Data Governance for SMEs: A Practical Check on the New DGG
The new German Data Governance Act (DGG) transposes EU Regulation 2022/868 into national law. SMEs without a data strategy now risk not only fines of up to €500,000 – but also falling behind in data-driven value chains. A practical check reveals how to get started.
The Key Takeaways
- The Data Governance Act (DGG) transposes EU Regulation 2022/868 into German law
- Violations may incur fines of up to €500,000 (German Bundestag, 2026)
- Only three data altruistic organisations are registered across the EU so far
- The Federal Network Agency (Bundesnetzagentur) will serve as the central supervisory authority for data intermediation services
- SMEs should begin with a data catalogue before evaluating governance tools
What the Data Governance Act Specifically Regulates
Germany took its time. While the EU Data Governance Act (DGA) has been applicable since September 2023, the national implementation bill only entered draft form at the start of 2026. The Data Governance Act regulates three core areas: the reuse of protected public sector data; the authorisation and supervision of data intermediation services; and the registration of data altruistic organisations.
For SMEs, the second point is especially relevant. Data intermediation services are platforms enabling data exchange between companies – without holding any economic interest in the data themselves. Anyone wishing to operate such a service must now register with the Federal Network Agency. Ignoring these rules carries fines of up to €500,000.
The Federal Statistical Office (Statistisches Bundesamt) assumes the role of central information hub. It advises public bodies seeking to open their datasets for reuse. Yet during the Bundestag’s Digital Affairs Committee hearing in January 2026, it became clear: many authorities are now reconsidering whether to publish their data at all – because administrative effort outweighs the benefits.
Why SMEs Are Affected – even If They Don’t Operate a Data Intermediation Service
The most common misconception: “The DGG doesn’t affect us – we’re not a data platform.” It’s true that direct obligations – registration, supervision – apply only to data intermediaries and data altruistic organisations. Indirectly, however, the law reshapes the rules for all companies working with enterprise data.
“Data governance isn’t bureaucratic bloat. It’s the foundation that keeps AI projects from failing due to poor data quality.”
Boris Otto, Fraunhofer ISST, Dortmund
Concretely: Participation in European data spaces (Gaia-X, Catena-X, Manufacturing-X) requires demonstrable proof that your data is structured, documented, and managed under clear governance rules. No data space accepts participants who cannot answer basic questions: Which data do we hold? Who accesses it? What usage rights apply?
Moreover, the DGG is just one piece of an expanding regulatory web. Combined with the Data Act (applicable from September 2025), the AI Act, and the GDPR, it forms a compliance package that simply cannot be managed without systematic data governance. Tackling each regulation in isolation leads to fragmentation. A unified data architecture resolves most requirements at once.
A Real-World Case: How a Manufacturing Company Built Data Governance
A strong example comes from Siemens AG’s approach within Manufacturing-X. For its manufacturing division, Siemens introduced a central data catalogue – tagging every dataset with metadata: origin, update frequency, responsible party, and classification (public, internal, confidential). This is no multi-million-euro project. Siemens uses an open-source tool (DataHub by LinkedIn/Acryl Data) – one equally accessible to SMEs without enterprise budgets.
The crucial insight: the data catalogue wasn’t the end goal – it was the starting point. Only after visualising which data actually existed could governance rules be meaningfully defined. Before that, “data governance” was little more than a PowerPoint slide declaring good intentions.
“Governance without a data catalogue is like accounting without a chart of accounts. You can write down rules – but nobody knows what they apply to.”
Boris Otto, Director, Fraunhofer ISST, Dortmund
The Counterargument: Governance as a Brake
Not all experts view the DGG positively. During the Bundestag hearing, specialists criticised the regulation for achieving “precisely the opposite effect in many respects.” Rather than making data more accessible, the administrative burden pushes public bodies to keep datasets locked away.
This is a real risk for SMEs too. Overly bureaucratic governance – requiring three approval layers for every data access request – slows down internal teams. The art lies in keeping governance lean: clear roles, simple classification, automated access control. Anything beyond that creates friction – especially harmful in SMEs, where flat hierarchies demand agility.
The numbers speak volumes: Across the entire EU, exactly three organisations have registered as data altruistic. Three. That stark figure illustrates how limited the DGA’s practical impact has been so far. Critics conclude the regulation misses reality. Supporters counter that precisely this gap demands a national implementation law offering more pragmatic incentives.
Five Steps to Get Started: Building Data Governance in SMEs
The most frequent mistake: thinking too big. Launching straight into an enterprise-wide data governance platform fails on complexity and budget. Better:
● Step 1: Build a data inventory. List all systems processing personal, business-critical, or regulated data: ERP, CRM, file servers, cloud services. Do not aim for completeness; capture your top 20 systems. This takes two to three weeks – not months.
● Step 2: Assign responsibilities. Name a data owner for each dataset in the inventory – the person who decides who may access the data and what quality standards apply. Not a new job title, but an added responsibility for existing managers.
● Step 3: Introduce classification. Three tiers suffice: Public, Internal, Confidential. Every new document or dataset receives a classification upon creation. Existing data is classified incrementally – starting with the top 20 systems from Step 1.
● Step 4: Automate access control. Implement role-based access control (RBAC) in your most critical systems. Most modern ERP and cloud platforms include this functionality out of the box. Effort lies in configuration – not in acquiring new technology.
● Step 5: Establish a review cycle. Every six months, ask: Are responsibilities still accurate? Have new data sources emerged? Have regulatory requirements changed? A half-day per quarter is enough to begin.
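The checks from Steps 2 to 5 can be run mechanically against the inventory from Step 1. The following is an added example, not taken from the DGG or from any tool named in this article: the field names, the sample inventory and the rule that every non-public dataset needs RBAC are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CLASSIFICATIONS = {"public", "internal", "confidential"}  # three tiers (Step 3)
REVIEW_INTERVAL = timedelta(days=183)                     # six-month cycle (Step 5)

@dataclass
class Entry:                        # one row of the data inventory (Step 1)
    system: str
    owner: Optional[str]            # data owner (Step 2)
    classification: Optional[str]   # Step 3
    rbac_enabled: bool              # Step 4
    last_review: Optional[date]     # Step 5

def audit(entries, today):
    """Return {system: [findings]} for entries that fail Steps 2 to 5."""
    findings = {}
    for e in entries:
        issues = []
        if not (e.owner or "").strip():
            issues.append("no data owner")
        cls = (e.classification or "").strip().lower()
        if cls not in CLASSIFICATIONS:
            issues.append("unclassified")
            cls = "confidential"    # fail closed: unknown tier gets the strictest handling
        # Assumed policy: anything that is not public must sit behind RBAC.
        if cls != "public" and not e.rbac_enabled:
            issues.append("no RBAC on non-public data")
        if e.last_review is None or today - e.last_review > REVIEW_INTERVAL:
            issues.append("review overdue")
        if issues:
            findings[e.system] = issues
    return findings

# Constructed sample inventory; systems, owners and dates are invented.
INVENTORY = [
    Entry("ERP", "Head of Finance", "confidential", True, date(2026, 1, 15)),
    Entry("CRM", "Head of Sales", "Internal", False, date(2026, 2, 1)),
    Entry("File server", None, "restricted", True, None),
    Entry("Website CMS", "Marketing lead", "public", False, date(2025, 6, 1)),
]

if __name__ == "__main__":
    for system, issues in audit(INVENTORY, date(2026, 3, 1)).items():
        print(f"{system}: {', '.join(issues)}")
```

An unknown tier such as "restricted" is reported and then treated as confidential, so a typo in the catalogue can never relax the access check.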
What This Means for RegTech Investments in 2026
The DGG arrives amid mounting regulatory pressure. DORA, the AI Act, MiCA, NIS2, the Data Act – SMEs face more simultaneous compliance demands in 2026 than ever before. Data governance isn’t an extra project. It’s the shared foundation. Knowing which data resides where – and who accesses it – already fulfils 80% of your compliance documentation.
According to its own statements, the Federal Network Agency has already begun preparations for its new supervisory role. Once the law passes, obligations take immediate effect. SMEs lacking a data inventory by then will start from behind – and scramble to catch up under time pressure. That will be expensive and chaotic.
The pragmatic path: Start the five steps now, before the law enters into force. Investment is modest (an internal project lead, two to three months to build the foundation); the payoff extends far beyond DGG compliance. Because clean data architecture doesn’t just ensure compliance – it accelerates decision-making, replacing gut feeling with validated insights.
Frequently Asked Questions
What is the Data Governance Act (DGG)?
The DGG is Germany’s implementing legislation for the EU Data Governance Act (DGA, EU 2022/868). It governs the reuse of protected public sector data, supervision of data intermediation services, and registration of data altruistic organisations. The Federal Network Agency serves as the central supervisory authority.
Do SMEs need to register?
Only if they operate a data intermediation service or act as a data altruistic organisation. Indirectly, however, the law affects all companies seeking to join European data spaces (Gaia-X, Catena-X, Manufacturing-X) or work with public datasets.
How high are the fines for violations?
The draft law foresees fines of up to €500,000 per violation – primarily targeting data intermediation services that ignore registration duties or breach neutrality requirements.
Which tools suit a data governance starter kit?
Open-source solutions like DataHub (LinkedIn/Acryl Data) or Apache Atlas offer a cost-effective entry point for building a data catalogue. For access control, built-in RBAC features in modern ERP and cloud systems often suffice.
How does the DGG relate to the Data Act?
Both laws form part of the EU’s broader data strategy. The Data Act governs access to machine-generated data (e.g., IoT data) and contractual clauses for cloud switching. The DGG establishes the infrastructure for trustworthy data exchange. Together, they form the bedrock of the European data space.

