Art. 32.1 of the Data Act stipulates that providers of data processing services shall take all adequate technical, organisational and legal measures, including contracts, in order to prevent international and third-country governmental access and transfer of non-personal data held in the EU where such transfer or access would create a conflict with EU law or with the national law of the relevant Member State. Certain exceptions to this obligation are envisaged, such as compliance with a binding court order issued in the receiving country under existing mutual legal assistance agreements to which the EU is a party.
It is reported that this provision may place onerous obligations on non-EU service providers and could potentially hinder their capacity to compete effectively within the European market. A particularly complex issue arises in relation to cloud service providers handling mixed data sets, as they must navigate the constraints imposed by Art. 32 of the Data Act alongside the limitations on personal data transfers set out in Chapter V of the EU General Data Protection Regulation (GDPR). In practice, cloud providers may be required to conduct a separate risk assessment under the Data Act, in addition to any transfer impact assessment necessitated by the GDPR.

The European Union has joined agreements with binding commitments to open transfers of data across borders: the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the One Part, and the United Kingdom of Great Britain and Northern Ireland, of the Other Part (Art. 201), the Agreement between the European Union and Japan for an Economic Partnership (Art. 8.81), and the EU-New Zealand Free Trade Agreement (Chapter 12, Art. 12.4).

Since May 2018, the General Data Protection Regulation (GDPR) requires that organisations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale must appoint a Data Protection Officer (DPO). Previously, only European institutions and bodies were required to appoint at least one person as a DPO, with some Member States also imposing such requirements on private companies. In addition, under the GDPR, Data Protection Impact Assessments (DPIAs) are mandatory for data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons.

The Trade Secrets Directive (EU) 2016/943 protects trade secrets while also allowing for disclosure of trade secrets for reasons of public interest, either to the public or to public authorities in the performance of their duties. Art. 1.2 states that "this Directive shall not affect: [..] (b) the application of Union or national rules requiring trade secret holders to disclose, for reasons of public interest, information, including trade secrets, to the public or to administrative or judicial authorities for the performance of the duties of those authorities."
Moreover, Art. 5 stipulates that Member States shall ensure that an application for the measures, procedures and remedies provided for in this Directive is dismissed where the alleged acquisition, use or disclosure of the trade secret was carried out in any of the following cases for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest.

Regulation EU 2019/1150 on promoting fairness and transparency for business users of online intermediation services (the Platform to Business Regulation) requires the disclosure of certain features of algorithms, which may constitute trade secrets. Art. 5 stipulates that online intermediation services must disclose the main ranking parameters and their relative importance to business users through terms of service, while online search engines need to make similar disclosures publicly. The Commission's December 2020 guidance on ranking (§82) argues that providers cannot refuse to disclose the main parameters based on the sole argument that these constitute a trade secret.

The Digital Services Act (DSA) envisages research access to data under confidentiality obligations, as well as access to algorithms and explanations by regulators. It is reported that certain requirements in the DSA create uncertainty in relation to trade secret protection, as very large online platforms can be under an obligation to open access to their (confidential) data. Art. 25 defines very large online platforms as those platforms that reach an average monthly active recipient of the service in the Union equal to or higher than 45 million.
Art. 31 of the DSA provides a framework for compelling access to data from very large online platforms to competent national authorities (“Digital Services Coordinators”) to monitor and assess compliance with the Regulation. The Digital Services Coordinator may also request large online platforms to provide access to data to vetted researchers for researching and identifying systemic risks as set out in Art. 26(1). Such a requirement may include, for example, data on the accuracy, functioning and testing of algorithmic systems for content moderation. All requirements for access to data under the framework should be proportionate and appropriately protect the rights and legitimate interests, including trade secrets and other confidential information.
Moreover, according to Art. 31(6), a platform may apply to amend the data request if it will lead to “significant vulnerabilities for the protection of confidential information.”

In November 2021, The European Commission imposed a definitive anti-dumping duty under the Implementing Regulation (EU) 2021/2011 on imports of optical fibre cables (CN code ex: 8544 70 00) from China. The original duty of 44% was amended in January 2022 by the Implementing Regulation (EU) 2022/72, establishing a duty on imports of 33.7%, applicable until November 2026.

In January 2022, the European Commission imposed a countervailing duty under the Implementing Regulation (EU) 2022/72 for imports of optical fibre cables (CN code ex: 8544 70 00) from China. The rate of duty on imports from China is 10.3%, applicable until January 2027.

In January 2022, the European Commission imposed a minimum import price and anti-dumping duties on flat-rolled products of grain-oriented silicon magnetic steel, which is an important material in the production of energy-efficient transformers and large high-performance generators. The measures apply to imports from China, Japan, the Republic of Korea, the Russian Federation, and the United States of America. This is a continuation of measures first introduced in May 2015 by Implementing Regulation (EU) 2015/1953. The minimum import prices (MIPs) currently in force range between 1,536 EUR/tonne to 2,043 EUR/tonne. They apply to the individually named exporting producers for which individual dumping margins were established from all the countries concerned. If the CIF Union border price is equal to or above the MIP, no duty is payable. Only if import prices are below this level are anti-dumping duties imposed, set at the difference between the import price and the minimum import price, up to a maximum ranging from 21.5% to 39% of the import price. The system of minimum import prices and anti-dumping duties was introduced in 2015, while the level of duties was adjusted in 2022.

In July 1990, the European Commission imposed a definitive anti-dumping duty on imports of silicon metal (HS Code: 280469) from China, which is also used in the production of silicon compounds and silicon wafers for electronic semiconductors. This measure was first extended to imports from the Republic of Korea, regardless of their declared origin, under Council Regulation (EC) No 42/2007. In 2013, it was further extended to imports from Taiwan, again irrespective of their declared origin, by Council Implementing Regulation (EU) No 311/2013. This measure was last extended in August 2022. The rate of duty is 16.8% of the net free-at-Union-frontier price, with the exception of the company Datong Jinneng Industrial Silicon Co., whose exports are subject to a duty of 16.3% of the net free-at-Union-frontier price.

In December 2024, the European Commission adopted Implementing Regulation (EU) 2024/3014, thereby imposing a definitive anti-dumping duty on imports of optical fibre cables (CN code ex 8544 70 00) originating from India. The applicable duties range from 6.9% to 11.4%, with two categories of products explicitly excluded from the scope of the measure:
- cables shorter than 500 metres in which all optical fibres are individually equipped with operational connectors at one or both ends, and
- submarine-use cables, plastic-insulated, containing a copper or aluminium conductor, with fibres enclosed in metal modules.
This definitive measure followed the imposition of provisional anti-dumping duties in June 2024, which applied to single-mode optical fibre cables imported from India. The provisional duties ranged from 8.7% to 11.4% and covered cables exceeding 500 metres in length, while similarly excluding cables fitted with connectors and submarine cables.
The European Commission initiated its investigation in November 2023 in response to a complaint lodged by Europacable, the industry association representing European cable producers, alleging that Indian exporters were engaging in dumping practices that caused material injury to the Union industry.

The International Procurement Instrument (IPI) introduces measures limiting the access to open EU public procurement tenders of non-EU companies from countries that do not offer similar access to EU companies. The measures apply to tenders worth at least 15 million Euros for works and concessions and 5 million Euros for goods and services, such as the purchasing of computers.
Pursuant to Art. 5, the IPI enables the Commission to investigate third-country measures or practices adopted or maintained by public authorities or individual contracting authorities, which result in a serious and recurrent impairment of access of Union economic operators, goods or services to the public procurement or concession markets of that third country. When the Commission finds that a third-country measure or practice exists, it may adopt an IPI measure that requires contracting authorities or contracting entities to impose a score adjustment on tenders submitted by economic operators originating in that third country or exclude tenders submitted by economic operators originating in that third country.
The Regulation is yet to be implemented by EU Member States. Typically, the implementation by Member States takes 18–24 months on average after adoption.

Although the European Union is a signatory to the WTO Government Procurement Agreement (GPA), its coverage schedules do not include "telecommunications-related services" (CPC 754), which is an important sector for digital trade.