EU flags in front of the European Commission in Brussels
10.04.2026

Data Act Implementation Act: What German IoT Manufacturers Must Implement by September 2026

On March 26, the Bundestag passed the Data Act Implementation Act, effectively activating the EU Data Act in Germany. German IoT manufacturers now have five months to adapt their products to “Access by Design” requirements. The Federal Network Agency (Bundesnetzagentur) will serve as the enforcement authority, with fines reaching up to €500,000. Small and medium-sized enterprises with fewer than 50 employees benefit from a key exemption; everyone else does not.

Key Takeaways

  • Implementation Act Passed: On 26 March 2026, the German Bundestag adopted the Data Act Implementation Act, transposing EU Regulation 2023/2854 into national law (German Bundestag, Week 13).
  • Federal Network Agency as Enforcer: The Bundesnetzagentur (BNetzA) serves as the central point of contact for implementation, supervision, and enforcement. Violations can trigger fines of up to €500,000 per case.
  • Deadline: 12 September 2026: As of this date, new connected products must comply with “Access by Design” requirements, giving users direct access to their product data without having to go through the manufacturer (EU Data Act, Article 3).
  • Cloud Switching in Effect Since 12 September 2025: Providers are already required to enable customer switching without blanket egress fees. Starting 12 January 2027, only verified direct costs may be charged.
  • SME Exemption: Manufacturers with fewer than 50 employees and annual revenue below €10 million are exempt from data access obligations. Companies that grow beyond these thresholds will be phased into compliance with a time delay.

What the Implementation Act Has Regulated Since March 26

The EU Data Act has been applicable across Europe since September 12, 2025. The regulation determines who may access data generated by connected products and related services, from a milking robot in the Allgäu region and an office building elevator to a SaaS platform for fleet management. What the European framework previously left unaddressed were national implementation rules: which authority is responsible, how violations are penalized, and who funds enforcement.

That’s exactly what the German Bundestag finalized on March 26, 2026, during calendar week 13. The Data Act Implementation Act designates the Federal Network Agency (Bundesnetzagentur, or BNetzA) as the competent supervisory authority and establishes the legal basis for investigations, information requests, interim orders, and administrative fines. At the same time, the law resolves the long-standing dispute between the federal government and Germany’s states (Länder): BNetzA oversees data requests directed at federal authorities, while the Länder retain responsibility for their own institutions, a concession to Germany’s federal structure that shaped parliamentary debates.

During parliamentary hearings, critics highlighted the law’s reliance on numerous vague legal terms. It employs phrases like “reasonable conditions,” “without undue delay,” and “immediately,” which will only gain concrete meaning through BNetzA’s enforcement practice and future guidance documents. For businesses, this creates legal uncertainty in the initial months, but also flexibility, as the agency plans to steer compliance primarily through guidelines rather than immediate sanctions.

Definition

Access by Design refers to the technical obligation to build connected products in such a way that users, or third parties they authorize, can access the data generated without requiring additional development effort. Access must be simple, secure, structured, and provided in a machine-readable format, typically via a documented API.

Who’s affected, and who qualifies for the SME exemption

The Data Act simultaneously targets two groups of businesses: manufacturers of connected products and providers of related services on one side, and cloud service providers on the other. For German-speaking SMEs (DACH region), this means virtually every machinery manufacturer equipping its equipment with telemetry capabilities is considered a product manufacturer under the regulation. Likewise, any SaaS provider processing customer data qualifies as a data-processing service provider.

Crucially, the regulation’s scope applies only to products first placed on the market after 12 September 2026. Machines already sold are exempt from the “access-by-design” requirement, a key detail that eases retrofitting obligations. However, manufacturers must still adapt existing product lines by the next hardware generation at the latest, allowing sufficient lead time for certifications, software updates, and contract adjustments.

The most significant relief for SMEs is the small and medium-sized enterprise (SME) exemption under Article 7 of the EU regulation. Companies with fewer than 50 employees and annual revenue below €10 million are exempt from data access obligations. According to German Chambers of Commerce (IHK) statistics, this covers more than 90% of Germany’s mid-sized machinery manufacturers. However, timing matters: if a company exceeds these thresholds in a given fiscal year, it must comply with the obligations in subsequent years, a planning risk for scaling businesses.

No such exemption exists for cloud-switching rules, which apply to all data-processing service providers regardless of company size. Thus, a mid-sized SaaS company with 30 employees must enable customers to switch providers without flat-rate egress fees, even if it’s exempt from IoT product requirements. This distinction is critical when conducting a gap analysis across your own product portfolio.

The Three Obligation Blocks: Access, Switching, and Government Access

The Data Act consolidates three distinct sets of obligations that must be handled separately from an organizational standpoint. The first block concerns user access to data. Manufacturers of connected products must ensure that the buyer of a machine or the user of software receives direct access to the product and service data generated by it. This access must be fast, secure, and typically provided at no additional cost. These “access-by-design” requirements do not yet apply to products placed on the market before September 12, 2026, but manufacturers should use the transition period to retrofit existing products and prepare software update pathways.

The second block addresses cloud switching. As of September 12, 2025, providers of data processing services, including traditional public cloud providers as well as industry-specific SaaS vendors, may no longer impose artificial barriers that hinder customer switching. Contracts must clearly specify term durations, notice periods, and data egress terms. Starting January 12, 2027, providers will be prohibited from charging flat-rate egress fees; only costs demonstrably tied to the actual data migration process will be permitted. For hyperscalers, this represents a sharp break from established pricing models; for customers, it offers significant leverage in contract negotiations.

The third block governs public authorities’ access to data in exceptional circumstances. In clearly defined emergencies (such as natural disasters, pandemics, or major cyber incidents), government agencies may directly request corporate data if needed for crisis response. While the conditions are narrowly defined, companies must be technically prepared to respond to such requests at all. Germany’s implementing legislation specifies which authorities are authorized to issue these requests and outlines the role of the Bundesnetzagentur (Federal Network Agency) as the oversight body.

Timeline: What applies when

Deadline | Requirement | Who is affected
September 12, 2025 | Cloud switching, contractual clauses, government access | All data processing service providers
March 26, 2026 | German implementing act adopted; BNetzA appointed as enforcement authority | All companies operating in Germany
September 12, 2026 | “Access by Design” for new connected products | IoT product manufacturers (excluding SMEs)
January 12, 2027 | No more blanket egress fees | All cloud service providers
2028 | European Commission evaluates impact on SMEs | SME exemption under review

Sources: EU Regulation 2023/2854, German Bundestag Week 13/2026, BMWK

The pivotal date on the calendar is September 12, 2026. On this day, the “Access by Design” obligation takes effect for all products first placed on the market thereafter. Manufacturers planning to launch new product generations in autumn 2026 must already have finalized their data interface architecture, drafted API documentation, and cleared access concepts with legal teams. Anyone waiting until August will be too late.

The Role of the Federal Network Agency

With the implementation act, Germany’s Federal Network Agency (Bundesnetzagentur or BNetzA) assumes a new regulatory role in a field that until now has been fragmented across data protection, competition law, and digital policy. It becomes the central point of contact for complaints, information requests, and interpretive questions. The agency may launch investigations, compel companies to provide information, issue interim orders, and impose coercive fines when necessary.

Maximum Fine (Germany): €500,000 per violation of the Data Act Implementation Act, imposed by the Federal Network Agency

Source: German Bundestag, Plenary Session Week 13/2026

At €500,000 per violation, Germany’s penalty is modest by international standards: the GDPR allows fines up to €20 million, and the Digital Markets Act permits penalties of up to 10% of global turnover. Yet for a mid-sized machinery manufacturer with annual revenue of €25 million, a six-figure fine is a significant deterrent, especially if multiple violations are identified simultaneously. More important than the absolute amount is the signal it sends: BNetzA is an operational authority with 3,200 staff and extensive enforcement experience, from telecom regulation and energy market oversight to postal services. It will not let the Data Act fade into irrelevance.

What SMEs can expect next are initial guidelines and consultations from the Federal Network Agency, typically released in early summer 2026. These guidelines will clarify ambiguous legal terms, provide model clauses for cloud contracts, and offer guidance on distinguishing between SME exemptions and standard obligations. Companies with the capacity to actively engage in these consultations can help shape interpretations in their favor; industry associations like VDMA and Bitkom are already preparing position papers accordingly.

Six-Point Plan for SMEs

For small and medium-sized enterprises (SMEs), a structured approach across six clear steps, achievable within the next five months, is strongly recommended:

  1. Clarify scope: Which of your company’s products and services fall under the Data Act? Who is the manufacturer, who is the cloud provider, and who serves both roles? Without precise categorization, every subsequent measure will be fragmented and ineffective.
  2. Check SME exemption: Compare headcount and revenue from the last fiscal year. Even within holding structures, the group-wide view applies: individual subsidiaries may exceed the threshold if the parent company does.
  3. Inventory data architecture: What data do your connected products actually generate? Where is it stored, who has access, and what interfaces already exist? This inventory forms the foundation for implementing “access-by-design.”
  4. Develop an API roadmap: Starting September 2026, new products must include a documented access interface, typically REST or MQTT with OAuth authentication. For existing products, decide on a retrofit strategy: update them or deploy without access-by-design capabilities.
  5. Revise cloud contracts: Review current data processing service agreements for switching clauses. If they include flat-rate egress fees, adjustments must be made by 12 January 2027. New contracts should be drafted to comply with the Data Act; model clauses are expected in autumn 2026.
  6. Appoint a contact person: The implementing legislation requires an internal point of contact for user inquiries and regulatory requests. Functionally, the data protection officer is a natural fit, but product management and IT teams must also be closely aligned.

Companies that complete these six steps by the end of June can enter September with confidence. Those who only wake up in August will have to rely on guidance notes from Germany’s Federal Network Agency (BNetzA) and bridging workshops offered by industry associations: possible, but unnecessarily stressful.

Context: The Data Act in the 2026 Regulatory Mix

The Data Act is part of a broader package of EU regulations that will keep SMEs busy in 2026. The NIS2 Directive implementation addresses cybersecurity in critical sectors, the EU AI Act governs the use of AI systems, with a focus on high-risk applications, and the mandatory e-invoicing requirement is transforming accounting practices. Meanwhile, the digital euro raises additional questions for payment processes. The Data Act slots in as the fourth major regulatory pillar and overlaps with all the others at various points: with NIS2 on reporting and protection obligations for connected systems, with the AI Act on handling training data, and with e-invoicing on data formats.

For SMEs, this means compliance initiatives can’t be tackled in isolation. Companies already transitioning their IT infrastructure to external providers as part of a managed services decision should incorporate Data Act requirements directly into vendor selection. Those implementing a new ERP system should design API interfaces to inherently fulfill the “access-by-design” obligation. The key is to bundle regulatory projects rather than run them in parallel; this reduces costs and eases the burden on already scarce IT resources.

Conclusion

The Data Act Implementation Act closes a critical gap in Germany’s digital regulatory framework. The Federal Network Agency (BNetzA) becomes the supervisory authority. The penalty framework is manageable yet substantial. The SME exemption relieves at least 90% of mid-sized IoT manufacturers from data access obligations. What remains is the cloud-switching provision, and it applies to every data processing provider, even those below the revenue threshold.

The deadline of 12 September 2026 may seem distant, but it isn’t. Architectural decisions for API interfaces, software updates, contract templates, and internal responsibilities all require lead time. Those who start today have five months; those who begin in August will have just four weeks and no buffer for unexpected issues. The right time for a scope analysis is now, not when the first BNetzA guidelines are published.

Frequently Asked Questions

Does the SME exemption also apply to subsidiaries of mid-sized companies?

Assessment is generally conducted at the group level. A standalone GmbH with 30 employees that is a subsidiary of a holding company employing 300 people cannot claim the SME exemption. What matters is the entire economic entity as defined by the EU’s criteria for small and medium-sized enterprises (Recommendation 2003/361/EC). Companies operating within group structures should review their ownership arrangements early and factor in consolidated group thresholds.

What does implementation typically cost for a machinery manufacturer with 200 employees?

Costs vary widely. Companies that already have modern OT-IT integration, documented product data, and functional API management in place will face only manageable expenses for legal advice, contract adjustments, and internal process updates. By contrast, those currently offering machine data exclusively through proprietary dealer tools must build an API gateway, implement authentication, and create documentation, a multi-month project requiring significant budget allocation. Only a company-specific gap analysis delivers reliable estimates; generic figures are misleading.

Do we need to retrofit machines sold in 2024 to comply with the “access-by-design” requirement?

No. The obligation applies only to products placed on the market for the first time after 12 September 2026. Machines already sold are not subject to retrofitting requirements. However, manufacturers of existing product lines should evaluate whether they can leverage their current update infrastructure to voluntarily offer access-by-design retroactively; this builds customer trust and simplifies compliance for future product generations.

How does the Data Act interact with existing GDPR data protection rules?

Both regulatory frameworks apply concurrently but address different aspects. The GDPR protects personal data of natural persons and grants individuals specific rights. The Data Act governs access to product and service data, regardless of whether it relates to individuals, and targets users, including businesses that purchase machinery. If generated data is personal (e.g., driver data from a vehicle), both laws apply simultaneously, with the GDPR taking precedence in case of conflict. Close cooperation between Germany’s Federal Network Agency (BNetzA) and data protection authorities will be essential.

What happens if a cloud provider fails to implement egress fee rules by January 2027?

The German Federal Network Agency (BNetzA) can intervene upon customer complaint. Flat-rate egress fees will then be deemed unlawful, requiring the provider to revise its pricing. In practice, this will initially result in a formal objection with a deadline for correction; fines of up to €500,000 will follow only if the provider refuses to comply. Affected businesses should file complaints with BNetzA while simultaneously asserting claims for reimbursement against their provider. This legal basis is enforceable in Germany for the first time and will be further clarified by courts in the coming months.

Who oversees implementation in other EU countries?

Each EU member state designates its own competent authority. In France, it’s the CNIL jointly with ARCOM; in Austria, the RTR; and in Italy, AGCOM. The European Commission coordinates efforts through a dedicated Data Innovation Board tasked with developing harmonized guidelines. For companies operating across the EU, this means uniform core rules, but different national contact points. Establishing a central coordination unit within the company, especially for aligning with subsidiaries, is strongly advisable.

Source cover image: Pexels / Marco

A magazine by evernine media GmbH