Germany’s Data Act enforcement architecture: what practitioners need to know now

Germany has settled on a dual-track enforcement model for the EU Data Act (Regulation (EU) 2023/2854): the Federal Network Agency (Bundesnetzagentur - BNetzA) as the single competent authority and single point of contact, and the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit - BfDI) for General Data Protection Regulation (GDPR)-aligned sanctions where personal data are at issue. Following the committee’s final recommendation, the Federal Parliament (Bundestag) adopted the bill on 26 Mar 2026.

This article is a follow-up to our recent publication surveying enforcement structures and sanctions regimes and focuses on the final national enforcement architecture according to the adopted act.

 

Germany’s enforcement architecture

Germany’s model designates the BNetzA as both the single competent authority for the application and enforcement of the Data Act and the single point of contact for stakeholders. In that role, BNetzA receives and handles complaints, conducts investigations, issues remedial and final measures, and coordinates with sectoral authorities where their expertise is relevant. The law permits BNetzA to consolidate similar complaints with party consent, and to inform the public about its activities and selected enforcement outcomes while protecting personal data and trade secrets. It also commits the administration to digital‑by‑default communications and secure electronic procedures for submissions, again with safeguards for personal data and trade and business secrets.

Running alongside BNetzA’s competence, the adopted act assigns the BfDI a special competence for the supervision of the protection of personal data within the Data Act’s scope in relation to non‑public bodies. This is contrary to Section 40 of the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), according to which the supervisory authorities of the States (Länder) would be competent. BNetzA must involve BfDI where a decision requires an assessment of the lawfulness of personal data processing and is bound by BfDI’s determination on that point. BfDI becomes a necessary party to any subsequent judicial review of such a composite decision. It remains to be seen whether BfDI's competence also extends to data protection issues arising within the same legal or contractual relationship, provided that this relationship is shaped by the rights and obligations established under the Data Act. Ultimately, practice will reveal the extent to which the BfDI exercises this supervisory role and how the supervisory authorities at the State level will interpret their own competences in this context.

This allocation implements Article 37 of the Data Act by anchoring a single national authority for general enforcement while respecting the Data Act’s call‑out in Article 40(4) that sanctions concerning the protection of personal data align with the GDPR.

The adopted act also situates inter‑authority cooperation within established German practice. BNetzA is required to work cooperatively with upper federal authorities where sectoral expertise is engaged, for example with the Federal Motor Transport Authority (Kraftfahrt‑Bundesamt - KBA) on vehicle data questions. Information exchange provisions preserve the protection of trade and business secrets and personal data and build on existing cooperation rules in competition and digital‑services law. The explanatory part of the adopted act stresses loyal cooperation and procedural efficiency without diluting BNetzA’s independence in individual cases, consistent with Article 37(5, 8) of the Data Act.

 

The administrative offences and fines regime

For practitioners tracking the evolution from the October 2025 cabinet draft to the March 2026 adopted act, the operative enforcement and sanctions provisions are materially unchanged:

The offence catalogue in § 15 of the German adopted act mirrors the obligations imposed by the Data Act and adds two national procedural offences. The national procedural offences are failure to inform BNetzA when required under the adopted act and breach of an executable order issued by BNetzA. The Data Act‑linked offences are mapped to specific provisions and cover, among others, product and related service design and information duties under Article 3, user and data recipient access and provision under Articles 4 and 5, processing in line with agreed purposes under Article 6, negotiation transparency under Article 9(7), compliance with orders under Article 14, the prohibition on obstacles under Article 23, contractual transparency and pre‑contract information under Articles 25 and 26, interoperability and interface obligations for switching and parallel use under Articles 30 and 34, customer information duties under Article 31(3), smart‑contract requirements under Article 36(1), and representative‑appointment obligations for entities established outside the Union under Article 37(11) and (12).

Fine levels are structured in four tiers designed to be effective, proportionate and dissuasive:

• The top tier applies to a specific offence linked to Article 5(3)(a) and (b) and carries a maximum administrative fine of EUR 5,000,000. For legal persons or associations whose worldwide turnover exceeded EUR 250,000,000 in the financial year preceding the authorities’ decision, an alternative maximum of up to 2% of global turnover applies to that offence, with estimation of turnover permitted.
• The second tier, capped at EUR 500,000, covers breaches of executable orders and a set of serious Data Act infringements including selected access, use and non‑use obligations.
• The third tier, capped at EUR 100,000, applies to defined medium‑level infringements, including failures under specific obligations such as Article 6(1).
• All remaining listed infringements are capped at EUR 50,000. The explanatory materials note that warnings may be used as a milder sanction for minor infringements and that the general criteria for sanction‑setting allow calibration to the circumstances of the case, echoing Recital 109 of the Data Act.

In addition to administrative fines, the law empowers BNetzA to secure compliance with orders or prohibitions through coercive fines (Zwangsgeld) of up to EUR 500,000 per enforcement instance. This tool sits within the general administrative‑enforcement framework and is distinct from the administrative offences regime.

Competent sanctioning authorities are delineated to avoid overlap with data‑protection enforcement. BNetzA is the competent administrative‑offence authority for the national § 15 offences. Separately, § 16 of the adopted act confirms that the sanctioning regime referred to in Article 40(4) of the Data Act, aligned with Article 83 of the GDPR, remains untouched, and that BfDI is the competent supervisory authority for imposing such GDPR‑aligned administrative fines where infringements concern the protection of personal data.

 

Practical implications for Data Act stakeholders

Data holders of product data or related service data should ensure they can make data available to the user of a connected product or related service without undue delay. They should be ready to provide data to a designated data recipient on the user’s request under fair, reasonable and non‑discriminatory terms. Internal controls must prevent any use of data that would conflict with the Article 6 obligations applicable to third‑party recipients, and contractual or technical measures must not unduly hinder the user’s exercise of rights under Articles 5 and 6, nor the designated recipient’s ability to receive data under Article 5. Transparent access and pre‑contract information should be standardised, documentation of decisions retained internally, and complaint‑handling and regulatory engagement processes prepared for BNetzA’s information requests, remedial demands and orders. Where personal data are implicated, data‑protection governance must be integrated, particularly given the GDPR‑aligned sanction exposure.

Manufacturers of a connected product should design and build connected products so the user can readily access data generated by their use, securely and, where appropriate, directly from the product by default. Product and customer documentation must clearly set out what data are generated, in what forms, and how the user can exercise their rights. Pre‑contract information duties must be met before sale or supply. Engineering decisions should anticipate BNetzA scrutiny, with logs and rationales maintained to demonstrate conformity with Article 3 design and information duties.

Providers of a data processing service should prepare for switching and parallel‑use scenarios by maintaining well‑documented interfaces and achieving functional equivalence and interoperability in line with the Regulation’s timelines and any common specifications. Pre‑contract disclosures on portability, switching conditions and charges, technical dependencies and data‑location must be complete and current. During switching, providers should offer export tools and assistance to enable retrieval of exportable data, digital assets and relevant metadata in the prescribed formats and within deadlines, and refrain from obstacles or charges that the Data Act prohibits. Operational runbooks for migrations, training for frontline and technical teams, and regulatory‑response procedures are essential to mitigate exposure under the administrative‑offence catalogue.

 

Legislative Timeline and Entry into Force

The remaining steps prior to entry into force follow the ordinary legislative procedure are as follows: The Federal Council (Bundesrat) considers the adopted act under Article 77 German Basic Law (Grundgesetz - GG). Because this is not framed as a consent law (Zustimmungsgesetz), the Bundesrat’s remaining levers are to call the Mediation Committee (Vermittlungsausschuss) within three weeks. Once the bill has cleared the Bundesrat stage, it proceeds to countersignature by the Chancellor (Bundeskanzler) or competent Federal Minister, signature by the Federal President (Bundespräsident), and promulgation in the Federal Law Gazette (Bundesgesetzblatt). Entry into force is expected to take place on the day after promulgation.