EU Digital Rights 2026: What changes can be expected at the national level?
Update Data Protection No. 230
In 2026, digital law in Germany will enter a decisive implementation phase. While numerous digital regulations will take full effect for the first time at the European level (we reported on this in Data Protection Update No. 223), issues of enforcement, institutional responsibilities, and administrative implementation will come to the fore at the national level. German legislators and the competent authorities are faced with the task of translating European requirements into functioning supervisory, administrative, and procedural structures, while at the same time making selective national adjustments. Key factors here include the planned amendment of the Federal Data Protection Act, the national enforcement of the Data Act, and new cooperation and reporting obligations in the area of digital law enforcement and cybersecurity. In addition, there are far-reaching plans for administrative digitization, which concern digital identities, register modernization, and government platform structures and effectively create new legal requirements. The following article provides an overview of the key developments in German digital law in 2026 and assesses their practical significance for companies.
I. Data protection and data processing
In the area of data protection law, a selective but legally significant further development of the Federal Data Protection Act (BDSG) is on the horizon at the national level for 2026. This is due in no small part to the recent decisions of the European Court of Justice on scoring by credit agencies (SCHUFA case law), which clarified the scope of application of Art. 22 GDPR and called into question the previous national regulatory approach. At the same time, there are still uncertainties regarding the interaction between the GDPR and national implementing legislation, particularly with regard to permissible national specifications.
The planned amendment to the BDSG focuses primarily on the handling of automated decision-making processes and credit ratings ("scoring"), which has been the subject of legal and political controversy for years. In its ruling of December 7, 2023, the ECJ clarified that even the automated generation of a probability value by a credit agency can constitute an "automated decision" within the meaning of Art. 22 (1) GDPR, provided that this value is decisive for a third party's decision, such as granting a loan. This means that scoring as such is generally subject to the prohibition of automated individual decisions, unless one of the narrowly interpreted exceptions in Art. 22 (2) GDPR applies.
Against this background, the German government intends to add a new Section 37a to the BDSG, which will regulate scoring procedures and comparable automated assessments. The aim is to create an independent national legal basis for permissible automated decision-making within the meaning of Art. 22 (2) (b) GDPR and, in particular, to specify in more detail the requirements for permissible data categories, transparency, decision-making logic, and appropriate protective measures. The planned regulation is thus intended to explicitly follow the limits set by the ECJ and at the same time provide a practicable framework for data-driven business models.
The planned regulations are closely linked to the provisions of the GDPR and make use of the opening clauses provided therein without departing from the EU legal framework. At the same time, there is still a risk that special national regulations will lead to increased complexity, especially for companies that operate data-driven business models in several member states.
II. Data Act & data access
The Data Act is also increasingly becoming the focus of practical application at the national level. Although the regulation applies directly and uniformly in all member states, its actual effect depends largely on national enforcement and the design of supervisory structures. In Germany, the division of responsibilities between federal and state authorities has not yet been conclusively clarified and is the subject of ongoing consultations. In particular, it remains unclear which authorities will be primarily responsible for enforcing the new data access rights and how these responsibilities will relate to existing data protection supervisory mechanisms.
Of particular importance is that key obligations under the Data Act, in particular the obligation to provide product and service data in a user-friendly manner, will also apply to connected products newly placed on the market from September 2026 (we reported). This means that data access will no longer be treated solely as a contractual or organizational issue, but as a product feature that must be guaranteed from a technical perspective. For manufacturers and providers, this means that data access and data portability requirements must already be integrated into development and design processes.
At the national level, 2026 will show the extent to which the competent authorities are able to effectively enforce the new access rights while at the same time appropriately resolving overlaps with existing data protection and regulatory regimes. This creates an additional need for coordination for companies, as data compliance will no longer be organized solely in accordance with the GDPR, but increasingly also in accordance with cross-sector data access rules.
III. Digital law enforcement and security
In the area of digital law enforcement and security, 2026 in Germany will be marked primarily by preparatory implementation and adaptation measures. The E-Evidence Regulation, which will apply throughout the EU from August 2026 (we reported), and European cybersecurity regulations, particularly in the context of the NIS 2 Directive and the Cyber Resilience Act, will be particularly significant in this regard. These regulations will change both access to electronic evidence and the requirements for dealing with security incidents and digital risks.
At the national level, this will primarily result in the need for adjustments to criminal procedure law and administrative practice. Law enforcement agencies will have to integrate new instruments for the cross-border securing and disclosure of electronic data, while at the same time establishing clear responsibilities and procedures within the federal security architecture. In this context, companies are increasingly taking on a mediating role between investigative interests and the protection of personal data.
Of particular practical importance is the increasing involvement of private providers of digital services in investigative and security measures. The E-Evidence Regulation will enable law enforcement authorities to directly oblige service providers across borders to disclose or secure electronic evidence, in some cases with very short legal implementation deadlines. For affected companies, this means significantly increased organizational and legal pressure to act, as corresponding orders must be reviewed at short notice, implemented technically, and at the same time classified in terms of data protection law. In parallel with this, national implementation measures in the area of cybersecurity are leading to further clarification of reporting obligations in the event of security incidents and vulnerabilities.
IV. Administrative digitization
The digitization of administration is another key focus of German digital law. Unlike traditional regulatory acts, it is not primarily aimed at companies, but it does have significant indirect legal effects by establishing new digital access, identification, and procedural standards. Particularly important in this regard are the national implementation of the European Digital Identity Wallet, the continuation of register modernization, and the establishment of uniform technical infrastructure for digital administrative services.
With regard to the introduction of the Digital Identity Wallet, the main focus in 2026 will be on creating the legal and organizational conditions. This includes issues of jurisdiction, security architecture, certification of participating actors, and the integration of existing administrative and business processes. Even though the mandatory provision of the wallet will not take effect until the end of 2026, important decisions will be made in the course of this year that will shape the future use of digital identities in administration and business.
At the same time, the modernization of registers is continuing. The gradual connection of central registers and the implementation of the once-only principle mean that data retrieval between authorities is becoming increasingly automated. This raises not only technical issues, but also questions relating to data protection and organizational law, particularly with regard to transparency, access controls, and responsibility for data quality. This is complemented by the development of so-called " " basic services and platform structures, which are intended to set uniform federal standards for digital administrative services as part of a "Germany Stack."
V. Recommendations for action for companies
Against the backdrop of the developments described above, companies should use 2026 to align their existing digital compliance structures specifically with national implementation and enforcement issues. The focus here is less on introducing completely new processes and more on adapting existing processes to specific national requirements and new regulatory interfaces. Particularly where European requirements are supplemented by national regulations, administrative practices, or supervisory structures, there is an increasing need for clear responsibilities and robust internal procedures.
In the area of data protection, it is advisable to review existing data-based evaluation and decision-making procedures, in particular scoring models and comparable automated processes, at an early stage with regard to possible national specifications. In the context of the Data Act, companies should also analyze their product and data architectures to determine whether data access rights are adequately represented from a technical and organizational perspective and whether interfaces with users and authorities are designed in a practical manner.
In addition, preparatory measures in the area of digital law enforcement and cybersecurity are becoming increasingly important. Companies should ensure that official requests for electronic data and reports of security incidents can be processed in a legally compliant manner within short time frames. Especially for small and medium-sized enterprises, which often have limited human and technical resources, it is crucial to bundle the requirements at an early stage and integrate them pragmatically into existing compliance and risk management structures.
VI. Conclusion and outlook
For German digital law, 2026 marks less of a new beginning and more of a phase of practical testing of existing regulations. The focus is on the national specification, enforcement, and organizational implementation of European requirements and individual national adjustments, particularly in data protection law. At the same time, administrative digitization is gaining importance as a de facto regulatory framework and is increasingly shaping the legal framework for companies. In practice, the decisive factor will be the extent to which new obligations, regulatory requirements, and digital interfaces can be designed in a coherent and manageable manner.
This article was created in collaboration with our student employee Emily Bernklau.