On 19 November 2025, the European Commission presented a new set of measures (the Digital Omnibus proposal) that should enable Europe's businesses to spend less time on administrative work and compliance and more on innovating and scaling up.
The Digital Omnibus proposal also introduces a number of changes to the current framework of the Data Act.
This policy monitor article covers the main changes relating to the rules governing data exchanges, as well as the switching of data processing services (including cloud services).
What: Legislative proposal
Impact score: 2
For whom: policy makers, businesses and governments
The proposal expands the definition of ‘data holder’.
The current definition: Data holder means a natural or legal person that has the right or obligation, […], to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service.
Proposed definition: Data holder means a natural or legal person that has the right or obligation, […] to use or make available data, including, where contractually agreed, product data or related service data, which it has retrieved or generated during the provision of a related service.
The current definition of data holder is considered fulfilled if data is used and made available by the data holder. The proposal, however, converts this into a condition whereby it is sufficient to either use the data or make it available. This potentially allows natural or legal persons to be categorized as data holders more swiftly, with the result that they will have to comply with the corresponding obligations.
Expansion of the grounds for refusal in the case of trade secrets
Currently, data holders may refuse to disclose trade secrets when there is a high likelihood that they will suffer serious economic damage from the disclosure. The proposal adds an extra ground for refusal, namely a high risk that the data will be made accessible to an entity in a third country, or to an entity established in the EU under the direct or indirect control of such an entity, that is subject to a jurisdiction offering weaker protection than the EU.
Current article: In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets, […], that data holder may refuse on a case-by-case basis a request for access to the specific data in question […].
Proposed article: In exceptional circumstances, where the data holder who is a trade secret holder is able to demonstrate that, […], it is highly likely to suffer serious economic damage from the disclosure of trade secrets or that the disclosure of trade secrets to the user poses a high risk of unlawful acquisition, use, or disclosure to third country entities, or entities established in the Union under the direct or indirect control of such entities, which are subject to jurisdictions offering weaker or non-equivalent protection compared to that under Union law, that data holder may refuse on a case-by-case basis a request for access to the specific data in question. […]
Narrowing of the scope of B2G data sharing in the EU context
Currently, data sharing from business to public actors is mandatory in the case of an exceptional need. The Data Act makes a distinction between public emergency situations and non-public emergencies.
The Digital Omnibus proposes that the obligations of data sharing in the B2G-relationship should only apply for public emergency cases.
Specifically, the proposal makes a distinction between:
Data sharing requests in the context of responding to a public emergency;
Data sharing requests in the context of mitigating or supporting the recovery from the public emergency situation.
In the context of responding to a public emergency, data holders are not permitted to ask for any compensation for making the necessary data available, unless they are a small enterprise or a microenterprise; in such cases, the data holder may ask for fair compensation.
In the case of mitigating or supporting the recovery from a public emergency situation, data holders may ask for fair compensation. Microenterprises and small enterprises are exempt from this kind of data sharing request.
Switching of data processing services
Where the data processing service provider is an SME or a small mid-cap, the obligations relating to switching to another data processing service, with the exception of, inter alia, Article 29 (phased removal of switching costs), do not apply to data processing services other than IaaS data processing services, if the provision of those services is based on an agreement concluded on or before 12 September 2025.
In addition, where the provider of a data processing service is an SME or a small mid-cap, the provider shall not be required to renegotiate or amend a contract for the provision of a data processing service (other than IaaS) before its expiry if that contract was concluded on or before 12 September 2025.