German Federal Government Publishes Draft Law on Application and Enforcement of the EU Data Act
Key Points:
- In the Draft, the federal government sets out Germany’s planned supervisory structure, procedures, and grounds for administrative fines.
- According to Section 2 of the Draft, the Federal Network Agency will function as the central point of contact and supervisory and complaints authority, including accrediting dispute resolution bodies and exercising national oversight of the Regulation’s application and enforcement. The BfDI will become the nationwide authority to monitor the protection of personal data within the scope of the EU Data Act (see Art. 37, paragraph 3 of the Data Act).
- For companies, the potential disgorgement of economic benefits constitutes a material risk; therefore, they should closely align their EU Data Act and GDPR compliance programs.
On September 12, 2025, the EU Data Act (Regulation (EU) 2023/2854) entered into force, imposing far‑reaching requirements on the access to, and use of, data across the European Union and the European Economic Area. The EU Data Act establishes a comprehensive, cross‑sector framework for data access and usage, covering both personal and non‑personal data and granting users of connected products and associated services broad rights to use and exploit data. The design of national enforcement rules for this new data regime is left to the Member States, including the necessary institutional structure and provisions for imposing effective, proportionate, and dissuasive sanctions modeled on the GDPR. In the government draft of the Law on the Application and Enforcement of the EU Data Act (Draft), the German federal government sets out the planned supervisory structure, procedures, and grounds for administrative fines.
Supervisory Authorities: BNetzA Designated as Central Competent Authority
The Draft designates the Federal Network Agency (Bundesnetzagentur — BNetzA) as the competent authority under Article 37(1) of the EU Data Act. Under Section 2 of the Draft, the BNetzA would serve as the central point of contact and supervisory authority, and its roles would include accrediting dispute resolution bodies and exercising national oversight of the Regulation’s application and enforcement. The BNetzA may issue interim orders and impose penalty payments of up to €500,000 in case of non-compliance. The Draft also sets requirements for notification and publication mechanisms; accordingly, the BNetzA must inform the public regularly about its activities and publish guidance and recommendations on the practical implementation of the EU Data Act.
Data Protection: Special Competence Assigned to BfDI
Regarding monitoring the protection of personal data within the scope of the EU Data Act (see Article 37(3)), the Draft assigns special competence not to the state-led data protection authorities, but to the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit — BfDI). According to the Draft’s explanatory memorandum, this centralization is intended to ensure shorter complaint-handling procedures and consistent decisions, and to avoid divergent enforcement practices among Germany’s 17 data protection supervisory authorities.
However, the BfDI’s competence may give rise to new uncertainties in practice. The GDPR remains fully applicable to any processing of personal data, even in the context of the EU Data Act. General responsibilities under the GDPR are not displaced by the new provisions, and without additional statutory clarification, there is a risk of parallel assertions of competence if state-led authorities claim general GDPR enforcement not grounded solely in Article 37(3) of the EU Data Act.
Interplay Between BNetzA and BfDI: Binding Effect and Mandatory Joinder
The Draft provides for close administrative coordination in matters at the intersection of the EU Data Act and the GDPR: If the BNetzA determines that “its decision or other action [requires] an assessment of the lawfulness of processing personal data,” it must involve the BfDI (Section 3(4) of the Draft). The BNetzA is bound by the BfDI’s data protection assessment; that assessment is incorporated with binding effect into the BNetzA’s final decision. The BfDI’s data protection assessment can only be challenged in tandem with the BNetzA’s decision (Section 3(5), sentence 2 of the Draft). In such cases, the BfDI must be subpoenaed to the court proceedings (Section 3(5), sentence 3 of the Draft).
Sanctions: Administrative Fines and Disgorgement of Economic Benefits
The current ministry draft establishes a tiered catalog of administrative fines for violations of the EU Data Act. In certain cases, fines of up to €5 million are possible. This applies to specific infringements, in particular in the event of unlawful incentives offered to users to provide data via “gatekeepers” under Article 3 of the EU Digital Markets Act (Regulation (EU) 2022/1925). For such an infringement, the BNetzA may impose on companies or groups with prior‑year global turnover exceeding €250 million a higher fine of up to 2% of global turnover. For other offenses, the Draft sets lower maximum amounts; however, in practice those caps can be exceeded to disgorge economic benefits pursuant to Section 17(4) of the German Administrative Offenses Act (Gesetz über Ordnungswidrigkeiten — OWiG), which allows authorities to exceed statutory maximum fines to the extent necessary to strip illicit gains.
Many EU Data Act violations will be business‑related and aimed at generating profits or gaining other commercial advantages. In such cases, the economic risk from infringements may significantly exceed the fixed fine thresholds set in the Draft. The Draft’s explanatory memorandum directly recommends that authorities pursue this route where profits were earned by violating the EU Data Act. The question of what qualifies as an “economic benefit” and how it should be quantified therefore becomes particularly relevant in practice. Estimating the gains to be disgorged lies largely within the discretion of the authorities, which in practice may result in affected companies bearing the burden of substantiation and proof to show that the actual benefits were lower than assumed by the authority. The federal government has clearly taken seriously the requirement in Article 40(1) of the EU Data Act that sanctions for violations must be effective and dissuasive.
GDPR Fines Remain Unaffected
For infringements relating to the protection of personal data within the meaning of Article 40(4) of the EU Data Act, the BfDI is designated as the competent authority to impose administrative fines (Section 16 of the Draft). The GDPR’s fining framework remains unaffected and, depending on the circumstances, the BfDI could also rely on the GDPR’s corrective powers and fining provisions. However, neither Section 16 of the Draft nor Article 40(4) of the EU Data Act provides a clear delimitation of competences or of the applicable fining regime in a given case, which may pose practical coordination challenges.
Dispute Resolution and Sectoral Cooperation
The BNetzA may authorize private dispute resolution bodies under Article 10 of the EU Data Act; the agency maintains a register of authorized bodies and may limit authorizations, impose conditions, or revoke them (Section 5 of the Draft).
On specific sectoral questions concerning data access and use, the BNetzA would decide with the concurrence of the respective subject matter-competent higher federal authorities. This is intended to leverage sector-specific expertise, e.g., in the area of vehicle data, while preserving the BNetzA’s decision-making authority.
Practical Implications for Companies
The Draft aims to establish a single point of contact, consolidate data protection oversight, and ensure effective and dissuasive enforcement in case of violations — including administrative fines and the disgorgement of unlawfully obtained economic benefits.
Companies that offer connected products, digital services, or data processing services should now ensure compliance with the EU Data Act — which should also be coordinated with the GDPR and other digital regulatory instruments. In particular, this includes:
- designing technical interfaces and processes for data access and sharing in a GDPR‑compliant manner;
- updating existing contractual frameworks (including template agreements and terms); and
- aligning internal workflows for efficient engagement with the BNetzA and the BfDI.
Next Steps in the Legislative Process
The government draft will now undergo the parliamentary process. No specific timelines have been set as yet. Possible substantive adjustments, particularly separating the BfDI’s EU Data Act-specific data protection oversight from the state-led authorities’ general GDPR competence, remain politically sensitive.
Conclusion and Outlook
Designating the BNetzA as the central supervisory authority was an expected decision. More noteworthy is the model of centralized data protection oversight for a single EU digital regulation. Whether this will work in practice, or even foreshadow a broader reform of the data protection supervisory structure, remains to be seen. Industry participants, however, should not expect a lenient approach to enforcement: The BNetzA, led by a former consumer protection advocate, is not known for a lax approach, and the highest (final) GDPR fine in Germany to date was imposed by the BfDI.
For companies, the potential disgorgement of economic benefits constitutes a material risk. Given the complexity and, in particular, the extensive requirements of the EU Data Act and the proposed implementing act for the digital economy, affected companies should anticipate potential claims, civil litigation, and the need to defend against administrative fines for potential violations. To minimize enforcement and liability risk in Germany, companies are advised to tightly align their EU Data Act compliance with GDPR compliance — especially with respect to technical interfaces, processes, and documentation. In particular, any records and other documentation should be prepared with a view to serving as persuasive evidence in administrative and court proceedings.