination fees are generally permissible in fixed term contracts, provided they are proportionate and do not constitute an obstacle to switching.

(c) Further specification of “very large enterprises” for public sector data reuse

Building on Recital 25 of the Commission proposal, the Council Presidency now adds that Member States may further specify the criteria for determining what constitutes a very large enterprise for the purpose of introducing special conditions in licences pertaining to the re-use of data and documents.

(d) Governance adjustments: European Data Innovation Board

A new Recital 26a addresses the role of the European Data Innovation Board (EDIB). While confirming its consultative character for the implementation and enforcement of the Data Act, the Presidency text proposes a simplified structure that allows for more strategic discussions.

e) No legal basis for processing personal data under new chapters

The compromise text adds a clarification in Article 1(5), stating explicitly that the via the EU Commission’s Digital Omnibus proposal introduced Chapters VIIa and VIIc do not create a legal basis for the processing of personal data.

(f) Definitions and structural clarifications

Several technical adjustments are included, e.g.:

• the definition of “access” is deleted;
• a new definition of “common specifications” is inserted, referring to technical requirements other than standards that provide a means of complying with specific obligations under the Data Act.

(g) Data intermediation services: clarified obligations

The Presidency text adds and refines obligations for data intermediation services, including an explicit requirement that providers ensure fair, transparent and non discriminatory access procedures for data subjects, data holders and data users, including with respect to pricing and terms of service (Article 32c(f) Data Act).

(h) Re use of public sector data

Finally, the compromise text contains several adjustments to Chapter VIIc on the re use of data and documents held by public sector bodies, aligning this chapter more closely with the broader structural and governance changes introduced by the Digital Omnibus.

1.2 Looking ahead

The Council Presidency’s revised compromise text is scheduled for discussion by the Member States on 24 April 2026.

We will continue to monitor developments closely and report on any material shifts in the Council’s position, as well as the interaction with the ongoing legislative process in the European Parliament.

2. German Parliament adopts Data Act Implementation Law

Following the Federal Cabinet’s adoption of the governmental draft bill in October 2025, which we analysed in detail in our November 2025 edition, Germany’s Data Act Implementation Law (Datenverordnung-Anwendungs-und-Durchsetzungs-Gesetz, hereinafter “DADG”) has progressed through the legislative process in the parliament (Bundestag) on 26 March 2026. While the core structure and enforcement approach remain unchanged, the Bundestag introduced targeted amendments that are relevant in practice, in particular with respect to supervisory competences and the scope of administrative offences.

2.1 Changes from the Federal Cabinet’s draft bill

(a) Clarified competence for data requests by public authorities

A key clarification concerns the supervision of data access requests by public sector bodies under Chapter V of the EU Data Act.

Under the amended text, the Federal Network Agency (Bundesnetzagentur, hereinafter “BNetzA”) is expressly designated as the competent authority for reviewing data requests submitted by federal public authorities. By contrast, responsibility for reviewing data requests by public authorities of the German states remains with the authorities designated under the respective state laws.

This clarification addresses concerns raised during the legislative process about potential overlaps and uncertainty in the allocation of competences between federal and state levels. It preserves the federal structure for public sector data access, while ensuring that requests originating at federal level are subject to a uniform supervisory approach by the BNetzA.

(b) Narrowing the scope of administrative offences

The Bundestag also adjusted the catalogue of administrative offences under the DADG. Certain infringements of the Data Act will no longer qualify as administrative offences. This applies primarily to breaches of information and notification obligations, including, by way of example:

• failures to provide information under Article 3(2) or (3) of the Data Act, or
• certain notification obligations, such as under Article 4(7), third sentence of the Data Act.

As a result, not every breach of the Data Act will automatically expose companies to administrative fines under the German enforcement regime. This adjustment reflects a more differentiated sanctioning approach, while leaving the sanctioning framework for substantive infringements unchanged.

Importantly, this does not affect the applicability of other enforcement mechanisms under the Data Act, including dispute settlement provisions mechanisms and civil law remedies.

2.2 Next steps

Following adoption in the Bundestag, the draft law has been submitted to the Bundesrat, an independent constitutional body that involves the federal states in national legislation, although its consent is not required.

Once the Bundesrat consents to the law or fails to make a demand or to enter an objection, and the law is promulgated in the Federal Law Gazette, it will enter into force on the day following its publication (Article 3 DADG).

2.3 Outlook

The amendments adopted by the Bundestag do not alter Germany’s overall approach to implementing the EU Data Act, which remains closely aligned with the Regulation and avoids national gold plating. However, the clarified allocation of supervisory responsibilities for public sector data requests and the narrowing of sanctionable offences are relevant practical adjustments that should be taken into account when assessing compliance exposure and interaction with public authorities.

Businesses should therefore review their internal processes in light of the final enforcement framework, particularly where data access requests by public bodies or certain breaches under the Data Act are concerned.

3. Data Act implementation laws in other EU Member States

Recently, Belgium and Ireland have taken further steps towards implementing the EU Data Act by adopting preliminary national implementation drafts at government level.

In Belgium, on 27 March, the Council of Ministers approved a draft law to implement the Data Act, which has now been transmitted to the other institutions involved in the legislative process.

In parallel, the Irish Government has approved and published the General Scheme of the Data Bill 2025 on 4 February 2026, setting out the proposed framework for national enforcement and the designation of competent authorities under the Data Act. The General Scheme has been formally laid before the parliament (Oireachtas) and will now progress through the parliamentary process.

These developments underline that Member States are continuing to operationalise the Data Act’s enforcement architecture ahead of full application. While the Data Act applies directly as an EU Regulation, national legislation remains necessary in key areas, including supervisory competences, procedural powers and sanctions, making the ongoing implementation process closely watchable for affected businesses.

4. EHDS: Commission publishes draft implementing regulation on dataset metadata for secondary use

On 14 April 2026, the European Commission published a draft implementing regulation specifying the minimum metadata elements that health data holders must provide when describing datasets available for the secondary use of electronic health data under the European Health Data Space (EHDS). The draft implements Article 77(1) of Regulation (EU) 2025/327 and is intended to ensure that dataset catalogues are standardised, machine‑readable and interoperable across the EU.

The draft establishes the HealthDCAT‑Application Profile (HealthDCAT‑AP) as the mandatory metadata framework and requires health data holders to describe datasets using harmonised definitions, structures, cardinalities and controlled vocabularies. These metadata descriptions must be provided to health data access bodies, verified at least annually and will feed into national catalogues and the EU‑level dataset catalogue for secondary health data use. Additional metadata may be provided on a voluntary basis.

The implementing regulation will enter into force 20 days after publication and will apply from 26 March 2029, giving stakeholders time to adjust their data inventories and metadata governance. Once adopted, it will represent a key technical building block of the EHDS, translating the regulation’s access framework into operational, cross‑border‑ready data infrastructure.