Capgemini and CMS: German Data Act Implementation Act – German Federal Network Agency to become enforcement authority
The draft bill shows how the Data Act will be implemented in Germany. The draft also contains the "catalogue of fines" for violations of the Data Act for the first time.
On 11 January 2024, Regulation (EU) 2023/2854 of the European Parliament and of the Council (Data Act) came into force, setting out new rules on handling data. As of 12 September 2025, most provisions of the Data Act will be directly applicable. Member States are responsible for enforcing it, which is why national implementing laws are required. The initial draft bill of the German Data Act Implementing Act (Data Act-Durchführungsgesetz-Entwurf – draft DA-DG) shows how Germany plans to implement and monitor the Data Act.
This blog post outlines the main contents of this bill and highlights key points of the planned implementing act.
German Federal Network Agency as the central supervisory authority
According to the draft DA-DG, the German Federal Network Agency (BNetzA) will in future act as the central supervisory authority for the Data Act's implementation and enforcement. It will thereby assume responsibility for all issues relating to the Data Act's application and for handling complaints. This new task will considerably expand the BNetzA's area of responsibility: It will become a central supervisory authority that monitors compliance not only with the Data Act, but also with the AI Act (in accordance with the first German AI Market Surveillance Act (KIMÜG) draft bill), the Digital Services Act (DSA) and the Data Governance Act (DGA).
The BNetzA will work closely with other authorities to monitor and enforce the Data Act. This applies in particular to sector-specific matters where a final decision is made in consultation with the relevant competent specialist authority – i.e. following prior consultation and agreement.
Important role of the supervisory authority
The supervisory authority will have to play a central role in the near future, particularly due to the wide scope for interpretation of some provisions. Interesting decisions can be expected, for example, in the interaction between the Data Act and the General Data Protection Regulation (GDPR), as well as in the interpretation of the definition of "derived data".
It remains to be seen whether the initial signs of less strict enforcement will bear out. Irrespective of this, a clear and swiftly established line from the supervisory authority will be crucial in order to avoid legal uncertainties and enable efficient implementation.
Relationship with data protection supervision
The German Federal Data Protection and Freedom of Information Officer (BfDI), who is responsible for compliance with data protection within the framework of the Data Act, plays a special role. Collaboration with the BNetzA should be cooperative and based on trust. The explanatory memorandum to the draft DA-DG provides an initial insight into how the legislature envisages this collaboration: Firstly, the BNetzA will examine whether a data protection assessment by the BfDI is necessary. If so, the relevant documents will be passed on to the BfDI for further investigation. The BfDI will then carry out the review and assessment, thereby assuming special responsibility. The assessment carried out by the BfDI will then become part of the BNetzA's decision. It should not be possible to challenge the data protection part of the decision in isolation.
The envisaged mechanism is likely to be used frequently in practice. In view of recital 34 of the Data Act, which stipulates that sets of data containing both personal data and non-personal data must be regarded as personal data if it is not possible to separate the different components, it is clear that in future the majority of cases will have to be handled by both the BNetzA and the BfDI.
Comprehensive investigative powers
The BNetzA will be given extensive powers to monitor and enforce the Data Act. This means it can exercise its powers not only in the context of complaints, but also when collecting data for market observation purposes and acting in accordance with the "inquisitorial principle" (Amtsermittlungsgrundsatz).
This includes the right to carry out comprehensive investigations and secure evidence, be it through visual inspection, testimonies or expert reports. It also has instruments such as requests for information, searches and seizures at its disposal. It is clear that the legislature has closely aligned the provisions on powers with the Act against Restraints of Competition (GWB). The BNetzA will have investigatory powers that are similarly far-reaching to those of the competition authority. Many provisions appear to have been adopted almost word for word.
Test case to speed up proceedings
The draft DA-DG provides for a mechanism to increase the efficiency of and accelerate the proceedings: The BNetzA can initiate a so-called "test case" at its own discretion. This is possible if the authority receives at least three complaints on the same issue.
In such an event, the BNetzA can initially prioritise one case while the others are temporarily suspended. According to the explanatory memorandum to the Act, this approach is particularly relevant if the complaints relate to the same manufacturer or data owner or if there are similar sector-specific circumstances. This is intended to create a standardised basis for decision-making and to make handling cases more efficient overall.
However, before the BNetzA officially merges the cases, it must obtain the consent of the parties involved. However, the parties concerned can also take a proactive approach and make a request themselves for the cases to be merged.
Protection of business and trade secrets
Like the Data Act, the draft DA-DG does not contain clear provisions on the protection of trade secrets. The Data Act already stipulates that the existence of trade secrets does not constitute a general right to refuse a data disclosure request.
The draft DA-DG is limited to provisions on the protection of trade secrets vis-à-vis the BNetzA. In official proceedings, the owner of the secret is permitted to submit a redacted copy of the documents in order to prevent them from being passed on to other parties involved in the proceedings. However, there is no standardised protection mechanism for officially classifying information as confidential and obliging the parties involved to maintain confidentiality. The BNetzA will decide whether the parties to the proceedings are given access to the information. It will check whether the information is worthy of protection – a decision that is crucial for the owner of the secret.
Fines and periodic penalty payments
The planned "catalogue of fines" for violations of the Data Act will also be published for the first time with the draft bill. While minor violations are punishable by up to EUR 50,000, moderate violations can result in fines of up to EUR 100,000 and serious violations can even be penalised with up to EUR 500,000.
Particularly strict requirements apply to so-called "gatekeepers" – companies that control key positions in digital markets and have been designated as "gatekeepers" by the EU Commission. The Data Act sets out special obligations for them. Violations can result in fines of up to EUR 5 million or up to 4 % of the EU-wide annual turnover of the previous financial year, whichever is higher.
According to the draft DA-DG, the EU-wide annual turnover of the previous financial year must be taken into account when fixing the fine. For gatekeepers in particular, this may mean that turnover is taken into account twice.
In addition to fines, periodic penalty payments of up to EUR 10 million can also be imposed to enforce an order issued by the BNetzA.
Different legal channels
The competent courts differ depending on the type of penalty. Legal action against periodic penalty payments can be taken before the administrative courts. If, on the other hand, fines are imposed – regardless of their amount – the local courts have jurisdiction as criminal courts. This means that even fines of over EUR 5 million are heard by a single judge at the local court, which marks a clear difference to GDPR proceedings.
However, the proceedings themselves are likely to be similar to those conducted for GDPR violations: The calculation of the fine is at the discretion of the person handling the case or the judge. For this purpose, they must gain a comprehensive picture of both the offence and the offender. When determining the amount of the fine, the offender's financial circumstances may be taken into account in addition to the personal accusation made against the offender.
Outlook: Putting the Implementing Act into effect
Although the draft bill of the DA-DG offers a solid initial approach for implementing the Data Act in Germany, many questions remain unanswered. In particular, the organisation of interdisciplinary cooperation and the powers of the BNetzA still offer scope for further specification by the legislature. It therefore remains to be seen whether and in what form this draft will ultimately be implemented.
However, the proposed role of the BNetzA as the competent supervisory authority seems promising. In view of its future responsibility for numerous European regulations, the BNetzA should – in future – have the necessary expertise to effectively monitor and enforce the complex and overarching provisions of the Data Act.
With our German CMS blog series "#CMSdatalaw" we provide an overview of data law, such as the Data Act and the Data Governance Act. You can find the introductory article to our blog series here. Please also visit our CMS Insight page "Data Law“.
This blog post is the result of a co-operation between Capgemini and CMS. Capgemini Invent as a leading strategy and management consultancy and CMS as a major international law firm advise on all aspects of digital transformation.
