Data Act Implementation in Germany: Enforcement Could be Around the Corner – Organisations Should Act Now

Germany has taken a decisive step towards implementing the EU Data Act. On 26 March 2026, the Bundestag passed the Data Act-Durchführungsgesetz (DADG), establishing the national framework for enforcement. While further legislative steps may still follow before the law formally enters into force, the direction is now clear.

For organisations operating in Germany, this marks a turning point. While the EU Data Act has been on the horizon for some time, the absence of a defined national enforcement structure created uncertainty around timing and practical exposure. That uncertainty is now largely resolved.

Enforcement and supervisory activity may follow in the near term. Organisations should act accordingly.

Enforcement Structure in Place

The DADG designates the Bundesnetzagentur (BNetzA) as the competent authority and equips it with investigative and enforcement powers, alongside a defined penalty regime.

Fines may reach up to EUR 5 million, depending on the nature and severity of the infringement. For organisations with a global annual turnover exceeding EUR 250 million, an alternative maximum of up to 2% of worldwide turnover may apply. Lower tiers of EUR 500,000, EUR 100,000 and EUR 50,000 are provided for less severe breaches. In addition, the BNetzA may impose penalty payments of up to EUR 500,000 in cases of non-compliance with its orders.

In parallel, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) is designated as responsible for data protection aspects within the scope of the Data Act, including for private entities. In practice, this establishes a coordinated approach, with the BNetzA leading proceedings and involving the BfDI where personal data is concerned.

Who Should Pay Attention

The EU Data Act is relevant for a broad range of organisations. This includes manufacturers of connected products that generate usage data, such as industrial equipment, vehicles, medical devices and consumer devices, as well as providers of related digital services including apps, platforms and analytics tools.

It also captures organisations that rely on access to such data, as well as cloud and edge providers, which face specific obligations around switching and data portability.

Even organisations not directly in scope may be affected through contractual data-sharing arrangements.

Priorities for Organisations

With the enforcement framework taking shape, the BNetzA will be in a position to exercise its powers once the legal framework is fully in force. Organisations should expect increased scrutiny of data-sharing practices, contractual arrangements and access rights, as well as how data generated by connected products is made available.

Where EU Data Act compliance has not yet been operationalised, this is likely to become visible quickly. Organisations should also be prepared to handle individual data access and sharing requests, as non-compliance may trigger complaints and lead to regulatory exposure once enforcement becomes active.

In practical terms, organisations should prioritise mapping data flows and ownership, aligning contractual frameworks with Data Act requirements, ensuring data access and portability capabilities, and assigning clear internal responsibility. Delays in addressing these areas will increase exposure as enforcement activity develops.

Conclusion

The DADG does not introduce new substantive obligations under the EU Data Act. However, it establishes the national structures required for enforcement.

For organisations in scope, the Data Act should now be treated as an active compliance priority. While final legislative steps remain, the foundations for enforcement are in place and expectations around readiness are already forming.