Regulating Data: EU Data Act & More - February 2026 Edition

The EU’s digital regulatory landscape is evolving at unprecedented speed, creating both new compliance challenges and strategic opportunities in Europe

27 February 2026

Publication

Welcome to the sixth edition of Regulating Data: EU Data Act & More.

Europe’s digital regulatory environment continues to advance rapidly, presenting both complex compliance requirements and significant strategic opportunities for organisations across all sectors. Remaining alert and adaptable is crucial to maintaining a competitive edge and meeting evolving legal standards. In this edition, we examine several key developments with immediate relevance for your business:

  • EU Data Act: The Commission’s newly published Draft Guidelines on “reasonable compensation” and their implications for B2B data sharing arrangements.
  • German NIS2 Regime: The critical phase of Germany’s NIS2 implementation, including the statutory registration deadline and sector-specific impacts.
  • Digital Omnibus Proposal: The EDPB and EDPS Joint Opinion.

For further context, including previous analyses of the Digital Omnibus Proposal and Germany’s NIS2 Implementation Act, please refer to earlier editions of our newsletter.

Please also check out our webinar series on the Data Act.

1. EU Data Act: Commission Issues Draft Guidelines on “Reasonable Compensation”

On 2 February 2026, the European Commission published Draft Guidelines on the calculation of “reasonable compensation” under Article 9 of the Data Act, accompanied by a short consultation window from 30 January to 20 February 2026. The Guidelines aim to clarify one of the more commercially sensitive aspects of the Data Act’s mandatory B2B data sharing regime and are intended to operate as a non-binding good practice reference for market participants.

1.1 Background

Article 9 of the Data Act allows data holders to charge compensation for making data available in B2B constellations, subject to the overarching requirements of reasonableness and non-discrimination and, in some cases, the possibility of including a margin. With most provisions applicable since September 2025, the Commission’s objective is to provide a clearer framework for calculating allowable costs and margins, thereby reducing ambiguity and potential disputes in B2B negotiations.

1.2 Core Elements of the Compensation Framework

  • (A) Non-Discrimination
    Compensation must not discriminate between similarly situated data recipients. However, the Commission acknowledges that differentiation may be justified where it reflects objective requirements, such as additional costs linked to necessary security, compliance or confidentiality measures, or technical burdens arising from data format, volume, frequency or preparation. Any such differentiation must remain proportionate and pursue legitimate aims, including protecting innovation and trade secrets and preserving a level playing field.

  • (B) Compensable Cost Categories
    The draft enumerates specific direct, incremental and objectively measurable costs that are “indicative elements for the calculation of compensation”, including:

    • Cost of preparing and formatting the dataset
    • Cost of dissemination
    • Cost of storage

    Importantly, overhead, sunk costs, speculative risks and ordinary business expenses remain outside the scope of recoverable items. Only costs occasioned by the specific request, and necessary to satisfy the data sharing obligation, may be included.

  • (C) Investments and Margin
    As set out in Article 9(1) and Recital 47, reasonable compensation may include a margin, provided that the margin reflects investments made in the collection or production of the data. In determining such a margin, the relevant investment elements to be considered include:

    • Collection of already existing data, which covers, according to the Guidelines: “Investments to obtain, source, intake, or seek out data that already exists.”

    • Production or generation of new data, which contains: “Investments whose primary purpose is to create original datasets, rather than source what already exists.”

      When assessing the extent to which investments should be reflected in the margin, it follows from the wording “shall take into account in particular” (as stated in Article 9(2)(b)) that several factors may influence the calculation, while any margin must remain within reasonable limits and balance affordable access with the protection of data holders’ economic interests.

      A margin may be added for items qualifying as “investments in the collection and production of data,” and Recital 47 clarifies that its level may vary depending on data‑related factors, the costs and impact of collection, and whether other parties contributed.

      The data holder may request information on the recipient’s intended use only to determine whether its own activities are affected and whether a margin is justified, but may not seek unrelated commercial or profitability details.
      As a general rule, investments made in data collection and production should be taken into account.

1.3 Implications for Businesses

The draft Guidelines are likely to become an important interpretative reference for negotiating and documenting data sharing arrangements across sectors. They provide:

  • Greater clarity on which costs may legitimately be passed on;
  • Guardrails against over-recovery, particularly through the exclusion of overheads; and
  • A structured approach to allocating investment-based components.

Given the Data Act’s broad horizontal reach, organisations should assess whether their existing pricing models, contractual frameworks and internal documentation processes align with the emerging expectations reflected in the draft Guidelines.

2. German NIS2 Regime Enters Critical Phase as Registration Deadline Takes Effect

Germany’s implementation of the EU NIS2 Directive represents a material tightening of the national cybersecurity regime. While the German NIS2 Implementation Act formally entered into force on 6 December 2025, 6 March 2026 marks the expiry of the statutory registration deadline for in-scope entities.

As highlighted in our newsletter from December 2025, the amended BSI Act (“BSIG”) significantly expands both the number of regulated organisations and the depth of applicable obligations, with immediate effect and without an extended transition period.

2.1 Why this matters now

NIS2 increases the number of regulated entities in Germany from approximately 4,500 to around 29,000 organisations, reflecting a deliberate policy shift towards economy-wide cyber resilience. Entities falling within scope must now be able to demonstrate effective cybersecurity risk management, robust incident handling and clear management accountability, backed by enhanced sanctions for non-compliance.

These developments are particularly relevant for Health & Life Sciences (HLS), Technology, Media & Telecommunications (TMT) and Financial Institutions / Alternative Investment Fund Managers (FI/AMIF), all of which are directly or indirectly addressed by the German NIS2 framework.

2.2 Impact on Health & Life Sciences (HLS)

HLS organisations, including healthcare providers, pharmaceutical companies, medical device manufacturers and digital health services, are likely to qualify as “important” or “particularly important entities” under the revised BSIG. The German legislator explicitly links cybersecurity resilience to patient safety and continuity of essential services.

Key implications include mandatory, documented cybersecurity risk management across clinical, R&D and manufacturing systems, strict incident reporting timelines (initial notification within 24 hours of becoming aware of an incident), and heightened scrutiny of third-party and supply chain risks, particularly where ICT services support critical healthcare functions.

2.3 Impact on Technology, Media & Telecommunications (TMT)

TMT entities sit at the core of NIS2. Telecommunications networks, cloud computing services, data centres, managed service providers and a wide range of other digital infrastructure and digital service providers are expressly within scope under the amended BSIG.

For these organisations, NIS2 introduces strengthened governance requirements, explicit senior management responsibility for cybersecurity measures, and far-reaching obligations relating to network security, incident response, business continuity and supply chain resilience. Enforcement risk is significant, with administrative fines potentially reaching EUR 10 million or a percentage of annual global turnover, depending on the entity's classification.

2.4 Impact on Financial Institutions / AMIF

While many financial institutions and alternative investment fund managers (AMIFs) are already subject to extensive ICT and operational resilience regimes, NIS2 is directly relevant in several respects.

First, certain financial market infrastructures and financial services providers are explicitly listed among the regulated sectors under the German NIS2 framework, bringing them within the scope of the Federal Office for Information Security (“BSI”) supervision where applicable size and activity thresholds are met. Secondly, even where a financial institution or AMIF is not itself classified as an “important” or “particularly important entity”, NIS2 has clear indirect effects through supply chain and outsourcing requirements. ICT service providers used by funds, managers and portfolio companies may themselves be NIS2-regulated, with contractual and operational consequences for regulated financial entities.

In practice, NIS2 reinforces regulatory expectations around governance, risk management and incident escalation, and will increasingly interact with existing financial services frameworks on ICT risk and outsourcing. Management bodies should therefore ensure that NIS2 considerations are reflected in group-wide cybersecurity strategies, third-party risk assessments and oversight of critical ICT dependencies.

2.5 What organisations should be doing

With 6 March 2026 imminent, organisations should ensure that required BSI registration has been completed, that their status under the German NIS2 regime has been clearly assessed and documented, and that cybersecurity, incident response and governance frameworks are aligned with the new statutory requirements and capable of withstanding regulatory scrutiny.

3. EDPB & EDPS Joint Opinion on the Digital Omnibus: Key Implications for the Data Act

In their Joint Opinion of 10 February 2026 on the European Commission’s Digital Omnibus proposal (analysed in the November edition of our newsletter), the EDPB and the EDPS assess several horizontal amendments to the EU’s digital regulatory framework. A significant part of the Opinion focuses on the implications for the Data Act, particularly where the proposal seeks to consolidate and streamline the existing “Data Acquis” comprising the Data Governance Act and the Open Data Directive.

3.1 Consolidation of the Data Acquis into a Single Framework

The authorities welcome the Commission’s intention to integrate substantial parts of the Data Governance Act and the Open Data Directive directly into the Data Act, noting that this approach could reduce fragmentation and improve legal certainty.

Furthermore, the EDPB and the EDPS recommend that the legal framework should continue to underline that it does not impose an obligation on public sector bodies to allow the re‑use of personal data and does not establish a legal basis for granting such access.

3.2 Personal Data in Public Emergencies: Maintaining Pseudonymisation

In relation to crisis‑related data access, the EDPB and EDPS caution against allowing access to non‑pseudonymised personal data for public emergencies. They recommend retaining the existing rule that personal data should only be shared in pseudonymised form and only where non‑personal data is insufficient to meet the exceptional need. The Opinion notes that the proposal does not justify departing from this safeguard and warns that easing these restrictions risks weakening the protection of individuals without demonstrating necessity.

3.3 Data Intermediation Services and Altruism Organisations

In the context of data intermediation services and data altruism organisations, the EDPB and the EDPS stress the need for reliable and responsible data‑sharing practices. They call for the preservation of key safeguards and emphasise the continued importance of transparency and oversight.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.