Major contract update project attaches to EU digital omnibus reforms

David Halliwell and Stephan Appt of Pinsent Masons said the proposals for a Digital Omnibus Regulation and Digital Omnibus on AI Regulation that the European Commission published in November last year contain wide-ranging reforms that will have an impact on commercial contracts.

The proposals envisage reform of a raft of EU digital and data laws including the General Data Protection Regulation (GDPR), ePrivacy Directive, AI Act, Data Act, second Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA). Scrutiny of the plans by EU law makers is expected to increase over the coming months: both the European Parliament and Council of Ministers need to agree on the wording of reforms before any of the changes come into force.

Halliwell said: “The proposed reforms will make compliance across the EU data framework easier, but it requires preparation and thorough review of the contractual arrangements across multiple business functions.”

“Businesses will face simultaneous rewrites of digital, privacy, cyber, cloud, IoT, supply chain, and public sector contracts. If they do not act, there will be a risk of legal uncertainty, increased exposure to regulatory penalties, and slower commercial operations,” he said.

Appt said the proposed changes to the EU Data Act are particularly notable as these will have extraterritorial impact. It means businesses based outside of the EU, in countries such as the UK and US, could be impacted. This includes manufacturers of connected products and providers of related services, cloud service providers, and data‑processing service providers.

“The proposed draft may change the contractual and operational baseline for Data Act compliance, so the businesses must now interpret the Data Act considering the omnibus’ refined trade secret protections, expanded refusal grounds, updated definitions, and cloud switching modifications,” Appt said. “In effect, it may require cross‑framework realignment of the data governance and legal instruments, warranting contract review.”

Halliwell said businesses should not wait until the omnibus reforms are in force to act.

“The review and identification of the contracts impacted by these reforms will take a lot of time,” Halliwell said. “In any event, the current Data Act regime is not suspended by talk of reform, so action is required on the basis of the current framework: in this regard, the Commission‑issued templates for Data Act model contractual terms (MCTs) and standard contractual clauses (SCCs) are already available.”

“Implementing reform of the kind imagined under the Commission’s proposals requires deep sector knowledge in technology, digital regulation, infrastructure, and complex contracting. The scale of the contract remediation project ahead should spur businesses to explore alternative, cost-effective and creative solutions. Managed legal services can help companies update their contracts in line with the new framework in a scalable and cost-effective manner,” he said.