On 26 March 2026, the Bundestag passed the Data Implementation Act (DADG). Germany has thus created the national legal framework required of member states by the EU Data Act – after a significant delay. Below we provide an overview of the background, content and fine regulations of the new law.
On 26 March 2026, the Bundestag passed the Data Implementation Act (DADG). Germany has thus created the national legal framework required of member states by the EU Data Act – after a significant delay. Below we provide an overview of the background, content and fine regulations of the new law.
Why is the law needed?
The EU Data Act (Regulation (EU) 2023/2854) has been directly applicable in large parts as an EU regulation since 12 September 2025. Material data access rights, obligations to provide data and rules for cloud migration therefore arise directly from the Data Act itself – we have reported on this in detail here(Bring on the data) and here(Your questions, our answers).
What the regulation does not regulate, however, are the institutional questions: Which authority is responsible? What is the complaints procedure? What sanctions can be imposed for infringements? This must be regulated by the member states at national level. The DADG is therefore not an independent data law, but the implementing legislation for the directly applicable EU Regulation.
Key content of the DADG
The law is deliberately kept lean. At its core, it contains
- the designation of the competent authorities (Sections 2, 3 DADG),
- regulations on cooperation between these authorities and with sectoral specialised authorities (Sections 3, 4 DADG),
- provisions on the authorisation of private dispute resolution bodies (Section 5 DADG),
- investigative and enforcement powers of the Federal Network Agency (Sections 7-12 DADG),
- rules on electronic communication and public information (Sections 13, 14 DADG) and
- a comprehensive catalogue of fines (Sections 15, 16 DADG).
In addition, Art. 2 of the Act amends the Copyright Act: The sui generis property right in databases (Section 87b UrhG) does not apply if data has been obtained by means of a networked product or connected service covered by the Data Act.
Who is responsible?
The Federal Network Agency as the central supervisory body
The Federal Network Agency (BNetzA) is designated as the sole competent authority in accordance with Art. 37 Para. 1 of the Data Regulation. It is thus:
- the central point of contact for all questions relating to the Data Act,
- responsible for complaints and their processing in accordance with Art. 38 of the Data Regulation,
- responsible for the authorisation of dispute resolution bodies,
- responsible for reviewing data requests from public bodies of the federal government in accordance with Chapter V of the Data Regulation and
- Fining authority pursuant to Section 36 (1) No. 1 OWiG.
A separate data coordinator is not appointed; the BNetzA also assumes this task.
BfDI as data protection supervisory authority – a special responsibility
Contrary to the usual allocation of responsibilities under Section 40 BDSG, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) is responsible for the protection of personal data within the scope of the Data Act, not the respective state data protection authority – even for non-public bodies.
This is not without political controversy: The Bundesrat and also the data protection authorities of the federal states had called for the responsibility to remain with the state data protection authorities. The Federal Government rejected this, citing efficiency and coherence.
In practice, this results in a multi-stage procedure: The BNetzA examines the facts of the case, involves the BfDI where data protection law is involved and is bound by its findings. The BfDI’s data protection assessment cannot be contested in isolation, but only together with the BNetzA’s overall decision.
What has changed in terms of responsibility in the legislative process?
The government draft had assigned the BNetzA comprehensive responsibility without restriction – including for the examination of data requests from the state authorities in accordance with Chapter V of the Data Ordinance. The Bundesrat saw this as an interference with federal principles of organisation and demanded an exception. The demand was taken up in the parliamentary procedure: The BNetzA now only examines data requests under Chapter V for federal authorities; for state authorities, the responsibility remains with the respective state law.
The BfDI’s special responsibility for data protection supervision of non-public bodies (Section 3 (1) DADG), on the other hand, remained unchanged despite criticism. However, the coalition parties have recommended a broad teleological interpretation: The BfDI’s jurisdiction should also extend to data protection issues that lie within the same legal relationship, insofar as it is characterised by the Data Act – in order to avoid splitting into parallel supervisory procedures.
In addition, the BNetzA’s powers of investigation and enforcement were structured more clearly: Sections 7-9 have been reorganised (first investigations and information, then enforcement), and in Section 9 (1) it has been clarified that the BNetzA only checks compliance with the Data Ordinance „within the scope of its competence“.
Fines: What are the penalties for infringements?
The catalogue of fines in Section 15 DADG covers breaches of key obligations under the Data Act. The fines are divided into four levels:
Level 1: Up to €5 million (or 2% of total turnover for turnover > €250 million)
| Norm Data Act | Mandatory | Max. Fine |
|---|---|---|
| Art. 5 para. 3 lit. a, b | Prohibition for gatekeepers to request users to provide data to the data recipient or to induce them to do so through business incentives | up to € 5 million / 2 % |
Level 2: Up to 500,000 euros
| Norm Data Act | Mandatory | Max. Fine |
|---|---|---|
| Art. 3 para. 1 | Networked products/connected services must be designed in such a way that data is accessible | up to € 500,000 |
| Art. 4 para. 1 sentence 1 / Art. 5 para. 1 sentence 1 | Obligation to provide data to users or third parties | up to € 500,000 |
| Art. 4 para. 10 | Prohibition of unauthorised use or disclosure of data by the user in certain cases | up to € 500,000 |
| Art. 4 para. 13 sentence 2 / Art. 5 para. 6 | Prohibition of the use of data to infer the economic situation of the data owner | up to € 500,000 |
| Art. 6 para. 2 lit. c, d | Prohibition of the provision of received data to other third parties | up to € 500,000 |
| Art. 6 para. 2 lit. e | Prohibition of the use/disclosure of received data for the development of competing products | up to € 500,000 |
Level 3: Up to 100,000 euros
| Norm Data Act | Mandatory | Max. Fine |
|---|---|---|
| Art. 4 para. 14 p. 1 | Prohibition of the provision of product data to gatekeepers | up to € 100,000 |
| Art. 6 para. 1 sentence 2 | Obligation to delete data that is no longer required | up to € 100,000 |
| Art. 6 para. 2 lit. b | Prohibition of data use for profiling | up to € 100,000 |
| Art. 6 para. 2 lit. h | Prohibition of preventing users from sharing data | up to € 100,000 |
| Art. 11 para. 1 sentence 2 | Prohibition of discrimination against data recipients | up to € 100,000 |
| Art. 11 para. 2 | Obligation to comply with an official request | up to € 100,000 |
| Art. 14 | Obligation to comply with an order (business secrets) | up to € 100,000 |
| Art. 23 p. 2 | Prohibition to impose barriers to switching for cloud services | up to € 100,000 |
| Art. 30 para. 2 sentence 1 | Obligation to provide interfaces when switching to the cloud | up to € 100,000 |
| Art. 30 para. 3 | Obligation to guarantee compatibility (12 months after publication of the specification) | up to € 100,000 |
| Art. 31 para. 3 | Obligation to inform the customer | up to € 100,000 |
| Enforceable order of the BNetzA (Art. 9 para. 3 DADG) | Violation of an enforcement order | up to € 100,000 |
| § Section 5 (2) sentence 3 DADG | Obligation to inform the BNetzA of changes to dispute resolution centres | up to € 100,000 |
| Art. 6 para. 1 sentence 1 (via Section 15 para. 3) | Obligation to process in accordance with agreed purposes and conditions | up to € 100,000 |
Level 4: Up to 50,000 euros
| Norm Data Act | Mandatory | Max. Fine |
|---|---|---|
| Art. 4 para. 5 p. 1 / Art. 5 para. 4 p. 1 | Prohibition to request unauthorised information from the user | up to € 50,000 |
| Art. 4 para. 7 p. 2 / Art. 5 para. 10 p. 2 / Art. 25 para. 4 p. 1 / Art. 32 para. 5 | Notification obligations (refusal, change, international transfer) | up to € 50,000 |
| Art. 4 para. 8 sentence 2 / Art. 5 para. 11 sentence 2 | Obligation to provide evidence in the event of refusal to disclose data | up to € 50,000 |
| Art. 9 para. 7 | Duty to inform in case of negotiation of consideration | up to € 50,000 |
| Art. 25 para. 1 sentence 2 in conjunction with para. Para. 2, 3 | Obligation to provide a cloud switching contract | up to € 50,000 |
| Art. 26 | Duty to provide information upon conclusion of contract (cloud services) | up to € 50,000 |
| Art. 30 para. 5 | Obligation to export data when switching to the cloud | up to € 50,000 |
| Art. 37 para. 11 | Obligation to appoint a representative | up to € 50,000 |
| Art. 37 para. 12 sentence 1 | Obligation to appoint a representative | up to € 50,000 |
What has changed with regard to fines in the legislative process?
The fine amounts (€ 5 million, € 500,000, € 100,000, € 50,000 and the turnover-related 2% threshold) have remained unchanged compared to the government draft.
However, the scope of the catalogue has changed: The government draft still contained 35 fines in Section 15 (2), whereas the adopted version only contains 27:
- Violations of obligations to provide information pursuant to Art. 3 para. 2 and 3 DA
- Violations of notification obligations to the competent authority pursuant to Art. 4 para. 7 sentence 3, Art. 5 para. 10 sentence 3 and Art. 4 para. 8 sentence 3, Art. 5 para. 11 sentence 3 DA
- the offence of using data pursuant to Art. 4 para. 13 sentence 1 DA (whereby the continued use of the data by the manufacturer in Germany cannot be sanctioned by the authorities)
- the prohibition of data use according to Art. 6 para. 2 lit. f DA
- the offence of changing/removing technical protection measures pursuant to Art. 11 para. 1 sentence 3 DA
- breaches of information obligations for cloud services pursuant to Art. 28 para. 1 and 2 DA
- the offence relating to smart contracts pursuant to Art. 36 para. 1 DA
The coalition parties‘ justification clarifies that the deletion serves to maintain proportionality and reduce the compliance burden, particularly with regard to SMEs and start-ups. It is not necessary to penalise pure information and notification obligations. This is correct and makes sense for information obligations. However, the cancellation of violations of Art. 4 para. 13 has nothing to do with this and benefits manufacturers who simply want to continue using the data. In this case, it will be important for the BNetzA to prohibit use in response to complaints and then, if necessary, to impose fines if manufacturers do not comply with the order.
Practical note: The BNetzA is initially focusing on dialogue
In episode #37 of the Data Navigator podcast, Andrea Sanders-Winter, Head of the Digital Department at the Federal Network Agency, made it clear that the BNetzA does not want to rush ahead with fines. The focus is initially on providing information, advice and support for practitioners. Fines are the last resort. This also fits in with the system of the DADG: Before issuing an order, the BNetzA must first issue a request for remedial action and set a reasonable deadline. Only if this is not complied with can it order measures and impose fines of up to 500,000 euros.
Conclusion
The DADG does not change the material obligations arising from the Data Act – these apply directly anyway. However, it creates the institutional infrastructure for their enforcement in Germany. Companies should take the law as an opportunity to review their Data Act compliance: Have information obligations towards users been fulfilled? Do data licence agreements exist? Have cloud contracts been adapted? The BNetzA will not immediately start throwing fines around – but the legal basis for this is now in place.
Still have questions about the Data Act and its implementation? Please feel free to contact us.