Germany has activated the national machinery behind the European Data Act, naming the Bundesnetzagentur as the country's enforcement authority and publishing a detailed set of guidance materials explaining how the regulation governs access to data from connected devices, cloud services, and public-sector data requests.

The German Data Act Implementation Act, known by its German abbreviation DADG (Datenverordnung-Anwendungs-und-Durchfuehrungs-Gesetz), was published in the German Federal Gazette and has entered into force, according to a LinkedIn post from Luis Alberto Montezuma describing the development. The post, addressed to Dr. Henrik Hanssen, stated that the law was published in the Bundesgesetzblatt the day before it took effect. The DADG is the domestic instrument that designates a competent national authority and sets the procedural rules through which the European Data Act operates inside Germany.

According to the Bundesnetzagentur, the agency is the competent authority in Germany for implementing the Data Act, acting on the legal basis of the DADG. That designation matters because the European Data Act, while uniform in its text across the bloc, depends on each member state to name an enforcement body, define complaint channels, and coordinate with sector regulators. Germany has now done so, and the regulator chosen is the same body that oversees electricity, gas, telecommunications, and postal markets.

What the Data Act actually does

The European Data Act sits at the center of a broader European strategy on data. According to the Bundesnetzagentur, the regulation creates new rules for the access, use, and sharing of data generated by devices connected to the internet, the category commonly described as Internet of Things or IoT devices. The stated aim is to break open existing data silos and improve the availability of data across the European Union.

The regulation reaches far beyond a narrow technical niche. The European Data Act entered into force on December 22, 2023, establishing comprehensive rules for accessing and sharing data generated by connected devices across the European Union, with most provisions becoming applicable on September 12, 2025. The covered objects include vehicles, health wearables, smart thermostats, industrial machines, and effectively any device that can transmit data electronically. For the marketing and advertising sector, the reach into wearables and connected vehicles is the part that draws attention, because those devices generate behavioral and contextual signals that feed audience insights and attribution work.

The Bundesnetzagentur frames the regulation's purpose in economic terms. According to the agency, the Data Act is intended to produce a competitive European data market that creates incentives for innovation while ensuring a fair distribution of the value of data. The agency states that the law offers opportunities for all companies, including start-ups and small and medium-sized enterprises, to participate in the data economy and develop new business models. Beyond device data, the regulation also contains rules designed to make switching between data processing services easier, a provision that primarily concerns cloud services.

Why Germany picked the Bundesnetzagentur

The choice of regulator is not incidental. National competent authorities with experience in electronic communications were identified early in the legislative process as well placed to enforce the switching and interoperability provisions, given their history of overseeing similar mechanisms in telecommunications markets. The Bundesnetzagentur, as Germany's network regulator, fits that profile. It already administers number portability and provider-switching rules in the telecoms sector, which are conceptually close to the cloud-switching obligations the Data Act introduces.

According to the Bundesnetzagentur, its role under the DADG involves several distinct functions. The agency has established a complaint portal through which individuals and organizations can submit grievances connected to the Data Act. It maintains a dedicated area where market participants subject to the regulation can fulfill their transmission and notification obligations. It provides information on out-of-court dispute resolution and on the authorization of dispute resolution bodies. And it covers the data protection dimension of the Data Act, alongside an online event series the agency runs under the name DATA ImpACT.

The agency has also indicated procedural strictness. According to the Bundesnetzagentur, the processing of complaints, applications for authorization as a dispute resolution body, the receipt of notifications such as those relating to the trade-secret or security mechanisms, and the transmission of data requests occur exclusively through the forms it provides. Inquiries on those matters sent by email cannot be accepted. The agency lists [email protected] as a general contact address while directing formal submissions to its structured forms.

The data protection split with the BfDI

One technical detail in the German implementation deserves particular note for anyone handling personal data. According to the LinkedIn post describing the law, the Federal Commissioner for Data Protection and Freedom of Information, known as the BfDI, holds special authority over personal data in the private sector. Where a Bundesnetzagentur decision requires evaluating the lawfulness of personal data processing, the network regulator is bound to follow the BfDI's assessment.

That division of labor creates a layered enforcement structure. The Bundesnetzagentur handles the broad Data Act mandate, but the moment a question turns on whether personal data is being processed lawfully, the data protection commissioner's judgment governs. For marketing technology providers, that split means a single Data Act matter could pull in two German authorities with different remits, a structure that adds procedural complexity to compliance planning.

Chapter V and the power to compel data

The most striking material in the published guidance concerns government access to private data. The factsheet released by the Bundesnetzagentur, titled "Datenzugang fuer oeffentliche Stellen" (data access for public bodies), explains the provisions of Chapter V of the Data Act. According to that factsheet, Chapter V permits public bodies, the European Commission, the European Central Bank, or a body of the European Union to access data when an exceptional need to use data exists.

The conditions are tightly drawn. According to the factsheet, data must be provided either when a public emergency exists, or when the provision of data is the only way to fulfill a task carried out in the public interest and provided for by law. The document defines a public emergency as a temporally limited exceptional situation that negatively affects the population and significantly and immediately raises the risk of serious and lasting consequences for living conditions or for economic or financial stability. Crucially, the factsheet states that such a data request may not serve law enforcement, customs, or tax administration, but must serve primarily statistical purposes. Examples of public emergencies named in the document include natural disasters, cybersecurity incidents, threats to public health, and situations where a public emergency has been declared under national or Union law.

What does this mean in practice for the entities that hold data? According to the factsheet, those obligated to provide data include private companies, freelancers, associations and foundations, and public companies and bodies governed by public law such as research institutions. Micro and small enterprises are obligated to provide data only to manage a public emergency. The document specifies that all metadata required to manage a public emergency or to fulfill a legally mandated task must be provided. Personal data may be requested only to manage a public emergency, and only in pseudonymized form, applicable when anonymization is not possible and non-personal data does not suffice. Business and trade secrets must be preserved.

The requirements on a government request

A public body cannot simply demand data on loose terms. According to the factsheet, a data request must be, among other things, in writing, comprehensible, proportionate, and justified, and must contain details on the deadline, the purpose, and the period of data provision. The public body must demonstrate that the data could not be obtained in another way in a timely manner and under equivalent conditions. That evidentiary burden is designed to prevent authorities from treating private data as a default resource.

What rights a data holder retains

The published guidance also sets out the defenses available to a company on the receiving end of a request. According to the factsheet, a data holder may refuse or seek modification of a data request when it has no control over the requested data, when the request does not meet the stated requirements, or when a request for the same purpose has already been made and the holder was not informed that data collected under the earlier request had been deleted.

Timing is specific. According to the factsheet, an application to refuse or modify a data request must be made without delay in cases involving a public emergency, at the latest within five working days. In other cases, it must be made without delay and at the latest within 30 working days of receipt of the request. The document also grants the right to lodge a complaint against the form or content of a data request or against the transfer of data to third parties.

There is also a compensation dimension. According to the factsheet, a data holder has a claim to fair compensation for providing data when the provision serves a task carried out in the public interest and provided for by law that does not consist of producing official statistics, and where the acquisition of data is permissible under national law. Micro and small enterprises hold a claim to fair compensation even in cases involving a public emergency. The amount of compensation is determined on a case-by-case basis and includes at minimum the technical and organizational costs incurred through data provision.

Why this matters for the marketing community

The Data Act is not a marketing regulation in the way the GDPR or the Digital Services Act are, but its mechanics intersect with the advertising sector at several points. For marketing professionals relying on connected device data for audience insights, attribution modeling, or campaign optimization, the regulation introduces mandatory data access regimes that reshape how that information moves. The same coverage notes that manufacturers must design connected products to make data directly accessible to users by September 12, 2026, that users can share that information with third parties, and that cloud providers must facilitate switching without fees by 2027.

Those switching provisions carry weight for ad tech infrastructure. A large share of advertising technology runs on cloud services, and the prospect of fee-free switching by 2027 alters the calculus for companies weighing vendor lock-in against the cost of migration. The German activation of the DADG puts a domestic enforcer behind those obligations for the first time.

The activation also lands in a crowded German regulatory environment. German data protection authorities established unified fine procedures in June 2025 to standardize GDPR enforcement across federal and state levels, a step that signaled more predictable but potentially stricter outcomes for the marketing community. German enforcement has shown teeth in adjacent areas too: the Hesse data protection authority fined an IT company 10,000 euros over an email marketing campaign, with the case underscoring that publicly available data does not grant blanket authorization for marketing outreach. The addition of a Data Act regulator extends the range of obligations a company operating in Germany must track.

Germany has simultaneously been pushing in the opposite direction on the wider rulebook. The federal government submitted a proposal in October 2025 calling for substantial GDPR modifications, including AI training exemptions and reduced access-rights obligations, extending beyond the European Commission's own simplification agenda. That agenda took shape when the Commission launched a major effort to simplify EU digital rules in September 2025, with data legislation receiving primary focus. The Data Act forms one pillar of the data framework that the Commission's Digital Omnibus exercise has since examined, and the Commission has proposed major GDPR changes for AI and data processing as part of that broader package.

The tension is visible. On one side, Germany has just stood up an active enforcement authority for a regulation that compels data sharing and grants public bodies access powers. On the other, Berlin is lobbying Brussels to lighten the data protection load. Both impulses coexist in the same regulatory moment, and marketers operating in the German market sit between them.

There is precedent for the Bundesnetzagentur taking on adjacent digital roles. Germany certified a dispute resolution body for Google platforms in late 2025, reflecting how German institutions are increasingly woven into the enforcement architecture of EU digital law. The dispute resolution function the Bundesnetzagentur now administers under the Data Act follows a similar institutional pattern, placing a national body at the center of cross-border data conflicts.

The DADG's split between the Bundesnetzagentur and the BfDI also mirrors a wider German conversation about how data authorities should coordinate. German data protection authorities have called for enhanced GDPR protections for children, an example of regulators moving to tighten rather than relax requirements in specific areas even as the broader simplification debate continues. The layered structure under the DADG, where the network regulator defers to the data protection commissioner on the lawfulness of personal data processing, reflects an attempt to keep those two strands of oversight aligned within a single statute.

What companies face now

For data-holding businesses, the immediate consequence is procedural readiness. Any company operating connected products or holding device-generated data in Germany now has a named authority to which complaints can be directed and through which government data requests under Chapter V may eventually arrive. The five-working-day window for objecting to an emergency request and the 30-working-day window for ordinary requests are short, and they require internal processes capable of assessing a request, checking it against the regulation's requirements, and responding through the Bundesnetzagentur's forms within tight deadlines.

For the cloud and ad tech layer, the switching provisions remain the headline issue, with the fee-free switching obligation scheduled for 2027 and manufacturer accessibility requirements due in September 2026. The German enforcement structure now gives those future obligations a domestic backstop.

The Data Act's arrival in active German form does not change the regulation's text, which was set at the European level in 2023. What it changes is the certainty that someone in Germany is responsible for enforcing it, fielding complaints about it, and channeling the government data requests it authorizes. That shift from a regulation on paper to a regulation with a named enforcer is the substance of the German development.

Timeline

Summary

Who: The Bundesnetzagentur, Germany's federal network regulator, named as the competent national authority for the European Data Act under the German Data Act Implementation Act (DADG), with the Federal Commissioner for Data Protection and Freedom of Information (BfDI) holding special authority over personal data in the private sector.

What: The DADG was published in the German Federal Gazette and entered into force, designating the Bundesnetzagentur as the Data Act enforcer and triggering the agency's release of guidance materials, including a factsheet on Chapter V data access for public bodies. The materials set out who must provide data, under what conditions public authorities can compel access, and what rights and compensation claims data holders retain.

When: The DADG was published and took effect in 2026, according to the LinkedIn post describing the development. The underlying European Data Act entered into force on December 22, 2023, with most provisions applicable from September 12, 2025.

Where: Germany, applying a European Union regulation. The Data Act operates across all member states, but the DADG and the Bundesnetzagentur's authority concern its implementation and enforcement within Germany.

Why: The European Data Act requires each member state to designate an enforcement authority and establish complaint and dispute resolution channels. Germany's activation of the DADG fulfills that requirement, giving the regulation a domestic enforcer for connected-device data rules, cloud-switching obligations, and government data requests that intersect with advertising data flows and ad tech infrastructure.

Share this article
The link has been copied!