Germany's Data Implementation Act (DADG): Practical Compliance & Investigations Guide for Businesses

Last reviewed: 14 May 2026

On 26 March 2026, the German Bundestag passed the Data Act Implementation Act (Datengesetz-Durchführungsgesetz, or DADG), creating the national legal framework that every company operating in Germany needs to comply with the EU Data Act. The DADG establishes the Federal Network Agency (Bundesnetzagentur) as the single competent enforcement authority, introduces administrative sanctions for non-compliance, and fills critical gaps around jurisdiction, inter-authority cooperation and procedural rules that the EU regulation left to Member States. For General Counsel, Data Protection Officers and compliance leads, the new data act Germany regime demands immediate changes to data-access workflows, contractual frameworks, cross-border transfer protocols and, crucially, the way internal investigations collect, preserve and share digital evidence. This guide provides the operational playbook.

What to Do Now, Five Priority Actions

• Map all connected-product and IoT data flows against DADG scope to identify which datasets trigger access obligations.
• Update data-sharing contracts with access, portability and liability clauses that reflect the new statutory duties.
• Implement technical logging and access controls so that every data-access request can be fulfilled, and audited, within statutory timeframes.
• Brief your investigations team on the interplay between DADG data-access rights and GDPR-based evidence-preservation requirements.
• Register the Bundesnetzagentur reporting channel and designate an internal DADG liaison point for enforcement correspondence.

What the Data Implementation Act Is, Scope and Key New Duties

The DADG is Germany’s national implementing legislation for Regulation (EU) 2023/2854, the EU Data Act. While the EU Data Act is directly applicable across Member States, it requires each country to designate competent authorities, define administrative procedures and set penalties. The DADG fulfils those mandates for Germany. It does not replicate the substance of the EU Data Act; instead, it layers enforcement infrastructure and procedural clarity on top of it.

Key Definitions Under the DADG

Practitioners should note several terms the DADG operationalises at national level:

• Data holder. Any natural or legal person that has the right or obligation to make data available under the EU Data Act, typically manufacturers, designers or providers of connected products and related services.
• Data recipient. The user or third party entitled to access, use or receive data generated by a connected product or related service.
• Competent authority. The Bundesnetzagentur, designated as the single authority responsible for supervising and enforcing the Data Act in Germany.
• Administrative offence. A violation of specified EU Data Act obligations, made enforceable in Germany through the DADG’s penalty provisions and administrative-procedures framework.

Which Entities Are in Scope

The DADG applies to all businesses that fall within the EU Data Act’s material scope and operate in Germany, regardless of size. However, certain obligations are calibrated differently for SMEs. The table below summarises the practical impact by entity type.

Industry observers expect that the most immediate compliance burden will fall on manufacturers of connected devices and cloud-based service providers, where data flows are complex and multi-jurisdictional.

Enforcement and Competent Authorities Under the Data Act Germany Framework

Germany has established a dual-track enforcement model. The Bundesnetzagentur serves as the single competent authority for Data Act supervision, while sector-specific regulators retain their existing mandates, creating cooperation obligations that businesses must navigate carefully.

The Bundesnetzagentur’s Role and Cooperation Channels

The DADG formally designates the Bundesnetzagentur (BNetzA) as the authority responsible for monitoring compliance with the EU Data Act across all sectors in Germany. This is consistent with the agency’s expanding digital-regulation portfolio, which already includes oversight under the Data Usage Act (DNG) and the Digital Markets Act coordination role. The DADG establishes formal cooperation procedures between the BNetzA and other authorities, notably data-protection supervisory authorities and sector regulators, to avoid overlapping enforcement and to enable information-sharing during investigations.

Practical Enforcement Risk

The DADG introduces administrative-offence provisions (Ordnungswidrigkeiten) for violations of specified EU Data Act obligations. The DADG specifically regulates the jurisdiction of authorities, cooperation among authorities, administrative procedures and sanctions. For compliance teams, this means that a failure to respond to data-access requests, an unlawful restriction of switching rights, or a breach of interoperability duties can now trigger formal enforcement proceedings and financial penalties under German administrative law. Early indications suggest that the BNetzA will initially focus on building industry dialogue and guidance, but businesses should not assume a grace period, the EU Data Act obligations have been directly applicable since 12 September 2025, and the DADG now provides the enforcement teeth.

Cross-Border Data Access and Transfer Rules Under the DADG

For multinational businesses, the data act Germany framework creates new obligations at the intersection of data access, cross-border transfers and GDPR compliance. The DADG does not replace GDPR transfer rules; it layers additional access-and-sharing duties on top of them.

When a data holder receives a lawful access request under the EU Data Act, it must make the relevant data available without undue delay. Where that data includes personal data, the transfer must additionally comply with GDPR requirements, including the need for a lawful basis, data-minimisation principles and, for transfers outside the EEA, appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions.

The practical effect is that compliance teams must manage a dual-track analysis for every cross-border data access request: first, whether the request meets EU Data Act / DADG criteria; and second, whether the transfer itself satisfies GDPR.

Technical Controls Checklist for Cross-Border Transfers

Contract Clauses and Model Terms

Data sharing compliance under the DADG requires contracts that go beyond standard GDPR data-processing agreements. Industry observers expect that the following clause categories will become standard annexes to data-access agreements:

• Data-access scope clause. Specifying which datasets are subject to the EU Data Act access right, the format in which data will be provided, and the response-time commitments.
• Portability and switching clause. Confirming the data holder’s obligations around service switching, including timeframes, data-export formats and charges (which the EU Data Act progressively restricts).
• Liability-allocation clause. Addressing which party bears risk for data-quality issues, missed deadlines, and onward-transfer violations, particularly relevant where cloud providers act as intermediaries.

Internal Investigations, Evidence Preservation, Privilege and Data Access

The DADG creates an additional compliance dimension for internal-investigations teams. Where an investigation requires access to data generated by connected products or IoT devices, the investigation team must now consider whether that data is subject to a third party’s access rights under the EU Data Act, and whether collecting or sequestering it could conflict with the data holder’s obligations to make it available.

Balancing Investigation Needs and Data-Access Obligations

Under German law, a company may process personal data for internal investigation purposes where it has a legitimate interest in doing so, typically under Article 6(1)(f) GDPR or § 26 BDSG (for employee data). The DADG does not override this framework. However, it introduces a new variable: if the internal investigations data was generated by a connected product, a data recipient may simultaneously have a statutory right to access that same data. The likely practical effect will be that investigation teams must coordinate closely with compliance to avoid inadvertent breaches of access-sharing duties while preserving evidence integrity.

Privilege and Internal Legal Privilege Considerations

Evidence preservation in a DADG environment requires careful handling of privileged materials. Practitioners should adopt the following protocol:

• Tag and segregate privileged communications before any data is made available under an access request. The EU Data Act permits data holders to withhold trade secrets subject to proportionate safeguards, extend this logic to privileged legal analysis.
• Document the legal basis for any hold or restriction placed on data that would otherwise be subject to an access request. This documentation is essential if the BNetzA later queries why data was not shared.
• Use forensic-grade collection protocols that maintain chain-of-custody integrity, even for non-personal machine data. Courts and regulators increasingly expect immutable timestamps and hash-verified copies.
• Coordinate cross-border interviews and evidence gathering with local privilege rules. German in-house counsel privilege remains limited compared to common-law jurisdictions; involve external counsel where cross-border privilege conflicts are foreseeable.

Evidence Preservation Checklist

• Issue a litigation hold covering all connected-product data relevant to the investigation scope.
• Map data-access obligations that apply to the preserved datasets and assess whether a hold conflicts with any pending access request.
• Engage forensic specialists to image and hash relevant data stores within 48 hours of identification.
• Maintain a privilege log that specifically addresses DADG-relevant data withheld from access requests.
• Brief the BNetzA liaison if enforcement proceedings or regulatory inquiries overlap with the investigation timeline.

Operational Compliance, 12-Point Immediate Data Governance Checklist

Organisations should prioritise the following actions to align with the data act Germany requirements. This checklist is designed for cross-functional use by legal, compliance, IT and procurement teams.

1. Inventory connected products and IoT devices across all business units, identify every data-generating asset.
2. Map data flows end-to-end, document who generates, stores, processes and transfers machine data and under what contractual or legal basis.
3. Classify data by category: personal data (GDPR), trade secrets, non-personal machine data (EU Data Act).
4. Update all data-sharing and data-processing agreements to include DADG access, portability and switching clauses.
5. Implement access-request handling procedures, assign ownership, define SLAs and create escalation paths.
6. Deploy technical access controls and logging, ensure audit-ready records for every data-access event.
7. Review and refresh SCCs and transfer safeguards for any cross-border data flow involving access-right data.
8. Conduct vendor and supplier due diligence, confirm that third-party processors can support your DADG obligations.
9. Update incident-response and investigations playbooks to address DADG-specific scenarios.
10. Train relevant staff: legal, compliance, IT operations, procurement and investigation teams.
11. Designate a DADG liaison, a named individual responsible for BNetzA correspondence and regulatory reporting.
12. Schedule a 90-day compliance review, reassess readiness once initial implementation is complete and BNetzA guidance evolves.

Contracts, Third Parties and Data Sharing Compliance

The DADG reinforces the EU Data Act’s expectation that data sharing occurs on fair, reasonable and non-discriminatory (FRAND) terms. For procurement and legal teams, this means existing supplier agreements may need material amendments.

Sample Clause Structures

The following clause structures reflect the minimum provisions that industry observers expect will become standard under the new regime:

• Data-access clause. “The Data Holder shall make Available Data accessible to the User in a structured, commonly used and machine-readable format, without undue delay following a valid request, and in any event within the timeframe specified by Article 4(1) of the EU Data Act.”
• Data-portability clause. “Upon termination or expiry of this Agreement, the Service Provider shall export all User Data in the format specified in Annex [X], free of charge, and shall delete all copies within [30] days unless retention is required by law.”
• Liability-allocation clause. “The Data Holder shall be liable for any failure to provide access in compliance with the EU Data Act and the DADG. The Data Recipient shall be liable for any use of received data that exceeds the scope authorised by law or this Agreement.”

Supplier due-diligence questionnaires should be updated to include questions on DADG readiness, data-export capabilities, API documentation, and the supplier’s own BNetzA registration status.

Comparative Table: Data Act Germany Obligations by Entity Type

Quick Enforcement Scenarios and Recommended Responses

The following scenarios illustrate how DADG enforcement may materialise in practice. Early indications suggest that the BNetzA will take a proportionate but firm approach.

• BNetzA information request. You receive a formal request for information about your data-access practices. Response: Activate the DADG liaison, collate access-request logs and respond within the specified deadline. Engage external counsel if the scope is broad.
• Cross-border regulator inquiry. A non-German EU authority contacts you about a data-sharing complaint from a user in another Member State. Response: Confirm whether the BNetzA is coordinating; ensure any data you share with the foreign authority also satisfies GDPR transfer rules.
• Internal data leak involving IoT data. Machine-generated data subject to a third party’s access rights is inadvertently disclosed. Response: Trigger your incident-response playbook; notify the BNetzA if the leak affects a data recipient’s rights; assess GDPR breach-notification obligations separately.
• Refusal to share data based on trade-secret claim. A data recipient challenges your withholding of data. Response: Document the trade-secret classification with specificity; apply the EU Data Act’s proportionality test; be prepared to demonstrate to the BNetzA that less restrictive measures were considered.
• Employee raises DADG access request during investigation. An employee whose device data is under a litigation hold submits an access request. Response: Coordinate between investigations counsel and the DADG liaison; consider whether a temporary restriction is lawful and document the legal basis in the privilege log.
• Vendor fails DADG audit. A cloud provider cannot demonstrate portability or switching readiness. Response: Issue a formal remediation notice under the contract; assess alternative providers; document the vendor’s non-compliance for your own regulatory defence file.

Conclusion and Next Steps for Data Act Germany Compliance

The DADG transforms the EU Data Act from a framework regulation into an enforceable reality for every business operating in Germany. The Bundesnetzagentur now has the tools to investigate, sanction and compel compliance, and the regulatory learning curve will be steep for organisations that delay preparation. Industry observers expect enforcement activity to ramp up in the second half of 2026.

A five-step plan for the next 90 days:

1. Complete a full data-flow inventory and classification exercise.
2. Update all data-sharing, processing and switching agreements.
3. Deploy technical controls (logging, encryption, access management).
4. Train cross-functional teams, legal, IT, compliance, investigations.
5. Engage specialist regulatory counsel to stress-test your readiness and manage BNetzA correspondence.

The data act Germany compliance landscape is moving fast. Businesses that act now will be best positioned to turn data-access obligations into competitive advantage rather than regulatory risk.

Sources

1. HÄRTING Rechtsanwälte, Implementing law for the EU Data Act
2. Bundesregierung, Fragen und Antworten zum EU Data Act
3. Bundesnetzagentur, Information about the Data Act
4. DLA Piper, Germany’s Data Act enforcement architecture
5. datenschutz-notizen, Data Act Implementation in Germany
6. Heuking, German Parliament Passes Data Act Implementation Act
7. European Data Protection Board (EDPB)
8. IHK München, Data Act: das müssen Unternehmen wissen