Data Act & DA-DG: The New Rules of the Game for Germany's Digital Economy

Key Takeaways at a Glance
- Right to Data Access: Users of connected devices now have a statutory right to the data they generate. Manufacturers must provide it via API - often in real time.
- Oversight by the BNetzA: The Federal Network Agency monitors compliance as Germany's central authority and serves as a point of contact for complaints.
- Cloud Sovereignty: Switching between cloud providers has been radically simplified. Transfer fees (egress fees) are prohibited, and technical barriers must be removed.
- Protection of Know-How: Data disclosure can be refused if trade secrets are at risk - but this must be substantiated and thoroughly documented.
- High Fine Risks: Violations can result in penalties of up to €20 million or 4% of global annual turnover - in line with the GDPR.
- SME Protection: Small and medium-sized enterprises may not be burdened with high fees for data provision; large corporations may only charge them their actual costs.
Introduction: The Dawn of Data Fairness
Since the beginning of 2026, the transition period of the EU Data Act has largely expired. What began as an ambitious project to strengthen the European digital economy is now a lived reality in the legal departments and IT centers of German companies. But while the EU regulation sets the guardrails, the national Data Act Implementation Act (DA-DG) provides the engine for enforcement.
The law aims to democratize the value of data - in particular non-personal industrial data. Until now, valuable information was often trapped in the silos of connected product manufacturers or large cloud providers. The law now ensures that this data can flow freely to foster innovation, competition, and sovereignty. For German B2B companies, this presents both an opportunity and a challenge: it calls for a redefinition of their role in this new value chain.
The Legal Anchor in Germany
Although the EU Data Act as a regulation applies directly, it leaves member states room for institutional design. The German Implementation Act fills these gaps. It primarily governs three areas:
- Jurisdiction: It designates the Federal Network Agency (BNetzA) as Germany's central data coordinator.
- Sanctions: It defines the fine levels and enforcement powers for violations.
- Procedures: It establishes how complaints from users and companies are submitted and processed.
The law ensures that the theoretical rights to data access can also be legally enforced in Germany.
Who Is Obligated? The Key Players
The reach of the law is often underestimated. It affects virtually every company that uses or provides digital interfaces:
- Manufacturers of Connected Products (IoT): From networked machine tools and intelligent fleet vehicles to medical analysis devices. Anyone who builds hardware that captures data becomes a "data holder."
- Providers of Connected Services: Software companies whose programs communicate directly with IoT devices and generate or process data in the process.
- Cloud and Edge Providers: Providers of computing capacity and storage solutions must radically simplify the migration of data and applications.
- B2B End Users: Companies that lease or purchase connected technology. They are the biggest beneficiaries, as they now have a genuine legal right to "their" data for the first time.
Data Access and Portability: The New Architecture
The centerpiece of the regulation is the right of data access. Users now have the right to access the data they generate — without unnecessary barriers.
Technical Access by Design
Companies can no longer cite technical inability as an excuse. Products must be designed so that data exports are possible "by design." In practice, this means:
- Providing standardized APIs (interfaces)
- Providing data in real time, where technically feasible
- Clear documentation of which data categories are actually collected
Fairness in B2B Compensation
Data disclosure does not have to be free, but it must be fair. The DA-DG and the Data Act specifically protect SMEs: when a large corporation discloses data to an SME, the compensation may only cover the direct costs of provision. A profit margin on top is prohibited when dealing with SMEs.
Protection of Trade Secrets: The Line of Defense
One of the biggest concerns of German industry is the leakage of know-how. The DA-DG offers important protective mechanisms here. Data disclosure can be refused or restricted under certain conditions when trade secrets are demonstrably at risk.
However, companies must act proactively: a general reference to "business secrets" is not sufficient. A detailed classification is required. Companies that do not properly document their data assets and demonstrate protective measures (such as encryption or confidentiality agreements) will have a hard time defending a refusal before the Federal Network Agency.
Cloud Sovereignty: The End of Vendor Lock-In
Switching cloud providers was often a costly and technically complex undertaking in the past. The law sets clear limits here:
- Elimination of switching fees: The notorious "data egress fees" — charges for withdrawing your own data — are a thing of the past.
- Interoperability obligation: Providers must ensure that their services can work together with those of other providers.
- Contractual standards: Notice periods and migration support obligations must be explicitly anchored in contracts.
This massively strengthens the negotiating position of companies vis-à-vis global hyperscalers and enables a more flexible multi-cloud strategy.
The Federal Network Agency: Oversight with Teeth
With the DA-DG, the Federal Network Agency (BNetzA) receives far-reaching powers. It acts as the "watchdog" of the data economy. Companies must prepare for the following scenarios:
- Information requests: The authority can demand access to technical documentation and contracts.
- Mediation: In disputes between data holders and users, the BNetzA acts as mediator.
- Sanctions: Fines are substantial and are modeled on the GDPR. Up to €20 million or 4% of global annual turnover is at stake. This makes data compliance a matter for the C-suite.
Compliance Checklist: 6 Steps to Implementation
To operate in a legally compliant and competitive manner in 2026, companies should follow this roadmap:
- Conduct a data audit: Identify all products and services that generate data within the meaning of the Data Act. Who is the legal user?
- Update the contract landscape: Review your terms and conditions, purchasing terms, and service agreements. Clauses that unilaterally exclude data access are often invalid.
- Implement an API strategy: Invest in technical interfaces that enable automated and secure data flows.
- IP protection management: Create a register of your trade secrets. Define clear criteria for when data disclosure must be halted to protect intellectual property.
- Establish governance structures: Designate a responsible person for data access requests (similar to a data protection officer) to meet deadlines and documentation obligations.
- Break the cloud lock-in & run a switch check: Review your cloud contracts for technical or financial barriers. The Data Act puts an end to "vendor lock-in" - you must be able to switch providers without hassle. Make sure your exit strategy is in place and no hidden cancellation barriers are holding you back.
Pro tip from heyData: Use the Vendor Risk Management Tool in the heyData platform to check your current cloud providers directly for "Data Act Ready" compliance. You'll immediately see where potential obstacles might arise during your next provider switch!
Conclusion: Opportunity Rather Than Bureaucratic Burden
The Data Act Implementation Act certainly brings new regulatory obligations. But looking at the opportunities is worthwhile: opening up data silos enables new business models such as predictive maintenance by third-party providers, data-driven insurance models, or efficient resource management in the supply chain.
It ensures that the German Mittelstand (SME sector) is not reduced to a mere data supplier for global platforms, but retains control over its digital assets. Companies that embrace transparency and portability today as part of their quality proposition will earn the trust of their customers and lay the foundation for the industrial AI applications of tomorrow.
FAQ
Does the DA-DG apply retroactively to older machinery?
As a general rule, the disclosure obligation applies to products placed on the market after the 2025 cut-off date. However, for significant software updates to older systems, certain aspects may still apply.
How does the Data Act differ from the GDPR?
The GDPR protects natural persons and their privacy. The Data Act (and the DA-DG) primarily governs the commercial use of (mostly non-personal) data. Where the two areas overlap (e.g., telematics data from a driver), the GDPR always takes precedence.
May data be shared with non-European companies?
Yes, provided that the security standards are maintained - particularly regarding access by third-country authorities. Here, the Implementation Act, in line with EU requirements, draws strict boundaries to protect European data sovereignty.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.


