EU Digital Omnibus and Data Act: Implications for trade secret protection

On 19 December 2025, the European Commission unveiled the EU Digital Omnibus Regulation Proposal, a proposal aimed at making Europe more competitive in the digital economy and reducing the regulatory hurdles that slow innovation. Among its measures are targeted changes to the EU Data Act that could reshape how companies protect trade secrets in an era of mandatory data sharing. For companies manufacturing or providing connected medical devices, wearable health products, or digital health solutions, these changes touch the heart of how valuable know-how is managed and safeguarded.

The Data Act requires companies collecting data generated by connected products and related services to provide the user – and, in some cases, third parties selected by the user – access to that data. This data can contain trade secrets or could be used to reverse-engineer products or algorithms. The Data Act establishes a tiered approach to sharing trade secrets:

  • Disclosure with safeguards. Data should be shared under agreed technical and organizational protective measures.
  • Temporary withholding or suspension. Access may be withheld or suspended if protective measures are not agreed upon or effectively implemented, with appropriate justification and notification.
  • Refusal. In exceptional circumstances, access may be denied if disclosure would have a high likelihood of serious economic damage.

The Digital Omnibus Regulation Proposal recognizes a real concern: mandatory data sharing can inadvertently expose sensitive know-how, particularly outside the EU. Thus, the proposal adds a new safeguard: companies may refuse to share trade secrets when disclosure carries a high risk of unlawful acquisition, use, or onward transfer, especially in jurisdictions with weaker protections. This refusal would be case-by-case, applying to both direct users and third-party recipients.

While the proposal is not yet law, we recommend that companies take the following steps to future-proof their trade secret protection:

  • Map and classify data. Identify data flows across all connected products, applications, and services. Document the commercial value, confidential nature, and protective measures for any data qualifying as trade secrets, including aggregated datasets.
  • Strengthen safeguards. Review and enhance contractual, technical, and organizational safeguards for data access, use, and onward sharing with users and third parties. Implement robust access controls, encryption, monitoring, and secure sharing protocols.
  • Embed trade secret considerations into compliance processes. Integrate procedures for withholding or refusing data access, ensuring decisions are supported by legal and technical documentation and arguments. Align these steps with existing personal data portability workflows and notify authorities where required. As part of this, identify and assess third parties and countries that would carry a high risk to the company's trade secret protection framework.

Authors

Chantal Van Dam

Counsel, Global Regulatory, Amsterdam

July Baltus

Junior Associate, Global Regulatory, Amsterdam
