Welcome to the latest edition of Regulating Data: EU Data Act & More.
The EU's data regulatory framework is entering a defining phase – one where legislative ambition and practical implementation are unfolding in parallel. This edition takes a closer look at both dimensions.
At the centre of this issue stands the ongoing discussion on the Digital Omnibus covering the Data Act. The debate has gained considerable momentum in recent weeks, with Council and Parliament each staking out distinct positions, and stakeholders weighing in on issues ranging from trade secret protection to switching rights for data processing services. We summarise the key institutional and stakeholder positions to help you navigate where the negotiations currently stand.
Beyond the Digital Omnibus, we turn to the measures now shaping how data regulation is applied on the ground: Germany's new enforcement framework, the emerging role of secure processing environments, and the Commission's intensified scrutiny of the cloud market.
In this edition, we cover:
- The Data Act in the Digital Omnibus gives rise to discussions – policymakers and business stakeholders exchange opinions on the recalibration of the Data Act, in particular with regards to the trade secret and data processing service provisions.
- Germany’s Data Act Implementing Law enters into force – Germany has completed its national Data Act implementation, with the DADG establishing the country’s enforcement framework.
- ETSI highlights the infrastructure layer of the data economy – a new technical specification underlines the growing relevance of secure processing environments and data protection at infrastructure level.
- The DMA cloud market investigation moves into a more technical phase – the Commission is turning its attention to cloud interoperability, pricing and contractual conditions.
1. Data Act in the Crossfire: Trade Secrets and Cloud Switching at the Heart of the Digital Omnibus Fight
The European Commission's Digital Omnibus proposal of 19 November 2025 has set off one of the most contested simplification debates of this legislative cycle. Six months in, the Data Act – which only became applicable on 12 September 2025 – has emerged as a central point of discussion. With the Cypriot Council Presidency tabling its revised mandate for the Council of the European Union on 22 June 2026 and three parallel European Parliament draft reports landing within very short time, the contours of the discussion are now visible. Two issues stand out as exceptionally relevant to business stakeholders: the protection of trade secrets and the switching regime for data processing services (which in practice covers cloud services and similar offerings). Both go to the heart of how the European Union regulates the data economy.
1.1 The State of Play
The Commission proposes to consolidate the Data Governance Act, the Open Data Directive and the Free Flow of Non-Personal Data Regulation into the Data Act, with targeted amendments. The current state of the legislative process can be summarised as follows:
(A) Cypriot Council Presidency: First data-specific compromise text on 15 April 2026, a third compromise on 21 May 2026, and a revised mandate text on 22 June 2026 seeking the green light for trilogue negotiations.
(B) European Parliament: Three draft committee reports tabled within very short time – the Committee on Legal Affairs draft opinion of 5 June 2026 (Rapporteur Brando Benifei), the Committee on the Internal Market and Consumer Protection draft opinion of 8 June 2026 (Rapporteur Alex Agius Saliba) and the joint draft report of the Committee on Industry, Research and Energy together with the Committee on Civil Liberties, Justice and Home Affairs of 22 June 2026 (Rapporteurs Aura Salla, Marina Kaljurand).
(C) Timing: According to an open letter of the European industry confederations of 3 June 2026, the European Parliament is not expected to adopt its negotiating position before early 2027, which would create a significant gap between any early Council mandate and the start of meaningful trilogue work.
1.2 Trade Secrets: The Defining Battle
The protection of trade secrets under Art. 4(8) and 5(11) Data Act has emerged as a central conflict – and one on which the Cypriot Council Presidency itself sought political guidance from the Permanent Representatives Committee of the Council.
The Commission's proposal introduces a new ground for data holders to refuse data access where disclosure would create a “high risk of unlawful acquisition, use or disclosure” to entities established in or controlled from third-country jurisdictions offering weaker or non-equivalent protection than European Union law. This goes beyond the existing refusal ground (serious economic damage) and is presented as a safeguard against leakage of European industrial know-how.
Within the Council, positions diverge sharply:
(A) The 22 June Council compromise text retains the Commission's new refusal ground but adds a mandate for the Commission, in consultation with the European Data Innovation Board, to issue guidance on how to demonstrate “serious economic damage” and on the enforceability of trade secret protection in third countries.
(B) Several delegations go further: as documented in the discussion note for the Permanent Representatives Committee (dated 1 June 2026), they want to expand the refusal possibilities and remove the automatic obligation to notify the competent national authority of any refusal, considering this requirement “overly bureaucratic and burdensome for the data holder”.
The European Parliament committees pull in the opposite direction:
(A) The Committee on Legal Affairs proposes (in its draft opinion dated 5 June 2026) to delete the Commission's new refusal grounds in their entirety and to restore the original Data Act logic, under which trade secret protection is primarily ensured through confidentiality measures agreed between the parties, with refusal as a measure of last resort. The Commission, in consultation with the European Data Innovation Board, would issue guidance instead.
(B) The Committee on the Internal Market and Consumer Protection goes further still. Under its draft proposal (dated 8 June 2026), data holders may not rely on “generalised assumptions” about a third country, ownership structure, technology provider or category of recipient; refusal is only available where proportionate technical, organisational, contractual or secure-access measures would be insufficient to address a specific risk; and competent authorities must conduct an expedited review of any refusal.
(C) The joint draft report of the Committee on Industry, Research and Energy and the Committee on Civil Liberties, Justice and Home Affairs of 22 June 2026 does not address the trade secrets question at all, which suggests that the two leading committees are content with the Commission's proposed wording. The political fight on this point will therefore most likely be carried by the Committee on Legal Affairs and the Committee on the Internal Market and Consumer Protection on the Parliament side, with the Council as the main driver of any substantive recalibration.
1.3 Industry is similarly split:
(A) A coalition of European industry confederations – including the Federation of German Industries, the Movement of the Enterprises of France, the Confederation of German Employers' Associations, Confindustria, the Federation of Austrian Industries, the Polish Confederation Lewiatan, the Confederation of Swedish Enterprise, and others – sent an open letter to the Council on 3 June 2026 warning that the Cypriot compromise “risks diluting the Commission's proposal to the point where it no longer delivers meaningful relief for European industry” and calling on Member States to actively oppose any attempt to fast-track a political agreement, on the ground that “the experience with recent files such as the Data Act and the Artificial Intelligence Act has shown that time pressure leads to unresolved legal questions and significant implementation challenges”.
(B) A parallel joint statement of 20 May 2026 signed by the Business Software Alliance, DOT Europe, the Computer and Communications Industry Association, the Information Technology Industry Council and others insists that “trade secrets must be adequately protected, with clear safeguards against unlawful use, loss of proprietary know-how, and safety risks”, reflecting the perspective of trade-secret-rich technology providers.
1.4
What is at stake here is the balance struck in 2023 between the protection of trade secrets and the provision of sufficient good-quality data for artificial intelligence, research and innovation – a balance the Cypriot Council Presidency itself acknowledges in its discussion note. Whichever way the wording lands, it will directly shape how connected-product manufacturers, Internet-of-Things providers and platform operators design their data-access architectures, how they document refusals, and how robustly they can resist disclosure requests from users, third parties and ultimately competent authorities. For data-driven business models – particularly those relying on aftermarket access to product and related service data – this is arguably the single most consequential provision of the entire Digital Omnibus.
1.5 Data Processing Services: Heated discussions about Cloud Switching rights
The second major discussion concerns Article 31 of the Data Act and the switching obligations for data processing services more broadly (in practice, cloud services and similar offerings).
The Commission proposes to carve out two categories of services from the bulk of obligations applicable to the data processing services, laid down in Chapter VI:
(A) Custom-made services where the majority of features and functionalities have been adapted by the provider to the specific needs of the customer, where the contract was concluded on or before 12 September 2025.
(B) Services provided by small, medium-sized or small mid-cap enterprises under contracts concluded by the same date.
In both cases, providers would not be required to renegotiate existing contracts before their expiry, although contractual provisions contrary to the gradual withdrawal of switching and egress charges would still be void. The 22 June Council compromise also adds an explicit permission for providers to include proportionate early-termination penalties in fixed-term contracts.
Both the Committee on Legal Affairs and the Committee on the Internal Market and Consumer Protection propose to delete these carve-outs altogether. Their concerns are similar:
(A) The exemptions risk creating long-lasting lock-in effects favouring incumbents.
(B) They open the door to circumvention by providers reclassifying off-the-shelf services as “custom-made” in order to escape the switching regime.
(C) Article 31(1) of the existing Data Act already addresses genuinely custom-built services, so the Digital Omnibus amendments go beyond the careful balance found in Chapter VI and its objectives to facilitate switching.
(D) The temporal exemption for contracts concluded up to 12 September 2025 creates a dual regime that will persist for many years, weakening interoperability incentives and leading to fragmentation.
Taken together, these positions indicate a clear tendency to keep custom-made services within the scope of the switching regime, rather than allowing them to be excluded as a separate category of legacy services.
For the stakeholders on both sides of the contractual relationship – cloud customers seeking to exercise switching rights, and providers managing legacy portfolios – the practical implications are very different depending on which version prevails:
(A) If the Council line holds, a substantial share of existing contracts will remain outside the full switching regime until expiry, and providers retain meaningful contractual flexibility on early termination.
(B) If the Parliament line prevails, switching obligations apply across the board and the carve-outs disappear.
1.6 Outlook
The “simplification” framing of the Digital Omnibus is unravelling on the Data Act. What was presented as a technical exercise might – in the areas of trade secrets and cloud switching in particular – turn into a substantive recalibration of the regulatory balance struck only in 2023. In March 2026 the European Council called for all pending omnibus packages to be concluded by the end of 2026 with the artificial intelligence package targeted for July 2026. On the Data Act, however, the gap between an early Council general approach and the European Parliament's expected 2027 position creates a real risk of a rushed and unbalanced trilogue – exactly the scenario the industry letter of 3 June warns against.
The practical message is clear: the Data Act should not be treated as a settled file. Contractual architectures around connected products, data access, trade secret protection and cloud switching may need to be revisited depending on the final wording. We will continue to monitor the trilogue dynamics closely, with particular focus on Articles 4(8), 5(11) and 31 of the Data Act, and provide further updates ahead of the autumn negotiations.
2. Germany’s Data Act Implementing Law Enters into Force
Germany has now completed its national implementation of the EU Data Act. On 30 May 2026, Germany’s Data Act Implementing Law (Datenverordnung-Anwendungs-und-Durchsetzungs-Gesetz, “DADG”) entered into force, establishing the domestic procedural and enforcement framework for the Data Act (Regulation (EU) 2023/2854).
The DADG does not alter the substantive obligations of the Data Act itself, which have applied across the EU since 12 September 2025. Instead, it provides the German enforcement architecture required under the Regulation, including the designation of the Federal Network Agency (Bundesnetzagentur, “BNetzA”) as the competent authority for the application and enforcement of the Data Act in Germany. The BNetzA will also act as the central contact point for complaints, dispute settlement matters and supervisory cooperation, including in cross-border cases.
This marks an important step in the operationalisation of the Data Act in one of the EU’s largest markets. For businesses active in Germany, the entry into force of the DADG means that the Data Act is now backed by a fully functioning national enforcement framework, including investigatory powers, supervisory coordination and sanctioning mechanisms.
For a more detailed overview of the German implementation framework, please see the April 2026 edition of our newsletter.
3. ETSI highlights the infrastructure layer of the data economy
On 2 June 2026, ETSI announced the release of ETSI TS 104 033, a new technical specification defining security requirements for AI computing platforms, i.e. the underlying computing environments used for model training and inference.
Although the specification is presented in the context of AI, its relevance extends more broadly to the protection of data processed in complex digital environments. ETSI describes the computing platform as a “critical infrastructure layer” that provides the execution environment and associated resources for AI services and is intended to enable a “secure by default” platform. The specification therefore focuses not only on the platform itself, but also on the protection of its assets, including models and data.
According to ETSI, the new specification sets out security requirements and associated functions for AI computing platforms, together with the security components to be implemented and their interfaces. It also expressly addresses the protection of data in dynamic states, such as in use and in transit, as well as in static state, that is, at rest. ETSI notes that this is intended to mitigate threats to the platform and its assets, including risks such as data leakage and model extraction.
The release of ETSI TS 104 033 is therefore a useful reminder that the effective regulation of data-driven systems does not depend only on legal rights and contractual mechanisms. It also depends on whether the underlying infrastructure meets an adequate security baseline. In that sense, the ETSI specification reflects the growing importance of the infrastructure layer of the data economy, where questions of data access and use increasingly intersect with the need for secure processing environments.
4. Cloud market investigation (under DMA) moves into a more technical phase
On 13 May 2026, the European Commission announced the next step in its Digital Markets Act (DMA) market investigation into cloud computing services by convening a series of thematic roundtables for 1 July 2026. The roundtables are intended to gather further expert input on how the DMA may apply in cloud markets, with a particular focus on issues that are also central to the broader debate on data governance and digital infrastructure.
According to the Commission, the discussions will cover three core areas: interoperability between and with cloud computing services and other technical features, the financial conditions applying to the procurement of cloud services, and other contractual conditions between customers and cloud providers. The Commission will in parallel engage separately with the gatekeepers currently designated under the DMA, including Microsoft, Amazon and Google, as well as the other designated gatekeepers.
Although this initiative formally sits within the DMA, it is relevant beyond classic platform regulation. The Commission’s focus on interoperability, pricing and contract terms shows how cloud services are increasingly being assessed not only as digital markets, but also as critical infrastructure for the data economy. In that sense, the investigation touches on issues that closely overlap with the EU’s wider data-regulation agenda, including switching, portability and the conditions under which users can effectively move and use data across services. The Commission has indicated that the market investigation will culminate in a final report by May 2027.






_11zon.jpg?crop=300,495&format=webply&auto=webp)

.jpg?crop=300,495&format=webply&auto=webp)


.jpg?crop=300,495&format=webply&auto=webp)

.jpg?crop=300,495&format=webply&auto=webp)


.jpg?crop=300,495&format=webply&auto=webp)



