The issue, in brief
The Digital Omnibus — the legislative package through which Brussels is streamlining the EU’s digital rules — has been moving in the same direction for years: more sharing, more portability, fewer silos. A legitimate objective, but one with a side effect that many companies have not yet fully grasped: every data-sharing obligation creates an additional window through which know-how that has not been — or cannot be — patented may escape.
The package includes two main texts: one amending existing rules on data, cybersecurity, and privacy (the “digital acquis”), still under negotiation; and another concerning artificial intelligence, for which a provisional political agreement was reached on 7 May 2026. The dates of official publication remain subject to completion of the formal process.
What changes in practice
The most relevant amendments to the digital acquis for those handling sensitive information include:
– Public data and large operators. Public administrations may impose special conditions on Very Large Enterprises and DMA gatekeepers reusing public-sector data, in order to prevent privileged access to data from reinforcing already dominant positions.
– Data intermediaries. The mandatory regime under the Data Governance Act would become voluntary, with lighter separation requirements. More actors in the chain means more points of contact.
– Cloud switching. Simplified regimes for certain categories, but with explicit safeguards regarding trade secrets and risks of exposure to third-country jurisdictions.
– Smart contracts for data sharing. The essential requirements under Article 36 of the Data Act would be removed: fewer technical constraints, greater reliance on contractual governance.
The starting point: the Data Act
Already applicable since 12 September 2025, the Data Act grants users of connected devices the right to have their data shared with third parties. For manufacturers, this exposes a delicate perimeter: the data may contain operational logic, configuration parameters, performance information — everything that makes up know-how without ever having been labelled as such. Moreover, the Data Act disapplies the sui generis protection of databases in this context, shifting the burden of protection onto trade secrets.
Consider a practical example. A manufacturer of connected industrial equipment receives a request from a customer to share 18 months of operational logs with an independent maintenance provider that directly competes with its after-sales service. Those logs contain calibration parameters and control sequences developed over years of R&D and never patented. The Data Act does not allow for a blanket refusal, but it does permit the manufacturer to require proportionate technical measures before sharing the data (Article 4(6)): NDAs with anti-reverse-engineering clauses, sensitive data disclosed only in aggregated form, and contractual prohibitions on using the data to develop competing services (Article 6(2)(e)). If the third party refuses those measures, the manufacturer may block the sharing, but must provide written reasons and notify the competent authority. These two steps are not optional: they are the formal conditions for a lawful refusal.
The Regulation also provides for the possibility of refusing disclosure where sharing would make serious economic harm highly likely. The threshold is high, and the practical problem is that the harm must be demonstrated before the disclosure occurs, based on data that has not yet left the company. Those who have not documented the value of their trade secrets will find themselves without arguments when they are most needed.
The Digital Omnibus novelty: the jurisdictional factor
If approved in its proposed form, the amendment to the Data Act would introduce a new basis for refusing disclosure: the risk of unlawful acquisition by entities operating in third countries with insufficient safeguards — or with formally equivalent safeguards lacking effective enforcement.
This represents a concrete shift in perspective. Today, many leaks do not originate from cyberattacks or disloyal employees: they arise because data lawfully shared reaches a legitimate recipient operating in a jurisdiction where a local authority may require disclosure — and where obtaining an injunction is slow or impossible. The secret is lost because of a structural systemic issue, not because of malicious intent. The proposal seeks to turn this asymmetry into a legal lever: refusal is legitimate, but it must be justified in writing and notified to the competent authority.
Five things to do now
– Map data from a competitive standpoint. Not for GDPR purposes: which datasets, if analysed, reveal proprietary processes or logic? Which fall within the scope of the Data Act?
– Build a trade secret registry. A trade secret exists if it is not generally known, has economic value because it is secret, and is protected through reasonable measures. NDAs, access controls, audit logs, internal policies: everything documented and updated.
– Structure responses to data-sharing requests. What is needed is a process, not a case-by-case assessment. Clear criteria are required regarding when to refuse disclosure, how to justify the refusal, and how to notify it.
– Conduct a jurisdictional assessment of data flows. Who receives the data? Where do they operate? Where are their subcontractors located? What is the actual level of enforcement in those jurisdictions?
– Monitor the legislative process. The Digital Omnibus for the digital acquis will evolve. Those working with sensitive data need to know how, and when.
The direction of the Digital Omnibus will not change: more circulation, more portability. But companies that have built their competitive advantage on data and unpatented processes cannot wait for the legislation to stabilise. The trade secret that survives is the one already structured as such before someone asks for it to be shared.
