The Digital Omnibus proposal aims primarily to reduce regulatory complexity and compliance costs for digital businesses - particularly SMEs - while fostering innovation, competitiveness. A central tenant of this is to develop of a genuine single market for data (for more on other aspects of the proposal see here).
The Digital Omnibus seeks (among other things) to streamline the EU data regulatory framework by integrating the Free Flow of Non‑Personal Data Regulation (FFDR), the Data Governance Act (DGA) and the Open Data Directive (ODD) into the Data Act. The overarching objective of this reform is to establish a single, simplified and coherent framework governing the use and sharing of data within the European Union.
Strengthened protection of trade secrets
The Data Act establishes rights of access to and portability of data generated by connected products and related services. It already allows data holders, in exceptional circumstances, to refuse to share data where they can demonstrate that disclosure would be highly likely to cause serious economic damage, notably through the exposure of trade secrets.
The Digital Omnibus goes a step further. It allows data holders to refuse disclosure where they can demonstrate a high risk of unlawful acquisition, use or disclosure of the data by third‑country entities, or by EU‑established entities that are directly or indirectly controlled by such entities and subject to jurisdictions offering weaker or non‑equivalent protection compared to EU law.
To preserve an appropriate balance, any such refusal must be duly substantiated on the basis of objective elements. These include, in particular, the enforceability of trade secret protection in the relevant third country, the nature and level of confidentiality of the requested data, and the uniqueness and novelty of the connected product. In addition, the data holder must notify the competent supervisory authority of its refusal.
Removal of requirements applicable to smart contracts
The Data Act establishes a set of requirements applicable to vendors of applications using smart contracts, as well as to any person whose activities involve the deployment of smart contracts for others in the context of the execution of a data-sharing agreement. These requirements include robust access controls, the archiving of transactional data and smart‑contract code, mechanisms for safe termination or interruption, and consistency between the smart contract and the underlying data‑sharing agreement.
The Digital Omnibus proposes removing these requirements. In practice, this reflects the fact that the use of smart contracts in data‑sharing arrangements remains limited and largely experimental. Industry stakeholders have also highlighted the lack of clear definitions and harmonised standards for key concepts such as “robustness”, “access control” and “consistency with contractual terms”.
Moreover, these obligations are seen as difficult to reconcile with core characteristics of certain blockchain technologies, notably immutability, decentralisation and cryptographic transparency. Requirements to allow suspension of smart contracts or privileged access for specific actors could undermine these features.
Adjustments to switching and cloud portability obligations
Chapter VI of the Data Act imposes a range of obligations on providers of data processing services to facilitate switching between providers. The Digital Omnibus introduces a more flexible approach for certain services and providers.
First, custom‑made services, other than Infrastructure‑as‑a‑Service (IaaS), provided under contracts entered into before 12 September 2025 will be exempt from the switching obligations. Given that such services typically result from potentially lengthy negotiations, bringing existing contracts into compliance with the switching rules could require costly renegotiations. The only exception concerns Article 29 of the Data Act on the gradual removal of switching charges, which would continue to apply.
The same exemption would also apply to providers of data processing services, other than IaaS, that qualify as SMEs or small mid-caps.
Although providers benefiting from these exemptions will not be required to renegotiate or amend their contracts, any contractual clauses contrary to Article 29 of the Data Act will be deemed null and void.
The proposal also clarifies that fixed‑term contracts for data processing services may include provisions for early termination penalties, provided that such penalties remain reasonable. This clarification seeks to preserve the economic models of service providers - particularly SMEs - by reducing the financial uncertainty associated with premature contract termination.
Narrowing the scope of business‑to‑government data sharing
Chapter V of the Data Act grants public sector bodies, the European Commission, the European Central Bank and other Union bodies a right of access to data generated by connected products and related services where they can demonstrate an exceptional need to use such data in the public interest.
The Digital Omnibus narrows this right. Access will be limited to situations of public emergency. Under the revised approach, access to data is permitted only where it is necessary to respond to, mitigate or support recovery from a public emergency.
Where the requested data is necessary to respond to a public emergency, the request must primarily concern non-personal data. Personal data may be requested only where access to non-personal data is insufficient to address the public emergency and, where possible, must be made available in pseudonymised form, subject to appropriate technical and organisational safeguards.
Where the requested data is necessary to mitigate or support recovery from a public emergency, the requesting body may request specific non-personal data, the absence of which would prevent them from fulfilling their statutory duties. Such requests may not be addressed to micro‑enterprises or small enterprises.
A single legal instrument for the re‑use of public sector data
The Digital Omnibus aims to establish a single legal instrument governing the re-use of public sector information by integrating Chapter II of the Data Governance Act and the Open Data Directive into a new single chapter of the Data Act.
The core principles of the existing framework are preserved, including the principle of non‑discrimination. Conditions for re‑use must therefore remain transparent, proportionate and objectively justified, and exclusive arrangements granting preferential access to certain entities remain prohibited.
The proposal also harmonises the rules governing charges for access to and re‑use of public sector data. As a general rule, such access should be free of charge. Public sector bodies may, however, recover marginal costs incurred for the reproduction, provision and dissemination of such data or documents as well as for anonymisation of personal data and measures taken to protect commercially confidential information.
One notable addition is the ability to impose higher charges on very large enterprises, based on objective criteria such as economic power or designation as a gatekeeper under the Digital Markets Act (Regulation (EU) 2022/1925). This measure seeks to ensure that public sector data remains broadly accessible and does not reinforce existing market dominance. Public sector bodies must also ensure that charges can be paid online using widely available cross‑border payment services.
More flexible rules for data intermediation services
Under the current DGA framework, providers of data intermediation services are subject to a mandatory notification regime. This has been seen by some market players as unnecessarily rigid. The Digital Omnibus replaces this with a voluntary registration regime, under which only registered providers may use the label “data intermediation services provider recognised in the Union” and the associated logo.
The obligation to keep data intermediation services legally separate from any other service a company may want to offer will be replaced by an obligation to keep services functionally separate.
Under the revised rules, providers may only use the data for the purpose of making it available to users and may not exploit activity‑related data beyond what is necessary to operate the intermediation service. Any additional tools facilitating data exchange may be used only at the explicit request of, or with the approval of, the data holder or data subject.
In addition, data intermediation services providers (other than micro‑enterprises and small enterprises) may offer value-added services only under strict conditions, including that such services are explicitly requested, provided through a functionally separate entity, and independent from any gatekeeper activities.
Continued prohibition of data localisation requirements
The FFDR was originally intended to support the development of a single market for cloud services. Its scope has since been largely absorbed by Chapter VI of the Data Act, which governs switching between data processing services.
Following conclusion of the Digital Omnibus, one core principle of the FFDR would remain, incorporated into the Data Act: the prohibition of data localisation requirements, except where they are justified on grounds of public security.
Next steps
The Digital Omnibus proposal has politically contentious elements but these mostly tend to concern the changes to the GDPR and the AI Act. Attempts to streamline the data acquis have been greeted largely with relief. Whether or not all the proposed changes will make it through to legislation and exactly when they may take effect remains to be seen.
