Trade secrets and the Digital Omnibus: key risks and safeguards

Introduction

As set out in the introductory article to this series, the Digital Omnibus package published by the EU Commission in November of last year aims to streamline the EU’s digital rules and seeks to enhance transparency, accountability and consumer protection. It includes two proposed Regulations: a Digital Omnibus for the digital acquis (covering data, cybersecurity and privacy); and a Digital Omnibus on AI, (together, the Omnibus). The latter has progressed rapidly and is now subject to a provisional political agreement by the European Parliament and Council reached on 7 May 2026.  It must now be formally adopted by these bodies and published in the Official Journal, expected to be completed before 2 August 2026, and will enter into force three days later.  The former remains at an earlier stage of the legislative process.

This article examines the tension that arises between the data sharing obligations in the Omnibus and the protection of trade secrets. In particular, it considers how the Omnibus interacts with the existing safeguards in the EU Data Act, which became applicable on 12 September 2025, (the Data Act), the extent to which those safeguards may be strengthened and the practical implications for businesses that rely on trade secrets to protect commercially sensitive information.

What does the Omnibus require in terms of data sharing, re-use and sovereignty?

Following the introductory article in this series, this section examines the Digital Omnibus for the digital acquis's initiative to streamline and consolidate the digital acquis by integrating specific provisions into the Data Act, and identifies five key elements:

• Reconfiguration of data access and re use to avoid reinforcing market power

The rules on re use of protected public sector data under the Data Governance Act (DGA) and the rules on access to public sector information under the Open Data Directive would be transferred into the Data Act and merged into a single, coherent chapter with aligned concepts and terminology.

The Regulation on a framework for the free flow of non-personal data in the EU would be repealed.

To give effect to this reconfiguration, the Digital Omnibus for the digital acquis enables public sector bodies to apply proportionate special conditions and higher fees when very large enterprises (VLEs) or digital gatekeepers designated under the Digital Markets Act (DMA) seek to reuse open or protected public sector data. This ensures that dominant market participants cannot leverage preferential access to public sector data in ways that would entrench or further extend their market position.

• Voluntary certification regimes for data intermediation and data altruism  

The DGA requirements applicable to data intermediation services and data altruism would be amended and moved into the Data Act. The current mandatory regime for data intermediation services under the DGA would be replaced by a voluntary, streamlined scheme.

In addition, legal separation requirements between data intermediation services and other value added services would be replaced by functional separation requirements and reporting obligations for data altruism organisations would be reduced.

• Calibration of cloud switching rules and strengthened safeguards

The Digital Omnibus for the digital acquis also recalibrates the cloud switching framework and reinforce associated safeguards, particularly around trade secrets and international exposure, while supporting governance through a strengthened European Data Innovation Board.

Lighter regimes would apply to custom‑made data processing services, meaning services that are not available “off the shelf” and that require prior adaptation to the user’s needs and ecosystem. They would also apply to SME and SMC providers of data processing services.

Most provisions of Chapter VI of the Data Act facilitating switching between data processing services would not apply in these situations, except for the obligations to reduce and ultimately eliminate switching and egress charges.

• Removal of essential requirements for smart contracts

The Digital Omnibus for the digital acquis would repeal article 36 of the Data Act, which sets out the essential requirements for smart contracts executing data sharing agreements. 

The objective is to address existing legal uncertainties arising from the lack of harmonised standards and clear definitions, which could otherwise hinder innovative business models.

• Repeal of the Platform to Business Regulation  

The Platform-to-Business (P2B) Regulation would be repealed, as its provisions would largely be covered by the Digital Services Act and the Digital Markets Act. This would help clarify compliance requirements for online intermediary service providers.

However, cross-references to the P2B Regulation in other EU laws would remain valid until those acts are individually amended. In any event, such cross-references will cease to have effect no later than 31 December 2032, which constitutes an outside transitional limit rather than a fixed repeal date (e.g., rules on restrictions and suspensions of online intermediation services, complaint handling systems for business users and enforcement provisions).

How will this impact trade secrets?

Trade secrets under the Data Act

Under the Data Act, users of connected devices, or recipients of services related to connected devices, now have the right to request (i) access to data generated by their use and (ii) that such data is made available to third parties. This is to allow them to easily switch to other providers through greater data portability, thereby increasing competition within the market. This is discussed in more detail in our previous article. Data holders, often original equipment manufacturers, feared that these provisions could be abused and the data used to produce competing products (which is prohibited under the EU Data Act) or to train AI models. This fear was exacerbated by the Data Act expressly disapplying database rights protection for data obtained from, or generated by, a connected product or related service within its scope. As a result, acts that would normally infringe database rights do not infringe where the data originates from such products or services.

In relation to trade secrets however, the Data Act provides that these shall only be disclosed to third parties to the extent necessary to fulfil the purpose agreed between the user and the third party. It also provides that trade secrets may be withheld:

• if the data holder requires the adoption of proportionate technical and organisational measures as a condition of disclosure and such measures are not agreed to by the relevant third party;
• if the disclosure would make it highly likely that they would suffer serious economic damage even if the measures referred to above are agreed to; or
• on grounds of public and national security (though the extent to which a refusal on this ground would be permitted is not clear cut).

These measures mean that trade secrets have become increasingly important to companies seeking to protect their know-how and confidential information now that the sui generis database right can no longer be relied upon for data falling within the scope of the Data Act. However, whilst trade secrets may help to mitigate the impact of disclosure obligations under the Data Act, in most cases it will be difficult to use trade secrets as a basis for avoiding disclosure completely in light of the ‘serious economic damage’ or public and national security thresholds described above.

Trade secrets under the Omnibus

The Digital Omnibus for the digital acquis acknowledges in its explanatory memorandum that “there is an urgent need to strengthen safeguards against the risk of trade secret leaks to third countries in the context of the mandatory IoT data-sharing provisions”. It strengthens the rights of data holders to refuse to disclose trade secrets through the creation of a new rule under Articles 4(8) and 5(11) of the Data Act, as currently proposed. The new rule allows refusals where there is a high risk of unlawful acquisition, use, or disclosure to third countries, or entities under their control, that are subject to jurisdictions with weaker protections than the EU. The new provision also covers instances where the third country legal framework has equivalent protection but lacks appropriate enforcement in practice. If refusing to disclose on these grounds, the data holder must substantiate its decision using objective elements and provide this substantiation to the user in writing without undue delay, as well as notify the designated competent authority.

In terms of data sharing necessitated by public and national security, the Digital Omnibus for the digital acquis, as currently proposed, narrows the scope of the Data Act Chapter V provisions from permitting access when there are “exceptional needs” to when it is necessary to respond to, mitigate or support recovery from “public emergencies”.

In summary, while the Digital Omnibus for the digital acquis proposal is expected to enhance trade secret protections beyond the current Data Act, the precise nature and extent of these enhancements remain subject to interinstitutional negotiation and may be refined in the final adopted text and businesses should monitor developments closely.

Will the UK be affected?

The Omnibus will not apply directly in the UK following Brexit, meaning the rules applicable to trade secrets could begin to diverge. The degree of divergence will likely depend on the extent to which the Omnibus enhances protections beyond the current EU Trade Secrets Directive (implemented in the UK through the Trade Secrets Regulations) and whether the UK chooses to adopt similar measures independently. The specific details of the enhancements to trade secret protections under the Digital Omnibus are not explicitly outlined in the provided documents. As such, UK businesses operating in the EU or engaging in cross-border trade will need to monitor developments in this area as once the Omnibus is in force, they will need to comply with the Omnibus when dealing with customers in the EU.

What should businesses do now?

The exact implications for trade secrets will depend on the final text of the Digital Omnibus for the digital acquis proposal and its implementation by Member States. In anticipation, businesses should (to the extent they are not doing so already):

• review and classify the data they hold (particularly machine-generated data and data from connected products that are likely to fall under the mandatory sharing obligations) and establish what they consider to be trade secrets;
• develop documentation to substantiate refusals to share such trade secrets (businesses will need to undertake foreign law exposure risk assessments and consider what evidence they can provide to support a claim that serious economic damage would be highly likely to result from disclosure of the requested data);
• update their internal processes for considering and responding to data requests and disclosing data where required; and
• continue to monitor the legislative journey of the Omnibus so that they are well-placed to ensure compliance with it.

Conclusion

The Omnibus has the potential to impact the protection of trade secrets in both the EU and the UK through its provisions on transparency and data-sharing. While it includes safeguards aimed at protecting commercially sensitive information and trade secrets, the way these provisions interact with the EU Trade Secrets Directive, as implemented in the UK by the Trade Secrets Regulations, will be critical. Careful alignment will be needed to ensure that enhanced transparency requirements do not undermine the existing framework for trade secret protection. Whilst the Digital Omnibus on AI has been provisionally agreed and is awaiting adoption, the Commission’s Digital Omnibus for the digital acquis proposals are not yet final and may be amended prior to adoption. These proposals will now be considered by the European Parliament and the Council of the EU, with further informal and formal negotiations expected before a final text is agreed. EU businesses and UK businesses trading with EU consumers must remain vigilant and ensure compliance with these evolving EU rules to avoid legal and regulatory challenges.