
On 26 March 2026, the Bundestag passed the Act Implementing the Data Regulation (DADG), which was published in the Federal Law Gazette on 29 May. Germany has thus – albeit with a significant delay – established the national legal framework required of Member States under the EU Data Act. Below, we provide an overview of the background, content and penalty provisions of the new Act.

Why is this law needed?

The EU Data Act (Regulation (EU) 2023/2854) has been directly applicable as an EU regulation in large parts since 12 September 2025. Substantive data access rights, obligations to provide data and rules for switching cloud providers therefore arise directly from the Data Act itself – we have reported on this in detail here (Hand over the data) and here (Your questions, our answers).

However, the Regulation does not address institutional issues: Which authority is responsible? How do complaint procedures work? What sanctions apply in the event of infringements? Member States must regulate these matters at national level. The DADG is therefore not a standalone data law, but rather the implementing legislation for the directly applicable EU Regulation.

Key provisions of the DADG

The Act has been deliberately kept concise. At its core, it contains:

  • the designation of the competent authorities (Sections 2, 3 DADG),
  • provisions on cooperation between these authorities and with sector-specific authorities (Sections 3, 4 DADG),
  • provisions on the accreditation of private dispute resolution bodies (Section 5 DADG),
  • investigative and enforcement powers of the Federal Network Agency (Sections 7–12 DADG),
  • rules on electronic communication and public information (Sections 13, 14 DADG) and
  • a comprehensive catalogue of administrative fines (Sections 15, 16 DADG).

In addition, Article 2 of the Act amends the Copyright Act: the sui generis right of protection for databases (Section 87b UrhG) does not apply if data has been obtained by means of a networked product or associated service falling under the Data Act.

Who is responsible?

The Federal Network Agency as the central supervisory authority

The Federal Network Agency (BNetzA) is designated as the sole competent authority under Article 37(1) of the Data Regulation. It is therefore:

  • the central point of contact for all matters relating to the Data Act,
  • responsible for complaints and their handling under Article 38 of the Data Regulation,
  • responsible for the accreditation of dispute resolution bodies,
  • responsible for reviewing data requests from federal public bodies in accordance with Chapter V of the Data Regulation, and
  • the authority responsible for imposing administrative fines under Section 36(1)(1) of the Administrative Offences Act.

No separate data coordinator is appointed; the BNetzA also assumes this role.

The BfDI as data protection supervisory authority – a special competence

Contrary to the usual division of responsibilities under Section 40 of the Federal Data Protection Act (BDSG), the Federal Commissioner for Data Protection and Freedom of Information (BfDI) – rather than the respective state data protection authority – is responsible for the protection of personal data within the scope of the Data Act, including for non-public bodies.

This is not without political controversy: the Bundesrat and the state data protection authorities had called for responsibility to remain with the state data protection authorities. The Federal Government rejected this, citing efficiency and consistency.

In practice, this results in a multi-stage procedure: the BNetzA examines the facts of the case, involves the BfDI where data protection law is concerned, and is bound by the BfDI’s findings. The BfDI’s assessment under data protection law cannot be challenged in isolation, but only in conjunction with the BNetzA’s overall decision.

What has changed regarding jurisdiction in the legislative process?

The government draft had assigned the BNetzA comprehensive jurisdiction without restriction – including for the examination of data requests from state authorities under Chapter V of the Data Regulation. The Bundesrat viewed this as an encroachment on federal principles of organisation and called for an exception. This demand was taken up during the parliamentary process: the BNetzA now reviews data requests under Chapter V only for federal authorities; for state authorities, jurisdiction remains with the respective state law.

The BfDI’s special jurisdiction for data protection supervision of non-public bodies (Section 3(1) DADG), however, remained unchanged despite the criticism. The coalition parliamentary groups have, however, recommended a broad teleological interpretation: the BfDI’s jurisdiction should also extend to data protection issues falling within the same legal relationship, insofar as it is governed by the Data Act – in order to avoid a split into parallel supervisory proceedings.

In addition, the BNetzA’s investigative and enforcement powers were structured more clearly: Sections 7–9 were rearranged (first investigations and information, then enforcement), and Section 9(1) clarified that the BNetzA only verifies compliance with the Data Regulation “within the scope of its competence”.

Fines: What are the penalties for breaches?

The list of fines in Section 15 of the DADG covers breaches of key obligations under the Data Act. The fines are divided into four tiers:

Level 1: Up to €5 million (or 2% of total turnover where turnover exceeds €250 million)

| Data Act provision | Obligation | Max. fine |
|---|---|---|
| Art. 5(3)(a), (b) | Prohibition on gatekeepers requesting users to provide data to the data recipient or inducing them to do so through commercial incentives | up to €5 million / 2% |

Level 2: Up to €500,000

| Data Act | Obligation | Max. fine |
|---|---|---|
| Art. 3(1) | Connected products/services must be designed in such a way that data is accessible | up to €500,000 |
| Art. 4(1) sentence 1 / Art. 5(1) sentence 1 | Obligation to provide data to users or third parties | up to €500,000 |
| Art. 4(10) | Prohibition on unauthorised use or disclosure of data by the user in certain cases | up to €500,000 |
| Art. 4(13) sentence 2 / Art. 5(6) | Prohibition on the use of data to deduce the financial situation of the data owner | up to €500,000 |
| Art. 6(2)(c), (d) | Prohibition on making received data available to further third parties | up to €500,000 |
| Art. 6(2)(e) | Prohibition on the use/disclosure of received data for the development of competing products | up to €500,000 |

Level 3: Up to €100,000

| Data Act | Obligation | Max. fine |
|---|---|---|
| Art. 4(14) sentence 1 | Prohibition on providing product data to gatekeepers | up to €100,000 |
| Art. 6(1) sentence 2 | Obligation to delete data no longer required | up to €100,000 |
| Art. 6(2)(b) | Prohibition on the use of data for profiling | up to €100,000 |
| Art. 6(2)(h) | Prohibition on preventing users from sharing data | up to €100,000 |
| Art. 11(1) sentence 2 | Prohibition on discriminating against data recipients | up to €100,000 |
| Art. 11(2) | Obligation to comply with an official request | up to €100,000 |
| Art. 14 | Obligation to comply with an order (trade secrets) | up to €100,000 |
| Art. 23(2) | Prohibition on imposing barriers to switching cloud services | up to €100,000 |
| Art. 30(2) sentence 1 | Obligation to provide interfaces when switching cloud services | up to €100,000 |
| Art. 30(3) | Obligation to ensure compatibility (12 months after publication of specifications) | up to €100,000 |
| Art. 31(3) | Obligation to inform the customer | up to €100,000 |
| Enforceable order by the BNetzA (Section 9(3) DADG) | Breach of an enforcement order | up to €100,000 |
| Section 5(2) sentence 3 DADG | Obligation to inform the BNetzA of changes to dispute resolution bodies | up to €100,000 |
| Article 6(1), first sentence (via Section 15(3)) | Obligation to process data in accordance with agreed purposes and conditions | up to €100,000 |

Level 4: Up to €50,000

| Data Act | Obligation | Max. fine |
|---|---|---|
| Art. 4(5) sentence 1 / Art. 5(4) sentence 1 | Prohibition on requesting unauthorised information from the user | up to €50,000 |
| Art. 4(7) sentence 2 / Art. 5(10) sentence 2 / Art. 25(4) sentence 1 / Art. 32(5) | Duty to notify (refusal, change, international transfer) | up to €50,000 |
| Art. 4(8) sentence 2 / Art. 5(11) sentence 2 | Obligation to provide evidence in the event of refusal to transfer data | up to €50,000 |
| Art. 9(7) | Duty to provide information when negotiating consideration | up to €50,000 |
| Art. 25(1) sentence 2 in conjunction with (2), (3) | Obligation to provide a cloud migration contract | up to €50,000 |
| Art. 26 | Duty to provide information upon conclusion of the contract (cloud services) | up to €50,000 |
| Art. 30(5) | Obligation to export data when switching cloud providers | up to €50,000 |
| Art. 37(11) | Obligation to appoint a representative | up to €50,000 |
| Art. 37(12) sentence 1 | Obligation to appoint a representative | up to €50,000 |

What has changed regarding fines in the legislative process?

The levels of fines (€5 million, €500,000, €100,000, €50,000 and the turnover-based 2% threshold) have remained unchanged from the government draft.

However, the scope of the catalogue has changed: the government draft still contained 35 offences subject to fines in Section 15(2) – the adopted version now contains only 27. In particular, the following have been deleted:

  • breaches of the duty to provide information under Article 3(2) and (3) DA
  • breaches of the duty to notify the competent authority under Article 4(7) sentence 3, Article 5(10) sentence 3, as well as Article 4(8) sentence 3 and Article 5(11) sentence 3 DA
  • the offence relating to the use of data under Article 4(13), first sentence, DA (meaning that the continued use of the data by the manufacturer in Germany cannot be sanctioned by the authorities)
  • the prohibition on the use of data pursuant to Article 6(2)(f) DA
  • the offence of altering or removing technical protection measures under Article 11(1), sentence 3 DA
  • breaches of information obligations in relation to cloud services under Article 28(1) and (2) of the Data Act
  • the offence relating to smart contracts under Article 36(1) DA

The explanatory memorandum from the coalition parties makes it clear: the deletion serves to uphold the principle of proportionality and reduce the compliance burden, particularly with regard to SMEs and start-ups. It is not necessary to impose fines for mere information and notification obligations. This is correct and sensible in relation to information obligations. However, the deletion of infringements of Section 4(13) has nothing to do with this and benefits manufacturers who simply wish to continue using the data. Here, it will be crucial that the BNetzA, upon receiving relevant complaints, prohibits such use and then, if necessary, imposes penalty payments if manufacturers fail to comply with the order.

Practical note: The BNetzA is initially focusing on dialogue

In episode #37 of the Data Navigator podcast, Andrea Sanders-Winter, Head of the Digital Department at the Federal Network Agency, made it clear that the BNetzA does not wish to rush into imposing fines. The focus is initially on providing information, advice and practical support. Penalty proceedings are a last resort. This is also in line with the DADG framework: before issuing an order, the BNetzA must first issue a request for remedial action and set a reasonable deadline. Only if this is not complied with can it order measures and impose penalty payments of up to 500,000 euros.

Conclusion

The DADG does not alter the substantive obligations under the Data Act – these apply directly in any case. However, it creates the institutional infrastructure for their enforcement in Germany. Companies should use the Act as an opportunity to review their Data Act compliance: Have information obligations towards users been met? Are there data licence agreements in place? Have cloud contracts been adapted? The BNetzA will not immediately start handing out fines – but the legal basis for doing so is now in place.

Any questions about the Data Act and its implementation? Please feel free to contact us.