On 26 March 2026 the Bundestag passed the Data Act Implementation Act (Data-Act-Durchführungsgesetz), naming the Federal Network Agency (Bundesnetzagentur) as Germany's central authority for enforcing the EU Data Act. The Bundesnetzagentur will field complaints, report unjustified data-access refusals to the European Commission, and approve dispute-resolution bodies, while the Federal Data Protection Commissioner (BfDI) keeps exclusive oversight of personal data. The headline number is what it can fine for non-compliance: a maximum of €500,000 — slashed from the €10 million in the original draft bill. The Bundesrat declined to object on 8 May 2026, clearing the law.
That ceiling is the story. Germany has just handed its newest digital regulator a deliberately small stick, even as the country's real tech-enforcement muscle — the Bundeskartellamt's Section 19a regime — keeps getting sharper. The division of labour is mostly the right call. The worry is that Germany is now stacking regulators on top of the same handful of firms.
A deliberately modest instrument
The Data Act fine regime is tiered: roughly €50,000 for minor breaches, €100,000 for moderate ones, and €500,000 at the top, applied only after the Bundesnetzagentur issues a remedial notice and a deadline that goes unmet. As the German firm Heuking notes, the cut from €10 million was made explicitly "to prevent an undue burden on SMEs and to ensure proportionality."
The strongest case against this design is real and deserves stating plainly. The Data Act's whole point — forcing access to connected-device data and easier cloud-switching — targets exactly the largest platforms, for whom €500,000 is a rounding error and a price worth paying to keep hoarding data. A cap that low arguably under-deters precisely the firms the law was written to constrain, leaving SMEs to litigate access rights they can't realistically enforce.
That critique is fair, but it misreads what the Data Act is for. This is a brand-new, untested data-sharing regime imposing genuinely novel obligations — IoT data portability, switching mechanics, B2B sharing terms — on firms that have never had to comply with anything like them. A remedy-first structure that compels actual behaviour change before it punishes is the proportionate instinct: it rewards cooperation over confrontation while the rules bed in, and it spares the small manufacturers and data holders who fall within scope from punitive exposure for honest mistakes. The €500,000 cap limits fines, not the underlying obligation to grant access. The Bundesnetzagentur can still order compliance; it simply won't lead with a sledgehammer.
Where the real teeth are
The contrast with Section 19a of the German Competition Act (GWB) is instructive. In force since 2021, Section 19a lets the Bundeskartellamt designate firms of "paramount significance for competition across markets" (PCMS) for five years, then prohibit specific conduct — without first proving concrete competitive harm. All five U.S. giants are designated: Alphabet, Amazon, Apple, Meta and Microsoft. As the Information Technology and Innovation Foundation observes, the regime shifts the burden onto firms to justify their conduct and forces them to "re-engineer services" to stay clean.
This is no longer theoretical. On 5 February 2026 the Bundeskartellamt prohibited Amazon from using "price control mechanisms" to police the prices of third-party Marketplace sellers, citing Section 19a(2) GWB, Section 19 GWB and Article 102 TFEU. Crucially, it ordered the disgorgement of around €59 million in economic benefits — its first use of disgorgement since the 2023 GWB reform, and only a partial, initial amount because the conduct is ongoing. There is no €500,000 ceiling here.
The courts have backed the tool. On 18 March 2025 the Federal Court of Justice (Bundesgerichtshof) confirmed Apple's PCMS designation, holding that no concrete danger to competition need be shown and that Apple's prior designation as a DMA "gatekeeper" did not preclude Section 19a scrutiny. Germany's competition regulator now has a judicially blessed, financially open-ended instrument aimed squarely at Big Tech.
Four regulators, one set of firms
Stack the instruments and the picture clarifies. The same five companies now answer to the Bundeskartellamt under Section 19a, to the Bundesnetzagentur under the Data Act, to the BfDI under the GDPR, and to the European Commission under the Digital Markets Act — each with its own procedures, theories of harm and penalty scales. Microsoft, brought under Section 19a in 2024, is a case in point: its data-sharing conduct could plausibly draw the attention of three of those four at once.
That is the genuine proportionality risk in German digital enforcement — not that the Data Act is too soft, but that overlapping regimes create coordination costs and cumulative jeopardy for conduct that may be a single commercial practice. A self-preferencing data-access refusal could be a Section 19a abuse, a Data Act violation, and a DMA breach simultaneously. Without clear ne bis in idem boundaries and inter-agency coordination, firms face parallel investigations and stacked liability for one act.
The proportionate read
Berlin got the Data Act instinct right: a light-touch, remedy-first regime for a novel obligation, with fines scaled to avoid crushing the SMEs the law is meant to empower. The harder questions belong to Section 19a, where a €59 million disgorgement and a Federal Court green light show the cartel office's appetite growing. The lesson is not to weaken either tool but to coordinate them — so that Germany's pro-data-sharing ambitions don't drown in four regulators chasing the same five companies.