Artifact GuideEU

EU Data Act: Fair Access to Connected Product Data and Cloud Switching Trade Secrets and Protection

Share the data you must share-without giving away your trade secrets.

A practical playbook: identify trade secret fields, agree safeguards, implement technical controls, and keep a defensible audit trail.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 23, 2026
Updated Feb 23, 2026
Overview

The EU Data Act expects data holders to make certain data available even when parts of the dataset qualify as trade secrets. The compliance strategy is not "refuse to share"-it's "share with safeguards". That means: identify trade secret fields up front, agree the necessary confidentiality measures with the recipient, apply technical controls, and keep evidence. If the parties cannot agree the necessary measures, or if the recipient undermines confidentiality, the Data Act's trade secret mechanism allows withholding or suspension for the trade secret parts under specific conditions.

Section 1

1) The core principle: 'share, but preserve trade secret protection'

Trade secret protection still matters. The practical expectation is that data holders can require users and third parties to preserve confidentiality and can require measures that make that requirement enforceable.

The implementation mistake is binary thinking (share everything vs refuse). The correct implementation is controlled disclosure with enforceable safeguards.

  • Identify trade secret fields/derivations before disclosure
  • Agree minimum necessary measures to preserve confidentiality (contractual + technical)
  • Disclose only what is necessary for the request purpose, with safeguards and audit logs
Section 2

2) Build a trade secret classification workflow (so engineers can execute)

Trade secret protection fails when it's ad hoc. Build a repeatable classification workflow that engineers can run, with business owner accountability and legal review triggers.

Treat trade secret marking like data classification: predictable labels, consistent enforcement, and versioned decisions.

  • Field-level classification in the exportable dataset (trade secret / confidential / public)
  • Justification per trade secret field: why it qualifies and what harm disclosure would cause
  • Release rules: which fields are shareable by default vs requiring elevated approvals
Section 3

3) Safeguards menu: contractual measures that actually work

Your goal is enforceability: the recipient must be bound to confidentiality, and you must be able to prove what you required and what they accepted.

Avoid vague clauses. Tie safeguards to concrete controls and evidence.

  • Confidentiality + use limitation: purpose restriction aligned to the request
  • Onward sharing controls: flow-down obligations and prohibited onward disclosure without approval
  • Security baseline: encryption, access control, secure storage, incident notification
  • Auditability: logging obligations and audit rights for suspected misuse
Section 4

4) Safeguards menu: technical controls for controlled disclosure

Technical controls are your strongest evidence. They make confidentiality measurable and reduce the blast radius of a mistake.

Prefer least-privilege and data minimisation controls that can be proven with logs and configurations.

  • Minimisation: smallest dataset/time window that satisfies the request
  • Redaction/aggregation where compatible with the purpose
  • Secure delivery: encrypted export, short-lived links, per-request tokens, and rate limiting
  • Controlled environments for sensitive analytics (segmented storage and compute)
  • Traceability: checksums + immutable access logs (who accessed what, when, and why)
Section 5

5) Withholding or suspension conditions - the 'handbrake' with an audit trail

The trade secret mechanism is not a blanket refusal. It is a targeted control for trade secret parts of the dataset where safeguards are missing or breached.

If you use it, you need a case file: what was requested, what measures were proposed, what failed, and what was withheld/suspended.

  • Trigger A: no agreement on necessary confidentiality measures
  • Trigger B: recipient fails to implement agreed measures or undermines confidentiality
  • Documentation: decision in writing without undue delay; keep a record suitable for regulator review
  • Scope control: withhold/suspend only the trade secret-identified parts, not unrelated data
Section 6

6) Apply the same playbook to Chapter V (B2G) requests

Chapter V requests explicitly expect trade secret protection and proportionate safeguards. Build trade secret marking and confidentiality controls into your B2G disclosure pipeline the same way you do for Chapter II/III disclosures.

Public-sector disclosure still needs: minimisation, secure transfer, strict access, and logs.

  • Mark trade secret fields in the dataset manifest and metadata
  • Require confirmation of safeguards before disclosure
  • Log disclosure, access, onward sharing, and deletion/erasure outcomes
Section 7

Evidence pack - what to keep (and why it wins disputes)

Trade secret disputes are evidence disputes. Keep artifacts that show you identified trade secrets, proposed measures, and shared responsibly.

If you withheld or suspended sharing, keep the full case file and decision rationale.

  • Trade secret register: fields, rationale, owners, and review dates
  • Recipient safeguards: executed NDAs/terms, security attestations, and access protocol acknowledgements
  • Technical evidence: logs, access control configs, encryption settings, export manifests and checksums
  • Withholding/suspension case file: communications and decision memo
Recommended next step

Use EU Data Act: Fair Access to Connected Product Data and Cloud Switching Trade Secrets and Protection as a cited research workflow

Research Copilot can take EU Data Act: Fair Access to Connected Product Data and Cloud Switching Trade Secrets and Protection from getting cited answers and faster research on this topic to a reusable workflow inside Sorena. Teams working on EU Data Act: Fair Access to Connected Product Data and Cloud Switching can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Research workflow
Open Research Copilot for EU Data Act: Fair Access to Connected Product Data and Cloud Switching Trade Secrets and Protection

Start from EU Data Act: Fair Access to Connected Product Data and Cloud Switching Trade Secrets and Protection and answer scope, timing, and interpretation questions with cited outputs.

Explore next step
Talk to Sorena
Talk through EU Data Act: Fair Access to Connected Product Data and Cloud Switching

Review your current process, evidence gaps, and next steps for EU Data Act: Fair Access to Connected Product Data and Cloud Switching Trade Secrets and Protection.

Explore next step
Primary sources

References and citations

European Commission - Data Act FAQs (library page)
digital-strategy.ec.europa.eu
Referenced sections
  • Practical clarification often summarised as the 'trade secrets handbrake': share with safeguards, and use withholding/suspension only when safeguards aren't agreed or are breached.
Related guides

Explore more topics

Access Rights and Portability | EU Data Act: Fair Access to Connected Product Data and Cloud Switching
EU Data Act access rights and portability (Chapter II) made practical: direct vs indirect access, "readily available" data.
Applicability Test | EU Data Act: Connected Products, B2B Data Sharing, B2G Exceptional Need, Cloud Switching
A practical EU Data Act applicability test you can run in 15 minutes: determine if Chapter II IoT access rights apply (connected products + related services).
B2B Data Sharing Contract Clauses | EU Data Act: Mandatory Sharing, Unfair Terms, Trade Secrets
EU Data Act contract clauses for B2B data sharing made practical: clause library for Chapter III access/use (purpose limits, compensation, security.
B2B Data Sharing Contract Template | EU Data Act: Data Access and Use Agreement (Drafting Checklist)
A practical EU Data Act-aligned B2B data sharing contract template: sections, annexes, and drafting checklist for dataset definition, permitted use.
B2G Exceptional Need Requests | EU Data Act: Public Emergency Data Requests, Safeguards, Compensation
EU Data Act Chapter V B2G 'exceptional need' requests made practical.
Cloud Switching and Exit Plans | EU Data Act Chapter VI: Switch Providers, Port Data, Remove Egress Barriers
EU Data Act Chapter VI cloud switching made practical: Article 23 obstacle removal, Article 25 required contract terms (max 2-month notice, 30-day transition.
Cloud Switching Compliance Checklist | EU Data Act Chapter VI: Contracts, Exportable Data, Fees, Transparency
A detailed EU Data Act Chapter VI cloud switching compliance checklist: Article 25 contract terms (max notice period, 30-day transition, retrieval period).
Compliance Program | EU Data Act Implementation Playbook: Governance, Controls, Evidence, Operating Cadence
Turn the EU Data Act into an implementation program: chapter scoping, roles and ownership, product workflows for Chapter II access.
Deadlines and Compliance Calendar | EU Data Act
Plan EU Data Act delivery with real dates: Regulation applies from 12 Sep 2025.
EU Data Act Checklist | Chapter II Access, B2B Sharing, Unfair Terms, B2G Requests, Cloud Switching
A comprehensive EU Data Act checklist organized by roles and chapters: Chapter II connected product data access (direct vs indirect access).
EU Data Act vs GDPR | Differences, Overlap, Portability, Lawful Basis, Implementation Playbook
EU Data Act vs GDPR made practical: how Chapter II access/portability for connected product data differs from GDPR data subject rights.
FAQ | EU Data Act Explained: Key Dates, Access Rights, Trade Secrets, B2G Requests, Cloud Switching
EU Data Act FAQ with practical answers grounded in official sources: when the Data Act applies (Article 50), direct vs indirect access.
Penalties and Fines | EU Data Act Enforcement: Member State Penalties, GDPR-Linked Fines, Risk Controls
EU Data Act penalties and fines made practical: how Member States set penalties (Article 40), the criteria authorities must consider.
Requirements | EU Data Act Obligations Explained: Chapter II Access, Chapter IV Unfair Terms, Chapter V B2G, Chapter VI Switching
A structured EU Data Act requirements breakdown across Chapters II-VI: connected product data transparency and access workflows.
Scope, Connected Products and Data Types | EU Data Act: Fair Access to Connected Product Data and Cloud Switching
EU Data Act scope explained: connected products vs related services, product data vs related service data, readily available data.