Data Act Enforcement in Germany: Federal Network Agency or BfDI?
Germany's Data Act implementation law is now in force. The Data Act Implementation Act Germany (DADG) was published in the Federal Law Gazette on 29 May 2026 and applies from 30 May 2026.
In the coverage around the German DADG, companies may come across two different authorities: the Federal Network Agency and the BfDI. At first glance, that raises a practical question: if a Data Act issue comes up in Germany, which authority is the right contact?
There is no real contradiction behind this. The Data Act allows Member States to designate more than one competent authority. Germany has now created a model in which the Federal Network Agency is the central authority for large parts of Data Act enforcement Germany, while the BfDI is responsible where the application of the Data Act concerns the protection of personal data.
The short answer: start with the type of issue
The practical answer depends on what the case is really about.
For most operational Data Act questions in Germany, companies should treat the Federal Network Agency as the primary point of orientation.
That includes complaints about missing data access, refusals by data holders, data sharing with third parties, switching between data processing services and many procedural questions under the German DADG.
If the issue is about the protection of personal data, the BfDI Data Act role becomes relevant. Under the DADG, the BfDI is the competent data protection supervisory authority for monitoring the application of the Data Act regarding the protection of personal data by non-public bodies.
In practice, this means:
- Data Act access, sharing and enforcement issue: usually Federal Network Agency.
- Data Act issue involving the legality of personal data processing: BfDI involvement.
- Pure GDPR issue outside the Data Act: the ordinary data protection authority structure remains relevant.
- Sector-specific issue: the relevant sector authority may also need to be involved.
The practical question is therefore not "Federal Network Agency vs. BfDI Data Act". The better question is: what kind of issue is this?
Data Act cases often mix legal categories. A machine data access request may involve non-personal product data, personal data of employees, trade secrets, API security, contract terms and cloud portability at the same time. That is why the correct contact follows the substance of the issue, not the label of the dispute.
Why the Federal Network Agency will usually be the first stop
Section 2 DADG names the Federal Network Agency as the competent authority for the application and enforcement of the Data Act in Germany.
The statute also makes the Federal Network Agency the central contact point for questions concerning implementation. Its tasks include public information, handling general and specific complaints, national supervision, admitting dispute settlement bodies and examining certain public sector data requests under Chapter V of the Data Act.
This gives the Federal Network Agency a broad enforcement role. It can handle complaints under Article 38 Data Act, conduct investigations, request information and order measures to ensure compliance.
For companies, this is the main reason why the phrase "Federal Network Agency Data Act authority" is broadly correct. If a user cannot obtain access to product data, if a data holder refuses to provide data, or if a cloud provider creates switching obstacles, the Federal Network Agency will usually be the relevant Data Act supervisory authority in Germany.
Where the BfDI enters the picture
The BfDI's role is narrower, but it is not marginal.
Article 37 Data Act states that the supervisory authorities responsible for the GDPR are responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned.
Germany implemented this through section 3 DADG. For non-public bodies, the BfDI is the competent data protection supervisory authority for the application of the Data Act regarding the protection of personal data.
The DADG also sets out how the two authorities work together. If the Federal Network Agency identifies that a decision requires an assessment of the lawfulness of personal data processing, it must involve the BfDI. The Federal Network Agency is then bound by the BfDI's assessment on that data protection question.
That is why the BfDI Data Act role should not be misunderstood as a competing general Data Act authority. It is a specific supervisory role for personal data questions within Data Act cases.
The legal basis for having more than one authority
Article 37 is the key provision behind the apparent overlap.
First, it allows each Member State to designate one or more competent authorities. A single-authority model is possible, but not mandatory.
Second, where a Member State designates more than one authority, it must arrange coordination between them. The Data Act therefore anticipates shared responsibility.
Third, Article 37 gives data protection supervisory authorities responsibility for monitoring the Data Act insofar as personal data protection is concerned.
Fourth, it requires cooperation with sector authorities and with authorities competent for data and electronic communications services. This is especially relevant for switching between data processing services under Articles 23 to 31 of the Data Act.
The result is a layered enforcement model. The Federal Network Agency handles the general Data Act enforcement architecture in Germany. The BfDI handles the personal data protection assessment where that assessment is part of a Data Act case.
What this means in typical Data Act scenarios
A user receives no access to machine data
A manufacturer of connected machinery does not give a business user access to readily available product data.
This is primarily a Data Act access issue under Articles 3 and 4. In Germany, the complaint route will usually point to the Federal Network Agency. If the refusal is based on trade secrets or security concerns, the Federal Network Agency can still be the relevant authority for the Data Act assessment.
A data access request includes personal data
A fleet operator requests vehicle data. The dataset includes driver-related location or driving behaviour data.
The access request remains a Data Act issue, but the personal data layer changes the authority picture. The Federal Network Agency may handle the overall Data Act procedure. The BfDI is relevant for the assessment of whether the personal data processing is lawful.
The Data Act does not replace the GDPR. If the user is not the data subject, Article 4(12) Data Act requires a valid legal basis under the GDPR before personal data can be made available.
A customer wants to switch cloud providers
A customer wants to switch from one data processing service to another, but the source provider delays the export or does not provide exportable data in the required format.
This falls within the Data Act rules on switching between data processing services. In Germany, this will generally be a Federal Network Agency matter. The BfDI becomes relevant only if the concrete issue requires a data protection assessment, for example because personal data is part of the exported data and the legality of that processing is in dispute.
A company complains about a data holder
A third-party service provider receives a user's instruction to obtain data from a data holder. The data holder refuses or imposes conditions that the third party considers incompatible with the Data Act.
This is a classic complaint scenario under Article 38 Data Act. The Federal Network Agency is the likely authority for the Data Act enforcement procedure in Germany. If the refusal turns on personal data, the BfDI may need to be involved for that specific assessment.
How the German DADG changed the enforcement landscape
The German DADG is the national law that now makes the Data Act enforcement structure operational in Germany.
We covered the legislative adoption of that law in a separate article:
German Parliament Passes National Data Act Law
That article explains why the German implementation law increases compliance pressure for manufacturers, IoT providers, cloud providers and data holders.
The practical takeaway
There is no real contradiction between the Federal Network Agency and the BfDI being mentioned in connection with Data Act enforcement in Germany.
The Federal Network Agency is the central authority for the application and enforcement of the Data Act under the DADG. The BfDI is responsible for the Data Act where the protection of personal data is concerned, in particular for non-public bodies under section 3 DADG.
For companies, the practical task is to classify the issue correctly before choosing the route. Missing product data access, third-party sharing, cloud switching and general complaints usually point to the Federal Network Agency. Questions about the lawfulness of processing personal data point to the BfDI within the Data Act procedure or to the ordinary GDPR supervisory framework where the matter is outside the Data Act.
FAQ
Is the Federal Network Agency the Data Act authority in Germany?
Yes, for the general application and enforcement of the Data Act. Section 2 DADG designates the Federal Network Agency as the competent authority and central contact point in Germany.
What role does the BfDI play under the Data Act?
The BfDI is responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. Under section 3 DADG, this applies to non-public bodies.
Which authority can I complain to?
For most Data Act complaints in Germany, the relevant authority will be the Federal Network Agency. If the complaint turns on personal data protection, the BfDI may be involved in the assessment or may be the relevant authority for that specific data protection issue.
What happens if personal data is involved?
The Data Act still applies, but the GDPR remains relevant. The processing needs a valid legal basis, and the BfDI can be responsible for assessing the personal data protection question within the Data Act framework.
Can several authorities be competent at the same time?
Yes. Article 37 Data Act expressly allows several competent authorities and requires cooperation. Germany uses that model by assigning broad Data Act enforcement to the Federal Network Agency while giving the BfDI a specific role for personal data protection.