The Data Act entered into force on September 12, 2025, as directly applicable EU law. In paral-lel, Germany is implementing the Data Act Implementation Act (DADG) to establish national enforcement structures, supervisory authorities, and sanctions. This roadmap summarizes the key regulatory milestones of 2025 and the resulting mandatory compliance requirements for businesses.
Key Milestones in 2025
 |
EU – public consultation on MCTs and SCCsThe European Commission published the final report of the expert group on B2B data sharing and cloud computing contracts. This report included non-binding model contractual terms (MCTs) for data access and use, as well as Standard Contractual Clauses (SCCs) for cloud agreements pertaining to switching, exit processes, and fair commercial conditions. These templates initially served as crucial guidance for companies in their compliance preparation and contract drafting. |
 |
Preparation for national implementationIntensive discussions are ongo-ing between industry stakeholders and regulatory authorities in Germany regarding the practical execution, particularly concerning jurisdictional assignments and the sanctions regime. The Federal Network Agency (BNetzA) positioned itself as the central point of contact for enforcement. For businesses, this phase required completing impact assessments and developing documentation as well as playbooks to ensure compliance by the September deadline. |
 |
Data Act enters into forceThe core provisions of the EU Data Act entered into force and became immediately binding across all EU member states. This direct applicability primarily concerned data access rights for users of connected products: Users gained the right to access data generated by their IoT devices and to share this data with third parties of their choice. Manufacturers and data holders became obligated to make such data available promptly, free of charge, and in a commonly used format. Businesses were obligated to review and align their contracts (IoT, cloud, data access), technical interfaces, and export functionalities with these new mandates. However, in Germany, the absence of a designated supervisory authority at this stage complicated enforcement of these new obligations.
|
 |
Resolution on the DADG draftThe Federal Cabinet approved the draft of the Data Act Implementation Act (DADG). This draft designated the BNetzA as the central supervisory authority with respect to the Data Act. Crucially, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) was granted special jurisdiction over data protection matters, and their assessments are binding for the BNetzA. |
|
DADG Draft submitted to the BundestagThe DADG draft proceeded to the parliamentary deliberation to supplement the EU requirements with national procedural, jurisdictional, and sanction rules. The proposed staggered sanctions framework includes fines up to €500.000 for violation of data access and use obligations, and up to €5 million or 2% of the worldwide annual turnover for severe breaches. Concurrently, the EU's broader Digital Omnibus Package – which consolidates the Data Governance Act and the Open Data Directive into the Data Act – continued to shape the legislative landscape. This signals ongoing efforts toward digital regulatory harmonization. |
Outlook for 2026 and Beyond
 |
DADG enters into force and guidelines issuedFollowing the conclusion of the parliamentary procedure, the DADG will enter into force. The BNetzA will become the official enforcement body and is expected to publish initial guidelines for practical implementation and establish complaint portals. Enforcement will become concrete, necessitating adjustments to corporate processes based on these forthcoming guidelines. |
 |
Digital Fitness Check and ongoing regulatory harmonizationThe European Commission will launch a Digital Fitness Check – a comprehensive review of the effectiveness of digital regulations. Stakeholders are invited to contribute their views until March 11, 2026. This will offer companies the opportunity to actively participate and shape the final implementation. Simultaneously, the broader regulatory harmonization efforts (the Digital Omnibus Package) will continue to define and consolidate existing digital regulations. |
The year 2025 has set the stage for a new data economy in Europe. Businesses are well-advised to closely monitor these developments, maintain flexible compliance processes, and actively leverage the opportunities arising from the new regulations. Acting now ensures not only adherence to regulatory requirements but also creates the necessary foundation for innovation and sustainable growth in the evolving digital landscape.
About us
YPOG stands for You + Partners of Gamechangers – forward-thinking legal and tax advice. Supporting companies that are focused on emerging technologies, YPOG embraces change as an opportunity to develop cutting-edge solutions. The YPOG team offers comprehensive expertise in the areas of Funds, Tax, Transactions, Corporate, Banking, Regulatory + Finance, IP/IT/Data Protection, Litigation, and Corporate Crime + Compliance + Investigations. YPOG is one of the leading law firms in Germany for venture capital, private equity, fund structuring, and the implementation of distributed ledger technology (DLT) in financial services. Both the firm and its partners are regularly recognized by renowned national and international publications such as JUVE, Best Lawyers, Chambers and Partners, Leaders League, and Legal 500. YPOG is home to more than 180 experienced attorneys, tax advisors and tax specialists as well as a notary, working across offices in Berlin, Cologne, Hamburg, Munich, Cambridge and London.
Further information: www.ypog.law/en/ and www.linkedin.com/company/ypog