I. Current Developments

The national implementation of the eIDAS 2.0 Regulation is in an advanced but not yet completed phase in Germany as of May 2026. On 26 March 2026, the Federal Ministry for Digital Affairs and State Modernisation (BMDS) presented a ministerial draft for a Digital Identities Act (DIdG), which is currently undergoing inter-ministerial coordination and is expected to be submitted to the Cabinet shortly. The draft specifies central elements of the future wallet infrastructure, in particular user onboarding, the integration of additional functions such as payment options, and potential acceptance obligations for companies. In terms of timing, the Federal Government is pursuing an ambitious roadmap: the Act is intended to enter into force during the course of the year, while the practical rollout of the wallet at the European level is scheduled for early 2027. In parallel, technical foundations are being established, for example through planned open-source documentation and supplementary security measures such as bug bounty programmes. Nevertheless, particularly at the municipal level, doubts remain regarding the feasibility of the timeline and the practical integration into existing administrative structures.

The reactions from industry associations are nuanced. In principle, the introduction of a Europe-wide harmonised digital identity solution is welcomed, but at the same time significant need for improvement is identified. Particular criticism is directed at the high complexity of the draft legislation and the resulting legal uncertainty, as numerous cross-references to other national and European regulations complicate application and increase the risk of incorrect implementation with potential sanctions. Furthermore, the market structure envisaged in the draft is questioned: associations call for a “level playing field” between public and private wallet providers, while a potential state preference is seen as inhibiting investment. In functional terms, there are also expectations that the wallet should provide all essential core functions – digital identification, attribute attestations, and qualified electronic signatures – in full from the outset, in order to avoid acceptance problems.

In parallel with the legal design, work is also continuing on the conceptual and technical development of the wallet. The BMDS has announced that the “EUDI Wallet“ will receive a new, more user-friendly name in Germany, as the current designation is considered difficult to remember and acceptance problems are feared. Technically, a phased expansion of functionalities is planned: in addition to traditional identity credentials, payment functions are also to be integrated over time, for example through the incorporation of existing credit cards or online payment services, with regulatory guardrails planned particularly regarding security and functional separation. At the same time, close integration with existing digital infrastructures such as BundID is planned, which promises synergies but also brings technical and organisational challenges, particularly on the administrative side. Overall, it is evident that implementation is currently in a dynamic phase between legislative specification, technical development, and political-economic coordination, with the coming months being decisive for the system’s practical viability.

II. Affected Companies

The eIDAS 2.0 Regulation does not impose a blanket obligation on all companies to integrate the EUDI Wallet. Rather, a distinction must be drawn between different categories of market participants, with specific obligations arising in particular for companies that offer or rely on digital identification processes.

Directly addressed are, first, so-called “relying parties”, i. e. service providers that use digital identification procedures to grant users access to their services or to receive legally relevant declarations. These include in particular regulated sectors such as credit institutions, payment service providers, telecommunications providers, and providers of digital platform services, insofar as they are legally obligated to identify their customers (for example under KYC or anti-money laundering requirements). These companies will in future be required to accept the EUDI Wallet as an identification tool, provided they use digital identification procedures and the wallet meets the required level of assurance. In such cases, a concrete need for integration and adaptation arises in existing onboarding and authentication processes.

A further group comprises companies that have not yet implemented mandatory identification processes but offer digital services for which identity verification is typically required or advisable. These include, for example, platform operators, providers of online marketplaces, or services with age verification obligations. For these actors, there is not necessarily an immediate obligation arising directly from the Regulation itself to integrate the wallet; however, the European legal framework opens up the possibility for Member States to establish corresponding acceptance obligations at the national level. Against this backdrop, it can be expected in the German context in particular that certain sectors will in future be subject to regulatory obligations to accept the wallet and process the corresponding attestations. The circle of specifically affected companies will therefore be significantly determined by subsequent national regulations.

By contrast, companies without any connection to digital identification processes – i. e. purely physical businesses without digital customer interaction – are generally not directly affected. Companies that exclusively use internal identity solutions and do not process external user identities also do not, in principle, fall within the direct scope of application of the eIDAS 2.0 Regulation.

Finally, a third group of actors must be considered, for whom the situation gives rise not so much to obligations as to market opportunities. These include in particular providers of wallet solutions, trust service providers, and technical service providers that offer interfaces, identity management systems, or verification solutions. These actors are also subject to regulatory requirements, for example regarding certification and security standards, but they are not primarily addressees of acceptance obligations; rather, they form part of the emerging ecosystem.

III. Recommendations for Action for Companies

In the short term, companies should first clarify whether and in which processes they already use digital identification procedures today. Particularly relevant are onboarding processes, contract conclusions, age verifications, and existing KYC or authentication solutions. As a first step, it is advisable to specifically inventory and prioritise these processes in order to identify those use cases in which the EUDI Wallet is likely to become mandatory or at least practically relevant in the future.

In parallel, internal responsibilities should be assigned, ideally involving Legal, Compliance, and IT. The EUDI Wallet is not a purely IT topic; regulatory requirements, liability issues, and technical integration are interlinked. Without clear responsibilities, there is a risk that necessary preparations will be delayed.

At the technical level, it is advisable to review the company’s own system architecture for wallet compatibility at an early stage. Companies should assess whether their existing identification and authentication systems are fundamentally open to external identity providers and have standardised interfaces (APIs). If this is not the case, at least a conceptual opening should be prepared in order to reduce subsequent integration effort.

Furthermore, it is advisable to closely monitor developments at the national level, particularly with regard to potential acceptance obligations for certain sectors. Companies that are potentially active in regulated areas (e.g. financial services, platform economy, telecommunications) should develop scenarios for how a mandatory wallet integration can be implemented organisationally and technically. This also includes early coordination with existing service providers, for example in the areas of identity verification or payment processing.

Finally, companies should consider concrete pilot or testing strategies as soon as corresponding interfaces or reference implementations become available. Early practical experience – even in limited use cases – makes it possible to realistically assess integration effort, user acceptance, and operational impacts, and to make necessary adjustments in a timely manner.

IV. Conclusion and Outlook

The EUDI Wallet will gradually gain practical significance with the further implementation of the eIDAS 2.0 Regulation and the accompanying national legislation. With a view to the planned rollout by early 2027, it is foreseeable that it will establish itself as an additional standard for digital identification and attestation processes. For companies, this primarily means that existing digital processes will need to be supplemented by or adapted to the use of the wallet over time.

At the same time, the current state of implementation shows that numerous detailed questions – particularly regarding specific technical design, market organisation, and potential acceptance obligations – remain open. Against this backdrop, a pragmatic approach is recommended: companies should closely follow regulatory developments and establish the necessary organisational and technical foundations at an early stage, without prematurely committing to specific solutions. Ultimately, what will be decisive is how clearly and practicably the national requirements are designed and to what extent the wallet actually gains traction in the market.

This article was created in collaboration with our student employee Emily Bernklau.

While the original ministerial draft and the cabinet draft were still considered comparatively restrained, the German Bundestag has now followed the recommendation of the Finance Committee and adopted an explicit “clarification” of the external ownership ban.

Despite the Bundestag’s approval, the legislative process is currently blocked. The Bundesrat unexpectedly rejected the draft legislation on 8 May 2026. However, the background was not the new regulation on the external ownership ban itself. Rather, the decisive factor was a tax-free relief premium for employees that had been incorporated into the law at short notice, intended as a response to the increased cost of living resulting from the Iran conflict. As the federal states saw significant tax revenue losses for themselves and the municipalities and there was no adequate offsetting financing, the Bundesrat refused to approve the law as a whole. The legislative process has thus been halted for the time being; in particular, convening the Mediation Committee now appears possible. In substantive terms, however, there is much to suggest that the professional law amendments regarding the external ownership ban will remain largely unchanged in the further proceedings.

I. The New Regulation: Look-Through Across All Levels of Participation

At the core of the reform of the external ownership ban is the new Section 55a(1) sentence 3 of the German Tax Advisory Act (StBerG). Under this provision, in the future not only directly participating auditing or bookkeeping firms will be required to meet the professional law recognition requirements. Rather, this is expressly intended to apply to all indirectly participating entities within multi-tiered participation structures.

The new regulation thus directly targets the private equity structures via foreign auditing firms that have been widespread to date. The external ownership ban is effectively extended to the entire chain of participation.

Notably, the legislature has characterised this as a mere “clarification” rather than the closing of a previously existing regulatory gap. The legislature is thus clearly pursuing the objective of retroactively providing a statutory basis for the existing restrictive administrative practice.

It is precisely this doctrinal construction that has significant practical consequences: the law contains neither transitional provisions nor explicit grandfathering protection for existing participation structures. According to the understanding set out in the legislative explanatory memorandum, even already implemented investor structures could become impermissible under professional law immediately upon entry into force.

In extreme cases, affected tax advisory firms could even face a revocation of their recognition.

II. Extended Transparency and Disclosure Obligations

Complementing the substantive tightening, the legislature is also significantly expanding regulatory transparency requirements. In the future, tax advisory firms will be required to notify the competent Chamber of Tax Advisors (Steuerberaterkammer) without delay of any changes to direct and indirect ownership interests. This applies in particular to participations by auditing or bookkeeping firms. In the case of changes at the indirect level, the entire participation structure up to the affected level must additionally be disclosed. Furthermore, indirect shareholders will in future already need to be declared during the recognition procedure.

The new regulation thus provides the chambers with significantly broader supervisory powers with respect to complex participation and platform structures.

III. Which Participation Structures Will Remain Permissible for Private Equity Investors?

Current developments already indicate how the market will react to the new statutory regulation. Numerous investors are currently considering whether to organise existing platform structures in the future via auditing firms (Wirtschaftsprüfungsgesellschaften) rather than tax advisory firms, or to restructure existing tax advisory platforms accordingly.

The background is that the tightening now envisaged is directly linked to tax advisory law, while the professional law governing auditors has not undergone a comparable reform. At the same time, auditors and auditing firms remain fully authorised to provide assistance in tax matters. Auditing firm structures are thus increasingly becoming the central alternative for investor-driven professional services platforms.

However, it remains to be seen whether this trend will prove sustainable in the long term. The legislative explanatory memorandum clearly shows that the legislature is taking an increasingly critical view of indirect influence by institutional investors. Should the market increasingly shift towards auditing firm structures in the future, it appears quite possible that the professional law governing auditors will also be subject to regulatory tightening in due course. On 23 April 2026, the board of the German Chamber of Public Accountants (Wirtschaftsprüferkammer) issued a statement clarifying that it continues to consider a private equity participation via an auditing firm to be permissible, provided that the independence of the auditing firm and the quality of the services are not called into question.

IV. Outlook

Legislative developments in this area remain dynamic. Market participants should regularly review the permissibility of their respective participation models and make adjustments as necessary to remain compliant.

I. Background and Objectives of the AI Omnibus

The European Commission presented the so-called AI Omnibus in November 2025 as part of its European “Simplification Agenda.” The background to this was, in particular, concerns expressed early on by industry, Member States, and practitioners regarding the practical feasibility of the AI Regulation. Criticism focused primarily on the high administrative burden, short implementation deadlines for high-risk AI systems, and overlaps with existing sector-specific regulations, such as in the area of product safety law. Furthermore, it was argued that certain requirements of the AI Regulation entail significant legal uncertainty and additional compliance costs, particularly for small and medium-sized enterprises.

Against this backdrop, the Commission’s proposal aimed in particular to better align the application of the AI Regulation with existing sectoral regulatory frameworks and to avoid double regulation. Among other things, the proposal included longer transition periods for high-risk AI systems, selective relief from documentation and compliance obligations, and closer integration with sector-specific harmonization legislation. At the same time, the division of responsibilities between national authorities and the European AI Office was to be clarified, and regulatory fragmentation within the EU reduced.

However, the proposals sparked controversial discussions even during the legislative process. While parts of the industry and individual member states welcomed the planned simplifications as a necessary step to ensure European competitiveness, other stakeholders warned of a potential watering down of the AI Regulation’s risk-based approach and increasing legal fragmentation.

II. The Key Points of Agreement

The political agreement of May 7, 2026, essentially adheres to the objectives of the original Commission proposal but includes important refinements and compromise solutions in several areas.

1. New Deadlines

A central component of the trilogue agreement is the adjustment of the application deadlines for high-risk AI systems. This is based in particular on the assessment that the harmonized standards and technical tools required for practical implementation are unlikely to be available in time. The Council and Parliament have therefore agreed on a phased postponement of the relevant application dates.

For so-called stand-alone high-risk AI systems, the relevant provisions of the AI Regulation will now apply only from December 2, 2027. For high-risk AI systems that are part of regulated products, such as in the fields of machinery, elevators, or toys, a later start date of August 2, 2028, is planned.

In contrast, the deadlines for transparency obligations related to AI-generated content have been shortened. Providers are to implement the necessary technical solutions for labeling artificially generated content, such as watermarks or machine-readable markers, as early as December 2, 2026. This is intended, in particular, to curb the misuse of generative AI systems more quickly.

2. New Prohibitions

The trilogue agreement also provides for an expansion of the prohibitions on certain AI practices previously set forth in the AI Regulation. In particular, an explicit ban on AI systems used to create non-consensual sexual or intimate content, as well as depictions of sexualized violence against children (CSAM), has been newly included.

This addition underscores that, despite the simplifications sought, European lawmakers are maintaining the AI Regulation’s protection framework rooted in fundamental rights. At the same time, the agreement responds to the increasing prevalence of abusive deepfake applications and growing political pressure in the area of child and personal data protection.

3. Sector-Specific Solutions

Another key focus of the agreement concerns the relationship between the AI Regulation and existing sector-specific regulatory frameworks. Particularly for regulated product areas such as medical devices, machinery, toys, watercraft, or elevators, there was concern that parallel requirements from the AI Regulation and sectoral harmonization acts could lead to double regulation and additional conformity assessment procedures.

Against this backdrop, a mechanism was agreed upon that is intended to allow for the targeted resolution of overlaps between the AI Regulation and sectoral regulations through subsequent implementing acts. In addition, the Machinery Regulation is to be partially exempted from the direct application of certain AI Regulation requirements. At the same time, the Commission is given the option to adopt supplementary health and safety requirements specifically for AI systems within the scope of the Machinery Regulation.

III. Recommendations for Action

While the trilogue agreement provides companies with additional time and greater regulatory flexibility in key areas, there is no reason to suspend ongoing AI compliance projects. Rather, companies should make targeted use of the transition periods granted to further develop existing governance and risk structures in a robust manner and to integrate the foreseeable adjustments into their compliance strategy at an early stage.

1. Do not pause existing AI compliance projects

Despite the extended transition periods, the fundamental requirements of the AI Regulation remain in place. Companies should therefore continue ongoing implementation projects, particularly in the areas of risk classification, documentation, governance, and internal responsibilities. The additional deadlines primarily provide greater planning certainty, but do not alter the fact that the regulatory requirements must be fully implemented in the medium term.

2. Prioritize transparency obligations for generative AI

There is an immediate need for action regarding AI-generated content. Companies that use generative AI systems or publish such content should implement technical solutions for labeling requirements – such as watermarks or machine-readable tags – at an early stage. Since the transition period is significantly shorter in this regard, this area is likely to become relevant before many traditional high-risk requirements.

3. Assess the relationship to sector-specific law early on

For companies in regulated industries – such as medical devices, mechanical engineering, mobility, or consumer products – the intersection between the AI Regulation and sector-specific product law is becoming increasingly important. Affected companies should therefore analyze early on which regulatory requirements will apply in parallel in the future and in which areas potential exemptions or special provisions might apply. Particularly in light of the announced further implementing acts, additional adjustments are to be expected in this area in the future.

4. Integrate prohibited AI practices and deepfake risks into existing governance

The new prohibitions make it clear that regulatory attention is increasingly focused on abusive applications of generative AI. Companies should therefore supplement existing AI governance structures with clear internal guidelines for handling synthetic media, deepfakes, and sensitive content. This applies not only to their own AI developments but also to the use of external AI tools by employees, service providers, or marketing departments.

IV. Conclusion and Outlook

The trilogue agreement on the AI Omnibus makes it clear that the European Union is placing greater emphasis on the practical implementability of the AI Regulation while simultaneously responding to increasing economic and regulatory pressure to adapt. In particular, the extended transition periods and the greater consideration of sector-specific characteristics are likely to provide many companies with additional planning certainty. At the same time, however, the agreement also shows that the EU is sticking to the AI Regulation’s fundamental risk-based regulatory approach and is even expanding it further in certain areas.

The political agreement must now be formally confirmed by the Council and the European Parliament and undergo a final legal-linguistic review. The AI Omnibus is expected to be finally adopted in the coming weeks. Companies should therefore closely monitor further developments and use the additional transition periods to adapt existing AI compliance structures to the foreseeable changes at an early stage.

This article was created in collaboration with our student employee Emily Bernklau.

Background: What Was Planned?

The legislation provided that employers could grant their employees a tax- and social security contribution-free relief bonus of up to EUR 1,000 in the form of allowances and benefits in kind until 30 June 2027. The bonus was intended to mitigate the impact of rising consumer prices and followed the proven model of the earlier inflation compensation bonus (Inflationsausgleichsprämie). Employees had no legal entitlement to the payment – the decision as to whether and in what amount the bonus would be paid was to rest solely with the employer.

Current Situation: Why the Bundesrat Blocked the Legislation

The rejection by the Bundesrat was politically motivated. The federal states consider themselves – together with the municipalities – to be exposed to a disproportionate cost burden, as the tax exemption would have led to significant revenue shortfalls in income tax, the proceeds of which are shared jointly by the federal government, the states, and the municipalities. The Federal Government has since announced that it intends to adhere to its plan and will decide on the next steps in the near future. Several scenarios are now conceivable: a referral to the Mediation Committee (Vermittlungsausschuss) and renegotiations with the states regarding compensation for the tax revenue shortfalls or – in the worst case – a definitive failure of the initiative.

Recommendations for Action for Employers

1. No Payment Without a Legal Basis

The legislation has not entered into force. There is currently no legal basis for a tax- and social security contribution-free relief bonus. Payments that employers now make under the designation “relief bonus” (Entlastungsprämie) are subject to regular tax and social security contributions. Employers should therefore refrain from making any payments and wait until the legislation has actually been promulgated and entered into force. This applies even if budgets have already been approved internally or communication measures have been prepared.

2. Put Internal Plans on “Standby” – Do Not Abandon Them

Many companies have already developed distribution models, drafted works council agreements (Betriebsvereinbarungen), or at least initiated budget approvals in anticipation of the legislation. This preparatory work is not wasted. The Federal Government has signalled that it intends to pursue the initiative. We therefore recommend not discarding the internal plans but rather converting them into a “ready-to-deploy” concept. Should the legislation enter into force at short notice following an agreement in the Mediation Committee, this will provide a considerable time advantage in implementation.

3. Involve the Works Council Early – Even Now

For companies with a works council (Betriebsrat), the following applies: The distribution of such a bonus is subject to the co-determination right under Section 87(1) No. 10 of the Works Constitution Act (BetrVG). The involvement of the works council in determining the distribution criteria, identifying the eligible employee groups, and setting the payment modalities requires the conclusion of a works council agreement (Betriebsvereinbarung). This coordination process typically takes time. Employers should therefore already now – on the basis of a draft works council agreement – seek discussions with the works council in order to be ready to act immediately upon the legislation entering into force. The fundamental decision as to whether a bonus will be paid at all and in what total amount remains solely with the employer and is not subject to co-determination.

4. Ensure Equal Treatment in Distribution

Those who use the preparation time should already now measure the planned distribution criteria against the employment law principle of equal treatment (Gleichbehandlungsgrundsatz). Differentiation is permissible – for example, a graduated scale based on income level, scope of employment, or actual work performance. A restriction to certain employee groups may also be possible, provided there are objective reasons. However, arbitrary distinctions or groupings based on irrelevant criteria are not permissible. In the event of violations, there is a risk of “upward adjustment”: disadvantaged employees could then demand to also receive the full bonus, which can cause considerable additional costs.

The case law on the earlier inflation compensation bonus (Inflationsausgleichsprämie) provides valuable guidance in this regard. In particular, it should be noted that, according to the case law of the Federal Labour Court (Bundesarbeitsgericht), the blanket exclusion of employees in the release phase of partial retirement (Altersteilzeit) is impermissible, and fixed-term employees may not be excluded without objective justification.

5. Manage Employee Communication

Particularly in larger companies and corporate groups, employee expectations are high following the public debate. Employers should communicate proactively and transparently: The legislation has not yet entered into force, but the Federal Government continues to pursue the initiative. A premature commitment to the bonus – for example at works assemblies or in internal communications – should be strictly avoided.

Conclusion

The blockade in the Bundesrat is a setback, but not a definitive end. Employers should closely monitor the situation and maintain their internal preparations without prematurely creating facts on the ground. Those who set the right course now – particularly with regard to works council agreements and distribution concepts – will be able to act quickly and with legal certainty once the legislation enters into force.

We are closely monitoring further developments in the legislative process and will inform you promptly as soon as the situation becomes clearer.

While HEUKING has in numerous iterations of publications, workshops and webinars, assessed the content and effects of the draft EU Space Act, this newsletter now focuses on the proposal for a regulation of the European Union Space Service Agency (new name used) itself.

Background: The European Union Space Agency (EUSPA or the Agency) has outgrown its original mandate. Additional tasks and responsibilities were conferred upon it by Regulation (EU) 2023/588 on the European Union Secure Connectivity Programme, and further expansion is foreseen under the proposed European Competitiveness Fund (ECF) Regulation for 2028–2034. The EUSPA currently supports the operation and exploitation of Galileo and EGNOS navigation services, manages security accreditation of EU space components, promotes downstream market development for Copernicus (Earth observation), operates the GOVSATCOM Hub and the EU Space Surveillance and Tracking (SST) Front Desk, and has assumed responsibilities regarding IRIS².

Broader Strategic Context: Mario Draghi's report on the future of European competitiveness highlighted how the European space economy faces critical challenges, including lower public investment compared to the US and China, supply chain dependencies, and regulatory fragmentation. The Commission has also explicitly described the regulation as part of Europe's pursuit of "space readiness," a concept prominently featured in the March 2025 White Paper for European Defence Readiness 2030.

Connection with the envisaged EU Space Act: In parallel, the EU Space Act, proposed as a first draft the Commission on 25 June 2025, aims to create a unified legal framework for the authorisation, registration, and supervision of space activities, with the EUSPA serving as a key implementation body with multiple tasks. Both legislative initiatives together form a comprehensive regulatory package: the Space Act harmonises the rules applicable to space operators, while the EUSPA Regulation provides the institutional architecture for enforcement and service delivery.

Legislative Status: The legislative process now moves to the European Parliament and the Council under the ordinary legislative procedure. If adopted, the new regulation is intended to apply from 1 January 2028.

I. High-Level Summary of Material Changes

The proposal introduces several material changes that together transform the character of the EUSPA from a programme-implementation vehicle into a permanent, operationally significant EU space services agency.

Renaming: The agency will be renamed from the "European Union Agency for the Space Programme" to the "European Union Space Services Agency," while retaining the well-established EUSPA acronym.

Expanded Operational Mandate: The proposal divides the EUSPA's tasks into three categories:

• own tasks, that the agency performs autonomously (security accreditation, operational security of PNT and EO, space security monitoring);
• tasks delegated by the Commission (management of PNT exploitation, GOVSATCOM Hub operation, downstream market development), EU Space Act tasks; and
• tasks to be delegated subject to operational readiness, including Earth Observation Governmental Service (EOGS), IRIS² governmental services, space weather, space surveillance and tracking, radio-frequency interference monitoring, and support for space commercialisation.

Governance Reforms. The organisational structure (Administrative Board, Executive Director, Security Accreditation Board) is retained but enhanced.

Budget Increase. The Union contribution rises from EUR 525.7 million for 2021–2027 to EUR 979.6 million for 2028–2034, nearly doubling the fix available financial resources.

Fee-Based Revenue. A new provision in Art. 25(3e) allows the EUSPA to charge fees for services rendered, with the legal basis for fee collection to be established by the EU Space Act.

Digital and AI Compliance. A "Digital Annex" obliges the EUSPA to align its digital solutions with the EU AI Regulation, the Cybersecurity Framework, the eIDAS Regulation, and the Single Digital Gateway Regulation, with consequences for contractors providing digital services to the agency.
Continuity Obligations for Contractors. Article 4(7) requires the EUSPA to ensure that its contractual operators maintain competency frameworks, succession planning, and operational capability to ensure service continuity during crises or extended disruptions.

Transitional Provisions. The new EUSPA shall continue operations and activities of the current agency in respect of all ownership, agreements, legal obligations, employment contracts, financial commitments, and liabilities. The new regulations and the transitional period until new regulations will actually have effect are arguably the most challenging effects for the EUSPA in the coming years.

II. Material Practical Effects

1. Near-Doubling of the Agency's Budget

The proposed increase from EUR 525.7 million to EUR 979.6 million represents a clear signal that the Commission envisions a materially larger and more capable agency. The budget increase is linked to both the continuation of current tasks and the financing of new activities under the expanded mandate. For industry participants, this translates directly into a larger addressable market for EUSPA-managed contracts and procurement opportunities.

2. Role under the EU Space Act

The EUSPA Regulation must be read together with the proposed EU Space Act, which assigns the agency central responsibilities for supervising compliance by EU-owned asset operators and third-country space service providers:

• under the Space Act, the EUSPA would manage the URSA, issue electronic certificates of compliance (e-certificates), and conduct technical assessments that form the basis for Commission authorisation decisions
• authority responsibilities of the EUSPA regarding EU own assets
• at least in the 2025 draft, an EU Space Label system
• crisis exemption and other easement or derogations decisions
• NIS2 and CRITIS similar implementation measures and interplay questions
• connection and cooperation with ESA and Institutions
• enhanced capacity building specifically regarding the requirements regarding the EU Space Act
• a number of further, yet unclear, areas of responsibility under future delegated acts.

The EUSPA would also be empowered to open investigations in the event of serious indications of infringement of the Space Act's technical requirements and to propose fines to the Commission.

3. Crisis Management and Operational Continuity Framework

The proposal introduces a crisis management responsibility that is novel for an EU decentralised agency of this type. Once a crisis is declared, the Executive Director of EUSPA gains authority to impose operational measures on staff and to activate business continuity procedures. Staff from Member States may be deployed for up to two years to address urgent situations or peaks of work. This framework requires the EUSPA to be 24/7 operational entity rather than a policy secretariat.

4. Enhanced Security Accreditation Authority

While the Security Accreditation Board (SAB) remains autonomous within the agencies, several procedural innovations streamline its decision-making. A single approval may now cover entire satellite constellations rather than requiring individual assessments. The Commission may request a decision within three months in duly justified cases; if no decision is adopted within that timeframe, it shall be deemed affirmative. This "silence is consent" could significantly reduce the time-to-market for new space systems and constellation deployments.

5. Digital Compliance and AI Regulation Alignment

The Digital Annex represents a significant regulatory extension into the technology governance sphere. By requiring the EUSPA to align its digital solutions with the AI Regulation, the EU Cybersecurity Framework, eIDAS, and the Single Digital Gateway, the Commission creates cascading compliance requirements for the agency's digital service providers and contractors. Companies supplying AI-powered analytics, cybersecurity tools, or digital infrastructure to the EUSPA must anticipate heightened compliance expectations, including conformity assessments under the AI Regulation for high-risk AI systems used in security-critical applications.

6. Fee-Based Revenue Model

The introduction of a fee-based financing mechanism in Article 25(3e) signals a shift toward partial cost-recovery for EUSPA services. While the precise fee structure and applicable services will be defined through the EU Space Act, this provision opens the door to registration fees, compliance certification charges, and service delivery fees that could affect space operators and data providers interacting with the EUSPA. Initial third-party estimates show a very broad range, without any concrete basis yet. The fee-based model, however, may create additional cost considerations for small and medium-sized enterprises and start-ups seeking access to the EU space market.

7. Contractual Business Continuity Requirements

Article 4(7) introduces a novel obligation for the EUSPA to ensure that its contractual operators maintain robust competency frameworks, succession planning, and operational capability sufficient to guarantee service continuity during crises or extended disruptions. For companies contracting with EUSPA, this translates into concrete contractual requirements for business continuity management (BCM) and disaster recovery plans.

8. Expanded Geographic and Organisational Footprint

Prague remains the agency's seat, but the proposal provides clearer legal backing for the establishment of local offices in Member States and the placement of staff at ground infrastructure centres across the EU. For host Member States, this may create opportunities for local economic development and specialised workforce requirements tied to space operations.

9. Interaction with the ESA and Clarification of Institutional Boundaries

The proposal implicitly addresses the long-standing institutional boundary question between the EUSPA (an EU agency) and the European Space Agency (an intergovernmental organisation). The EUSPA is positioned as the operational arm responsible for service delivery, security, market development, and user-facing functions, while the ESA retains focus on research, development, and technical oversight.

10. Commercialization and Facilitation

The proposal creates significant new opportunities for companies active in the “New Space” sector – start-ups, scale-ups, and innovative SMEs developing commercial space applications, downstream services, and space-derived data products. Article 4(3)(l) explicitly tasks the EUSPA with supporting the implementation of the “Space commercialisation and space economy” Union space component, including continuation of the CASSINI initiative, the EU’s dedicated support framework for space entrepreneurship.

Moreover, the EUSPA is mandated to foster technological development and the commercialisation of EU space industry and services, with a specific objective of helping entrepreneurs to grow and scale up. The Agency will continuously monitor the market, the evolution and impact of the space economy, and provide inputs on new user needs, creating an opportunity for innovative companies seeking to develop downstream applications, integrated services, and new data products based on EU space infrastructure.

11. The Military Dimension

The military dimension of space further amplifies these opportunities. As noted above, the Commission has explicitly described the EUSPA Regulation as part of Europe’s pursuit of “space readiness,” a concept prominently featured in the March 2025 White Paper for European Defence Readiness 2030. At the national level, Germany has made available a budget of EUR 35 billion for military space, signalling that defence-related space capabilities, notably and most prominently including secure communications, intelligence, surveillance, and reconnaissance (ISR), and space situational awareness, will be a major growth driver for the sector, in particular through trickle down effects to suppliers and startups.

For startups, this convergence of civilian and military demand creates a substantially larger addressable market. Companies offering dual-use technologies, resilient satellite constellations, space-derived data analytics, or cybersecurity solutions for space infrastructure are particularly well-positioned to benefit from both the EUSPA’s expanded commercialisation mandate and the parallel surge in national defence space procurement.

Stakeholders should note that the EUSPA’s enhanced role in operational security, its cooperation with ENISA on cybersecurity, and the Agency’s positioning as a 24/7 operational entity (described above) all reflect the growing integration of space into Europe’s broader security and defence architecture.

III. Recommended Actions for Stakeholders

The EUSPA Regulation proposal, in combination with the EU Space Act, creates a new regulatory ecosystem that will require proactive engagement from a wide range of stakeholders. The following recommendations are structured by stakeholder category.

1. EU-based space operators and manufacturers should begin mapping their current and anticipated interactions with the EUSPA to identify which authorisation, registration, and compliance obligations will apply once the EU Space Act enters into force on 1 January 2030. They should assess

• the adequacy of their cybersecurity risk management systems,
• environmental footprint calculation methodologies, and
• business continuity plans

in light of the heightened requirements of both the Space Act and the EUSPA Regulation. Early engagement with national competent authorities and envisaged Qualified Technical Bodies (QTBs) is advisable to understand the forthcoming certification processes.

2. Third-country operators providing space-based services or data within the EU, including US satellite operators, data providers, and hosted payload owners, should

• carefully assess their exposure to the EU market and determine whether they fall within the scope of the EU Space Act's authorisation requirements; and, where applicable,
• they should plan for the designation of an EU legal representative, prepare for potential equivalence decision applications, and monitor the legislative process for possible modifications to the extraterritorial scope provisions.

3. EUSPA prime contractors and service providers:

• should review their existing contractual arrangements in anticipation of enhanced business continuity and operational resilience obligations under Article 4(7) of the EUSPA Regulation;
• should prepare for compliance with the AI Regulation and the broader digital governance framework referenced in the Digital Annex if providing digital services to the agency;
• should anticipate deepened cooperation requirements between the EUSPA and ENISA, particularly if providing cybersecurity services.

4. Suppliers and service providers to EUSPA primes, in particular as it regards resilience or safety requirements should

• assess the new rulings to determine if and how these address also the supply chain, either by a requirement for the primes to contractually agree with suppliers in the same standards or indirectly, because the new Regulations may steer the market regarding certain standards and requirements;
• should engage with their prime contractors in order to, where possible, be included in cooperation and compliance planning at an early stage.

5. Member States and EU Regions should

• begin preparing for the pitch and the designation or establishment of national competent authorities as required by the EU Space Act and for contributing to the Security Accreditation Board's expanded activities.
• Member States and Regions that have not yet enacted national space legislation should consider whether to adopt interim rules or to await the final text of the EU Space Act before acting.

6. Investors and financial institutions active in the European space sector should

• factor the new regulatory costs and compliance timelines into their transaction due diligence and valuation models.
• The expanded EUSPA mandate and the near-doubling of its budget represent both regulatory risk and addressable market opportunity, depending on the positioning of portfolio companies within the emerging EU space regulatory framework.

7. Industry associations and trade bodies should

• actively participate in the legislative process during the European Parliament committee stage and Council working party negotiations, as the final text may differ significantly from the Commission's proposal.
• The public consultation period for the EU Space Act closed in November 2025, but ongoing advocacy and engagement with rapporteurs and shadow

rapporteurs remain essential channels for shaping the implementing measures and delegated acts that will determine the practical application of both the Space Act and the EUSPA Regulation.

IV. Conclusion and Outlook

The Commission's proposal for a standalone EUSPA Regulation marks a structural shift in European space governance. Seen together with the EU Space Act, it creates an integrated regulatory framework that will reshape the terms of access to the European space market for EU and non-EU operators alike.

The legislative process is now underway (also for the draft EU Space Act), with the European Parliament and the Council expected to begin substantive deliberations in the second half of 2026. While the broad objectives of the proposal enjoy broad support, specific provisions, particularly regarding the scope of Commission control over EUSPA decisions, the accreditation of third-country operators, the fee-based revenue model, and the interaction with national space legislation, are likely to generate debate during the trilogue negotiations and, possibly, again regarding the question of competency.

For all stakeholders in the European space ecosystem, from launch providers and satellite manufacturers to data service companies and downstream application developers, the message is clear: the regulatory environment for space activities in Europe is fast developing and early preparation is essential.

HEUKING’s Space Law team continues to monitor the legislative process closely and is available to assist clients in navigating the evolving EU space regulatory framework.

I. Affected Companies

The personal scope of the e-Evidence Regulation is deliberately broad and covers all “service providers” that offer electronic communication or data processing services. The decisive factor here is not formal industry affiliation, but the specific function of the respective business model. The key question is whether a company enables users to communicate with one another or stores and processes data on their behalf.

In practice, this initially includes traditional providers of electronic communication services, particularly telecommunications companies, email providers, and messenger and VoIP services. Typical examples are providers of email hosting, enterprise communication solutions, or collaboration tools. Operators of video conferencing systems or business messaging platforms may also be covered, provided they enable interpersonal communication.

Furthermore, hosting and cloud services are centrally affected. These include, for example, cloud storage providers, Software-as-a-Service (SaaS) platforms, data hosting service providers, or providers of project management and CRM systems, to the extent that they store or process data on behalf of users. This is particularly relevant in practice for companies that provide their customers with digital infrastructures, such as data rooms, document management systems, or platform solutions.

However, the scope of application extends even further and also covers other information society services, provided they offer communication or storage functions. These include, in particular, social networks, online marketplaces, gaming platforms with chat functions, dating apps, and collaboration platforms. Even services where communication is only a secondary function – such as chat features in online games or comment features on platforms – may be covered.

Also explicitly included are providers of domain and internet infrastructure services, such as domain registrars, hosting providers, CDN providers, or providers of IP addressing services. These are regularly the focus of when it comes to identifying users based on technical data such as IP addresses.

Finally, the company’s place of business is irrelevant. Providers based outside the EU are also subject to the Regulation if they offer their services within the Union, for example through a corresponding market orientation or a relevant user base within the EU. An exception applies only to certain financial services; otherwise, there are no size- or industry-based exemptions.

II. Production and Preservation Orders (EPOC and EPOC-PR)

At the heart of the e-Evidence Regulation are two new instruments: the European Production Order Certificate (EPOC) and the European Preservation Order Certificate (EPOC-PR). These enable law enforcement authorities to directly and cross-borderly compel service providers to produce or preserve electronic evidence (Art. 5, 6 E-Evidence Regulation).

The EPOC under Art. 5 of the E-Evidence Regulation obligates the addressed service provider to transmit the requested data directly to the competent authority. In particular, the order must be necessary and proportionate and, depending on the type of data, is subject to various substantive and procedural requirements, such as a judicial review requirement for traffic and content data. Upon receipt of the order, the data must generally be transmitted within ten days; in urgent cases, the deadline is reduced to eight hours (Art. 10 E-Evidence Regulation).

In contrast, the EPOC-PR under Art. 6 E-Evidence Regulation serves to secure data in order to prevent its deletion or alteration. Service providers are obligated to retain the relevant data for an initial period of 60 days (Art. 11 E-Evidence Regulation), with the possibility of an extension. It typically functions as a preliminary measure prior to a subsequent production order.

For companies, this means that they may not only be obligated to actively transmit data but must also implement and maintain data preservation measures at short notice. The Regulation thus establishes, for the first time, directly enforceable, cross-border obligations on private service providers.

III. German Implementing Act

With the Act Implementing Regulation (EU) 2023/1543, the German legislature has created an independent national legal framework that specifically defines, in particular, jurisdictions, procedures, and enforcement mechanisms. At its core is the Electronic Evidence Implementation and Enforcement Act (EBewMG), which integrates the requirements of EU law into German criminal procedure law.

First and foremost, the obligation to designate a designated recipient is central: service providers must designate a branch or a representative within the EU who is responsible for receiving and implementing production and preservation orders (§ 3 EBewMG). This designated recipient must be equipped with sufficient powers and resources to actually comply with the orders.

The law also regulates domestic jurisdictions and procedures. Depending on the type of data, public prosecutors’ offices and courts are specifically responsible for issuing and enforcing European Production Orders (Sections 9, 10 EBewMG), while the public prosecutor’s office generally acts as the enforcement authority (Section 11 EBewMG). At the same time, it is clarified that the general provisions of the Code of Criminal Procedure apply in addition (Section 7 EBewMG).

The law also provides for comprehensive enforcement and sanction mechanisms. Violations of cooperation and implementation obligations—such as the failure to provide or secure data in a timely manner—may be punished as administrative offenses with substantial fines, which, for larger companies, are based on global revenue (Section 18 EBewMG).

IV. Recommendations for Companies

In light of the E-Evidence Regulation coming into force on August 18, 2026, affected companies should take concrete organizational and technical measures at an early stage:

1. Define responsibilities and an “e-evidence response process”

Companies should establish a clearly defined internal process for handling EPOC and EPOC-PR orders. This includes, in particular, designating a central point of contact (e. g., Legal/Compliance), setting up a 24/7 availability plan, and defining binding escalation procedures to ensure compliance with the 8-hour deadlines in urgent cases.

2. Implement and document the recipient structure in a timely manner

The designation of a recipient (branch office or representative) required by the Implementation Act should not be merely a formality but should be supported by organizational measures. The recipient must actually be able to review orders, forward them internally, and implement them. This includes clear powers of attorney, access to relevant data structures, and documented communication channels with authorities.

3. Prepare technical processes for data backup and extraction

Companies should verify whether their IT systems allow for a short-term backup (“freeze”) as well as a structured extraction of relevant data (e.g., inventory, traffic, or content data). In practice, it is advisable to establish standardized export and provisioning processes (e.g., for mailboxes, log files, or account data) to ensure requests can be fulfilled in a timely and complete manner.

4. Develop review and decision-making procedures

Incoming orders should not be implemented without review. Companies should develop an internal review framework that systematically maps out, in particular, the formal requirements (e. g., competent authority, correct data category, deadlines) as well as possible grounds for refusal or further inquiry. This review must be designed to function reliably even under significant time pressure.

5. Adapt interfaces to data protection and deletion concepts

Existing deletion and archiving concepts should be reviewed to ensure they are compatible with preservation orders. In particular, mechanisms must be implemented that enable the immediate suspension of automated deletion routines. At the same time, the legal basis for processing and transmitting data in the context of e-evidence orders should be documented.

V. Conclusion and Outlook

The e-evidence regulation and the accompanying German implementing law establish a new, immediately effective regime for cross-border access to electronic evidence. For affected companies, this means a significant expansion of their obligations to cooperate, as well as the need to be able to respond to official orders at short notice. The combination of tight deadlines, direct contact from foreign authorities, and severe sanction mechanisms significantly increases compliance pressure.

In practice, the key factors will be how frequently and to what extent the new instruments are actually used, and how the competent authorities handle the existing discretion – for example, regarding rights of review and refusal. At the same time, interfaces with data protection law, particularly the General Data Protection Regulation, remain fraught with uncertainty and are likely to be subject to further clarification through case law and administrative practice.

Companies should use the time remaining until August 18, 2026, to specifically adapt their internal processes, technical structures, and responsibilities. The e-evidence rules are expected to quickly become an integral part of the regulatory requirements for data-processing business models.

Raids in North Rhine-Westphalia and Bavaria

Press reports describe this as the biggest crackdown on German tax havens in the history of the Federal Republic. The investigation is being led by the newly established Central and Contact Point for the Prosecution of Economic and Financial Crime (Zentral- und Ansprechstelle für die Verfolgung von Wirtschafts- und Finanzkriminalität (Zefin)) at the Düsseldorf Public Prosecutor’s Office. Together with approximately 110 investigators from the State Office for Combating Financial Crime (Landesamt zur Bekämpfung der Finanzkriminalität (LBF NRW)), Zefin carried out searches at numerous locations – particularly in Monheim and Leverkusen, but also in Düsseldorf, Mönchengladbach, and Siegburg, as well as in Bavaria.

The search operations targeted not only the companies themselves, which the authorities viewed as suspects, but – according to media reports – primarily a service provider that, allegedly knowing that the company’s registered office was only listed there as a front, rented offices to more than 100 companies, thereby enabling them to maintain a fictitious registered office. Law enforcement agencies in North Rhine-Westphalia, in particular, have stepped up their efforts against tax evasion. Last year alone, there were large-scale searches related to allegations of trade tax evasion. Further investigative measures and searches by the aforementioned, newly established, and adequately staffed agencies in the field of economic and financial crime are expected in the future.

Focus on Low Trade Tax Rates

The background to the statewide search operations is an investigation into tax evasion based on inaccurate trade tax returns regarding the so-called “center of business management.” Municipalities such as Monheim am Rhein, Grünwald, and Leverkusen attract companies with exceptionally low trade tax assessment rates. The assessment rate in Monheim is 250 points – significantly below the national average of around 405 points. The tax savings for companies headquartered in these locations are substantial. Tax authorities are now examining whether the reported business locations actually exist or whether they are merely mailbox addresses. The suspicion is directed at companies that do not maintain their own premises, staff, or operational activities at the low-tax location, but instead conduct their actual business operations elsewhere.

Criminal tax law risks associated with incorrect information regarding the permanent establishment

If trade tax was due at a location other than the permanent establishment location stated by the company, the previous trade tax returns may contain incorrect or incomplete information regarding tax-relevant facts within the meaning of Section 370(1)(1) of the German Fiscal Code (AO). Whether and where a permanent establishment exists is determined in accordance with § 12 AO. According to this provision, a permanent establishment is any fixed place of business or facility that serves the activities of the enterprise. In particular, a permanent establishment may also be the location of the management. In determining the location of management, the center of the overall business management must be taken into account (§ 10 AO). The decisive factors here are the actual circumstances and the actual exercise of management activities, not merely a formal registration. The tax authorities rely on indicators such as the lack of dedicated office space, no staff working on-site, the use of coworking spaces or virtual offices without a physical presence, as well as management and operational decisions being made at a different location. Criminal liability for tax evasion requires, in addition to the aforementioned incorrect or incomplete information, that this results in reduced tax payments or the obtaining of unjustified tax advantages (Section 370(1) AO). In the event of a conviction for such tax evasion, fines or imprisonment of up to five years may be imposed; in particularly serious cases, up to ten years (Section 370(1), (3) AO).

What Companies Should Do Now

Companies based in low-tax jurisdictions should immediately conduct (or have conducted) a tax review to determine whether their permanent establishment structure would withstand scrutiny under tax law or criminal tax law. It is particularly crucial that actual business activity takes place at the reported location – documented by the company’s own premises, on-site staff, and verifiable operational decisions made locally. Those who proactively analyze their own permanent establishment situation and make corrections where necessary can significantly reduce the risk of criminal prosecution.

Under the conditions of Section 371 of the German Fiscal Code (AO), a voluntary disclosure that exempts one from punishment may also be considered in individual cases – but only as long as the offense has not yet been discovered, for example, through a search and seizure of incriminating documents. Finally, companies should generally – regardless of any justified or unjustified allegations against them – prepare for potential searches, which means establishing guidelines, training employees accordingly, designating an external criminal defense attorney as an emergency contact, and maintaining an appropriate emergency plan. This plan should contain clear instructions for the employees present. In particular, it is essential to remain calm and generally cooperate until a consultant – who should be contacted as soon as possible – arrives on site to constructively assist with the search.

The Act implements various EU directives and aims to ensure a uniform and high level of consumer protection within the EU internal market. In particular, it regulates the (partial) restriction of the so-called perpetual right of withdrawal for financial services, as well as the introduction of an electronic withdrawal function for online contracts. Furthermore, the model withdrawal policy is being eliminated.

Below, we outline selected changes and highlight the resulting implications that financial service providers should consider in the future:

I. Restriction of the so-called perpetual right of withdrawal for consumer contracts regarding financial services

Under the previous legal framework, a consumer could have an indefinite right of withdrawal if the financial services provider had not properly fulfilled its information obligations under Article 246b § 2(1) EGBGB (§ 356(3) BGB, old version).

The revised version of § 356(3) and (4) BGB seeks to limit this risk. In the future, the right of withdrawal will expire, even in distance contracts for financial services, no later than 12 months and 14 days after the date specified in § 356(2) BGB or § 355(2), sentence 2, BGB. This date is generally the conclusion of the contract, even if the financial services provider has not fully complied with its duty to provide information.

However, a perpetual right of withdrawal may still arise if the consumer has not been informed of their right of withdrawal and the procedures for exercising it in accordance with Article 246b § 1(1)(16) of the Introductory Act to the German Civil Code (EGBGB), meaning the business operator has not properly instructed the consumer regarding the right of withdrawal.

II. Introduction of an electronic withdrawal function (so-called “withdrawal button”)

Section 356a(1) of the German Civil Code (BGB) introduces a mandatory electronic withdrawal option.

Businesses that enter into distance contracts via an online user interface must provide consumers with an easily accessible, consistently available, and user-friendly electronic option to cancel the contract. Canceling the contract must be just as easy as entering into it. The cancellation option must be clearly labeled with “Cancel Contract” or another equally unambiguous phrase.

The responsibility lies with the company as the consumer’s contractual partner, even in cases where the contract is concluded through third-party providers (intermediary platforms). The company must ensure – if necessary through a contractual obligation to the third-party provider – that the consumer can use an electronic withdrawal function. Exactly how this obligation is to be fulfilled in practice remains open.

III. Elimination of the Model Cancellation Policy for Financial Services

The previous model withdrawal notices from Annex 3-3b of the EGBGB are deleted without replacement. Article 246b § 2(3) of the EGBGB, which guaranteed the business that it fulfilled its duty to inform regarding the right of withdrawal by providing the consumer with the corresponding model withdrawal notice, has been deleted accordingly. The legislative rationale states that the model withdrawal notices are not provided for in the version of the fully harmonized Consumer Directive to be implemented, and there is no legislative leeway. Financial service providers must therefore independently develop and implement legally compliant withdrawal notices.

In practice, this change – contrary to its intention – leads to legal uncertainty at the expense of the business. The financial services provider cannot simply assume that the cancellation policy it uses is sufficient to fulfill the duty to inform.

IV. Expansion/Update of the Information Obligations under Article 246b § 1 EGBGB

The financial service provider’s duty to inform the consumer in accordance with Article 246b §§ 1 to 3 EGBGB (§ 312d(2) BGB) remains in effect and is expanded in scope.

New requirements include, in particular, information from the financial service provider regarding the consequences of late payment or default (Article 246b § 1 No. 8 EGBGB) as well as – where applicable – notices regarding personalized pricing based on automated decision-making. Furthermore, if environmental and social factors are incorporated into the financial service provider’s investment strategy, information must be provided regarding the environmental and social objectives pursued by the financial service (Article 246b § 1 No. 15 EGBGB).

Violations of this obligation may be punished with a fine under Article 246e EGBGB.

V. New Obligations: Duty to Remind and Duty to Explain

The law introduces additional obligations for financial service providers.

The duty to remind (Article 246b § 2 (2) EGBGB) applies if, upon conclusion of a distance contract, the information required under Article 246b § 1 (1) EGBGB is provided to the consumer less than one day before the time at which the consumer becomes bound by the contract. In this case, the consumer must be reminded of the right of withdrawal under § 355 BGB as well as the procedure for withdrawal. This reminder must be provided on a durable medium between one and seven days after the conclusion of the distance contract.

The duty to provide explanations (Article 246b § 3 EGBGB) requires financial service providers to provide the consumer with comprehensible explanations of the essential features and implications of the contract on a durable medium prior to the conclusion of the contract. The aim is to enable an informed decision. In the case of distance contracts for financial services, consumers may use online tools to request additional explanations from a human representative, even after the contract has been concluded.

VI. Conclusion and Need for Action

The new regulations lead to significant changes that require special attention from financial service providers.

A positive aspect is that the clear time limit on the right of withdrawal now generally applies to distance contracts for financial services as well. At the same time, requirements regarding information obligations, digital processes, and contract drafting are increasing. The removal of the model withdrawal instructions and the resulting legal uncertainty must be viewed critically.

Financial service providers should therefore assess at an early stage whether adjustments are necessary. Particular attention must be paid to the proper preparation and distribution of the cancellation policy in accordance with Article 246b § 1 (1) No. 16 EGBGB, as well as to the implementation of the new digital requirements.

I. Data Protection Classification

The use of AI-powered transcription tools in online meetings constitutes the processing of personal data within the meaning of the General Data Protection Regulation (GDPR). This regularly involves the capture of both spoken words and additional contextual information from participants, thereby bringing the activity within the scope of the GDPR. In its 40th Annual Report, the LfDI Baden-Württemberg clarifies in this regard that companies that decide to use such a tool are generally to be regarded as data controllers themselves and bear overall responsibility under data protection law.

In practice, the provider of the transcription service will often be classified as a processor, meaning that a data processing agreement pursuant to Article 28 of the GDPR must be concluded. This agreement must be critically reviewed and technically secured, particularly with regard to any potential use of the data for the provider’s own purposes, such as for training AI systems.

Furthermore, the processing requires a sound legal basis. In particular, the consent of the data subjects or the protection of legitimate interests may be considered, although a careful balancing of interests must be carried out on a case-by-case basis. In this context, the BayLDA emphasizes that consent, particularly in an employment context, often cannot be regarded as a valid basis, and instead the legitimate interest under Article 6(1)(f) of the GDPR takes on particular significance, provided that the necessity of the transcription can be justified.

In addition, the information obligations under Article 13 of the GDPR must be observed. Participants must be informed in a timely and transparent manner about the use of the transcription tool, the purpose of the processing, and any storage of data. Furthermore, it must be ensured that data subjects’ rights, such as the right to object, can be exercised effectively in practice.

II. Protection of the spoken word (Section 201 StGB)

In addition to data protection requirements, the criminal law protection of the spoken word must also be observed when using transcription tools. Under § 201 StGB, anyone who records or makes accessible a non-public spoken statement without the consent of the data subjects may be liable to prosecution. This is regularly the case with automated transcription, as at least an audio recording is technically made.

In practice, this means that prior consent from the participants is generally required. While this consent may also be implied – for example, by participating in a meeting clearly marked as such – it always requires clear and transparent information about the transcription. Companies should therefore ensure that all participants are explicitly informed about the transcription before the recording begins and that they consent to it.

III. Requirements of the AI Regulation

The AI Regulation introduces an additional legal framework that must be taken into account when using transcription tools. The risk-based approach of the Regulation is particularly relevant here. Pure transcription solutions will generally not be classified as high-risk AI systems as long as they are limited to converting speech into text and do not make any further assessments or decisions.

However, this classification may change if transcription functions are combined with additional analysis or evaluation elements, such as for monitoring employee performance or analyzing the content of communications. In such cases, a connection to high-risk applications – particularly in an employment context – may be considered.

Regardless of a high-risk classification, companies are required to systematically document and manage the use of AI systems. This includes, in particular, clearly defining areas of application, assessing risks, and embedding the use of such tools into internal policies and compliance frameworks.

IV. Recommendations for Companies

In practice, the following measures can be derived from the requirements outlined above:

• Ensure transparency and participant involvement: The invitation should already clearly inform participants about the planned transcription and its purpose. An additional notice (e. g., verbally or via a pop-up) is recommended at the start of the meeting. Furthermore, it must be ensured that participants can object to the transcription or switch to alternative communication channels.
• Configure and review tool settings carefully: Features such as AI training, advanced content analysis, or unnecessary data storage should be deactivated wherever possible. Additionally, it should be assessed whether transcription without permanent storage (e. g., live captions) is sufficient. The blanket or permanent activation of such features should be avoided.
• Implement contractual and organizational safeguards: Entering into a robust data processing agreement is essential and should be carefully reviewed, particularly with regard to the provider’s access to data. Additionally, it is recommended to introduce internal guidelines for the use of AI tools that include clear guidelines on use cases and the handling of sensitive content.

V. Conclusion and Outlook

The transcription of online meetings using AI-powered tools offers significant efficiency potential but is subject to complex legal requirements. In addition to data protection regulations and criminal law restrictions, the framework of the AI Regulation must increasingly be taken into account. It is therefore crucial for companies to manage the use of such tools in a structured manner and to ensure legal compliance. Given the ongoing regulation and the growing practical significance of this field, it is expected that regulatory authorities and legislators will devote even greater attention to this area in the future.

This article was created in collaboration with our student employee Emily Bernklau.

The new requirements, which apply exclusively to the B2C sector and are implemented through a revised version of the UWG, will take effect on September 27, 2026. As things stand, no transition period is planned.

I. Scope of Application of the New UWG Rules

The amendment to the UWG introduces several categories of environmental business practices, each of which is subject to separate regulations.
Specifically, this applies, among other things, to:

• “generic environmental claims” that, due to a lack of specificity in the same medium, pose a particular risk of misleading consumers;
• “sustainability labels,” which in the future must be based on a certification system or be established by the government;
• advertising “future environmental performance,” i. e., statements about environmental performance not yet achieved that are linked to a robust implementation plan;
• product-related statements regarding environmental or climate friendliness through “offsetting of greenhouse gas emissions,” which will be prohibited in the future.

In our HEUKING series, Part 1 dealt with general environmental claims, Part 2 with sustainability labels, Part 3 with future environmental performance, and Part 4 with the offsetting of greenhouse gas emissions. This article examines the consequences for trademarks, business names and corporate logos.

II. Applicability of the New Prohibitions to Protected Signs

The provisions of the EmpCo Directive do not distinguish between whether an advertising claim is protected as a trademark, a business name or a corporate logo (collectively: protected signs). Such advertising claims may now only be used under the prescribed conditions. In the opinion of the European Commission, even the subsequent cancellation of trademarks that violate the Directive should be considered.

1. Protected Signs as “Generic Environmental Claims”

In addition to its distinctive element, a trademark may also contain elements with ecological significance (e. g., eco, green, climate-neutral). Since trademarks are typically short and concise, a more detailed explanation is usually lacking, meaning they may constitute a generic environmental claim, which is only permissible under strict conditions (see ESG Update 1/2026). The overall impression is decisive: the prohibition applies only if the average consumer perceives the trademark as an environmental claim.

In the case of business names and corporate logos, classification as a generic environmental claim is often questionable, as consumers typically perceive them merely as a reference to the company. However, such a classification cannot be ruled out in individual cases.

The trademark user can counteract a classification as a generic environmental claim by providing a clear explanation on the same medium (e. g., product packaging or advertisement). However, the general requirements for permissible advertising practices and the specific provisions of the EmpCo Directive remain applicable.

2. Trademarks as “Sustainability Labels”

Trademarks may also be classified as sustainability labels, particularly if they are intended to indicate specific ecological or social product characteristics.

Typically, such trademarks are registered as certification marks. In the opinion of the European Commission, these should be classified as sustainability labels, meaning their use is permitted only under strict conditions (government designation or certification system) (see ESG Update 2/2026). For regular individual trademarks, the Commission considers this unlikely but not impossible. In the legislative rationale, the German legislature states that regular individual trademarks cannot, in principle, be sustainability labels.

This view is not entirely convincing, as some certification logos have also been registered as regular individual trademarks. Case law will therefore likely decide on a case-by-case basis whether a trademark is to be understood as a sustainability label.

3. Signs as statements regarding “future environmental performance”

The possibility that protected signs might contain statements about future environmental performance is largely theoretical. Such statements are typically not concise enough to qualify as a protected sign. If this is nevertheless the case, their use is permitted only in compliance with the relevant regulations (in particular: implementation plan, external verification) (see ESG Update 3/2026).

4. Protected Signs as Statements on Environmental or Climate Friendliness Through Greenhouse Gas Emission Offsetting

If a protected sign contains a statement regarding environmental or climate friendliness, its permissibility depends on what it is based on. If climate friendliness is to be achieved through the offsetting of greenhouse gas emissions, the statement is absolutely impermissible (see ESG Update 4/2026). In the case of actual reductions, however, the use is not objectionable under this aspect

III. Consequences for the Granting of Protection for New Signs

1. German Trademarks

To the extent that German trademarks are applied for after the provisions of the EmpCo Directive come into force, and their use is clearly inadmissible under the EmpCo Directive, the German Patent and Trademark Office (DPMA) could refuse registration of the trademark in question because this would then constitute an absolute ground for refusal under Section 8(2)(13) of the German Trademark Act (MarkenG).

However, this ground for refusal of registration only applies if it involves a statutory prohibition that prohibits the use of the trademark for the goods and services for which it is to be protected, regardless of the context of the specific use. Whether this is the case with the prohibitions arising from the EmpCo Directive is highly questionable:

The use of a generic environmental claim may (apart from cases where the user can demonstrate recognized excellent environmental performance) also be permissible, for example, by adding explanatory notes during use that transform it into a specific environmental claim. Against this background, a trademark containing a generic environmental claim can hardly be refused registration on this ground, since its use is not impermissible under certain circumstances. Trademarks that can be understood as sustainability labels or contain statements about future environmental performance may be lawfully used if certain conditions set forth in the EmpCo Guidelines are met. Whether these conditions are met is not apparent to the Trademark Office in any case, which is, however, a prerequisite for refusing protection under Section 8(2)(13) of the German Trademark Act (MarkenG). Finally, if the trademark applied for constitutes an indication of environmental or climate friendliness, its use is indeed (absolutely) prohibited under the EmpCo Directive if the environmental or climate friendliness results from greenhouse gas offset measures; however, precisely this circumstance is typically not apparent to the Trademark Office and therefore likely cannot be invoked as grounds for refusing registration either.

The absolute ground for refusal based on the registered trademark’s violation of public policy (Section 8(2)(5) of the German Trademark Act) is also unlikely to apply as a rule. Under German law, this ground for refusal also applies only to cases in which the use of the trademark is impermissible in any event, regardless of its context. Furthermore, this provision covers only violations of regulations that constitute fundamental principles of the legal system; whether this is the case with the provisions of the EmpCo Directive appears, at the very least, questionable.

Overall, therefore, it is unlikely that the restrictive requirements of the EmpCo Directive will lead to a significant change in the trademark registration practice of the German Patent and Trademark Office (DPMA). Regarding the (separately assessable) question of the subsequent cancellation of a trademark already applied for or registered at the time the legal amendment comes into force, see section IV below.

2. EU Trademarks

There is no provision in EU trademark law corresponding to German § 8(2)(13) MarkenG. Rather, the relevant absolute ground for refusal under EU trademark law arises from Art. 7(1)(f) of the EU Trademark Regulation (violation of public policy). Here, too, “public policy” does not encompass every legal regulation, and it therefore appears at least doubtful whether a violation of EmpCo regulations would be sufficient to preclude trademark registration.

However, if a violation of the EmpCo Directive is considered a violation of public policy within the meaning of Article 7(1)(f) of the EUTM Regulation, the application of this ground for refusal under EU trademark law – unlike under German trademark law – is not precluded merely because certain facts necessary for assessing the legal violation are not apparent to the European Union Intellectual Property Office (EUIPO); rather, the EUIPO may, in principle, conduct the necessary supplementary factual investigations ex officio.

Furthermore, under EU trademark law as well, the assessment of whether the ground for refusal applies cannot be based on circumstances accompanying the use of the mark, meaning that a refusal of registration cannot, in any event, be justified solely on the grounds that the applied-for mark contains a generic environmental claim.

3. Business Names and Corporate Logos

Unlike trademarks, protection of business names and corporate logos cannot be achieved through registration but arises rather through their owner’s (authorized) use in the course of trade. If the use of a new business name or corporate logo occurs only after the prohibitive provisions of the EmpCo Directive have entered into force and such use violates these provisions, the use is not “authorized,” and no protection of the corporate signarises.

IV. Consequences for Pre-Existing Protected Signs

It is questionable whether the prohibitions of the EmpCo Directive also apply to protected signs that already existed at the time the legal amendment entered into force (or, in the case of trademarks: had at least already been applied for). The European Commission assumes this is the case and argues, in particular, that the Trademark Directive even provides for the possibility of canceling trademarks whose use violates national and EU law outside the scope of trademark law (see Section 3 of the European Commission’s Q&A on the EmpCo Directive).

However, this argument fails to recognize that the subsequent cancellation due to the existence of absolute grounds for refusal of a trademark that has already been registered is, in principle, only possible if the relevant absolute ground for refusal already existed at the time of the trademark application; subsequent changes after the filing date, on the other hand, do not, in principle, permit trademark cancellation. On the other hand, it must be recognized that ownership of a trademark naturally does not give its owner the right to use the trademark in every conceivable manner, including in a manner that violates legal provisions.

Against this background, there is good reason to believe that, following the entry into force of the prohibitions under the EmpCo Directive, it will be impermissible to use protected signs in a manner that violates these provisions, even if such protected signs already existed prior to the entry into force of the legislative amendment (or, in the case of trademarks: were at least applied for). However, it will likely not be possible to remove trademarks applied for prior to this date from the register solely because their use has become impermissible following the entry into force of the amendments under the EmpCo Directive. Protected business names and corporate logos, on the other hand, could lapse if the corporate sign in question is no longer used in an authorized (i. e., legally compliant) manner, but only in a manner that violates the provisions of the EmpCo Directive or the new provisions incorporated into the German Unfair Competition Act (UWG) for its implementation.

V. What Are the Consequences of Violating the EmpCo Directive?

Violations of the provisions of the EmpCo Directive or the UWG in the version effective as of September 27, 2026, will primarily be pursued by consumer and competition associations as well as eligible competitors. In practice, this may result in particular in costly cease-and-desist letters and, if an out-of-court settlement is not reached, preliminary injunctions and injunctive relief actions.

This is particularly problematic when trademarks are printed on products or their packaging in a manner prohibited by the EmpCo Directive, as this risks rendering the products unsellable. Potential claims for damages and the risk of reputational damage must also be taken into account.

IV. Recommendations for Action and Outlook

The implementing regulations for the EmpCo Directive present companies with significant legal and practical challenges. There is not much time left until the new provisions of the UWG take effect on September 27, 2026. Companies should therefore ensure in a timely manner that, for example, products or product packaging, print advertisements, and websites no longer contain any content prohibited under the EmpCo Directive by this date at the latest. This also applies where statements prohibited under the Directive are contained in a protected sign.

It is to be expected that, once the new legal framework takes effect, consumer protection and competition associations in particular will strictly monitor compliance with the new regulations and consistently pursue violations – typically through costly cease-and-desist letters.

We would be happy to assist you in implementing the new UWG rules in a timely manner and to help you continue to communicate your commitment to sustainability in a legally compliant manner.

All ground handling organisations must, among other things:

• register with the competent supervisory authority in good time;
• review whether their documentation and record-keeping practices meet the new requirements;
• have a ground handling manual that addresses the current requirements in terms of both content and form;
• ensure that their own processes are carried out in accordance with the ground handling manual;
• review their management systems, including: safety management and operational procedures, compliance monitoring, training and ongoing instruction of ground handling personnel and maintenance programme for ground handling equipment;
• review and, where necessary, adapt the reporting system for safety-related occurrences;
• adapt the training and assessment programme for personnel;
• review responsibilities and associated qualifications;
• ensure comprehensive change management including risk assessment;
• integrate subcontractors into the safety management system in accordance with regulations and be able to demonstrate this.

If handlers operate at multiple airports, including cross-border activities, issues at one airport may prompt supervisory authorities to take at other airports as well.

What is changing in the licensing process?

The new regulations do not govern the selection of handlers. However, the new requirements will play a significant role in the future awarding of handling licences. The selecting body will review the extent to which applicants meet or are able to meet the new requirements during the application process. For all parties involved, this will also mean a noticeable increase in effort when preparing and reviewing documentation. In addition, the commencement of ground handling operations must be coordinated with the required notifications to the aviation authority.

Next Steps

The new rules are extensive and, in part, complex. All ground handling service providers should therefore ensure, in a structured manner, that they have the required notifications and systems in place in good time and are able to demonstrate their compliance in the prescribed manner.

Particular challenges exist at airports where the re-tendering of handling licences is imminent: the selecting bodies – and potentially also competitors – will be scrutinising closely whether the new regulations are being observed. We are happy to provide support, drawing on many years of legal experience.

Sources:

• Delegated Regulation (EU) 2025/20
• Delegated Regulation (EU) 2025/21
• Delegated Regulation (EU) 2025/22
• Implementing Regulation (EU) 2025/23
• Implementing Regulation (EU) 2025/24

The new requirements, which apply exclusively in the B2C sector – that is, wherever businesses interact with consumers – and are implemented through a revised version of the Unfair Competition Act (UWG), will take effect on September 27, 2026. As things stand, no transition period is planned, not even for products already on the market.

Anyone who engages in environmental advertising or intends to do so in the future and wishes to continue operating on the market in compliance with the law as of September 27, 2026, should familiarize themselves with the new rules now at the latest and, where necessary, take appropriate measures.

I. Scope of Application of the New UWG Rules

The amendment to the UWG introduces several categories of environmental business practices, each of which is subject to its own set of regulations.
Specifically, this applies, among other things, to:

• “general environmental claims” that, due to a lack of specification within the same medium, pose a particular risk of misleading consumers;
• “sustainability labels,” which in the future must be based on a certification system or be established by the government;
• “future environmental performance,” i. e., statements about environmental performance not yet achieved that are linked to a robust implementation plan;
• product-related claims regarding environmental or climate friendliness through “offsetting of greenhouse gas emissions,” which will be prohibited in the future.

As part of our HEUKING series on the aforementioned practices covered by the EmpCo Directive, Part 1 dealt with “general environmental claims” (available here), Part 2 with “sustainability labels” (available here), and Part 3 with advertising claims regarding “future environmental performance” (available here). This article now focuses specifically on the regulations governing advertising that claims environmental or climate friendliness through the offsetting of greenhouse gas emissions.

II. Advertising environmental or climate friendliness through greenhouse gas emissions offsetting

Increased consumer awareness of climate change and its causes has led many companies to attempt to reduce their greenhouse gas footprint and, naturally, to advertise this fact. As an alternative to the actual reduction of a company’s own greenhouse gas emissions – which is often difficult to achieve in practice – companies may consider implementing measures designed to offset their own greenhouse gas emissions elsewhere. For years now, a specialized market for such offset measures has been developing. Companies can “purchase” offset services from relevant providers, which may involve, for example, planting trees on land specifically acquired for this purpose.

However, such measures are often not very transparent and, upon closer inspection, turn out to be of little climate effectiveness. In the case of many projects marketed for the purpose of greenhouse gas offsetting, it is particularly doubtful whether they actually lead to an additional net reduction in greenhouse gases – such as projects intended to promote the use of renewable energy (which, however, is already the most economical form of energy in most countries, making its increased use likely anyway) or projects intended to reduce deforestation by placing forest areas under protection (which is based on assumptions that are difficult to objectively verify).

Another problem with advertising the alleged climate-friendliness of products is that it often does not make it sufficiently clear to the consumer whether a product advertised in this way caused fewer greenhouse gas emissions during its production (or whether a service advertised in this way has caused fewer greenhouse gas emissions at the time of its provision) or whether these emissions were merely offset by the provider or a third party commissioned by the provider through other measures outside the manufacturing or provision process.

In particular, the latter aspect prompted the EU legislator to include particularly restrictive provisions in the EmpCo Directive regarding advertising that claims a product’s environmental or climate-friendly nature is achieved through the offsetting of greenhouse gas emissions. According to Recital 12 of the Directive, such advertising is to be “prohibited in all circumstances,” which the EU legislator even considers to be “particularly important.”

1. New Provisions in the UWG

The EmpCo Directive provides that environmental advertising of the aforementioned type is prohibited by including it in the “blacklist” of commercial practices that are always prohibited vis-à-vis consumers. The German legislature has therefore, in transposing the EmpCo Directive into German law, decided to add a corresponding provision to the “blacklist” (Annex to Section 3(3) of the UWG), pursuant to the new subparagraph 4.c) of which it will henceforth always be impermissible to advertise to consumers with

“a statement which is based on the offsetting of greenhouse gas emissions and according to which a product has a neutral, reduced, or positive impact on the environment with regard to greenhouse gas emissions.”

2. Examples of affected advertising claims

Recital 12 of the EmpCo Directive lists various examples of advertising claims that will be prohibited in the future, which suggest that the advertised product has a neutral, reduced, or even positive environmental impact in terms of greenhouse gas emissions, namely “climate neutral,” “CO₂ neutral certified,” “carbon positive,” “climate net zero”, “climate compensated,” “reduced climate impact,” or “limited CO₂ footprint.” This list is merely illustrative and not exhaustive; all formulations that, in the understanding of consumers, have a comparable meaning are, of course, equally covered by the prohibition.

According to the wording of the law, it is not necessary for the advertising to also mention the greenhouse gas offset measures for the claim to be prohibited; rather, it is sufficient that the advertised environmental or climate-friendly nature of the product is actually based on such offset measures (and not, for example, on the avoidance of greenhouse gas emissions during the production of the goods or the provision of the service). However, given the generally presumed inadmissibility of using general environmental claims (see our ESG Update 1/2026 on this topic), the use of advertising claims such as “climate neutral” or similar will in the future impose an indirect obligation on the advertising company to provide justification, meaning that such claims cannot be used in isolation in practice anyway. As a general rule, a more detailed justification will need to be provided alongside an advertising claim regarding environmental or climate friendliness. If the advertised environmental or climate friendliness of the product is based (as is so often the case) on greenhouse gas offset measures, it becomes evident that the prerequisites of subparagraph 4.c) of the “blacklist” are met and the advertising is therefore inadmissible.

3. Product Advertising vs. Corporate Advertising

Both the aforementioned Recital No. 12 of the EmpCo Directive and the wording of the new subparagraph 4.c) of the Annex to Section 3(3) of the UWG cited above distinguish between product advertising on the one hand and (non-product-related) image advertising of the advertising company on the other. Product advertising that suggests reduced environmental impact will henceforth always be prohibited vis-à-vis consumers if the reduced environmental impact is achieved through greenhouse gas offset measures. In contrast, it remains possible to promote the advertising company’s commitment to environmental protection in a manner not related to a specific product, including with regard to greenhouse gas offset measures it has implemented. Of course, this representation must meet the general requirements for advertising claims, i. e., it must not be misleading in particular. However, the legislature explicitly does not intend to impose a general ban on image advertising regarding offsetting measures.

4. Tightening of the existing legal framework

Even under the previous legal framework, product advertising that touted environmental or climate-friendly credentials through greenhouse gas offsets was not without its problems. By way of example, reference is made to the decision of the Federal Court of Justice dated June 27, 2024 (Case No.: I ZR 98/23), which concerned the admissibility under competition law of advertising a food product as allegedly “climate neutral.” In fact, the production of the food product (naturally) resulted in greenhouse gas emissions; however, the advertising company had supported climate protection projects through a relevant service provider (namely ClimatePartner), which led to the mathematical offsetting of the greenhouse gas emissions generated during the production of the food product. The Federal Court of Justice (BGH) ruled that advertising the food product as “climate neutral” was misleading, despite the use of the ClimatePartner logo in the advertisement. In the field of environmental advertising (as in the field of health advertising), particularly strict requirements must be imposed on the accuracy, unambiguity, and clarity of advertising claims (the so-called “principle of strictness”), because the risk of misleading consumers is particularly high in these areas and, accordingly, there is an increased need for consumer information. Since the consumer targeted by the advertisement could interpret the promotion of the product as “climate neutral” to mean that the production process itself already takes place without greenhouse gas emissions (which did not correspond to the facts), the consumer is subject to a misconception triggered by the advertisement and is misled in a manner relevant to competition. The ClimatePartner logo used in the advertisement does not rule out this misconception because it was not explained exactly what role ClimatePartner plays in relation to the advertised product; thus, it was conceivable to the consumer, for example, that this was a partner company commissioned by the product manufacturer to install filtration systems in production, assist in establishing climate-friendly manufacturing processes, or supply climate-optimized raw materials. Nor did the Federal Court of Justice (BGH) consider the fact that consumers can learn more about the offset measures offered by ClimatePartner on its website to be sufficient to avoid the risk of misleading consumers, since such information should have already been provided in the product manufacturer’s own advertising.

Even under current law, advertising that highlights a product’s environmental or climate-friendly nature – achieved through greenhouse gas offset measures – is therefore only permissible if the consumer is clearly informed in the advertisement itself that the touted environmental or climate-friendly nature is based on such offset measures and what those measures specifically are. This is the reason why many such advertising campaigns fail to meet the legal requirements even today. Furthermore, it must naturally be the case that the offsetting measure actually reduces greenhouse gases to an extent that makes the advertising claim appear accurate; this, too, represents a significant hurdle.

The EmpCo Directive and its implementation in the German Unfair Competition Act (UWG) further tighten this already restrictive legal framework, rendering such advertising claims in consumer-directed product advertising absolutely impermissible in the future, regardless of whether the claim is likely to mislead or whether such misleading effects could be avoided through explanatory notes.

III. What are the consequences of violating the EmpCo?

Violations of the provisions of the EmpCo Directive or the UWG in its version effective as of September 27, 2026, will primarily be pursued by consumer and competition associations as well as eligible competitors. In practice, this entails the risk of costly cease-and-desist letters and, if an out-of-court settlement is not reached, preliminary injunctions and injunctive relief actions.

This is particularly problematic when the prohibited advertising is printed on products or their packaging, as this risks rendering them unsellable. Potential claims for damages and the risk of reputational damage must also be taken into account.

IV. Recommendations for Action and Outlook

The implementing regulations for the EmpCo Directive present companies with significant legal and practical challenges. There is not much time left before the new provisions of the UWG take effect on September 27, 2026. Companies should therefore ensure in a timely manner that, for example, products or product packaging, print advertisements, and websites no longer contain any impermissible claims regarding the environmental or climate-friendly nature of products – claims that are intended to be substantiated by greenhouse gas offset measures – by this date at the latest.

It is to be expected that, once the new legal framework takes effect, consumer protection and competition associations in particular will strictly monitor compliance with the new regulations and consistently pursue violations – typically through costly cease-and-desist letters.

However, the legal change does not affect (non-product-related) image advertising by companies promoting their commitment to climate protection, which may also consist of supporting greenhouse gas offset measures. This type of advertising will not be prohibited per se in the future. However, as has been the case up to now, the strict requirements regarding the accuracy, unambiguity, and clarity of environmental advertising claims must still be observed to prevent such advertising from being prohibited as misleading.

We are happy to assist you in implementing the new UWG rules in a timely manner and will continue to help you communicate your commitment to sustainability in a legally compliant manner.

I. Areas of AI Application

Artificial intelligence is increasingly being used in human resources throughout the entire employee lifecycle, encompassing both strategic and operational HR processes. The spectrum ranges from supportive tools to systems that prepare or significantly influence decisions.

Recruiting is a key area of focus. Here, AI systems are used in particular for the automated pre-screening of applications, for matching candidate profiles with job requirements, and for communicating with applicants, for example via chatbots. The analysis of resumes and the structured evaluation of interviews are also increasingly being carried out with AI support.

Furthermore, AI is applied in onboarding and employee development, for example through the creation of individualized onboarding plans or personalized learning and training opportunities. In the areas of performance management and employee retention, AI systems are used to evaluate performance data, identify development potential, or predict turnover risks. The employer’s managerial authority is also likely to be increasingly supported by AI in the future – whether in the allocation of work or the scheduling of shifts or departmental plans.

Finally, AI is also playing a growing role in HR administration, for example in the automated processing of employee inquiries, the creation of documents, or the analysis of HR data.

II. Requirements of the AI Regulation

1. High-Risk AI

The AI Regulation follows a risk-based regulatory approach. The scope of the legal requirements is determined by the classification of an AI system into one of the risk categories provided for in the Regulation. While systems with low or minimal risk are subject only to limited transparency obligations, the Regulation imposes comprehensive requirements on high-risk AI, particularly with regard to risk management, data quality, documentation, and human oversight. Systems with unacceptable risk, on the other hand, are generally prohibited.

For the HR sector, it is of central importance that numerous typical use cases are classified as high-risk AI. Pursuant to Article 6(2) in conjunction with Annex III of the AI Regulation, this specifically covers AI systems used in connection with employment, human resources management, and access to employment. This primarily includes applications in recruitment, such as for the automated pre-selection and evaluation of applicants, as well as systems that prepare or influence decisions regarding hiring, promotion, or termination of employment. The same applies to AI-supported systems for performance evaluation or for assigning tasks based on individual behavioral or performance data. In these areas, there is a particular risk to the rights and freedoms of data subjects, which is why the regulator provides for classification as high-risk AI.

In contrast, not all AI applications used in HR must necessarily be classified as high-risk AI. In particular, support systems in HR administration or in standardized, purely technical processing steps may fall below the high-risk threshold, provided they do not independently evaluate or make decisions regarding individuals or significantly influence such evaluations or decisions. This applies, for example, to simple automations in document creation or AI-supported tools for internal process optimization that do not involve personal data.

The exemption provided for in Article 6(3) of the AI Regulation is also of particular practical relevance. According to this provision, AI systems that generally fall within the application areas listed in Annex III are, in exceptional cases, not considered high-risk AI if they do not pose a significant risk to the health, safety, or fundamental rights of natural persons and, in particular, do not substantially influence decision-making. This may be the case, for example, with AI systems that merely perform a narrowly limited, supportive function, such as the purely formal structuring or sorting of application documents without evaluating their content – but not if the use of AI results in applicants being excluded from consideration from the outset. Systems that merely provide preparatory information without conducting an independent evaluation or significantly influencing the decision may also fall under this exception.

However, distinguishing between cases is challenging and requires a careful analysis of the specific function of the respective AI system within the HR process. A key factor here is whether the system merely supports the decision regarding an individual or whether it effectively dictates or significantly pre-structures it. Particularly in recruiting and in performance- and behavior-related evaluations, the threshold for high-risk AI is therefore regularly crossed.

2. Obligations for Operators of High-Risk AI

Companies that use AI systems in the HR sector are generally classified as operators within the meaning of the AI Regulation. Article 26 of the AI Regulation attaches a separate, comprehensive system of obligations to this operator status.

Central to this is the obligation to implement appropriate technical and organizational measures to ensure that the high-risk AI system is used in accordance with its intended purpose and the specifications in the operating instructions. In addition, the use of the system must be subject to effective human oversight. This oversight must be carried out by sufficiently qualified and trained individuals who are capable of understanding the system’s functioning and results and intervening to correct them if necessary.

Another key focus is on ensuring data quality. To the extent that the input data is subject to the operator’s control, it must be ensured that it is suitable, relevant, and sufficiently representative for the intended purpose. This aspect is particularly important in the HR context, such as in applicant selection or performance evaluation, as erroneous or distorted data can directly lead to discriminatory or factually inaccurate results.

In addition, there are ongoing monitoring and response obligations during the operation of the AI system. Operators must monitor the system’s functioning and are obligated to immediately report any risks, malfunctions, or serious incidents to the provider and the competent authorities and, if necessary, suspend use of the system. This is accompanied by documentation obligations, in particular the obligation to retain automatically generated logs for a reasonable period of time, typically at least six months.

Finally, transparency obligations toward employees are of particular relevance to the HR sector. Employers are required to inform employee representatives and the affected employees about the use of a high-risk AI system before its introduction or use in the workplace. Furthermore, affected individuals must be informed if an AI system makes decisions about them or significantly supports such decisions.

III. Data Protection Aspects

The use of AI systems in the HR sector regularly involves the processing of personal data and is therefore subject to the provisions of the GDPR with virtually no exceptions. In this regard, the AI Regulation does not create a separate legal framework for data processing but rather supplements existing data protection requirements. Companies must therefore ensure that there is a sound legal basis for every form of AI use in HR and that the principles of purpose limitation and data minimization are upheld.

Particular challenges arise as early as the training and implementation phase of AI systems. Existing personnel data is often used for training purposes without having been originally collected or processed for this purpose, which raises questions regarding a change of purpose and permissibility under Article 6 of the GDPR. Compliance with transparency obligations toward applicants and employees can also prove difficult in practice, particularly with complex or opaque (“black box”) systems.

Article 22 of the GDPR is also of central importance, as it grants data subjects the right not to be subject solely to an automated decision that produces legal effects or similarly significantly affects them. Particularly in recruiting, in performance-based evaluations, or in connection with the employer’s managerial authority, it must therefore be ensured that AI systems, at most, prepare decisions, but that the final decision is made by a natural person. It should be noted that even AI recommendations that effectively influence outcomes can pose problems under data protection law.

In addition, further data protection requirements must be observed, in particular the conduct of a data protection impact assessment for high-risk applications, the safeguarding of data subjects’ rights, and – when using cloud-based AI services – compliance with the requirements for transfers to third countries.

IV. Recommendations for Companies

Companies should first create a structured AI inventory in the HR sector and systematically record all AI applications currently in use and those planned. On this basis, a legal classification under the AI Regulation must be performed for each system, particularly with regard to a possible classification as high-risk AI. This inventory forms the basis for all further compliance measures and should be updated regularly.

Building on this, it is recommended to implement clear human-in-the-loop structures in HR. Specifically, this means that AI systems – particularly in recruiting or performance evaluations – must not be allowed to make autonomous decisions, but must always be subject to review and override by qualified HR staff. This requires not only organizational guidelines but also appropriate training for the relevant employees to critically assess the AI’s results.

Another key step is the early involvement of the works council and the creation of transparent regulations. The introduction of AI systems in human resources is almost always subject to the works council’s right of co-determination. Ideally, therefore, a framework works agreement on the use of AI should be concluded. In parallel, an internal AI policy should be established that specifically regulates the permissible use of AI in HR, for example regarding the handling of applicant data or the use of external AI tools.

Finally, companies should make targeted investments in data quality and testing. Before productive use, it must be verified whether the data used is representative and free of systematic biases. Additionally, AI systems should be regularly tested using specific HR use cases, such as through spot checks in the recruiting process, to identify and correct discriminatory or factually incorrect results at an early stage.

V. Conclusion and Outlook

The use of AI in HR offers significant potential for efficiency and optimization, but is subject to complex legal requirements. In particular, the classification of many HR applications as high-risk AI leads to extensive obligations under the AI Regulation, which in practice are closely intertwined with the provisions of the GDPR. Companies are therefore required to systematically document the use of AI in human resources at an early stage and ensure legal compliance.

With regard to the implementation of the AI Regulation, current regulatory developments are also gaining further momentum. As part of the so-called “AI Omnibus,” discussions at the European level are focusing in particular on adjustments and clarifications regarding implementation deadlines, which is also significant for high-risk AI systems in HR. Regardless of potential exemptions or delays, however, it is already clear that companies must establish the necessary organizational and technical prerequisites to meet future requirements. The legally compliant use of AI is thus increasingly becoming an ongoing compliance task – not only in the HR sector.

This article was created in collaboration with our student employee Emily Bernklau.

The focus here is less on the specific sample and more on a fundamental question of copyright law: When is creative reference permissible – and when does it cross the line into use requiring consent?

The Core Issue: Creative Reference and Copyright Protection

Sampling, remixes, memes, and mashups make it clear how much artistic and communicative creation thrives on engagement with existing works. At the same time, copyright law grants authors and holders of related rights comprehensive exclusive exploitation rights. Any recognizable incorporation of protected elements therefore generally constitutes an infringement.

It would be unrealistic to limit modern forms of art and communication solely to completely original material. Especially in digital culture, creative value often lies in transformation, a shift in context, or deliberate recognition. This is where the concept of pastiche comes in. It describes uses that do not aim merely to adopt third-party content, but rather to engage in a recognizable creative dialogue with an existing work.

A pastiche can take various forms: it can appear to be inspired by or appreciative of the original, such as a stylistic homage, but – unlike caricature or parody – it need not be humorous or critical. The decisive factor is that the original work does not merely serve as a source of material, but as a point of reference for a distinct creative statement. Typical examples include altered film scenes in memes or texts that incorporate characteristic motifs of well-known authors and recontextualize them. The original remains recognizable but is placed in a new context.

Conversely, uses in which third-party works are merely appropriated to replace one’s own creative output or to capitalize on the original’s fame are not covered. The line is not drawn based on quantitative criteria such as length or scope, but is determined by whether the new work appears as an independent creative engagement.

How did the decision come about?

The legal dispute between Kraftwerk and Moses Pelham began in the late 1990s with a lawsuit filed in the Hamburg Regional Court. In 1997, Pelham had taken a roughly two-second rhythm sample from the Kraftwerk track “Metall auf Metall” for Sabrina Setlur’s song “Nur mir,” slightly altered it, and used it as a continuous loop. Kraftwerk viewed this as an infringement of their neighboring rights in the sound recording.

In the years that followed, the case went through the courts several times. After the European Court of Justice (ECJ) clarified in 2019 that the then-existing German regulation on “free use” was contrary to EU law, the Federal Court of Justice (BGH) ruled in 2020 that the sampling constituted an infringement of rights, at least for the period from 2002 to 2021.

The case took a new turn with the introduction of Section 51a of the German Copyright Act (UrhG) in 2021, which for the first time explicitly provides for an exception for caricature, parody, and pastiche. Since the legal dispute was still pending, it now had to be examined whether the sampling could be permissible under the new legal situation. The Higher Regional Court of Hamburg affirmed this and classified the use as a pastiche. The Federal Court of Justice (BGH) subsequently stayed the proceedings and referred the question of how the EU-law concept of pastiche is to be interpreted to the European Court of Justice (ECJ).

The ECJ’s Decision

The ECJ clarified that the concept of pastiche must be interpreted autonomously under EU law and should not be understood narrowly. It encompasses creations that evoke existing works but exhibit perceptible differences and use protected elements to engage in a recognizable artistic or creative dialogue with the original. This dialogue may consist, for example, of a stylistic reference, an homage, or even a critical engagement; a humorous intent is not required.

Of particular practical significance is that, for a use “for the purposes of a pastiche,” the user’s subjective intent is irrelevant. It is sufficient that the pastiche character is objectively recognizable to an audience familiar with the referenced work. The Court thus focuses on the effect of the new work and refrains from examining internal motives.

Significance for the case at hand and beyond

With this interpretation, the ECJ significantly lowers the thresholds for applying the pastiche exception. Sampling may also be permissible in principle, provided it is part of a recognizable creative engagement. However, determining where the line into impermissible appropriation is crossed in individual cases remains subject to the discretion of national courts.

For the Kraftwerk v. Pelham case, this means that the Federal Court of Justice must now conclusively determine whether the specific sampling in question qualifies as a pastiche since the entry into force of Section 51a of the German Copyright Act (UrhG). Regardless of the outcome, however, this is a decision of considerable significance for artistic practice and digital culture.

I. Background: Digital Sovereignty from a Corporate Perspective

From a corporate perspective, digital sovereignty describes the ability to operate and control digital infrastructures, data, and applications independently, securely, and in accordance with the applicable legal framework. At its core, the goal is to limit dependencies on individual providers, non-European legal systems, and opaque technology stacks, while maintaining actual control and access sovereignty.

The topic is particularly relevant for companies with extensive cloud usage, international data processing, or AI-supported business models, as well as for operators of critical infrastructure and companies in highly regulated industries (such as the financial sector, healthcare, or energy). Export-oriented companies and corporations with global IT structures are also increasingly confronted with requirements arising from differing legal systems and access regimes, such as the tension between European data protection law and non-European access powers.

The current situation is characterized by increasing regulatory complexity coupled with ongoing legal uncertainties (as we reported in Data Protection Update No. 237). Instruments such as the EU-US Data Privacy Framework, standard contractual clauses, or sector-specific security requirements address individual aspects but do not offer a definitive solution to the question of comprehensive digital sovereignty. Companies therefore face the challenge of translating fragmented requirements into a consistent governance and risk management framework, even though uniform assessment criteria have not yet been established for this purpose

II. European Standards: Cloud Sovereignty Framework

At the European level, the European Commission has developed the Cloud Sovereignty Framework, a structured reference framework for assessing digital sovereignty in the cloud context. The goal is to supplement existing security requirements with specific sovereignty criteria, thereby providing, for the first time, a systematic assessment model for cloud services. The framework builds on existing initiatives and regulatory regimes such as NIS-2, DORA, and Gaia-X, integrating them into a unified assessment model.

At the core of the approach are eight dimensions of sovereignty that address different levels of corporate control, including, in particular, legal and jurisdictional integration, data and AI sovereignty, operational independence, as well as supply chain and technology sovereignty. As the overview on page 3 of the framework shows, this is based on a comprehensive understanding of sovereignty that goes well beyond classic data protection and security aspects and, in particular, also takes dependencies in the value chain into account.

Methodologically, the framework combines minimum requirements with a differentiated evaluation system: so-called “Sovereignty Effectiveness Assurance Levels” (SEAL) define minimum standards that a cloud provider must meet to be considered at all. In addition, a “Sovereignty Score” is calculated, which enables a comparative ranking of different providers and serves as an award criterion, particularly in procurement processes.

Even though the Cloud Sovereignty Framework does not yet constitute a directly binding legal framework, there are already signs that it will gain significance as a de facto standard for public procurement and, in the future, for regulated industries as well. For companies, this creates a benchmark against which their own cloud and IT strategies must increasingly be measured.

This is also evident in the European Commission’s current procurement practices. As part of a large-scale procurement process (up to 180 million euros over six years), several European providers – including StackIT, Scaleway, OVHcloud consortia, and Proximus with partners – were selected to provide sovereign cloud services. The selection was based on the Cloud Sovereignty Framework and was deliberately aimed at diversification and limiting non-European influence.

III. Additional Assessment Approaches for Digital Sovereignty

In addition to the Cloud Sovereignty Framework, other models are currently emerging that seek to make digital sovereignty measurable and comparable. These approaches share the common goal of translating a concept that has thus far been heavily politicized into concrete, verifiable criteria, but differ in methodology, scope, and level of detail.

1. ES³ Model by Schwarz Digits

In mid-April 2026, Schwarz Digits introduced the “European Sovereign Stack Standard” (ES³), a practice-oriented maturity model for assessing the digital sovereignty of IT services. The starting point is the observation that, to date, there has been a lack of uniform and actionable criteria to reliably assess sovereignty in a corporate context and make providers comparable.

The model is based on a multi-level maturity approach (“Sovereignty Maturity Levels”), which classifies IT services into four levels – ranging from basic requirements (“Basic”) to fully sovereign, future-proof solutions (“Future-Proof”). The assessment is based on a comprehensive catalog of criteria with over 100 individual requirements that reflect various dimensions of digital sovereignty.

In terms of content, the ES³ model is closely aligned with the European Cloud Sovereignty Framework, but expands upon it with additional distinctions and greater operationalization. Of particular note is the independent consideration of artificial intelligence as a separate dimension of sovereignty, whereas in the European model it is classified merely as part of data sovereignty.

The practical value of the ES³ model lies primarily in its practical applicability: In the future, cloud and IT services – for example, within the Stackit Cloud environment – are to be classified using the model to provide companies with a robust basis for procurement decisions. As a result, the model is evolving into a potential market standard that goes beyond purely regulatory requirements and could gain particular significance for vendor evaluation in the private sector.

Nevertheless, it must be noted that this is a business-driven initiative whose acceptance will depend largely on the extent to which the model establishes itself as a cross-industry reference framework and can be reconciled with existing regulatory requirements.

2. Criteria Catalog of the Center for Digital Sovereignty (ZenDiS)

The Center for Digital Sovereignty in Public Administration (ZenDiS) takes a more organization-focused approach with its set of criteria, which evaluates digital sovereignty not only at the level of individual services but also holistically at the organizational and IT levels. The starting point is strategic goals such as the ability to switch providers, flexibility in design, and influence over providers, which are translated into concrete evaluation criteria and assigned to four categories: organization, applications, data, and operations.

This approach makes it clear that digital sovereignty depends significantly on governance, procurement, and technical flexibility and cannot be reduced to individual technologies. This is supplemented by a risk-based application of the criteria, which is guided by factors such as data criticality and dependencies, thereby enabling a flexible assessment

IV. Recommendations for Action for Companies

Against this backdrop, companies should not view digital sovereignty merely as an abstract guiding principle, but rather translate it into concrete measures and systematically integrate it into their IT, procurement, and compliance processes. The following starting points are particularly relevant:

• Carefully review cloud and IT contracts for access provisions and jurisdiction: Contracts with cloud and SaaS providers should be systematically reviewed to determine whether non-European access provisions exist (e. g., based on the U.S. CLOUD Act). In particular, it must be clarified where data is processed, who has access, and which technical and contractual safeguards (e. g., encryption, customer-managed keys, audit rights) are actually in place.
• Practically secure exit strategies and provider changes: Companies should not merely rely on “portability” in the abstract, but rather define and test concrete exit scenarios. This includes standardized data formats, documented migration processes, and contractually guaranteed support services from the provider in the event of a switch or a return to in-house operations.
• Make dependencies along the IT and supply chain transparent: It is advisable to conduct a structured analysis of one’s own IT landscape to systematically identify dependencies on individual providers, proprietary technologies, or non-European supply chains. In addition to software, this includes underlying infrastructure, support services, and third-party components in use.
• Integrate sovereignty criteria into procurement and governance processes: When selecting new IT and cloud solutions, criteria such as data location, provider structure, openness of interfaces, or exit capability should be mandatorily integrated into tenders and decision-making processes. In addition, it is recommended to embed corresponding requirements in internal guidelines and to assign clear responsibilities within the IT and compliance departments.

V. Outlook and Conclusion

Digital sovereignty is increasingly evolving from a political guiding principle into a concrete benchmark for IT strategies, procurement decisions, and compliance structures. With initiatives at the European and national levels, as well as market-based evaluation models, the first outlines of uniform standards are emerging, even if final harmonization has yet to be achieved. Companies are therefore advised to integrate relevant requirements into their governance and IT structures at an early stage to minimize regulatory risks and secure strategic flexibility.

Against this backdrop, the topic will also be the focus of our event “Digital Sovereignty – How Companies Strategically Use Data, Artificial Intelligence, and the Cloud” in Hamburg on April 21, 2026, where legal, technical, and strategic perspectives will be examined from a practical standpoint.

This article was created in collaboration with our student employee Emily Bernklau.

The decision is significant in practice because it separates the data protection right of access under Article 15 GDPR from civil law claims enforcement models. The BGH does not treat the right of access as a generally available instrument for preparing pecuniary claims but ties its assertion closely to the actual ownership of the claim and the respective authority to conduct the proceedings. The judgment thus sets important limits, particularly for legal tech models, debt collection constellations, and mass claims in the insurance sector.

Facts

The claimant is a stock corporation based in Switzerland whose business model consists of having consumers assign to it, by way of claims purchases, claims against their contractual counterparties so that it can assert them in its own name. In the present dispute, it asserted claims belonging to six policyholders who held private health insurance and private long-term care insurance with the defendant insurer. In 2021, the claimant entered into agreements with those policyholders under which reimbursement claims and damages claims arising from allegedly excessive premiums were to be assigned. At the same time, the agreements provided for authorisations to assert rights of access and data portability claims.

By way of a staged action, the claimant sought, for various years in the period from 2010 to 2018, information on premium income, active tariffs, and premium increases in order, on that basis, to obtain findings that certain premium adjustments were ineffective and to quantify repayment claims. The Regional Court dismissed part of the claims as inadmissible and another part as unfounded. The Higher Regional Court of Hamm dismissed the appeal. In the appeal on points of law, the claimant pursued its claims only insofar as they concerned information under Article 15 GDPR.

The Core Issues of the Proceedings

At its core, the BGH had to decide three questions. First, whether the policyholders had effectively assigned their rights under Article 15 GDPR to the claimant at all. Second, whether the data protection right of access had in any event passed to the claimant, by analogy to section 401 BGB, as an ancillary right together with the assigned reimbursement and damages claims. Third, whether the claimant could at least assert the rights of access in its own name by way of an authorised procedural standing arrangement.

Key Findings of the BGH

No transfer based on the agreed assignment

The BGH first denied, already at the level of contractual interpretation, that rights of access under Article 15 GDPR had passed to the claimant. According to the wording of the assignment agreements, only “reimbursement claims and damages claims” were covered. By contrast, “rights of access and data portability claims” were not assigned but were merely mentioned separately for the purpose of their assertion. The Senate therefore made clear that the agreements could not be construed as showing that the policyholders had intended to transfer their rights under Article 15 GDPR to the claimant as well.

Article 15 GDPR is not a mere ancillary right within the meaning of section 401 BGB

Of practical relevance is the Senate’s further finding that the right of access under Article 15 GDPR also does not pass, by analogy to section 401 BGB, together with the assigned principal claims. According to existing case law, ancillary rights such as rights to information or to an account may pass together with a claim where they serve the enforcement of the principal claim. However, that is precisely not how the BGH understands Article 15 GDPR. According to the judgment, the right was not created to prepare or quantify pecuniary claims, but rather to enable the data subject to become aware of the processing of his or her data and to verify the lawfulness of that processing. In this way, the Senate expressly distinguishes the data protection right of access from classic accessory ancillary rights.

No ruling on the general transferability of Article 15 GDPR

It is equally noteworthy what the BGH did not decide. The Senate expressly stated that the question raised by the appellate court, namely whether claims under Article 15 GDPR are generally transferable, did not arise in the present case. The reason is that, under the specific agreement, no assignment had already occurred. The frequently debated fundamental question of the general transferability of the right of access therefore remains open.

Authorised procedural standing fails because of the specific contractual structure

Nor could the claimant assert the right of access in its own name in the alternative. The BGH classified the issue of authorised procedural standing as a procedural requirement and examined the claimant’s authority to conduct the proceedings independently under German procedural law. In the end, however, the claimant failed because the specific agreement did not contain a sufficiently clear authorisation to assert third-party rights of access in its own name. According to the wording and structure of the contractual clauses, the auxiliary authorisation for the “enforcement of the above-mentioned claims in one’s own name” related only to reimbursement and damages claims, but not to rights of access and data portability claims. In addition, in the Senate’s view, it remained unclear when the scenario envisaged as “purely auxiliary” was supposed to arise at all. To that extent, the action was already inadmissible.

Implications for Practice

The decision is important for companies, first, because it places limits on claims purchase and debt collection models in the data protection context. The BGH prevents Article 15 GDPR from readily becoming an annex-like information-gathering instrument for third parties who have purchased pecuniary claims. In future, controllers will be able to argue, with good reason, that the assignment of repayment or damages claims does not automatically entail an independent standing to assert Article 15 GDPR.

The decision is equally important for the doctrinal classification of the right of access. The BGH does not understand Article 15 GDPR merely in functional terms as a preliminary step in the enforcement of other claims but instead maintains the autonomous data protection purpose of this transparency and control right. From a corporate perspective, this is ambivalent. On the one hand, the judgment limits the usability of Article 15 GDPR in claims purchase models. On the other hand, it also reinforces the autonomous character of the right of access as a data subject right. Companies should therefore not misconstrue the decision as meaning that economically motivated access requests are generally excluded. The Senate rules only on ownership of the claim and authority to conduct proceedings in the specific third-party model before it.

The judgment is particularly relevant for the insurance industry and other sectors characterised by standardised mass business. It concerns constellations in which third parties attempt to combine data protection rights of access with civil law repayment or damages models to prepare mass proceedings more efficiently. In this respect, the BGH provides procedural and substantive legal clarity in favour of controllers, at least where the specific contractual structure does not provide a reliable basis for a transfer of the right or for procedural standing.

What Companies Should Do Now

1. Carefully review standing and the legal basis of the claim

Where companies receive access requests from legal tech providers, debt collection service providers, or claims purchasers, they should in future examine more closely on which legal position the request is based. A distinction must be drawn between the sender’s own claim, a mere authorisation to act in the name of the data subject, and an alleged assertion of a third party’s right in the sender’s own name. The judgment shows that these distinctions may be decisive in the proceedings.

2. Assess contractual structure and authority not only formally, but systematically

The BGH based its decision to a significant extent on the wording and systematic structure of the contractual clauses used. Companies should therefore not stop at labels when reviewing assignment agreements and powers of attorney submitted to them but should carefully analyse which claims are actually covered and how the individual clauses relate to one another.

3. Do not overextend the judgment

The decision does not mean that Article 15 GDPR may in future be asserted only personally and never with the assistance of third parties. The BGH expressly left open the general transferability of the right of access. Nor did it decide that procedural standing is generally excluded in data protection law. Companies should therefore apply the judgment specifically to constellations involving comparable contractual arrangements and comparable claims purchase models.

Conclusion

With VI ZR 430/24, the BGH places clear limits on attempts to reinterpret data protection rights of access, via claims purchase models, as economically exploitable ancillary rights. The Senate clearly separates Article 15 GDPR from the assigned reimbursement and damages claims and rejects a transfer by analogy to section 401 BGB. At the same time, the decision shows that even an authorised procedural standing arrangement is not established merely by broadly worded standard clauses but requires a precise and sufficiently robust legal basis for authorisation. For companies, the judgment is therefore an important signal. Article 15 GDPR remains a strong data subject right, but it cannot readily be transformed into a general instrument of commercial claims enforcement.

As part of our HEUKING series on the changes introduced by the EmpCo Directive, Part 1 addressed general environmental claims and Part 2 addressed future requirements for sustainability labels. This article now focuses on the regulations regarding claims about future environmental performance.

I. Subject Matter and Background of the Regulation

Environmental claims, particularly climate-related claims, increasingly refer to future performance in the form of a transition to CO2 or climate neutrality or a similar goal by a specific date. Through such claims, businesses create the impression that consumers contribute to a low-carbon economy by purchasing their products. Typical examples include statements such as “We will be climate-neutral by 2030” or “Our company aims to be net-zero by 2035.” Since these promises can have a significant influence on consumers’ purchasing decisions, European lawmakers see a particular need for regulation.

To this end, the EmpCo Directive inserts a new subparagraph (d) into Article 6(2) of the Unfair Commercial Practices Directive (UCP Directive). Accordingly, making an environmental claim regarding future environmental performance without meeting certain conditions is prohibited as a misleading commercial practice following a case-by-case assessment.

II. The Requirements in Detail

Under the new rules, a statement regarding future environmental performance is permissible only if it is supported by clear, objective, publicly available, and verifiable commitments set out in a detailed and realistic implementation plan. Specifically, the following conditions must be cumulatively met:

1. Clear, objective, and verifiable commitments and targets

The commitments and targets underlying the environmental claim must be clearly formulated, objectively verifiable, and publicly accessible. Vague declarations of intent without concrete content do not meet these requirements. The commitments must include measurable and time-bound targets. This means that both the targeted reduction goals and the timeframes within which these goals are to be achieved must be specifically stated.

2. Detailed and realistic implementation plan

The commitments and targets must be included in a detailed and realistic implementation plan that sets out how the targets are to be achieved. The implementation plan must also include other relevant elements necessary to support its implementation, such as, in particular, the allocation of resources. According to the recitals of the EmpCo Directive, the implementation plan should, in accordance with Union law, include, where applicable, all relevant aspects necessary for fulfilling the obligations, such as financial resources and technological developments.

Consequently, the measures and milestones outlined must be genuinely suitable and feasible – mere declarations of intent without substantial backing are insufficient. In practice, this means that when making statements about future environmental performance, companies must present a robust and transparent plan that clearly indicates the specific means by which the set goals are to be achieved.

The EmpCo Directive does not require that the implementation plan be presented on the same medium as the environmental statement itself. In the opinion of the European Commission, it is sufficient if the statement directs consumers to where the information can be accessed – for example, via a QR code that links to the implementation plan on the company’s website.

3. Regular review by an independent external expert

The implementation plan and progress toward achieving the targets must be regularly reviewed by an independent external expert. According to the recitals of the EmpCo Directive, this expert must be independent of the business operator and must not be subject to conflicts of interest. Additionally, they must possess experience and expertise in environmental matters.

In its Q&A on the Directive, the European Commission has clarified that the Directive does not specify whether the expert must be a public body or a private entity. In practice, therefore, private auditors or consulting firms may also assume this role. The key requirement is that the expert be capable of assessing the business operator’s progress regarding obligations and targets in a credible, objective, and regular manner. The Directive does not prescribe a specific audit methodology.

Regarding the frequency of reviews, the Directive merely uses the term “regularly” without specifying a concrete time interval. In the Commission’s view, best practices suggest annual or biennial reviews, although additional reviews may be warranted if significant changes occur.

4. Publication of Results

The results of the regular reviews conducted by the external expert must be made available to consumers. However, the Directive does not prescribe any specific means of making the information accessible. Various options are therefore available, as long as consumers can easily access the information – for example, via a QR code on the product packaging or marketing materials that links to the results on the company’s website.

III. Case-by-Case Assessment Instead of a Per Se Ban

Unlike, for example, general environmental claims, which are per se prohibited under certain conditions and appear on the so-called “blacklist,” claims regarding future environmental performance are not subject to an absolute ban. Rather, they must be assessed on a case-by-case basis, whereby it must ultimately be demonstrated that the contested practice causes or is likely to cause the average consumer to make a business decision that they would not otherwise have made.

In practice, this means that the absence of one of the above-mentioned elements – such as a robust implementation plan or an independent review—does not automatically render the practice inadmissible, but constitutes strong evidence of a misleading commercial practice that may be prohibited in the specific case.

IV. Interaction with Other Provisions of the EmpCo Directive

Claims regarding future environmental performance may also conflict with other provisions of the EmpCo Directive in specific cases. For example, statements based on the offsetting of greenhouse gas emissions and claiming that a product has a neutral, reduced, or positive impact on the environment with regard to greenhouse gas emissions are always inadmissible at the product level. This prohibition is on the blacklist and therefore applies – unlike statements regarding future environmental performance – without a case-by-case review.

The European Commission has clarified in its Q&A that company-level claims regarding the transition to climate or carbon neutrality, as claims about future environmental performance, are subject to the relevant requirements. At the same time, the Commission emphasizes that this ban does not prevent companies from promoting their investments in environmental initiatives, provided the information is not misleading and meets the requirements of EU law.

V. What are the consequences of violations?

Violations of the provisions of the EmpCo Directive or the version of the UWG effective as of September 27, 2026, will primarily be pursued by consumer and competition associations as well as eligible competitors. In practice, this may result in costly cease-and-desist letters and, if an out-of-court settlement is not reached, preliminary injunctions and injunctive relief. Potential claims for damages and the risk of reputational damage are also conceivable.

VI. Recommendations for Action and Outlook

The effective date of the UWG amendment on September 27, 2026, is drawing nearer. Companies that advertise with statements about future environmental performance or intend to do so should promptly review their communications to ensure they meet the requirements for statements regarding future environmental performance.

To this end, all existing future-oriented environmental claims – whether on product packaging, in advertising campaigns, on company websites, or on social media – should be identified and documented. Each individual claim must then be reviewed to determine whether a detailed and realistic implementation plan with measurable and time-bound targets exists and whether a corresponding allocation of resources has been outlined. If such a plan does not yet exist, it must be created. Furthermore, steps should be taken early on to engage an independent external expert to regularly review the implementation plan. Finally, it must be ensured that the results of these reviews are made available to consumers in an easily accessible format.

Since no transition period is provided for products already on the market, existing products must also comply with the new requirements as of the effective date. It is to be expected that, once the new legal provisions take effect, consumer protection and competition associations in particular will strictly monitor compliance with the new regulations and consistently pursue violations.

We would be happy to assist you in implementing the new UWG rules in a timely manner.

In upcoming posts, we will take a closer look at other aspects of the EmpCo guidelines, particularly the implications of the ban on CO2 offset claims and the consequences for brands and corporate logos.

Competencies Remain

Following the Bundestag’s decision, the Federal Network Agency ("Bundesnetzagentur") remains – unsurprisingly – the central authority responsible for overseeing the implementation of the Data Act in Germany.

Despite opposition from the Bundesrat, the special jurisdiction of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) will be retained. Accordingly, the BfDI has sole jurisdiction over the supervision of the application of the Data Act with regard to the protection of personal data when processed by non-public bodies. In addition, the state data protection authorities retain jurisdiction over processing by the data recipient. In its statement, the Bundesrat therefore warned against dual oversight and the associated risk of parallel proceedings, as well as potentially divergent assessments by different authorities and courts. Common fundamental issues – such as the classification of the information in question as personal data – could be assessed differently by the BfDI when evaluating a data usage request than by the state authority within the scope of its ongoing data protection oversight. In light of these potential divergences, no adjustments were made to the draft. Whether this will ensure the legal clarity and certainty promised by the federal government regarding the application of the Data Regulation remains to be seen, particularly given the difficulties in distinguishing between the Data Act and data protection.

Sanctions: Lower Fines Than Originally Planned

The adopted draft of the Data Act Implementation Act conclusively regulates the sanctions for violations of the Data Act and the Data Act Implementation Act.

With a maximum limit of EUR 500,000, the penalty payments are significantly lower than in the draft bill, which previously provided for penalty payments of up to EUR 10,000,000.

A tiered system is in place for determining the amount of fines: a maximum limit of EUR 50,000 applies to minor violations, EUR 100,000 to moderate violations, and EUR 500,000 to serious violations. A serious violation occurs, for example, when connected products are not designed in such a way that the data they generate or record is accessible to the user. If a user is prevented from sharing received data, this may constitute a moderate violation. A violation of the obligation to provide evidence in the event of a refusal to share data is considered minor.

Furthermore, the maximum limits may be exceeded if economic benefits were derived from the sanctioned violation.

Overall, the sanctions have been made more lenient than originally planned. The adjustment is intended, in particular, to prevent an undue burden on SMEs and to ensure proportionality. It can be assumed that this approach is designed in line with the objectives of the Digital Omnibus.

Outlook

With the Bundestag’s resolution, the groundwork has now been laid for sanctioning violations of the Data Act (and the Data Act Implementation Act). Companies are therefore well advised to use the remaining time until the national implementing regulations take effect to adapt existing processes to the new requirements at an early stage and minimize potential sanction risks. It is expected that the Data Act Implementation Act will enter into force shortly, given the already delayed national implementation.

This article was created in collaboration with our research associate Esma Yildiz.

The new requirements, which apply exclusively in the B2C sector – that is, wherever businesses interact with consumers – and are implemented through a revised version of the Unfair Competition Act (UWG), will take effect on September 27, 2026. As things stand, no transition period is planned, not even for products already on the market.

Anyone who engages in environmental advertising or intends to do so in the future and wishes to continue operating in the market in compliance with the law as of September 27, 2026, should familiarize themselves with the new rules now at the latest and, where necessary, take appropriate measures.

I. Scope of Application

The amendment to the UWG introduces several categories of environmental business practices, each of which is subject to its own set of regulations.

Specifically, this applies, among other things, to:

• “general environmental claims,” which, due to a lack of specification in the same medium, pose a particular risk of misleading consumers;
• “sustainability labels,” which in the future must be based on a certification system or be established by the government;
• “future environmental performance,” i. e., statements regarding environmental performance not yet achieved that are linked to a robust implementation plan;
• statements regarding the “offsetting of greenhouse gas emissions,” which will be prohibited in all product-related contexts in the future.

As part of our HEUKING series on the aforementioned practices covered by the EmpCo Directive, Part 1 dealt with “general environmental claims” (available here). This article now focuses specifically on the regulations regarding sustainability labels.

II. Sustainability Labels

In the EmpCo Directive (and the future Section 2(2)(4) of the Unfair Competition Act (UWG), as amended), a “sustainability label” is defined as

“a voluntary public or private trust mark, quality label, or similar, intended to highlight or promote a product, process, or business activity with regard to its environmental or social characteristics, or both, excluding all mandatory labeling under Union or national law.”

In short, sustainability labels are therefore, in particular, voluntary trust labels or quality marks that serve to highlight or promote the environmental or social characteristics of a product, process, or business activity.

Due to the broad definition, depending on the intended use, overall context, and consumer perception, even nature-related elements (e. g., green leaves or water droplets next to a text element or logo) can be considered sustainability labels and thus fall within the scope of application.

Sustainability labels serve a trust-building function for consumers. Consumers should be able to trust that the specific characteristic advertised by a sustainability label is actually present. This function of instilling trust is regularly not fulfilled when companies use their own sustainability labels. The provisions of the EmpCo Directive therefore aim to ensure the transparency and credibility of sustainability labels and to put a stop to the proliferation of private sustainability labels.

As of September 27, 2026, it will therefore be prohibited to display sustainability labels that are neither based on a so-called certification system nor established by government agencies.

In cases where the use of a sustainability label is linked to commercial communication that gives the impression that a product has a positive or no impact on the environment or is less harmful to the environment than competing products, this sustainability label should also be regarded as an environmental claim under Recital 8 of the EmpCo Directive.

1. Government-established sustainability labels

Examples of government-established sustainability labels include the EU Ecolabel introduced by the European Commission, the “Blue Angel” label as the German federal government’s environmental label, and the “Green Button” label of the Federal Ministry for Economic Cooperation and Development. These are subject to strict monitoring by government regulatory authorities.

If a sustainability label has been established by a government agency, it may continue to be used in the future. If the sustainability label was not established by a government agency, it must be based on a certification system.

2. Certification System

“Certification system” is defined in Section 2(2)(6) of the UWG (Unfair Competition Act), as amended, as

“a system of third-party verification that confirms that a product, process, or business activity meets certain requirements, that enables the use of a corresponding sustainability label, and whose terms and conditions, including its requirements, are publicly available and meet the following criteria:
a) the system is open to all businesses under transparent, fair, and non-discriminatory conditions,
b) the system’s requirements are developed by the system owner in consultation with appropriate experts and stakeholders,
c) the system establishes procedures for addressing non-compliance with the system’s requirements and provides for the withdrawal or suspension of the entrepreneur’s use of the sustainability label in the event of non-compliance with the system’s requirements, and
d) monitoring of an entrepreneur’s compliance with the system’s requirements is subject to an objective procedure and is carried out by a third party whose competence and independence from both the system owner and the entrepreneur is based on international or Union-wide standards and procedures or on standards and procedures of a Member State of the European Union.”

A certification system is therefore a formalized verification and monitoring system designed to certify products, processes, or business activities against established criteria. It constitutes the basis for the lawful use of a sustainability label.

The audit required under the system must not be conducted by the party whose product, process, or business activities are being audited, but must be carried out by an independent third party. This is intended to strengthen the “transparency and credibility” of the certification system and, consequently, of the sustainability label (Recital 7 of the EmpCo Directive). Mere self-certification therefore does not meet the requirements for a certification system.

A distinction must therefore be made between three parties involved:

• The system owner, who designs, operates, and is responsible for the respective certification system. This individual establishes the system’s requirements and conditions. This means that they specify the criteria for awarding a sustainability label and the conditions under which such a label may be used.
• The third party, independent of the certification program owner, who performs monitoring tasks and verifies compliance with the requirements set forth in the certification system.
• And finally, the certified business that is permitted to use a sustainability label based on the certification system.

The conditions of the certification system, including the requirements for the products, processes, or business activities that must be met for certification, must be publicly accessible. In this regard, easy accessibility to the public is required, for example through publication on freely accessible websites. Conversely, it is insufficient if the conditions and requirements are only available after prior registration and/or sign-up or are provided solely upon individual request.

3. What applies to test seals and trademarks?

It remains unclear whether test seals (Stiftung Warentest, Öko-Test, etc.) also qualify as sustainability labels. In principle, even a logo that primarily serves to promote test results may be perceived by consumers as a recognized seal or quality mark.

Currently, however, it is generally assumed that neutral consumer tests are not covered by the scope of application. Due to the fact that the assessment is made from a consumer’s perspective, uncertainty remains in individual cases as to when a test seal – which, while not primarily focused on sustainability, nevertheless includes sustainability aspects – can be considered a sustainability label.

The German statutory text contains no explicit exception for trademarks. According to the legislative rationale, however, the concept of a sustainability label must be interpreted narrowly from a teleological perspective and covers only marks that, from a consumer’s perspective, appear to be an independent confirmation of certain sustainability characteristics. Pure indications of origin are therefore generally not intended to fall under this definition (BT-Drs. 21/3327, p. 19). Accordingly, trademarks are generally not sustainability labels; according to the legislative history, an exception may apply at most to warranty marks.

While the European Commission shares the basic premise that traditional trademarks are not automatically classified as sustainability labels, it rejects a blanket exclusion based on the form of the trademark and always requires a case-by-case assessment. Furthermore, it points out that trademarks – regardless of their legal classification – can function as environmental statements if their name or design contains relevant references.

In practice, this therefore typically involves two stages of examination: First, it must be clarified whether the sign appears as a sustainability label, second, it must be examined independently of this whether the trademark name can be understood as an environmental statement. For companies operating throughout the EU, it is advisable to follow the Commission’s positions, as they set the stricter standard.

III. What are the consequences of violating the EmpCo?

Violations of the provisions of the EmpCo Directive or the version of the UWG effective as of September 27, 2026, are primarily pursued by consumer and competition associations as well as eligible competitors. In practice, this entails, in particular, costly cease-and-desist letters and, if an out-of-court settlement is not reached, preliminary injunctions and injunctive relief actions.

As a result, non-compliant goods may become unsellable, and potential claims for damages and the risk of reputational damage must also be taken into account.

IV. Recommendations for Action and Outlook

The implementing regulations for the EmpCo Directive present companies with significant legal and practical challenges. There is not much time left before the new provisions of the UWG take effect on September 27, 2026. Companies should therefore ensure in a timely manner that, for example, products or product packaging as well as their websites no longer feature unauthorized sustainability labels or unauthorized environmental advertising claims by that date.

It is to be expected that, once the new legal framework takes effect, consumer protection and competition associations in particular will strictly monitor compliance with the new regulations and consistently pursue violations – typically through costly cease-and-desist letters.

In upcoming posts, we will take a closer look at further aspects of the EmpCo Directive, particularly the new requirements for statements regarding future environmental performance and the implications of the ban on CO2 offset claims.

We are happy to assist you in the timely implementation of the new UWG rules and will continue to help you communicate your commitment to sustainability in a legally compliant manner.

This article was written in collaboration with our research assistant Franziska Klinzing.

I. Who the CRA Applies To

1. Manufacturers

The manufacturer is the central figure of the CRA and, at the same time, the economic actor subject to the most far-reaching obligations. The definition in Art. 3 No. 13 CRA is decisive:

A manufacturer is any natural or legal person who develops or has a product with digital elements manufactured and places it on the market under their own name or brand. What is decisive, therefore, is not so much the actual technical manufacturing as the presence on the market.

Based on this, two requirements can be identified:

“A manufacturer is any natural or legal person who develops or has manufactured a product with digital elements and places it on the market under their own name or brand. What is decisive, therefore, is not so much the actual technical manufacture as the presence on the market.”

Second, the company must market the product under its own name or brand. This “placing on the market under its own label” is the central distinguishing criterion: whoever appears to market participants as the responsible provider is the manufacturer – regardless of whether the development was actually carried out in-house or entirely by third parties.

Against this background, the following scenarios in particular should be classified as manufacturers:

• Traditional manufacturers: Companies that develop hardware or software themselves and distribute it under their own name.
• Software developers: Companies that exclusively develop and distribute software (e.g., apps, operating systems, or other standalone software) are also manufacturers, provided that the software is made available as a standalone product.
• Quasi-manufacturers (white-label): Companies that have products or software developed or produced by third parties but distribute them under their own brand are also considered manufacturers.
• Platform or system providers: To the extent that they market their own products with digital elements under their own name (e. g., bundled hardware and software solutions), they are also classified as manufacturers.

Conversely, a manufacturer is not someone who is involved in the development or production but does not act as a supplier to the market themselves. Nor does it matter whether the product is provided for a fee or free of charge.

The legal presumptions of manufacturer status are also of particular practical relevance: An importer or distributor becomes a manufacturer if they place a product on the market under their own name or brand, or make a substantial change to a product. As a result, the role of manufacturer can “shift” along the supply chain, a fact that is often overlooked in practice.

Overall, the CRA’s definition of a manufacturer is deliberately broad. Companies that “only” develop software or distribute products under their own brand, in particular, should therefore carefully examine whether they are already classified as manufacturers under the Regulation, with the resulting comprehensive regulatory obligations.

2. Importers

An importer (Art. 3(16) CRA) is any natural or legal person established in the Union who places a product with digital elements from a third country on the Union market for the first time. The decisive factor is thus solely the function as a “point of entry” for non-EU products, not the company’s own involvement in development or manufacturing.

A prerequisite is that the product continues to be marketed under the name or brand of the third-country manufacturer. In this case, the original supplier remains the manufacturer, while the importing company is classified as the importer. In practice, therefore, importer status is often not permanent but may cease to apply due to rebranding or product modifications.

3. Distributor

A distributor (Art. 3(17) CRA) is any natural or legal person in the supply chain who makes a product with digital elements available on the Union market without altering its characteristics, without being a manufacturer or importer.

The defining characteristic is thus a purely distributive function. The distributor does not place products on the market themselves, but merely passes them on within the supply chain. This covers the entire distribution level, including wholesale, intermediate, and retail trade, as well as online distribution. As soon as a company modifies products or distributes them under its own name, it ceases to be a distributor and becomes a manufacturer. It is therefore decisive whether the activity remains limited to the unaltered transfer of products.

II. Key Obligations

The obligations under the CRA are largely tied to the respective role in the supply chain, with the manufacturer facing the most comprehensive set of obligations. Central to this are, in particular, cybersecurity requirements throughout the entire product lifecycle, including secure product design, vulnerability management, and the provision of security updates.

In contrast, importers and distributors are subject to graduated due diligence and verification obligations. They may only make products available on the market if they meet the CRA’s requirements and must, in particular, verify compliance with formal conformity requirements.

All economic operators are required to take action in the event of identified risks or security incidents and to cooperate with manufacturers and authorities. The specific scope of these obligations depends crucially on the respective classification as a manufacturer, importer, or distributor.

III. Current Developments

An important step toward the practical implementation of the CRA was taken on March 3, 2026, with the publication of a draft guidance document by the European Commission. The guidance aims to make the regulation’s requirements – which have so far been somewhat abstract – more tangible for companies and to provide early guidance for the ongoing transition phase. Given that many companies still underestimate their role as manufacturers and the scope of their obligations, this document is of considerable practical importance.

In terms of content, the guidance specifically clarifies the requirements for secure product development (“secure by design” and “secure by default”). The Commission makes it clear that cybersecurity should not be an afterthought but must be systematically considered as early as the design and development phases. This includes, for example, structured risk analyses, secure default settings, and processes to minimize attack surfaces. Companies must therefore frequently conduct fundamental reviews and document their development processes.

Another key focus is on vulnerability management. The guidelines describe in detail how manufacturers must handle vulnerabilities – from establishing internal processes for identification and assessment, through coordinated disclosure procedures, to the timely provision of security updates. Particular emphasis is placed on the obligation to maintain a functioning vulnerability management system throughout the entire product lifecycle. In doing so, the Commission clarifies one of the most practically relevant and, at the same time, most resource-intensive sets of obligations under the CRA.

In addition, the Commission addresses questions regarding the scope of application. It clarifies that the CRA must be interpreted broadly and, in particular, regularly covers pure software products as well. In doing so, the guidance confirms the broad scope already inherent in the text of the Regulation and once again underscores that software providers, in particular, must closely examine their potential classification as manufacturers.

The guidance also provides further details regarding reporting obligations. In particular, it clarifies the requirements regarding the content, deadlines, and recipients of reports. This is of great importance for companies, as the relevant obligations will take effect as early as September 2026 and must be coordinated in practice with existing reporting obligations, e. g., from the NIS 2 Directive or the GDPR. The guidance already suggests that parallel compliance with multiple regimes may be necessary as long as harmonization does not occur.

In this regard, the European Commission is working within the framework of the so-called Digital Omnibus to achieve a comprehensive simplification of digital law reporting obligations. The goal is to harmonize existing reporting obligations more closely and, in the long term, to consolidate them through central contact points (we reported on this in Data Protection Update No. 221 and No. 236). For companies, this could lead to a noticeable reduction in administrative burden in the medium term. In the short term, however, the legal landscape remains fragmented, meaning that the various reporting obligations must continue to be observed in parallel and coordinated organizationally.

IV. Conclusion and Outlook

The CRA already necessitates significant action today – especially for companies that have not yet recognized that they may be classified as manufacturers under the Regulation. The transition periods should therefore be actively utilized to clarify one’s own role and implement the necessary technical and organizational measures in a timely manner.

The guidance published by the Commission provides important direction in this regard but is not yet final. Companies currently still have the opportunity to participate in its further development: The Commission is conducting a consultation and accepting comments on the guidance until April 13, 2026.

In light of further developments – particularly within the framework of the Digital Omnibus – a progressive clarification and partial standardization of the requirements is also to be expected. Nevertheless, it must be noted: Companies must set the course for CRA compliance now.

This article was created in collaboration with our student employee Emily Bernklau.

I. Background: Why the Legislator Is Regulating the Cloud Market

Anyone purchasing digital infrastructure today – whether storage space, computing power, or a complete software platform – often enters into a long-term commitment. Data is stored in proprietary formats, interfaces are tailored to a specific provider, and switching providers often fails due to the technical and financial hurdles of migration. This phenomenon – known in technical jargon as vendor lock-in – not only impairs the flexibility of individual companies but also hinders competition across the entire European cloud market.

This is precisely where Chapter VI of the Data Act (Regulation (EU) 2023/2854) comes into play. The regulations, effective as of September 12, 2025, require providers of so-called data processing services to enable their customers to switch providers seamlessly. The scope of these obligations ranges from mandatory contract terms and the provision of open interfaces to the phased elimination of switching charges. However, for these obligations to take effect, a preliminary question must first be answered: Does the service in question even fall under the definition of a data processing service?

II. What the Data Act means by a data processing service

Article 2(8) of the Regulation contains a definition that establishes the scope of Chapter VI. According to this, a data processing service exists when a digital service provides the customer with network-based access to a shared pool of computing resources – such as storage, processing power, or network components – that can be provided on-demand, in a scalable manner, and with minimal administrative overhead.

This description is based on the internationally established cloud computing definition from the National Institute of Standards and Technology (NIST) from 2011. The regulator has largely adopted the terminology used there and merely supplemented it with elements intended to include decentralized processing models such as edge computing. The explanatory notes to the Regulation (Recital 81) explicitly mention the three common service models – IaaS, PaaS, and SaaS. Furthermore, the definition is technology-neutral, meaning that newer concepts – such as data-driven services or AI-based offerings – can in principle also fall under the term.

Upon closer examination, it becomes clear that drawing the line in practice is anything but trivial. This is because the definition combines around 17 individual characteristics, many of which are open to interpretation. Furthermore, the various language versions of the Regulation are not entirely consistent with one another.

III. Where the distinction becomes difficult: The example of complex software services

For traditional infrastructure offerings – such as virtual servers, storage capacity, or database instances – there is little doubt that they fall under the definition of data processing services. These services directly provide customers with technical resources that they can scale up or down as needed. This constitutes the core business of the major cloud platforms, and the legislature clearly had these offerings in mind when designing the switching regime.

The situation is less clear-cut for software services that, while provided via the Internet, derive their actual value not from computing power but from the specific functions they perform. A cloud-based accounting program, a human resources management system, or industry-specific planning software naturally utilize scalable computing resources in the background. However, the customer does not purchase storage or processor time, but rather a business solution. They configure payroll rules or inventory management processes—not server instances.

The crucial question is therefore: Is it sufficient for classification as a data processing service that a service is based on cloud infrastructure in the background? Or must the customer themselves have access to the underlying resources? If one follows the framework and purpose of the regulation, there is a reasonable case for the second interpretation: The text of the law requires that the service “enables” access to computing resources – which implies more than the provider’s mere internal use of such resources.

A look at the NIST framework also supports this assessment: It distinguishes between the infrastructure layer, where resources are directly provided, and the application layer, where ready-made software is consumed without resource control. The more a service maps operational processes, is configuration-intensive, and requires individual customization, the further it moves away from the type of data processing service that the regulation has in mind.

In practice, this means: A provider that exclusively provides server capacities or platform services clearly falls under Chapter VI. By contrast, a provider of highly specialized industry-specific software, whose value lies in the business logic rather than in the provision of technical resources, has several good reasons for considering itself outside the scope of the regulation. Between these two extremes, of course, there are numerous hybrid forms for which a blanket answer is not possible. Therefore, a specific analysis of the actual services offered and their concrete structure is always required.

IV. Deadlines and Contract Terms When Switching Providers

1. The Process of Switching Under Art. 25 DA

The Regulation provides for a phased switching process. First, the customer must notify the provider of their intention to switch. For this purpose, Art. 25(2)(d) DA provides for a maximum notice period of two months, which must be specified as an upper limit in the contract. Following the expiration of this period, a mandatory maximum transitional period of generally 30 calendar days begins, during which the actual data migration is to take place. During this phase, the provider must continue to provide the service and assist the customer with the switch.

2. A Linguistic Issue with Practical Consequences

In the German version of the Regulation, the two-month period was originally referred to as a “Kündigungsfrist.” This was misleading, as the contract does not end upon the expiration of this period. In fact, it merely marks the starting point of the switching process – the contract is only considered terminated once the switch has actually been completed or the transition period expires. Consequently, the act of notifying a data processing service provider of the intention to switch does not constitute a contractual right in the strict sense. A formal notice of termination is therefore not required in this context.

The consolidated version of the Data Act now uses the more accurate term “Ankündigungsfrist.”

3. Reality Check: 30 Days for a Migration?

The 30-day transition period is realistic for simple services, but quickly reaches its limits in complex environments. If large amounts of data must be migrated, interfaces adapted, and business processes mapped in a new environment, one month is likely to be insufficient in many cases. The regulation takes this into account by allowing the provider to apply for an extension of up to seven months if they can demonstrate technical infeasibility (Art. 25(4) DA). However, it remains unclear whether and how this proof can be provided in practice.

V. What applies to existing contracts?

One of the most controversial issues regarding Chapter VI concerned whether contracts concluded before the Regulation took effect on September 12, 2025, would be covered. The Regulation itself does not provide a clear answer to this. Article 50 of the Data Act (DA), which specifies the effective dates for each chapter, simply contains no explicit provision for Chapter VI – unlike, for example, the provisions on unfair contract terms, for which the legislature has provided a clear transitional provision.

However, the Federal Network Agency – which was designated as the supervisory authority by the Data Act Implementation Act (DADG) passed by the Bundestag on March 26, 2026 – clarifies this and states unequivocally in the FAQ section on the DA: The provisions of Chapter VI of the DA apply to both existing and new contracts.

VI. Digital Omnibus

1. The Proposal for Article 31(1a) of the DA-E

In November 2025, the European Commission also proposed amendments to the Data Act as part of its Digital Omnibus Package. For the issue discussed here, one new exemption is particularly relevant: According to the proposed Article 31(1a) DA-E, services whose functionality has been predominantly tailored to a customer’s individual requirements are to be exempted from most switching obligations – but only if the relevant contract was concluded before September 12, 2025.

This proposal is revealing in two respects. On the one hand, it confirms that the switching regime primarily targets standardized, widely available infrastructure and platform offerings and not individually configured specialized applications. On the other hand, it also raises new questions: When exactly is the “majority of the functions” of a service customized for a specific customer? And why should the exception apply only to existing contracts, when the demarcation problem also exists for new contracts? Ultimately, the proposal addresses the issue of temporal applicability but leaves the fundamental question of demarcation unanswered.

VII. Conclusion and Recommendations

The regulations on cloud switching in Chapter VI of the Data Act pursue a clear objective: customers should no longer be trapped in closed systems. In practical implementation, however, it becomes apparent that key questions remain unresolved – above all, the scope of the term “data processing service.”

For companies that offer or use cloud services, this gives rise to specific requirements for action: Providers should analyze their product portfolio to determine which services could be classified as data processing services. In doing so, the marketing label matters less than the question of whether the customer gains access to technical resources or uses a ready-made application functionality. Existing contracts must be reviewed for compliance with the requirements of Article 25 of the Data Act and amended as necessary.

Given the uncertainties that still exist, it is advisable to closely monitor further developments: The EU Commission’s FAQs on the Data Act, the standard contractual clauses for cloud migration, the administrative practices of the Federal Network Agency, and the progress of the Digital Omnibus will play a key role in clarifying the currently unresolved issues in the coming months.

With the political agreement, the legislative process has entered its final phase. In early March, the provisionally final drafts of the new Regulation (“Draft Regulation”) and the new Directive (“Draft Directive”) were published. No material changes are expected at this stage and companies should therefore begin preparing for the foreseeable changes now.

I. Regulatory Protection Periods: Data Exclusivity and Market Protection

The regulation of protection periods was among the most controversial aspects of the reform. After long negotiations, the Commission, Parliament and Council agreed on a base data exclusivity period of eight (8) years (Art. 80(1) Draft Directive), thereby maintaining the current level of protection. During this period, competitors may not rely on the pre-clinical and clinical study data and other documentation of the marketing authorisation holder in order to obtain a marketing authorisation through the simplified procedure. An extension of this data exclusivity period is generally not contemplated. The sole exception is a one-year extension through the Transferable Exclusivity Voucher – on which more below.

Following data exclusivity, a one (1) year market protection period will apply going forward, one year less than under the current regime (Art. 80(2) Draft Directive). During this period, competing products such as generics and biosimilars whose marketing authorisations reference the data of the reference medicinal product may not be marketed. Market protection may be extended by twelve (12) months if the medicinal product falls within one of the following four categories:

A further one-year extension of market protection is available where the marketing authorisation holder obtains, during the data exclusivity period, an authorisation for one or more additional therapeutic indications for which a significant clinical benefit compared to existing therapies has been demonstrated (Art. 81(2a) Draft Directive). This extension may expressly be granted only once. The maximum duration of market protection is capped at two (2) years, unless an extension for an additional indication is granted (Art. 81(2b) Draft Directive). In that case, a total of three (3) years of market protection is possible. The overall protection period is thus limited to a total of eleven (11) years, in line with the current legal position. From the perspective of research-based pharmaceutical companies, it is a positive development that the originally proposed significant reduction of data exclusivity has been taken off the table and the baseline protection of eight years has been preserved. At the same time, planning uncertainty for pharmaceutical companies is increasing: the complex conditions attached to the market protection extension options are only partially within a company’s control.

It should also be noted that market protection may cease to apply in individual Member States where the marketing authorisation holder has failed to comply with a request from the relevant Member State to make the medicinal product available in sufficient quantities in that country (Art. 56a Draft Directive, on this in more detail under VI.).

Unsurprisingly, the concept of so-called drug repurposing has also been included in the final version of the new Directive. Under this provision, medicinal products authorised for a new therapeutic indication are granted a one-time data exclusivity period of four (4) years (Art. 84 Draft Directive), provided that no data exclusivity previously existed for the product or the initial authorisation was granted at least 25 years ago. This creates an incentive both for research involving known active substances and for the swift and cost-effective provision of new medicinal products.

II. Bolar Exemption

The reform clarifies and broadens the so-called Bolar exemption in order to enable generic manufacturers to enter the market immediately upon expiry of patent protection. The agreement clarifies that neither patents nor rights arising from a supplementary protection certificate are infringed where studies, trials and other activities necessary for obtaining a marketing authorisation are conducted (Art. 85(1) Draft Directive). The scope extends to health technology assessments (HTA), pricing and reimbursement decisions, as well as public procurement procedures. In addition, it has been clarified that intellectual property rights of the reference medicinal product do not constitute a valid ground for refusing, revoking or suspending decisions taken within the scope of the Bolar exemption (Art. 85(2) Draft Directive).

This new provision is likely to contribute to the harmonisation of the Bolar exemption across the EU. At the same time, concerns have been raised regarding potential adverse effects on the competitiveness of the European pharmaceutical industry.

III. Orphan Drugs

A central objective of the reform is to promote research and development of medicinal products for rare diseases – so-called orphan drugs. The concept of “high unmet medical need”, originally proposed by the Commission but subsequently deleted, has been reintroduced under the new designation “breakthrough orphan medicinal product”. Under Art. 70 of the Draft Regulation, this category encompasses drugs whose use results in a clinically relevant reduction in disease morbidity or mortality in the relevant patient population, provided that no authorised medicinal product for the rare condition in question exists in the Union.

Market exclusivity is governed on a differentiated basis: for standard orphan drugs, an exclusivity period of nine (9) years is provided for, whereas breakthrough orphan drugs will enjoy an extended exclusivity period of eleven (11) years. Where the authorisation is based on bibliographical data, market exclusivity is limited to four (4) years.

In addition, market exclusivity may be extended twice by twelve (12) months each. The prerequisite is that the marketing authorisation holder obtains, at least two years before the expiry of the exclusivity period, an authorisation for one or more new therapeutic indications for a different rare disease. This provision represents a significant departure from the existing legal framework, under which market exclusivity could be obtained separately and in full for each therapeutic indication for a rare disease.

IV. Antimicrobials

To effectively face the growing threat of antimicrobial resistance, the reform introduces an innovative voucher system: the so-called Transferable Exclusivity Vouchers (TEVs). These vouchers extend data exclusivity for a priority antimicrobial by twelve months (Art. 40 Draft Regulation). The system is designed with flexibility: companies may apply the TEV either to the priority antimicrobial itself or to another centrally authorised medicinal product of the same marketing authorisation holder. Moreover, transfer to third parties is possible. Where the TEV is used for a different medicinal product, it may be exercised in the fifth or sixth year of the base data exclusivity period. This represents an expansion compared to the original proposal, which provided for use only in the fifth year. However, a so-called blockbuster restriction applies. Vouchers may not be used for medicinal products whose gross annual turnover in the EU exceeds EUR 490 million within the first four years following authorisation. As this constitutes a novel incentive mechanism, the system is initially limited to 15 years. The Commission may issue a maximum of five vouchers during this period (Art. 43 Draft Regulation).

In addition, the reform confirms the subscription model (“Netflix” model) introduced by Parliament as a voluntary procurement mechanism for antimicrobials (Art. 43a Draft Regulation). Member States may jointly enter into multi-year subscription contracts under which remuneration is delinked from sales volumes. The company receives an agreed regular payment irrespective of prescription and sales figures and in return undertakes to ensure a continuous and sufficient supply of defined quantities.

Furthermore, the reform strengthens stewardship measures. A mandatory prescription requirement for antimicrobial agents is to apply EU-wide (Art. 51 Draft Directive). Marketing authorisation applications for antimicrobials must include a stewardship plan (Art. 17 Draft Directive) and the risk of antimicrobial resistance must be taken into account in the environmental risk assessment (Art. 22(4) Draft Directive).

This package of measures is intended to provide predictable revenues for the refinancing of research and development of antimicrobials. At the same time, it promotes a restrained, needs-based use of new antimicrobials, thereby aiming to contain the development of resistance.

V. Acceleration and Digitalisation

The reform contains important elements aimed at accelerating and modernising procedures. As a result of the trilogue negotiations, the standard review and authorisation period under the centralised procedure at the EMA will be shortened from the current 210 to 180 days – the Commission’s draft proposal has prevailed on this point. Industry has welcomed this acceleration of the approval processes.

Also to be viewed positively are the introduction of regulatory sandboxes and the further digitalisation of procedures. Applications must in future be submitted uniformly in electronic form and package leaflets must be made available in digital format. To reduce administrative burden, marketing authorisations are in principle to be granted for an unlimited duration. The EMA may derogate from this on safety grounds.

VI. New Obligations: Security of Supply and Shortage Management

The supply obligations introduced by the Council have become part of the reform and may affect centrally authorised medicinal products (Art. 5a Draft Regulation). Member States may request a marketing authorisation holder to make its medicinal product available on the respective market in sufficient quantities. To this end, they may either use their own procedure or rely on the mechanism under the new Art. 56a Draft Directive. Marketing authorisation holders concerned are generally obliged to comply with such a request, unless exceptional, unforeseeable or demonstrably uncontrollable circumstances exist. Non-compliance does not, for the time being, entail financial sanctions, contrary to earlier proposals by Parliament. An evaluation by the Commission in four years’ time is to determine whether sanctioning mechanisms for this obligation should be introduced.

Where data exclusivity or market exclusivity exists for a medicinal product, Art. 56a Draft Directive additionally provides the following consequences: if a marketing authorisation holder fails to comply with a Member State’s request within three years, the market protection under Art. 80(2) Draft Directive and, in the case of orphan drugs, the extension of market exclusivity for new therapeutic indications, shall not apply in that Member State. Generics and biosimilars may then be placed on the market in that Member State, even though market protection continues to apply in other Member States. To ensure that the end of market protection in one Member State is not abused to effectively circumvent protection in other Member States, wholesaler and distance sale distributors are prohibited from placing such medicinal products on markets where the protection of the originator product is still in force (Art. 166(5) Draft Directive). Additionally, under certain conditions, marketing authorisation applications for generics and biosimilars may be validated and assessed as early as six years after the commencement of data exclusivity for the reference medicinal product. The authorisation itself, however, may only be granted upon expiry of the full eight-year protection period.

The obligations relating to the prevention of supply shortages are being expanded. A general obligation to prepare Shortage Prevention Plans (SPPs) applicable to all medicinal products has not been adopted. However, such an obligation applies to all prescription-only medicinal products (Art. 117 Draft Regulation). Companies must report imminent shortages at least six months in advance (Art. 116 Draft Regulation). For small and medium-sized companies in particular, this is likely to entail a significant additional burden.

VII. Next Steps

On 18 March, the Committee on Public Health (SANT) in Parliament voted positively on the outcome of the trilogue negotiations. This paves the way for translation of the legislative texts into all Union languages and formal endorsement by the Council and Parliament, which could take place as early as this autumn.

The new Regulation enters into force 20 days after publication in the Official Journal of the EU, with application commencing generally 24 months after entry into force. Immediate application or a shorter transitional period is foreseen only for a limited number of exceptions, including the provisions on orphan drugs, TEVs and regulatory sandboxes. The new Directive is subject to a transposition period of 24 months. In addition, delegated acts and guidelines are expected. These will have a significant influence on whether the reform ultimately achieves the objectives it pursues.

1. Add-Ons as a serial process – The essential starting perspective

What fundamentally distinguishes buy-and-build and roll-up strategies from conventional one-off M&A is not the individual transaction, but the logic behind it. Add-ons are not standalone deals strung together in sequence; they are components of a serial process that must be conceived and structured as such from the outset.

This shift in perspective has far-reaching practical consequences. Decisions that can be made case by case in a one-off transaction must, in a serial model, be anticipated structurally in advance. Which documentation do we use? Which purchase price mechanics are standardisable? Where do we allow flexibility, and where do we not? How does the negotiation run – not just in the first deal, but perhaps in the seventh add-on? The real efficiency gains do not come from optimising the first transaction. They come from building a model that is just as robust at the tenth transaction as it was at the beginning.

From a legal perspective, this means every process decision should be evaluated for its repeatability. What looks like a pragmatic exception today can become a structural liability later.

2. LoI / Term sheet: A steering instrument, not a formality

One of the most consistently underestimated elements in buy-and-build processes is the letter of intent or term sheet. In conventional single transactions, it is often treated (wrongly) as a non-binding opening move: a document that captures rough parameters without committing much. In a serial model, this view is far too narrow.

In the buy-and-build context, the LoI / term sheet serves multiple functions simultaneously. It is an acquisition tool, a trust anchor for the seller, a structuring document, and the pacemaker for everything that follows. A well-crafted term sheet locks in the deal's essential parameters tightly enough that the subsequent documentation is no longer perceived as negotiating territory, but as the implementation of a framework both parties have already agreed.

In practice, it has proved effective to keep the term sheet standardised, clear, and – particularly when dealing with mid-market sellers without M&A experience – genuinely easy to understand. In terms of substance, it should go well beyond a vague price range and already map out the key economic and structural parameters: valuation and purchase price structure, cash component and any rollover equity, vendor loan, core governance assumptions, and the timeline to closing. The message this sends does not need to be stated bluntly to land: we have agreed the key parameters together – everything else follows from the group’s standard framework and process, for reasons that are straightforward to explain.

3. Transaction structure

One decision that is occasionally taken too late in practice is the choice of transaction structure.

In buy-and-build strategies, the default is a full acquisition by way of share deal. The asset deal remains an option but is reserved for clearly defined situations – where the target carries material legacy liabilities that cannot be otherwise managed structurally, or where regulatory requirements compel a different approach. What matters most is not which structure is chosen, but that the decision is made consciously, early, and consistently – and not revisited mid-process. A structural change after due diligence has begun creates additional work, confusion on the seller side, and consumes negotiating capital that would be better deployed elsewhere.

In certain sectors, such as healthcare businesses involving MVZ structures or particular regulated professional service structures, pre-structuring on the seller side may be necessary before the transaction itself can be completed: changes in legal form, carve-outs, or restructuring of existing entities. These points need to be identified early, addressed cleanly in the contracts, and – depending on who carries out the pre-structuring – priced in with appropriate implications for timeline and cost allocation.

4. Due diligence with proportionality

Due diligence in a serial model follows a different logic than in a one-off transaction. The guiding question is not: what can we review? It is: what is material enough, from an economic and liability perspective, to justify the effort for everyone involved?

A risk-conscious approach with a clearly defined scope has consistently proved far more efficient than attempting to inventory everything comprehensively. Extensive DD reports can be appropriate – for internal investment committees, third-party financing, or atypical risk profiles. In many add-on situations, however, a structured, decision-relevant summary of the key risk areas is sufficient.

An important conceptual distinction is that between due diligence as a risk assessment tool and post-merger integration as the operational follow-on step. What can be harmonised efficiently and group-wide after closing (data protection documentation, internal policies, standard contracts, IT processes) does not need to be fully resolved before signing. The DD establishes whether known or latent risks are price-relevant or give rise to liability; the PMI ensures the actual state is brought in line with the target state. Drawing this distinction consistently saves considerable effort and keeps the focus where it belongs.

A concrete efficiency gain can also be achieved by linking the data room to the warranty structure. Where aggregated lists are requested for DD purposes anyway – leases, employees, insurance policies, material customer and supplier contracts – these can serve directly as the basis for the contractual warranties, without duplicating the work.

5. Documentation as a scaling lever

The principle is straightforward: in the buy-and-build context, the buyer provides the documentation. This is not a question of leverage, but a question of efficiency, and experienced sell-side advisers will rarely be surprised by this.

This foundational decision implies a far-reaching design principle: the documentation must be modular, standardised, and built for repetition from the outset. This encompasses template SPAs and APAs, standardised articles of association and rules of procedure / governance rules, service contract templates, and clear, simple mechanics for purchase price components, liability, and rollover equity.

Two design principles have proved particularly effective. First, variables should appear at as few and as clearly defined points in the document as possible. Purchase price, parties, reference dates – these parameters are set once and referenced by definition across all downstream documents. Defining the purchase price and its calculation basis independently in three places across three schedules creates errors and unnecessary coordination overhead. Second, the documentation should be structured so that it is in principle automation-ready. At high transaction volumes, the use of structured data templates – where parties, ownership interests, and core parameters are entered once and populate all relevant documents – can yield a significant efficiency gain. This is not appropriate for every strategy, but the documentation should at least be designed so that the option remains open.

For economically and psychologically sensitive points – rollover equity, purchase price calculation, non-competes, bonuses – an additional principle applies: simplicity is king. Complex, lengthy documentation on these topics slow negotiations, create uncertainty, and generate friction that persists well beyond closing. Addressing these points clearly, comprehensibly, and in a way that can be explained in plain terms wins not only speed, but also acceptance.

6. Seller psychology as a success factor

Buy-and-build strategies frequently encounter sellers who are not seasoned M&A professionals – entrepreneurs selling the business they have built over a lifetime, often without legal counsel or with advisers who lack specific transaction experience. For this audience, a professionally assembled, scale-oriented transaction package can feel daunting at first encounter. The questions that arise are less legal than human: What am I giving up? What am I committing to? Do I actually understand what is happening here?

This reaction is normal and predictable – which means it should be anticipated in the process plan, not left to improvisation. Buyers and their advisers play an active explanatory role in this situation: structures must be explained, not merely delivered. Rollover equity concepts must be written so that they are intelligible without a legal background. Guides or FAQ documents addressing recurring questions can meaningfully reduce friction in the negotiation.

Seller psychology is not a soft side issue in this context – it is a hard efficiency factor. Sellers who feel understood and fairly treated move faster, cooperate more readily, and prove more reliable counterparties, including after closing.

7. Rollover equity: economic, timing and emotional dimensions

Rollover equity is a central but often underestimated element of the overall process. It serves not only to partially finance the purchase price and incentivise performance, but also fundamentally shapes how sellers see their role after closing. A seller who is a co-shareholder in the platform from day one thinks differently about group interests, willingness to cooperate, and exit orientation. Depending on the specific model chosen for the overall transaction, participation can be structured at different levels of the group, potentially using different instruments across multiple tiers and a range of legal constructs. Here too, the same principle applies: structural complexity should be the exception; the most efficient path is the goal.

In designing rollover equity, the tax interests of the sellers – typically their primary concern alongside purchase price structure – should be taken into account wherever possible. For sellers, this is one of the most tangible and therefore most central negotiation points.

Beyond incentivisation, rollover equity frequently determines the deal timeline in practice – and does so in an objective, readily explicable way. Capital increases at holding level typically occur only at a small number of points during the year and are based on fair market value at the relevant date. A seller who wishes to participate at an earlier, lower valuation must have the transaction completed by a certain deadline. Later entry occurs at correspondingly higher valuations. This logic is not a pressure tactic – it is a structural reality, and it imposes discipline without requiring any explicit negotiating manoeuvre.

8. Standard and exception – decided deliberately, not drifted into

Standardisation does not mean rigidity. In virtually every add-on, there will be points that require or justify a departure from the standard. That is neither unusual nor problematic – provided the departure is the result of a conscious decision, and not of a lack of process discipline or a negotiation that has taken on a life of its own.

A distinction between negotiable and non-negotiable elements (communicated clearly and early) has proved its worth in practice. As the transaction track record grows, recurring patterns of deviation can be identified and absorbed into the standard: as optional modules or defined ranges of flexibility that are handed to the deal team and advisers as a toolkit to work with autonomously. This creates genuine scalability: advisers can act faster and more independently, without waiting for case-by-case decisions.

9. Fine-tuning after the first transactions

Few transaction models offer better conditions for continuous improvement than buy-and-build. After just a handful of add-ons, clear patterns emerge: which DD topics recur consistently, where the most stubborn negotiation points arise, which clauses generate discussion that could have been avoided.

Structured fine-tuning – realistically first undertaken after the third add-on, then repeated at regular intervals – pays direct dividends in efficiency and quality. The matrix of typical negotiation points, standard positions, and pre-agreed margins of flexibility, developed jointly with advisers, is not a bureaucratic instrument. It is a practical tool that accelerates transactions and ensures consistency.

10. What follows

Individual add-on transactions are the operational backbone of every buy-and-build and roll-up strategy – and with a scalable, standardised process in place, the essential foundations for lasting success are established. This foundational series concludes here.

Deeper analysis of selected topics – competition law considerations, sector-specific particularities, add-ons by strategic acquirers, and VC-driven platforms – will follow in the coming weeks as focused articles on this page.

The team at HEUKING is always available for your questions or direct discussion.

This part goes deeper on the platform itself as the starting point of the strategy. While individual add-on transactions tend to attract most of the public attention, execution requires putting first things first: one of the most significant success factors is a clean, purposeful design of the platform. It is not merely an acquisition vehicle – it is the legal, economic, and organisational pivot around which everything else turns.

Practice shows this clearly: the more carefully and forward-looking the platform is designed, the greater the scalability of the strategy, the lower the friction in subsequent add-ons, and the more resilient the model is to regulatory, financing, and other challenges down the line.

1. A deliberate starting point, not a by-product of the first transaction

A purposeful platform design depends materially on the specific economic and operational strategy, as well as any applicable regulatory requirements. These factors must drive the design and can in some cases call for highly individual configurations.

From a legal perspective, however, every such structure should be designed – in the interest of scalability – to meet at least the following criteria:

it should

• accommodate add-ons, including potentially different types, without creating structural breaks;

• anticipate financing requirements and individual deal conditions efficiently and adequately;

• provide for rollover equity and incentivisation mechanisms;

• consolidate governance processes efficiently; and

• enable a clean, tax-efficient exit.

2. Base model as a key strategic decision

One of the most consequential early decisions is selecting the base model that fits the particular strategy. In our experience, different platform structures have established themselves in practice depending on the industry, the intended degree of integration, and the investor model.

a. Holding-centric models with a high degree of autonomy

In roll-ups targeting fragmented markets, a pure holding structure is often the preferred approach, under which the add-ons – typically numerous – remain legally independent entities. These models generally place significant emphasis on retaining all or selected sellers and managers, with operational intervention reserved for selective purposes: shared services functions, or group-wide standards on chosen matters.

This model frequently enables high acquisition velocity, seller willingness to share risk through deferred or contingent consideration, and lower operational integration hurdles. The challenges, beyond managing the tension between autonomy and group interest, can include limited levers for direct intervention and an elevated need for coordination at governance level.

b. Integrated platform models

At the other end of the spectrum sit integrated models, in which autonomous operation by add-on companies is deliberately limited and structural consolidation – through mergers, for instance – typically follows quickly. These models are usually built around a core operating platform company, the nucleus, to which add-ons are attached.

The challenges here include greater integration complexity and, at times, stronger reservations from employees, management, and sellers of the target companies. The advantages lie in a leaner group structure with a stronger unified identity, faster realisation of operational synergies, and clear leadership and decision-making hierarchies.

c. Hybrid models

In practice, investors most often opt for hybrid models tailored to the specific target industry and its particular complexities: add-ons that initially remain legally independent, combined with the stepwise operational integration of selected functions – procurement, IT, legal, HR – potentially followed by structural consolidation over time.

3. Governance

As the number of add-ons grows, the need for clear governance structures increases proportionally. At a conceptual level, governance must follow from the chosen base model and then requires further elaboration: where decisions are made and who makes them.

Typical governance elements include:

• a clear allocation of authority between the investor, the holding or platform management, and the add-on managing directors;

• defined approval processes and reserved matters – for acquisitions, investments, management changes;

• and uniform reporting systems and KPIs.

In practice, these are implemented primarily through constitutional documents (such as articles of association), rules of procedure for the managing directors – ideally standardised across the group – and, where appropriate, shareholder agreements. Here too, the same principle applies: what works smoothly with three add-ons can quickly become dysfunctional and obstructive at ten or more. Part 3 of this series will therefore focus specifically on standardised template documentation – including the governance documentation that, depending on the base model, significantly touches on seller interests – designed to enable the efficient negotiation and execution of individual add-ons.

4. Group infrastructure

Particularly in light of operational and tax requirements, corporate groups generally require a suite of intra-group agreements. These should be tailored to the specific needs of the group and typically include a master services agreement, a group-wide data protection agreement, a cash pooling arrangement, and – where applicable – profit and loss transfer agreements.

5. Rollover equity, management equity programmes and role design

A central element of many strategies is the rollover equity participation of sellers and managers in the platform. This serves not only to partially finance the purchase price but, more importantly, to provide long-term incentivisation and commitment – for all or selected sellers and managers – to the platform group. The dynamic shifts decisively when sellers are aligned from day one with maximising the group's success and, by extension, its exit value.

For rollover equity to deliver its intended effect without creating unnecessary complexity, it should:

• enable a tax-efficient entry – often via a rollover mechanism – and exit;

• be structurally embedded cleanly in the platform and scalable;

• be substantially limited to economic participation, with governance rights clearly demarcated; and

• be drafted and communicated in a way that is straightforward to understand.

The focus on efficient handling matters here too. While rollover equity documentation must address many interrelated aspects carefully, overly lengthy and complex documentation has in our experience a tendency to slow negotiations considerably and, at times, to create difficulties beyond the negotiation table itself.

6. What follows in this series

With a sound platform structure in place, the essential prerequisites for efficient scaling are established.

There are equally important legal success factors in the execution of the individual add-on transactions themselves – and that is where the final part of this series turns. Part 3 addresses add-on transactions in the buy-and-build and roll-up context: efficient scaling through standardisation and sound judgement, covering due diligence scoping, learnings on transaction documentation, managing deal-by-deal particularities, and more.

Extraordinary events with direct impacts on the stability of supply chains have occurred regularly in recent times (the COVID-19 pandemic, the Suez Canal blockage, the war in Ukraine, attacks on merchant ships in the Red Sea). Most recently, trade conflicts involving export restrictions and new and changing tariffs have put additional pressure on companies; the escalation in the Middle East has now been added to the mix. Those with long-term supply contracts or who rely on raw materials or intermediate products are feeling this particularly acutely right now.

Fixed-price contracts are reaching their limits – price adjustment mechanisms can help

Many companies established their supply relationships still during a period of stable trade conditions – with fixed prices, fixed delivery quantities, and fixed deadlines. This approach offers planning security; at the same time, it can become a cost and liability trap in the face of sharply fluctuating prices for raw materials or intermediate products and challenging global transport routes.

When, for example, the customs situation changes significantly – as recently occurred with new U.S. import tariffs on European goods—the question arises for both buyers and suppliers: Who bears the additional costs? In contracts, the standard legal answer is initially: the party to whom the contract assigns the burden, which often stems from rather inconspicuous transport clauses such as the ICC Incoterms. An pass-through of such additional costs is usually not provided for—nor is it readily possible.

The same applies to massive price increases in the procurement of raw materials and intermediate goods, as well as the creeping erosion of remuneration due to rising inflation. Here, price adjustment mechanisms can offer security or at least some relief. While they are widespread in international transport law, there are several hurdles in national legal systems that must be taken into account. At least outside the consumer sector, international standards can also help here. A commission of the International Chamber of Commerce is currently drafting relevant proposals – with my involvement.

Force Majeure: A Powerful Term, Narrow Limits

The first instinct of many contracting parties in a crisis situation is to invoke the force majeure clause – the legal doctrine of force majeure. The logic is obvious: if external events make contract performance economically unfeasible, surely one can be released from it?

It’s not quite that simple. Classically, force majeure requires that an event was unforeseeable, originated externally, and makes contract performance objectively impossible – not merely more expensive or complicated. This is precisely where the problem lies with tariffs: A tariff generally does not make a delivery impossible. It makes it more expensive. That is not sufficient for a classic case of force majeure in most legal systems.

Added to this is the question of foreseeability. Anyone entering into a supply contract today, for example, can hardly argue that they did not have trade conflicts between the U.S. and the EU on their radar. (Arbitration) courts dealing with such cases will scrutinize such arguments critically.

Hardship clauses: The underestimated tool

More effective – and often underestimated in practice – are so-called hardship clauses. They apply not in cases of impossibility, but in cases of severe economic unreasonableness: when the underlying conditions of a contract have changed so fundamentally that adhering to the original terms becomes unreasonable for one party (see § 313 BGB).

A well-drafted hardship clause can trigger an obligation to renegotiate and, in extreme cases, even enable a contractual adjustment through the courts or arbitration. This is not a free pass – but a legitimate tool that should be taken seriously in the current situation.

The decisive factor here is what was contractually agreed upon. Many standard contracts of German companies contain no hardship provisions or only rudimentary ones. Contracts in an international context are often better equipped in this regard.

What companies should do now

The current situation is a good opportunity to review existing supply contracts and templates for future contracts to ensure they are crisis-proof. Specifically, it is advisable to examine the following points:

1. Review existing contracts

• Are the purchase or sale prices fixed, or are adjustments permitted?
• Are customs risks particularly relevant – for example, for goods from the U.S. or China? Which party bears these risks?
• Do the contracts contain a force majeure clause, and how is it worded?
• Is there a hardship clause that might allow for an adjustment?

2. Draft new contracts to be future-proof

Anyone entering into new contracts today should keep the current uncertainties in mind when drafting them.

• Are fixed-price commitments appropriate, or can price adjustment clauses help?
• How broadly should a force majeure clause be defined? Is a force majeure clause suitable for covering the relevant risk?
• Clearly defined hardship provisions can help minimize risks – not only in international contracts.
• Aligning with international standards often facilitates the acceptance of proposals in international transactions.

Conclusion and Outlook

Contract law has long been characterized by stability, predictability, and the principle of pacta sunt servanda: contracts must be honored. The new geopolitical realities challenge this principle. However, contracts generally cannot be terminated at will in the event of unforeseen complications. Companies are therefore well advised to understand their contractual foundations – and to proactively shape them for the future before an emergency arises.

Although German courts have consistently taken a strict view of environmental advertising in the past – particularly regarding claims of “climate neutrality” or “CO2 offsetting” – as the confectionery manufacturer Katjes experienced in the landmark 2024 Federal Court of Justice (BGH) ruling, in which its advertising using the term “climate-neutral” was prohibited as misleading because the claim was not explained in a sufficiently understandable manner.

With the aforementioned amendment to the UWG, this standard is now being further tightened and codified into specific legal provisions.

Scope of Application and Implementation Effort

Important for practice: The new unfair competition regulations from the EmpCo Directive apply exclusively in the B2C sector, i. e., in the relationship between businesses and consumers. In B2B transactions, the previous general standards of the UWG remain in effect. Nevertheless, the scope of application is significant, as it covers all business practices – that is, any act, omission, or communication directly related to the advertising, sale, or delivery of a product to consumers.

The implementation costs for the business sector will therefore be considerable. The draft bill estimates annual compliance costs of approximately 52 million euros, as well as one-time transition costs of approximately 355 million euros. A one-time cost of approximately 178 million euros is estimated for the review and adaptation of product information alone. Companies should therefore begin reviewing their environmental claims at an early stage.

Categories of Environmental Practices

The amendment to the UWG introduces several categories of environmental claims, each of which is subject to its own set of regulations.
Specifically, this applies, among other things, to:

• “general environmental claims,” which, due to a lack of specificity on the same medium, pose a particular risk of misleading consumers;
• “sustainability labels,” which in the future must be based on a certification system or be established by the government;
• “future environmental performance,” i. e., statements regarding environmental performance not yet achieved that are linked to a robust implementation plan;
• statements regarding “offsetting of greenhouse gas emissions,” which will always be prohibited in the future when product-specific.

This article focuses on general environmental claims:

General environmental claims – vague and high-risk

A central regulatory objective of the EmpCo Directive is so-called “general environmental claims,” whereby “general” is to be understood as “non-specific” or “vague” in contrast to “specific environmental claims.” The draft bill for the UWG amendment defines a general environmental claim as

“an environmental claim made in writing or orally, including via audiovisual media, that is not contained in a sustainability label and for which the specification of the environmental claim is not clearly and prominently stated on the same medium.”

The key point, therefore, is that the claim is either not explained at all or, in any case, not explained in more detail on the same medium.

The explanatory memorandum to the UWG amendment cites – with reference to the recitals of the EmpCo Directive – various examples of general environmental claims, such as:

• “environmentally friendly,”
• “environmentally friendly,”
• “green,”
• “nature-friendly,”
• “ecological”,
• “environmentally sound”,
• “climate-friendly”,
• “environmentally compatible,”
• “CO2-friendly”,
• “energy-efficient”,
• “biodegradable” and
• “bio-based.”

Similar phrases are also covered, provided they suggest outstanding environmental performance or create a corresponding impression. According to the legislative rationale, these are typically short, catchy terms that, taken on their own, have no verifiable meaning based on objective criteria, but are particularly memorable to consumers due to their slogan-like nature. Brand names, company names, or company logos containing environmental terms may also be classified as general environmental claims.

The regulation of such general environmental claims is particularly strict. Consequently, general environmental claims will in the future be included in the so-called “UWG blacklist,” a list of commercial practices that the legislature deems unlawful without further ado.

Accordingly, general environmental claims directed at consumers are always prohibited if the business operator cannot demonstrate an underlying so-called “recognized outstanding environmental performance.”

This somewhat cumbersome phrase, “recognized outstanding environmental performance,” is defined as follows:

“an environmental performance in accordance with

a) Regulation (EC) No. 66/2010 (EU Ecolabel),
b) national or regional environmental labeling schemes in accordance with DIN EN ISO 14024 Type I, June 2018 edition, which are officially recognized in the Member States of the European Union, or
c) environmental best practices under other applicable Union law.”

As examples, the legislative rationale specifically mentions products certified with the EU Ecolabel, the German government’s “Blue Angel” label, or the Scandinavian “Nordic Swan” label.

In practice, this means: Anyone who wishes to continue advertising with general environmental claims must be able to prove that their product lawfully bears one of the aforementioned recognized environmental labels or meets the requirements for top environmental performance under EU law. If this proof cannot be provided, the claim is unfair per se and thus risks being subject to a warning letter with costs.

“Specific environmental claims” as a panacea?

However, the strict regulation of general environmental claims by no means implies that companies will have to refrain from any environmental advertising in the future.

The draft bill offers a clear solution: the use of specified, i. e., specific environmental claims. The key distinguishing criterion between a general and a specific environmental claim is whether the specification of the claim is clearly and prominently stated on the same medium. An environmental claim that is sufficiently explained and specified on the same medium – such as on the same product packaging, in the same television or radio commercial, or on the same online sales interface – is sufficiently explained and specified does not, under the legal framework, fall under the term “general environmental claim” and is therefore not subject to the per se prohibition of the blacklist provision.

The legislative rationale illustrates this distinction with the following illustrative example from the recitals of the EmpCo Directive (see figure).

The decisive difference lies in the fact that the statement on the right has verifiable, concrete content that enables the consumer to understand the environmental aspect, the relevant stage of the life cycle, and the specific claimed effect.

The requirements regarding the degree of specificity depend on the medium. The legislative rationale explicitly clarifies that the requirements also depend on the characteristics of the medium, such as the space available on the product packaging or the time available for a commercial. Thus, a detailed scientific explanation is not required in every case—but the core message must be concretely articulated in a comprehensible manner within the same medium. Merely providing a QR code through which further information can be accessed, however, is likely to be legally problematic on a regular basis.

Yet even if a specific environmental claim is less strictly regulated than a general environmental claim, it is – unsurprisingly – still not in a legal vacuum. This is because specific environmental claims are simply subject to the general requirements of the Unfair Competition Act (UWG) regarding all advertising claims: the specific environmental claim must therefore be factually accurate and must not mislead the recipient.

Finally, it is also always impermissible to make false claims regarding the scope of an environmental claim. This is the case, for example, when the claim applies only to a part of the product but is used in advertising for the entire product. In this case, a statement that would otherwise be classified as a specific environmental claim may nevertheless be impermissible in and of itself.

In addition, specific environmental claims must also comply with broader legal requirements, such as those regarding future and the prohibition of product-related CO2 offset claims.

Recommendations and Outlook

The effective date of the UWG amendment on September 27, 2026, is drawing nearer. Companies that advertise using environmental claims should promptly subject their entire product communication – from packaging and labels to online presence and advertising campaigns – to a comprehensive review and adapt it as necessary. Since no transition period is provided for products already on the market, existing products must also comply with the new requirements as of the effective date.

It is to be expected that once the new legal framework takes effect, competitors and, in particular, consumer protection organizations will strictly monitor compliance with the new regulations and issue costly warnings in cases of non-compliance.

In upcoming articles, we will take a closer look at further aspects of the EmpCo Directive – in particular, the practical requirements for sustainability labels, the new guidelines for claims regarding future environmental performance, and the implications of the ban on CO2 offset claims.

This provides ample reason to take a structured look from a legal practitioner’s perspective. In this segment more than most, recurring patterns, clear success factors, and standardisable solutions can be identified – provided the buy-and-build or roll-up strategy is conceived not as a transaction-driven exercise "on the fly", but with sufficient lead time, clear objectives, and the involvement of specialist advisers from the outset, then executed with discipline.

This three-part series therefore examines the recurring structures, key decisions, and practical solutions from a legal perspective, offering a compact overview of the critical success factors across the full lifecycle of a buy-and-build strategy.

1. What Buy-and-Build and Roll-Ups actually are – definition and mechanics

The terms buy-and-build and roll-up are frequently used interchangeably, particularly in the Anglo-American market. Both describe the systematic construction of a corporate group or platform through a series of coordinated acquisitions – add-ons or bolt-ons. The defining feature is this: even the first transaction is not conceived as a standalone deal, but as the starting point of a repeatable, scalable model designed from day one for continuation and serial acquisitions.

Where the market does draw a distinction, it tends to run as follows:

• Roll-ups in the narrower sense typically involve acquiring a large number of broadly comparable market participants in rapid succession – usually in regionally or functionally fragmented markets – with the platform often emerging as a pure holding structure.

• Buy-and-build in the narrower sense, by contrast, describes models where a defining core business is first acquired as the platform nucleus, with further add-ons then attached to it deliberately over time.

What both approaches share is that they are – in keeping with the classic PE model – typically exit-oriented, with holding periods of around three to seven years. Alongside these, longer-horizon models also exist: evergreen structures and cashflow compounders that nonetheless regularly provide exit options for individual investors, shareholders, or management.

One structural question that must always be answered for the specific model at hand is how tightly the operational and organisational integration of the group companies is to be designed. Some models pursue rapid and comprehensive integration; others deliberately preserve greater entrepreneurial autonomy for the acquired businesses. This foundational decision has direct consequences for structure, governance, contract design, and post-merger integration.

The economic logic of buy-and-build and roll-up strategies – touched on here only briefly – rests on several elements:

• accelerated inorganic growth;

• operational synergies and efficiency gains across products, processes, procurement, IT, HR, and legal functions;

• targeted market consolidation and market share gains; and

• valuation effects at group level – what the market calls multiple arbitrage.

The goal is to generate value creation that materially exceeds the mere sum of individual targets. For sellers, this also means the ability to achieve significantly higher purchase prices – typically expressed as EBITDA multiples – than a conventional trade sale within their own industry would yield.

The typical target sectors are those with fragmented markets characterised by small and mid-sized participants, often regional in footprint and not optimally scaled operationally. Examples range from IT and software services to healthcare-adjacent businesses, trades and craft services, and regulated professional service structures.

In 2025, the roll-up strategy has also made a significant mark on the venture capital and start-up world. A number of investors – General Catalyst and 8VC among them – have been acquiring mature, labour-intensive services businesses at scale, spanning customer services, legal services, accounting, and IT services, as well as start-ups, with the primary aim of fundamentally transforming service delivery through the platform-wide deployment of artificial intelligence. The goal is an AI-native platform that achieves margin structures that remain out of reach for conventional software vendors. In doing so, these strategies borrow heavily from the private equity playbook, and in these segments the boundaries between venture capital and private equity are increasingly blurring.

2. Success factors from a legal perspective

The emphasis on repetition and scalability is precisely what sets buy-and-build and roll-up strategies fundamentally apart from individual one-off transactions. The real challenge lies not in the first acquisition, but in building a model that is legally, organisationally, and operationally robust over the long term. A number of central success factors have emerged – each of which will be explored in greater depth in the subsequent parts of this series.

A clear platform structure that is sound from a regulatory, tax, and operational perspective – before the first add-on

Before the first bolt-on is executed, the structure on which the entire group will be built long-term should already be settled. This includes in particular the holding structure, the long-term financing logic, and the integration into the governance mechanisms of the financial investor. Equally important is how the structure connects with further elements: potential future seller rollover equity, possible co-investments by strategic partners such as industry experts, and incentive programmes for the operational team and, where relevant, key employees of add-on targets.

In regulated business areas, the central preliminary question is how to create a structure that is legally permissible on the longest possible horizon – ideally one already designed with headroom to adapt if the regulatory environment tightens.

Scalable acquisition documentation – including any rollover equity, earn-out, or bonus components – in place before the first add-on

Repetition is the core of these strategies. Accordingly, key transaction documents should be conceived early, modularly, and with a sense of proportion. It is therefore virtually essential – departing from the default logic of individual transactions – that the buyer rather than the seller provides the documentation, and that the buyer picks the notary, ideally one already familiar with the structure.

This encompasses:

• standardised term sheets, SPA/APA frameworks, and foundation documents – articles of association, shareholder agreements, service contracts – built with a modular structure and optional schedules;

• clear mechanics around liability and purchase price; and

• a robust, clearly communicable, and practically implementable framework for rollover equity, earn-outs, and management incentivisation.

The focus should be on creating a documentation package that is easy to understand for sellers – who are often first-time participants in such processes – adapted to the specific industry and its particular challenges, and stripped back to the essentials. The goal is not maximum rigidity, but a solid framework that forms the foundation for efficient add-ons. It is particularly important to involve the acquirer – typically the financial investor – substantively in designing the template documentation, for instance through workshops, so that sector-specific and target-group-specific factors are built in from the start.

Consistent, standardised execution of add-ons with efficient timelines and clear process discipline

Building on that documentation, the transaction strategy should then be executed as consistently as possible. This is supported by a pragmatically scoped due diligence focused on core concerns, together with clear roadmaps, timelines, and defined responsibilities.

The advantages of a well-prepared, repetition-oriented approach should be exploited systematically. This includes making the bulk of the pre-drafted documentation available to sellers at an early stage. It is also typically understandable – and accepted – by sellers that a business model designed for numerous parallel and efficient transactions cannot accommodate the renegotiation of every individual point or the creation of unnecessary complexity. Certain structures and processes are simply non-negotiable – an effect that grows stronger with each successive transaction and an expanding track record. The trade-off, as a rule, is a purchase price multiple meaningfully above what a trade sale in the same industry would deliver.

That said, deviations from the standard will arise in virtually every deal and will sometimes be warranted. The decision to deviate should always be made consciously, as a deliberate exception – not out of a lack of process discipline or negotiating inertia. Over time, it often becomes possible to define a "standardised" range of flexibility for certain points and hand that to the deal team and advisers to work with autonomously.

Fine-tuning after the first transactions

Few deal settings offer the same opportunity as these strategies to draw concrete conclusions and apply them to future add-ons. Ongoing attention should be paid to refining the due diligence scope, the individual transaction documents, and the communication and negotiation processes – continuously raising efficiency. It is particularly worthwhile to compile with advisers a running list of typical negotiation points and the corresponding parameters and solutions, enabling them to act autonomously and efficiently. Realistically, a first round of this kind of fine-tuning can take place after the third add-on – but it should then be repeated at planned intervals thereafter.

3. What follows in this series

Buy-and-build and roll-up strategies offer substantial opportunity and are successfully executed in practice across a wide range of contexts. What ultimately matters, however, is approaching execution in a structured and disciplined manner – with clear guardrails, scalable frameworks, and a realistic view of the people and organisations involved.

The remaining parts of this series explore these themes in depth.

• Part 2 addresses the platform as foundation – covering possible base structures, central governance decisions, and their implications for scalability and control.

• Part 3 examines the efficient execution of add-on transactions – including due diligence scoping, learnings on transaction documentation, managing deal-by-deal particularities, and the dynamics of negotiation.
  

Obligation to disclose major holdings of voting rights

Under the German Securities Trading Act (WpHG), anyone who reaches, exceeds or falls below 3%, 5%, 10%, 15%, 20%, 25%, 30%, 50% or 75% of the voting rights in a company whose shares are admitted to trading on an organised market (such as the regulated market on a German stock exchange), must notify the company and BaFin and publish this notification. This is intended to ensure that the company and the capital market are informed at an early stage of a stakebuilding and a potentially imminent takeover bid. To prevent circumvention (also known as ‘creeping in’), voting rights from shares owned by other persons are attributed to the person subject to the disclosure obligation on the basis of detailed attribution criteria.

Mandatory offer following acquisition of control

The acquisition of a major holding of voting rights also triggers certain obligations of the acquirer of control over a listed company as set out in the German Securities Acquisition and Takeover Act (WpÜG). This so-called bidder must immediately disclose the holding of 30% or more of the voting rights and offer to purchase the shares of the company’s other shareholders in return for adequate consideration (so-called mandatory offer). Voting rights held by other persons are also attributed to the bidder. In this context, the criteria for attribution (usefully) correspond to those applicable to voting rights notifications under the WpHG.

Acting in Concert

The attribution criterion of a so-called ‘acting in concert’ is of particular significance. Under German law, the voting rights of persons with whom a shareholder subject to the notification requirement or a bidder coordinates his conduct with respect to a listed company on the basis of an agreement or otherwise are attributed to that shareholder or bidder. Agreements in individual cases are exempted. According to the wording of the law, acting in concert requires an agreement on the exercise of voting rights or collaboration with the aim of bringing about a lasting and significant change in the company’s business strategy in any other way.

European law requirements

The requirements of different European directives apply to the obligation to disclose major holdings of voting rights and to mandatory offers. Voting rights disclosures are regulated in the Transparency Directive, mandatory offers in the Takeover Directive. In Germany, these have been implemented into national law in the WpHG and the WpÜG.

The ECJ ruling of 12 February 2026

According to the ECJ ruling, a provision of member state law resulting in the attribution of voting rights where the holders of voting rights coordinate their conduct in relation to the issuer in a manner other than on the basis of an ‘agreement’ concluded between them is contrary to European law. An exception applies to attribution directly related to takeover bids, mergers and other transactions affecting the ownership structure or control of companies. This is because such far-reaching attribution of voting rights is not only not provided for in the Transparency Directive. Member States are in fact expressly prohibited from imposing stricter rules on voting rights disclosure than those laid down in the Transparency Directive. There are only a few exceptions to this principle of maximum harmonisation, for example in relation to additional notification thresholds, stricter substantive requirements for voting rights notifications or – as set out by the ECJ – in direct connection with takeover bids and comparable corporate transactions.

The BaFin supervisory notice of 20 March 2026

BaFin subsequently announced on 20 March 2026 that, with immediate effect, it would only apply the aggregation of voting rights in relation to voting rights disclosure obligations in the cases provided for in the Transparency Directive. Specifically, this means:

1. Voting rights will only be attributed on the basis of an ‘acting in concert’ if the holders of voting rights coordinate on the consensual exercise of voting rights on the basis of an agreement that obliges the parties to pursue a common policy regarding the management of the issuer in question over the long term. So far BaFin has understood the term ‘agreement’ to encompass any form of contract under civil law. It must be legally binding, but the specific form is not relevant. A verbal agreement is therefore sufficient if the parties wish to be bound by it.
2. BaFin will no longer apply further attribution criteria not provided for in the Transparency Directive. In this regard, BaFin cites

• Section 34(1) sentence 1 no. 3 WpHG (voting rights arising from shares transferred as collateral) and
• Section 34(1), sentence 1, no. 5 WpHG (voting rights arising from shares that may be acquired on the basis of a declaration of intent – so-called ‘option in rem’).

The supervisory practice set out in Module 2 of BaFin’s Issuer’s Guide and the BaFin FAQs therefore no longer applies in this respect.

By contrast, the supervisory practice regarding the attribution of voting rights in connection with the acquisition of control pursuant to Sections 29, 30 of the WpÜG and a mandatory offer to be made thereafter remains unchanged. This means that the previous grounds for attribution, including the previous broader concept of ‘acting in concert’, continue to apply here without change.

Consequences

As a result of the ECJ ruling of 12 February 2026, the relevant statutory provisions on the attribution of voting rights under the WpHG are no longer applicable until further notice. Therefoe, some of the circumstances under which holdings are aggregated for voting rights notification requirements under the WpHG and for the acquisition of control under the WpÜG now differ. This presents increased challenges for investors subject to notification requirements and for issuers.

The BaFin supervisory notice applies “until an amendment in line with European law” is made to the attribution provisions. A corresponding adjustment of the voting rights notification obligations by the German legislator should be adopted as soon as possible in order to eliminate the complexity resulting from the ECJ ruling. A corresponding adjustment of the attribution criteria under the WpÜG should also restore alignment between the provisions governing voting rights notifications and the acquisition of control. The Takeover Directive does not preclude this, as it merely provides for the linking of the control triggering a mandatory offer to a voting rights threshold, whilst leaving the specific level and method of calculation to the national law of the EU Member States.

Further information:

• BaFin supervisory notice of 20 March 2026 (only available in German)
• ECJ judgment of 12 February 2026 in Case C-864/24
• Transparency Directive: Directive 2004/109/EC of 15 December 2004, OJ L 390, 31 December 2004, p. 38 (Transparency Directive); amended in particular by Directive 2013/50/EU of 22 October 2013, OJ L 294, 6.11.2013, p. 13 (Transparency Directive Amendment Directive).
• Regarding the Takeover Directive: Directive 2004/25/EC of the European Parliament and of the Council of 21 April 2004 on takeover bids, OJ L 142, 30.4.2004, p. 12.

Internationally structured corporate groups frequently employ cross-entity matrix structures in which executives of a foreign group company exercise supervisory functions vis-à-vis employees of a German subsidiary – not uncommonly exclusively by videoconference from abroad.

In practice, the question frequently arises as to whether and when the deployment of foreign group executives constitutes a co-determination-relevant "hiring" (Einstellung) within the meaning of Section 99(1) sentence 1 of the German Works Constitution Act (Betriebsverfassungsgesetz, BetrVG), thereby triggering the works council's right of consent. In a recent decision, the Federal Labour Court (BAG) has, for the first time, addressed a cross-entity and simultaneously cross-border matrix organisation and has specified the requirements for a hiring under works constitution law in this context.

Facts of the Case

The employer manufactures and distributes mass spectrometers and employs approximately 500 employees at its sole establishment in Germany. The company is part of a US-based corporate group which operates cross-entity matrix structures.

Four individuals were active in the German establishment who did not have an employment relationship with the employer but were employed by a group company domiciled abroad. They performed their duties for the employer's establishment exclusively by way of videoconferences. In relation to certain employees of the employer, they held supervisory functions and the right to issue instructions.

The works council took the view that the engagement of these four individuals constituted hirings within the meaning of Section 99 (1) sentence 1 BetrVG by virtue of their integration into the establishment, and applied for the judicial reversal of the personnel measures. The employer objected, arguing that the requisite right to issue instructions was lacking, as was sufficient collaboration between the four individuals and the employees working in the establishment.

The Labour Court of Bremen-Bremerhaven initially ruled in favour of the works council, and the Higher Labour Court (Landesarbeitsgericht, LAG) of Bremen also dismissed the employer's appeal.

Decision

The BAG overturned the decision of the LAG and remanded the case for a new hearing and decision. The key findings of the BAG can be summarised as follows:

First, the BAG confirmed that the scope of application of the BetrVG is open. Pursuant to the territoriality principle, Sections 99 et seq. BetrVG apply to all domestic establishments, irrespective of the employer's registered office, the registered office of the group parent company, or the legal system applicable to the individual employment relationship. The only relevant question is whether the person concerned is integrated into the establishment located in Germany.

At its core, however, the BAG held that the LAG had incorrectly assumed that, for the integration of executives employed by another group company (so-called matrix managers), it was irrelevant whether they themselves were subject to the instructions of the establishment owner (Betriebsinhaber). The BAG made unequivocally clear: a hiring within the meaning of Section 99(1) sentence 1 BetrVG always requires that the person concerned performs work subject to instructions and that the establishment owner holds at least a partial right to issue instructions – typical of an employment relationship – with respect to the content, place and time of the activity. This applies expressly also to executives in matrix structures.

The requisite personnel authority (Personalhoheit) of the establishment owner cannot be substituted merely by appointing intra-group executives as supervisors of the employees already belonging to the establishment.

Furthermore, the BAG criticised the LAG for having failed to make sufficient findings regarding the joint realisation of the establishment's operational purpose (arbeitstechnischer Betriebszweck). The mere finding that an executive holds a "right to issue professional instructions" (fachliches Weisungsrecht) is insufficient, as this is not a defined legal term and does not, in itself, establish whether the executive is in fact involved in the operational tasks and work processes of the establishment. Specifically, the executives must regularly collaborate with the employees working in the establishment in order to carry out the tasks assigned to them, thereby actually exercising their professional instructional authority. Conducting target agreement discussions or mere coordination of leave alone does not, in itself, permit the conclusion that the individual is integrated into the establishment.

At the same time, the BAG provided the LAG with several important guidelines for the new proceedings: for the question of integration, it is generally irrelevant how frequently or to what temporal extent the activities carried out in furtherance of the establishment's purpose take place. Neither quantitative nor qualitative minimum requirements can be derived from the statute. Likewise, it is not necessary for the person concerned to perform their work on the premises of the establishment or to be physically present to any minimum extent. The fact that the four executives reside abroad and work from there does not, in principle, preclude a hiring. Finally, simultaneous integration into multiple establishments is possible, as the BetrVG contains no provision that would preclude this.

Practical Implications

The decision is of far-reaching significance for the day-to-day advisory practice of internationally structured corporate groups with matrix organisations.

It is now established that the principles of works constitution law regarding integration also apply to matrix executives based abroad who are employed by a foreign group company. Employers deploying intra-group executives in a German establishment should therefore carefully assess whether and to what extent the German company, as the establishment owner, holds the employer-typical right to issue instructions vis-à-vis these executives that is required for integration.

Where the German subsidiary lacks at least partial personnel authority – which is frequently the case in practice where the management level of the German company is hierarchically positioned below the foreign executives – a co-determination-relevant hiring is precluded on this ground alone. The mere coexistence of employee groups of different group companies within a single establishment does not, in itself, give rise to a co-determination right of the works council under Section 99 BetrVG.

On the other hand, the BAG deliberately sets a low threshold for affirming integration: neither a minimum temporal extent of the activity nor physical presence in the establishment is required. Even an activity carried out exclusively by videoconference from abroad may constitute a hiring, provided the remaining requirements are met.

The decisive factor remains the overall assessment of all circumstances of the individual case, focusing on the specific involvement in the operational tasks and work processes of the establishment.

Questions that remain open after the decision include, among others, what degree of subordination to instructions is sufficient in the individual case and whether, in addition to the right to issue professional instructions, the establishment owner must also hold a disciplinary right to issue instructions vis-à-vis the executive.

Employers with matrix structures should closely monitor the further development of case law and review their intra-group personnel organisation in light of these new principles.

In its decision of December 2, 2025 (Ref. 9 AZB 3/25), the Federal Labour Court ruled that a plaintiff serving as the general director of a municipal theatre is an employee within the meaning of Section 5 (1) sentence 1 of the German Labour Court Act (ArbGG) and Section 611a of the Civil Code (BGB). Despite extensive artistic freedom in shaping the repertoire, casting roles, and assigning directing duties, the Federal Labour Court affirmed the plaintiff’s employee status, as the artistic director’s contract, in conjunction with the municipal theatre’s bylaws and rules of procedure, established comprehensive subordination to instructions and external control. A decisive factor was that the mayor, as the superior, exercised process-oriented legal supervision and, in the event of a conflict, had comprehensive powers of intervention that could override the decisions of the general artistic director.

A. Facts of the Case

The parties are in dispute over the admissibility of legal action before the Labour Courts in the context of an unfair dismissal proceeding.

The plaintiff worked as General Director (1st Artistic Director) of a theatre operated as an independent agency of the defendant city for a period of five years on the basis of a “Director’s Contract” concluded on July 7, 2021. He was responsible, in particular, for independently designing the program, casting roles, and assigning directing and conducting duties. In addition, the plaintiff – in agreement with the administrative director – was responsible for concluding and terminating contracts, in particular permanent employment and service contracts, as well as for concluding, renewing, or not renewing fixed-term employment or service contracts. The plaintiff received a gross monthly salary of €15,000.00 plus an annual bonus amounting to 60% of a gross monthly salary.

The artistic director’s contract provided that, while the plaintiff was subject to the legal supervision of the mayor as his employer, he was not subject to the mayor’s technical supervision with respect to artistic decisions. The plaintiff was required to report and obtain approval for secondary employment and to submit a certificate of incapacity for work before the end of the third day of incapacity. He was entitled to continued pay in the event of illness for up to six weeks, as well as to 45 calendar days of paid vacation annually, which had to be reported to the legal entity and was generally to be taken during the theatre’s vacation period. However, he was not required to document his daily working hours. The plaintiff was also not required to use the office provided to him.

Together with the Administrative Director, the General Director formed the theatre’s two-person management team. The in-house operating bylaws and rules of procedure referenced in the contract governed the organization of the theatre, the duties of the management team, and the powers of the management committee and the mayor as the employer in detail.

The defendant city terminated the contractual relationship with the plaintiff without notice by letter dated August 1, 2024. The plaintiff subsequently filed an action for unfair dismissal with the Erfurt Labour Court and asserted a claim for continued employment.

The defendant challenged the admissibility of the legal action before the Labour Courts and moved for referral to the Regional Court on the grounds that the plaintiff was not an employee within the meaning of Section 5 (1) sentence 1 of the German Labour Court Act (ArbGG) and Section 611a of the German Civil Code (BGB), but had been working under a freelance contract.

The Erfurt Labour Court (see decision of Oct. 30, 2024 – 5 Ca 1430/24) and – subsequently, on appeal – the Thuringia Regional Labour Court (decision of Jan. 27, 2025 – 2 Ta 81/24) affirmed the plaintiff’s status as an employee and the jurisdiction of the Labour Courts.
With the admitted appeal, the defendant continued to pursue before the Federal Labour Court the referral of the legal dispute to the Regional Court that it sought.

B. Reasons for the Decision of the Federal Labour Court

The Federal Labour Court dismissed the appeal as unfounded, classifying the plaintiff, who was employed as a general director, as an employee within the meaning of Section 5 (1) sentence 1 of the German Labour Court Act (ArbGG) and Section 611a of the German Civil Code (BGB), and consequently affirming the jurisdiction of the Labour Courts.

In the opinion of the Federal Labour Court, the present case concerns a civil dispute between an employee and an employer arising from an employment relationship, such that, pursuant to Section 2 (1) No. 3 lit. a) of the German Labour Court Act (ArbGG), the Labour Courts have jurisdiction.

I. Not a “sic non” case

The Federal Labour Court first confirmed the Regional Labour Court’s view that this is not a so-called “sic non” case, in which the claim can only be well-founded if the legal relationship is classified as an employment relationship, such that the mere assertion of this legal claim opens the legal avenue to the Labour Courts. Since the validity of the extraordinary termination would also have to be reviewed under the standard of Section 626 of the German Civil Code (BGB) even within the context of a contract for services, the success of the main claim does not depend on the plaintiff’s status as an employee. The mere legal assertion of being an employee is therefore insufficient to establish the jurisdiction of the Labour Courts.

II. No Application of Section 5 (1) Sentence 3 of the German Labour Court Act (ArbGG)

In the opinion of the Federal Labour Court, the plaintiff is also not a legal representative of the defendant city within the meaning of Section 5 (1) sentence 3 of the German Labour Court Act (ArbGG). As the first plant manager and a member of the management of the municipal enterprise, he did not represent the city as a legal entity, but merely in matters concerning the municipal enterprise established by it, subject to the instructions of the mayor as the city’s actual legal representative.

III. Definition of “employee” under Section 5 (1) sentence 1 of the German Labour Court Act (ArbGG), 611a of the German Civil Code (BGB)

In assessing whether the plaintiff is an employee within the meaning of Section 5 (1) sentence 1 of the German Labour Court Act (ArbGG), the Federal Labour Court based its decision on the definition of an employee codified in Section 611a of the German Civil Code (BGB). According to this provision, an employee is a person who, on the basis of a contract under private law, is obligated to perform work subject to instructions and external control in a relationship of personal dependence in the service of another. The right to issue instructions may concern the content, performance, time, and place of the work. A person is subject to instructions if they cannot, in essence, freely organize their work or determine their working hours. The degree of personal dependence also depends on the nature of the respective activity. To determine whether an employment contract exists, an overall assessment of all circumstances must be made. If the actual performance of the contractual relationship indicates that it is an employment relationship, the designation in the contract is irrelevant.

The Federal Labour Court clarified that the right to issue instructions under an employment contract is characterized by being person-specific and process-oriented – in contrast to the task-specific and results-oriented instructions given to a self-employed person. To determine whether an employment relationship exists, a comprehensive assessment of all circumstances must be made, taking into account constitutional considerations, in particular the freedom of the arts under Art. 5 (3) of the Basic Law (see BAG 30 Nov. 2021 – 9 AZR 145/21, NZA 2022, 623, para. 36 et seq.). An employment relationship can only be assumed if the circumstances indicating personal dependence are given sufficient weight within the required comprehensive assessment or if they characterize the legal relationship (see BAG Dec. 1, 2020 – 9 AZR 102/20, NZA 2021, 552). If the actual performance of the contractual relationship indicates that it is an employment relationship, the designation in the contract is irrelevant (see BAG 17 Dec. 2024 – 9 AZR 26/24, NZA 2025, 1243, para. 20 et seq.).

IV. Subordination to Instructions Despite Artistic Freedoms

Despite the far-reaching freedoms in the artistic sphere, the Federal Labour Court affirmed the plaintiff’s obligation to follow instructions. The artistic director’s contract provided for comprehensive legal supervision by the mayor as the superior, which could extend not only to work results but also to procedural processes. The right to issue instructions was thus also process-oriented. The rules of procedure provided for a comprehensive right of intervention by the mayor in the event that the general director and the administrative director, as the responsible heads of the institution, could not reach an agreement, including in matters left to their independent discretion. In the event of a conflict, the mayor could therefore fully override the general director’s decision.

V. External Control Through Organizational Integration

The Federal Labour Court further found that the plaintiff’s work was subject to external control due to his integration into the theatre’s organization, which was strongly oriented toward the division of Labour. The theatre’s management structure provided for close cooperation between the General Director and the Administrative Director, as well as oversight by the Mayor and the Theatre Committee, whose decisions could override those of the General Director in the event of a conflict. The administrative director, too, could ensure in all areas that the mayor’s decision superseded that of the general director. In addition, close cooperation and coordination with the theatre’s works committee was required, as the committee could demand information from the theatre management at any time regarding the conduct of business and the status of the municipal enterprise. The obligation to report and obtain approval for secondary employment, as well as the requirement to submit a certificate of incapacity for work starting on the third day of illness, further underscored the integration into the operational organization.

VI. Overall Assessment

In its comprehensive assessment, the Federal Labour Court concluded that the mayor’s authority to issue instructions and the degree of external control resulting from the plaintiff’s close integration into the theatre’s work organization carry significant weight and do not allow the work to appear essentially independent. In contrast, factors that would suggest a freelance relationship – such as the freedom to organize one’s own working hours and the lack of a specified workplace – take a back seat. The distinctive feature of the case lies in the fact that, in the event of a conflict, the administrative director could secure decisions from other bodies in all areas of responsibility, significantly restricting the artistic director’s freedom. Even the freedom of the arts under Article 5(3) of the Basic Law and a potentially stricter standard of review cannot, in the opinion of the Federal Labour Court, alter this, since the nature of the work, due to the contractual arrangement, does not prove to be so independent that the legal relationship could be regarded as a freelance arrangement. The Federal Labour Court emphasized that the specific nature of the General Director’s work does not have a decisive influence on the classification of the legal relationship, since the work can be performed, depending on its structure, both within the framework of an employment relationship and within the framework of a freelance service relationship.

Since the interpretation of the contract (pursuant to Sections 133 and 157 of the German Civil Code) already establishes the existence of an employment relationship, the question of the actual performance of the contract is irrelevant in the present case.

C. Practical Note

The decision makes clear that the classification of a worker as an employee or an independent contractor does not depend on the contractual designation or the nature of the work, but solely on the specific factual structure of the contractual relationship. The decisive factor is whether the employer’s right to issue instructions is structured in a manner that is more personal and process-oriented – and thus typical of an employee – or more task-oriented and results-oriented.

Contracts that – as in the present case – provide for comprehensive legal supervision as well as far-reaching rights of intervention by the employer and integrate the worker into a highly division of labour-oriented organizational structure regularly lead to a finding of employee status – even if there are far-reaching freedoms in the core artistic area. Nor can the freedom of the arts under Article 5 (3) of the German Basic Law (GG) compensate for de facto integration typical of an employee.

The decision is likely to have a ripple effect beyond the specific case on comparable situations in the cultural and creative industries – such as managerial positions at other cultural institutions, festival directors, or museum directors in similarly division-of-Labour-based organizational structures. Legal entities of cultural institutions should review their existing organizational structures and, if necessary, adapt them to avoid the unintended classification of a contractual relationship as an employment relationship – or consciously accept the consequences of an employment relationship, in particular the applicability of the Unfair Dismissal Protection Act, the Continued Remuneration Act, and other protective provisions under Labour law.

For companies, this increasingly raises the question of the direction in which European digital law is evolving and whether the announced relief will actually materialize or whether new uncertainties will arise. The following overview highlights current developments regarding the Data and AI Omnibus and assesses their practical relevance.

I. Background and Objectives

The European Commission’s omnibus initiatives are set against the backdrop of increasingly complex and fragmented digital regulation. In recent years, key legislative acts – including the GDPR, the Data Governance Act, the Data Act, and the AI Regulation – have been developed and adopted, in some cases in parallel, without their interactions being consistently coordinated. As a result, companies are frequently confronted with overlapping obligations, unclear demarcation issues, and increased compliance burdens.

Against this backdrop, the Commission’s omnibus proposals aim to selectively adapt existing regulations, better align them with one another, and improve their practical applicability. The focus is particularly on reducing bureaucratic burdens and promoting innovation, especially in the areas of data-driven business models and artificial intelligence. At the same time, it is clear that the planned adjustments are not merely technical in nature but concern key policy decisions in European digital law.

II. Data Omnibus

The proposal for a “Digital Omnibus” represents the first concrete intervention in the regulatory framework of the GDPR since its entry into force. The goal is to modernize the regulation in specific areas, integrate it more closely with related regulations – particularly the Data Act and the AI Regulation – and, at the same time, reduce practical implementation challenges.

1. Planned Changes

In terms of content, the planned changes focus primarily on three areas: First, the central concept of “personal data” is clarified, with future provisions placing greater emphasis on concrete identifiability by the respective data recipient . Second, it is clarified that the processing of personal data for the training, testing, and validation of AI systems may, in principle, be based on a legitimate interest. Third, a limited exception is introduced for the processing of special categories of personal data in the AI context, provided that such processing is unavoidable and not targeted.

Accompanying adjustments are planned, such as clarifying specific definitions (e. g., health data), easing transparency and reporting obligations, and further harmonizing procedural requirements in conjunction with other digital legislation.

2. Current Status

The Digital Omnibus is currently still undergoing the legislative process at the EU level. The Commission’s proposal from November 2025 is currently being debated in the European Parliament and the Council. In parallel, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) submitted a joint opinion in February 2026 that is significantly shaping the further legislative process.

While the supervisory authorities expressly support the goal of simplifying and harmonizing the digital legal framework, they simultaneously voice significant criticism of key elements of the proposal. The focus is particularly on the planned amendment to the definition of “personal data.”

The Commission bases this adjustment primarily on a recent ruling by the ECJ (Case C-413/23 P – EDPS v. SRB). In this decision, the Court clarified that data is not considered personal data for a specific recipient if that recipient cannot identify the data subject using “means reasonably available to them.” At the same time, however, the ECJ emphasizes that data can regain its personal character as soon as it reaches a recipient who has the means to identify the data subject.

This is precisely where the criticism begins: The Omnibus Proposal addresses this case law only selectively and, in the view of the EDPB and EDPS, goes significantly beyond it. In particular, the proposed clarification that data should not be considered personal merely because another recipient could identify it contradicts the CJEU’s case law.

The supervisory authorities see this as a significant threat to the level of protection afforded by data protection law. The proposed redefinition would noticeably narrow the scope of the GDPR and could incentivize companies to deliberately structure data processing in such a way that it formally falls outside the scope of the regulation. Furthermore, new difficulties in defining boundaries would arise, leading not to greater legal certainty, but to less.

Further points of criticism relate in particular to:

• Pseudonymization: The planned option to determine, through implementing acts, when pseudonymized data no longer qualifies as personal data is viewed as contrary to the system, as this affects the core area of data protection law.
• AI-specific exemptions: While it is acknowledged that practical challenges exist, for example, in the training of AI systems, the proposed blanket exemptions (e. g., regarding legitimate interests or sensitive data) are deemed too vague and potentially threatening to fundamental rights.
• Protection of fundamental rights: Overall, the proposal is criticized for going beyond a mere “technical simplification” in some respects and potentially resulting in substantial changes to the level of protection provided by the GDPR.

As a result, the interim assessment is therefore ambivalent: While individual simplifications—such as regarding reporting obligations or in the research sector - are viewed predominantly positively, the encroachments on core concepts of data protection law in particular raise significant concerns. Against this backdrop, extensive revisions are still to be expected in the further legislative process.

III. AI Omnibus

1. Planned Changes

In terms of content, the planned changes in the AI Omnibus focus primarily on three areas. First, overlaps between the AI Regulation and other regulatory frameworks – particularly the GDPR – are to be reduced, and questions of demarcation are to be clarified. Second, simplifications are envisaged for the development and deployment of AI systems, for example regarding the handling of training data and risk-based requirements. Third, the proposals aim to simplify compliance and conformity procedures, particularly through standardization and reduced documentation requirements. Additionally, closer integration with existing sector-specific regulations and supervisory structures is planned.

2. Current Status

The AI Omnibus is also currently undergoing the legislative process. Following the publication of the Commission’s proposals in November 2025, the Member States have already agreed on a common Council position; in the European Parliament, the lead committees (IMCO and LIBE) have adopted a compromise text. The plenary vote is imminent, after which trilogue negotiations are set to begin.

In terms of content, the discussion remains highly contentious. At the center of the debate is, in particular, the question of whether and to what extent certain sectors should be exempted from key requirements of the AI Regulation. The Parliament’s proposal aims to remove parts of the scope of application – particularly in the area of already regulated product sectors – from the direct application of the AI Act or to transfer them to other regulatory mechanisms.

However, it is precisely these approaches that have drawn significant criticism. For one thing, representatives of the certification and standardization industry warn of a structural weakening of the risk-based approach of the AI Regulation. In particular, postponing or removing key provisions in Annex I could result in large portions of industrial AI systems no longer being directly subject to the requirements of the AI Act. This would undermine the uniform regulation sought thus far and lead to a fragmentation of the legal framework.

On the other hand, there are fears that the proposed changes will lead not to less, but to more bureaucracy and legal uncertainty. If requirements were increasingly shifted to sector-specific regulations in the future, these would first have to be specified through additional legislative acts. This would delay the implementation process and further complicate the regulatory landscape.

Significant risks are also seen with regard to standardization: ongoing work on harmonized AI standards could be partially undermined or would need to be adapted, which would lead to further delays. Additionally, there is a risk of losing expertise if key application areas fall outside the scope of the regulation.

Finally, there is no unified political stance either. While parts of Parliament and industry welcome the proposed exemptions as a necessary step to avoid double regulation, other voices – including national governments – warn against lowering the level of protection and weakening the horizontal structure of the AI Regulation.

IV. Impact on Practice

The current drafts of the Data and AI Omnibus should be understood less as deregulation and more as a realignment and, in some cases, a shift in existing regulatory priorities. The practical effects are particularly evident in the following areas:

1. Increasing relevance of classification decisions in data protection

The proposed realignment of the concept of personal data shifts a significant portion of compliance to the upstream qualification decision. For companies, this means that in the future, it will be necessary to examine and document even more rigorously whether and for whom a personal reference actually exists.

In practice, this does not lead to a blanket reduction in burden, but rather to higher requirements for data classification, technical access controls, and documentation. Particularly in the case of data processing involving a division of labor (e. g., cloud, platforms, AI training), it will be crucial to determine which actors have the means to re-identify individuals. Companies should therefore map their data flows in granular detail and clearly separate the respective perspectives of individual processing units.

2. More leeway in AI training

The explicit inclusion of legitimate interest for AI training points to greater flexibility in the future. At the same time, the focus is shifting toward the qualitative nature of the balancing of interests.

In practice, this means that companies cannot rely on a “blanket” legal basis but must comprehensively justify and safeguard their training processes. This includes, in particular, transparent definitions of purpose, technical safeguards (e. g., against data leaks or regurgitation), as well as robust arguments regarding the benefits and foreseeability of the processing. The requirements for internal documentation and governance are thus likely to increase, even if consent processes could be reduced in the future.

3. Risk of Fragmented AI Regulation Due to Sectoral Exemptions

The sectoral exemptions discussed in the AI Omnibus have potentially significant practical implications. Should entire industries be excluded from the direct scope of the AI Regulation, this would disrupt the previously uniform legal framework.

Companies would then face the challenge of having to account for different regulatory frameworks simultaneously, depending on whether an AI system falls under the AI Act or under sector-specific product law. Rather than simplifying matters, this could lead to additional coordination needs between compliance, product, and regulatory teams.

V. Conclusion and Outlook

The omnibus initiatives clearly demonstrate that European digital law is in a phase of realignment. The aim of simplifying existing regulations and better aligning them with one another faces fundamental conflicts of interest – particularly between promoting innovation and maintaining high standards of protection.

In the case of both the Data and AI Omnibus initiatives, it is already clear at this stage of the proceedings that key proposals are politically contentious and may undergo significant changes in the further legislative process. In particular, the discussion regarding the personal nature of data in data protection as well as sectoral exemptions within the scope of the AI Regulation is likely to shape further negotiations.

In practice, this means that no fundamental relief is to be expected in the short term. Rather, a transitional phase is to be anticipated in which regulatory guidelines are only just emerging. In the long term, however, the omnibus initiatives could contribute to a clearer structure and better integration of European digital law.

This article was created in collaboration with our student employee Emily Bernklau.

In a press release, marking the publication of the new General Export Authorization 48 (GEA 48), the Federal Minister for Economic Affairs Katherina Reiche stated:

“Iran's indiscriminate attacks on the Gulf states have created an urgent need for military equipment there, particularly for air defense. At the same time, Ukraine's need for military support, especially for air defense, remains as urgent as ever. With the new, temporary GEA 48, we are adapting our arms export control procedures for the export of urgently needed military equipment to these countries to meet the new requirements. In doing so, we are ensuring swift and unbureaucratic exports to strengthen their defense systems and are thus sending a signal of solidarity.”

GEA 48 has been in force since March 20, 2026, and is valid for six months until 15 September 2026.

What is a General Export Authorization (GEA)?

General Export Authorizations are a type of export license that have the same legal effect as individual licenses but do not require a prior application to the Federal Office for Economic Affairs and Export Control (BAFA). Instead, they are issued by BAFA, publicly announced and henceforth apply to all exports and transfers that meet the conditions specified in the respective GEA.

As a result, exporters can carry out transactions covered by a GEA immediately, ensuring both speed and planning certainty for the duration of the authorization.

Scope of the GEA 48

GEA 48 defines its scope of application with reference to the types of goods it covers, their intended use, and the authorized recipients and destinations.

Authorized Goods

GEA 48 applies to the export and transfer with subsequent export of goods listed in Part I Section A of the Export List, provided that such goods are supplied by a domestic exporter and are intended for use in air and maritime defense.

Further, the authorization only applies where the goods are supplied to recipients who (i) belong to the armed forces of an authorized destination country or (ii) act as a contracting authority in the defense sector and make the purchase exclusively for use by those armed forces. In individual cases, deliveries to other recipients may also be carried out under GEA 48.

Certain categories of sensitive military goods and technologies are excluded from the scope of GEA 48. This also includes goods classified as war weapons, unless the exporter or shipper has obtained a license under the War Weapons Control Act for the specific export or transfer.

Permitted Destinations

GEA 48 applies to exports to Bahrain, Qatar, Kuwait, Oman, Saudi Arabia, the United Arab Emirates, and Ukraine, as well as to transfers within the European Union, provided that the transferor is aware that the goods will subsequently be exported to one of the aforementioned destinations for defense purposes covered by GEA 48.

Key Compliance Requirements

GEA 48 is subject to a number of detailed ancillary provisions set out by BAFA. These include, in particular, the following obligations:

• Registration: Exporters intending to rely on GEA 48 must register as users with BAFA via the ELAN-K2 portal prior to the first export or transfer, or within 30 days thereafter.
• Reporting Obligations: Exports and transfers carried out under the authorization must be reported to BAFA on a monthly basis via the ELAN-K2 portal.
• Record-Keeping requirements: Exporters and transferors must retain all documentation relating to the use of the GEA 48 for at least three years following the end of the calendar year in which the export or transfer took place.

Key Grounds for Exclusion

GEA 48 sets forth a number of grounds for exclusion, under which the authorization cannot be relied upon. These include, among others, exports followed by re-export to unauthorized destinations, cases where the goods are intended to support Russia’s war of aggression, as well as circumstances where BAFA requires individual licensing.

Practical Implications and Navigating Requirements with HEUKING

GEA 48 provides significant procedural relief by enabling faster exports in situations where defense equipment is urgently required. In particular, it facilitates deliveries to Ukraine and selected Gulf states without the delays associated with individual licensing procedures, thereby offering greater flexibility and planning certainty for exporters operating in this space.

At the same time, the strict licensing conditions and detailed compliance requirements applicable to the GEA 48 should not be underestimated. Companies should assess, at an early stage, whether their goods actually fall within the scope of GEA 48 and ensure that its requirements are properly implemented. In the event of a violation, the GEA 48 may be revoked, and regulatory and criminal penalties may apply. To prevent this, thorough assessment and robust internal compliance processes are essential.

We regularly advise clients on the application of export control laws and on the implementation of internal processes to ensure compliance with German and European export control requirements. In addition, we assist you with registration and reporting obligations and provide support in situations where compliance issues have arisen. Furthermore, we advise on transaction-specific risks associated with the export of goods, enabling you to make optimal use of the GEAs published by BAFA within the framework of your export process.

The FRiG serves to implement various EU directives and, in particular, makes far-reaching amendments to the German Capital Investment Code (hereinafter “KAGB”). A particular focus of the FRiG in this context is the introduction of requirements for lending by AIFs and the mandatory selection of, in principle, two “liquidity management instruments” for open-ended investment funds.

However, beyond merely implementing new EU requirements, the FRiG also introduces additional amendments to the KAGB that are, at least in part, welcome from the perspective of the investment industry. These include, in particular, the long-awaited introduction of closed-end funds in contractual form in the public fund sector – a development the industry has long advocated for – and the newly introduced dilatory defense under Section 93 (3a) of the KAGB, as amended.

Selected amendments to the KAGB resulting from the FRiG are outlined below.

Stricter requirements for KVG managing directors; Section 23 No. 2a KAGB (as amended)

Pursuant to Section 23 No. 2a of the KAGB (as amended) a capital management company must be denied authorization if there are facts indicating that the two required managing directors are not employed on a full-time basis (i. e., at least 40 hours per week) by the respective capital management company. Furthermore, the two required KVG managing directors must in the future be resident in the European Union.

In practice, KVG managing directors have often worked for and been employed by other companies – particularly group companies – and continue to do so. This necessarily required the affected managing director to divide their working hours among these entities. Even though the issue of the availability of KVG managing directors – at least in cases of very heavy workloads – has been discussed by the Federal Financial Supervisory Authority (hereinafter “BaFin”) in its supervisory practice in the past, the mandatory requirement of full-time employment for KVG managing directors is new.

However, the legislative rationale for the FRiG leaves a small loophole regarding the full-time requirement. According to this, in corporate group structures, it may occur in practice that there is partial overlap in the identities of the managing directors. The example cited here is a situation where, for instance, two capital management companies belong to a corporate group. According to the legislative rationale for the FRiG, such a scenario may continue to be considered permissible following a review of the individual case. Outside of group-related situations, however, the legislative rationale for the FRiG does not provide for the possibility of a deviating decision on a case-by-case basis.

Whether a third or additional managing director must then also be employed on a full-time basis cannot be unequivocally determined from Section 23 No. 2a of the KAGB (as amended). In discussions with industry associations, BaFin has expressed the view that in situations where there are more than two managing directors, departments may also be managed on a part-time basis. The combined workload of all managing directors must amount to two full-time equivalents (i. e., a cumulative total of 80 hours per week).

Furthermore, according to BaFin statements, grandfathering provisions are to apply to those capital management companies that do not have two managing directors residing in the EU prior to the entry into force of the FRiG on April 16, 2026. However, should changes occur in the management after April 16, 2026, the new requirements regarding the residence of the managing directors must be observed.

Lending by AIF Capital Management Companies; Section 29a et seq. KAGB (as amended)

In particular, the newly added Section 29a KAGB (as amended) and Section 29b KAGB (as amended) serve to establish uniform regulations within the EU for AIFs and their capital management companies that grant loans. In this context, the focus is, among other things, on maximum credit limits for certain borrowers such as financial firms (see Section 29a (3) KAGB, as amended) and the prohibition on granting loans to certain market participants, such as the AIF’s depositary (see Section 29a (7) KAGB, as amended).

However, certain provisions of the KAGB regarding the regulation of lending apply only to the category of “lending AIFs” newly introduced into the KAGB. “Lending AIFs” are, pursuant to Section 1(19) No. 24d of the KAGB (as amended), AIFs whose investment strategy consists primarily of granting loans or whose granted loans reach a nominal value amounting to at least 50 % of the AIF’s net asset value. Not every AIF that grants loans is therefore automatically a “lending AIF” within the meaning of the KAGB.

For example, the provision of Section 30 (3a) of the KAGB, as amended, applies only to lending AIFs. Accordingly, an AIF capital management company must ensure that the lending AIFs it manages are closed-end funds. Notwithstanding this, a lending AIF may be an open-ended fund provided that the AIF capital management company managing it can demonstrate to BaFin that the AIF’s liquidity risk management system is consistent with the investment strategy and redemption policy of the AIF capital management company.

Furthermore, with regard to open-ended lending AIFs, a leverage cap of 175 % applies pursuant to Section 29a (5) of the KAGB (as amended), and for closed-end AIFs, a cap of 300 % of the ratio of the AIF’s risk – calculated using the so-called “commitment method” – to its net asset value.

Pursuant to Section 29b (1) of the KAGB , as amended, capital management companies must make withholdings if a loan granted by an AIF is subsequently transferred to third parties. Accordingly, an AIF capital management company must ensure that an AIF it manages withholds 5 % of the nominal value of the relevant loans. This percentage is retained until maturity for loans with a term of up to eight years. For other loans, the aforementioned percentage must be retained for at least eight years. Exceptions to this are regulated in Section 29b (2) of the KAGB (as amended), such as in connection with the dissolution of a fund.

The granting of loans by AIFs to consumers within the meaning of Section 13 of the German Civil Code (BGB) is generally prohibited by the newly added Section 16a of the KAGB (as amended), as was already the case under the provision of Section 285 (2) No. 2 of the KAGB (as previously in force), which was repealed by the FRiG.

In this context, the FRiG also expands the definition of collective asset management in Section 1 (19) No. 24 of the KAGB to include the granting of loans by AIFs and the management of securitization special-purpose entities.

For the application of the provisions of Section 29a of the KAGB (as amended) and Section 30 (3a) of the KAGB (as amended) to existing funds that grant loans, the transitional provision of Section 367 of the KAGB (as amended) must be observed. For example, in the case of lending AIFs that were established before April 15, 2024, and that do not raise additional capital after April 15, 2024, it is assumed that they comply with the maximum leverage limits pursuant to Section 29a (5) of the KAGB, as amended.

Selection of Liquidity Management Instruments for Open-Ended Investment Funds; Section 30a KAGB (as amended)

The FRiG provides for the insertion of Section 30a KAGB (as amended) into the KAGB, which concerns the selection of liquidity management instruments (hereinafter also “LMTs”) for the management of open-ended investment funds. Accordingly, a capital management company must select at least two suitable LMTs from a specified list for each open-ended investment fund it manages. Notwithstanding this, in the case of money market funds, it is possible to select only one suitable LMT; see Section 30a (3) of the KAGB, as amended.

According to the statutory definition in Section 1 (19) No. 25a of the KAGB (as amended), LMTs include (i) the suspension of unit issuance, subscriptions, repurchases and redemptions (ii) redemption restrictions (iii) the extension of redemption periods (iv) the redemption fee (v) swing pricing (vi) dual pricing, (vii) a dilution protection fee, (viii) distribution of assets in kind, and (ix) the spin-off of illiquid investments.

Consequently, all open-ended investment funds – including existing funds – must have at least two operational LMTs in place by April 16, 2026, and must also stipulate this in their investment terms and conditions.

Section 366 (1) of the KAGB, as amended, provides for certain exemptions regarding the necessary adjustment of the investment terms for existing funds. In this regard, for UCITS or domestic open-ended public AIFs, the application for approval of the amended investment terms may, in addition to editorial changes, include only those changes to the investment terms that are necessary to comply with the requirements of the version of the KAGB effective as of April 16, 2026. In this case, certain requirements for amending the investment terms do not apply, meaning, for example, that investors do not have to be offered the option to redeem their shares in this context.

The investment terms and the information pursuant to Section 307 (1) and (2) of the KAGB for domestic open-ended special AIFs must also be adapted to the version of the KAGB effective as of April 16, 2026, by April 16, 2026. From a thematic perspective, this will focus in particular on the possibilities and conditions for the use of the selected liquidity management instruments.

According to BaFin statements, the implementation of detailed strategies and procedures for the activation and deactivation of the selected liquidity management instruments pursuant to Section 30a (2) sentence 2 of the KAGB (as amended) implies that the management company must inform investors of such activation or deactivation (e. g., via a website).

Right of defense under Section 93 (3a) of the KAGB (as amended)

A new paragraph 3a is inserted into Section 93 of the KAGB, granting capital management companies a temporary right to refuse performance in the management of funds in contractual form. Pursuant to Section 93 (3a) of the KAGB (as amended), the capital management company in question may refuse to fulfill obligations arising from legal transactions conducted on behalf of the investors of a fund in contractual form for as long and to the extent that the capital management company cannot satisfy its obligations from the fund in contractual form. Although attempts have regularly been made to date to negotiate a corresponding right of defense for the capital management company in individual contracts, this could not be enforced in all cases in practice.

The new defense option under Section 93 (3a) of the KAGB (as amended) is structured as a so-called “dilatory defense,” which only temporarily suspends the enforcement of the claim and leaves the existence of the claim unaffected. The defense can therefore only be raised as long as the special fund’s liquidity is actually insufficient, for example, because the sale of a property has not yet been completed.

From its character as a dilatory defense, it follows in legal doctrine that this defense must be raised by the capital management company at least by implication and, for example, will not be considered ex officio by the adjudicating court in a lawsuit. If a capital management company successfully invokes the defense under Section 93 (3a) of the KAGB (as amended) in a lawsuit, the claim is dismissed only as currently unfounded and may be brought again once the defense no longer applies – i. e., once the fund in contractual form regains its solvency.

Furthermore, a payment made in ignorance of the dilatory defense under Section 93 (3a) of the KAGB (as amended) cannot be reclaimed under Section 813 of the BGB because it is not a permanent defense. Before making such a payment, a capital management company is therefore advised to actively examine whether the defense under Section 93 (3a) of the KAGB (as amended) can be raised. Once payment has been made, the capital management company is barred from seeking reimbursement on the grounds of the fund’s illiquidity.

However, under Section 93 (3a) of the KAGB (as amended), this defense has no deferral effect and no impact on the occurrence of default or on the realization of collateral that the capital management company has provided for a liability of the fund in contractual form. For example, the defense under Section 93 (3a) of the KAGB, as amended, does not prevent the accrual of default interest pursuant to Section 288 of the BGB.

According to the legislative history of the FRiG, the new provision of Section 93 (3a) of the KAGB, as amended, is intended to achieve equal treatment of creditors of funds in contractual form without legal personality with creditors of investment companies. Under current law, there is a difference in the liability of capital management companies depending on whether the funds they manage are investment companies with legal personality or funds in contractual form without legal personality. In the case of investment companies, the capital management company is not liable with its own assets, whereas in the case of funds in contractual form, under current law, the capital management company is liable with its own assets if the liabilities cannot be covered by the claim for reimbursement of expenses under Section 93 (3) of the KAGB against the special fund. In particular, this difference in the liability regime had frequently led, in the area of special AIFs, to the investment company being preferred over the fund in contractual form during fund setup.

Section 93 (3a) of the KAGB, as amended, is also intended to facilitate the financing of funds in contractual form, as banks can thereby treat the special fund as the debtor for the purposes of the European Capital Requirements Regulation (CRR), which typically has significantly better capital adequacy than the capital management company.

Winding-up by the Capital Management Company upon termination of the management of a fund in contractual form; Section 99 (1) of the KAGB (as amended)

Under Section 99 (1) of the KAGB (previous version), capital management companies are entitled to terminate the management of a fund in contractual form by giving six months’ notice through publication in the Federal Gazette and additionally in the annual report or semi-annual report. For special funds, a shorter notice period may also be agreed upon in the investment terms and conditions. Following termination, the fund in contractual form must be liquidated by the custodian in accordance with the current legal situation.

Section 99 (1) of the KAGB is being significantly amended by the FRiG. Under the new provisions, the requirement to observe a specified notice period is eliminated. From the date of notification of termination (or, in the case of special AIFs, from the date of notification to investors), the capital management company – and no longer the depositary – will be obligated to liquidate the fund in contractual form. The capital management company’s obligation to manage the fund in contractual form does not end until the capital management company has fully liquidated the fund in contractual form. Furthermore, it is clarified that investment limits no longer need to be observed during liquidation, which is consistent with current management practice.

The above provisions apply mutatis mutandis to closed-end investment limited partnerships pursuant to Section 154 (1) sentence 5 of the KAGB.

Contract amendment mechanism pursuant to Section 163 (5) of the KAGB, as amended

A new paragraph 5 is inserted into Section 163 of the KAGB, which concerns the approval of investment terms for open-ended public investment funds. Under Section 163 (5) of the KAGB (as amended), existing contracts (such as investor agreements) between the capital management company and the investors will be automatically adjusted to reflect changes to the investment terms approved after the conclusion of the contract and which have become part of the contract, provided that such changes to the investment terms are necessary to implement new mandatory legal or regulatory requirements. This is currently likely to apply in particular to the liquidity management instruments required as of April 16, 2026.

According to the legislative rationale, this special provision is intended to enable the unbureaucratic and legally certain adaptation of existing contracts to new statutory or regulatory requirements. If the capital management company plans other changes to its investment terms that are not necessary to comply with statutory or regulatory requirements, the general provisions of contract law regarding contract amendments apply to such changes. For such changes to become part of the contract, an amendment agreement must be concluded with the investors or an existing contract amendment clause must be utilized.

The capital management company is merely required to inform investors of the automatic contract amendment pursuant to Section 163 (5) of the KAGB (as amended), without any specific information medium or deadline being prescribed by law in this regard.

Expansion of investment opportunities from closed-end public AIFs to open-end AIFs, Section 261 (1) No. 5 and No. 6 of the KAGB (as amended)

Section 261 (1) No. 5 and No. 6 of the previous version of the KAGB provided that closed-end public AIFs with a fund-of-funds strategy could invest in other closed-end AIFs. Investment in open-end AIFs was not permitted. From a liquidity management perspective, this was difficult to justify given the fundamental possibility of redeeming shares in open-end AIFs.

Section 261 (1) No. 5 and No. 6 of the KAGB (as amended) contain no restriction to closed-end AIFs. Closed-end public funds-of-funds may therefore also invest in open-end AIFs in the future. According to the legislative rationale for the FRiG, this is intended to increase the competitiveness of German closed-end public AIFs. This will not reduce the level of investor protection, as open-ended AIFs are also regulated and supervised products. We agree with this assessment.

Conclusion

From the industry’s perspective, the FRiG introduces several welcome changes to the KAGB. These include, in particular, the long-awaited introduction of closed-end funds in contractual form for the public fund sector. In particular, in conjunction with the newly introduced dilatory defense under Section 93 (3a) of the KAGB (as amended), capital management companies should assess whether they wish to consider launching funds in the form of closed-end funds in contractual form in the future.

The new automatic statutory contract amendment mechanism under Section 163 (5) of the KAGB (as amended) also simplifies the process of incorporating statutory or regulatory changes into contractual documents and is very much welcomed by the industry.

On the other hand, it cannot be denied that the FRiG will also entail additional bureaucratic burdens for the industry. For example, the requirement for at least two full-time KVG managing directors will not make recruiting staff any easier for smaller capital management companies – especially in times of a shortage of qualified managers.

The statutory requirements for works council compensation are clearly formulated in their basic principles. In practice, however, their application is often associated with considerable uncertainties. This is especially true in light of recent case law and the associated civil and criminal law risks for decision-makers within the company.

Employers therefore face the challenge of making compensation decisions that comply with both the voluntary service principle (in conjunction with the principle of compensation for lost earnings) and the prohibition against preferential or disadvantageous treatment. Below, we present some proven practices that have been established in advisory work as suitable for supporting a legally compliant approach to works council compensation.

I. Early and Structured Determination of the Relevant Comparison Group

A key starting point for a legally compliant compensation structure is the accurate determination of the comparison group. As discussed in the first two articles of this series, this group serves as the relevant reference framework for the development of compensation under Section 37(4) of the German Works Constitution Act (Betriebsverfassungsgesetz).

In practice, it is advisable to systematically establish the comparison group at the time the works council member takes office and to document the relevant considerations in a traceable manner. This includes, in particular, a brief description of the selected comparison persons, their roles, and their relevant qualifications (both professional and personal).

Such documentation not only facilitates subsequent adjustment decisions but also helps to present the reasoning clearly in the event of later inquiries or reviews. Particularly in cases of long-standing works council mandates, it can otherwise be difficult to reliably reconstruct the original considerations regarding comparability.

At the same time, employers should be aware that a comparison group, once established, may not be changed without due cause. A new comparison group may only be formed if there is an objective reason for doing so.

It should also be noted that under Section 37(4) sentences 4 and 5 of the German Works Constitution Act, a procedure for determining comparable employees may be established through a works agreement (Betriebsvereinbarung). Such an arrangement can help make the selection of comparison persons more transparent and traceable, thereby avoiding future disputes. However, this does not relieve the employer of the duty to carefully assess in each individual case which employees are actually comparable.

II. Regular Review of Compensation Development

The compensation of works council members is not a static matter. Section 37(4) of the German Works Constitution Act provides for a dynamic approach, under which works council members participate in the customary development of compensation within the company for comparable employees.

Employers are therefore well advised to regularly review whether the compensation within the relevant comparison group has changed and whether adjustments are necessary. In practice, it is helpful to link this review to existing HR processes, such as annual compensation rounds or other regular salary reviews.

In addition, attention should be paid to whether specific development opportunities have arisen within the company that could be relevant to the hypothetical career progression of the works council member. As outlined in the second article of this series, the prohibition against disadvantageous treatment under Section 78 sentence 2 of the German Works Constitution Act, in conjunction with Section 611a(2) of the German Civil Code (Bürgerliches Gesetzbuch), may give rise to an independent entitlement to compensation adjustment if the works council member would have attained a certain position had they not taken on their role.

A regular review of relevant developments helps to identify emerging adjustment issues at an early stage and address them appropriately.

III. Transparent Decision-Making Processes and Careful Documentation

A recurring risk in connection with works council compensation often lies less in the substantive decision itself than in inadequate documentation and traceability. Employers should therefore ensure that key decisions regarding works council member compensation are made transparently and documented thoroughly.

This applies in particular to:

• the formation and, where applicable, adjustment of comparison groups
• the customary compensation development within the comparison group
• the hypothetical career development of the works council member, particularly with regard to hypothetical promotion decisions
• decisions regarding variable compensation components and their derivation
• the treatment of overtime and compensatory time off

The documentation does not need to be particularly extensive. What matters is that the key substantive considerations are recorded and that the documents show the basis on which a particular compensation decision was made.

Such documentation can be especially important if compensation decisions are reviewed at a later date or if questions arise about possible preferential or disadvantageous treatment.

IV. Clear Internal Responsibilities and Structured Decision-Making Processes

In many companies, uncertainties regarding works council compensation arise not primarily due to unclear legal requirements, but rather due to a lack of internal structures. It is therefore advisable to define clear responsibilities for matters relating to works council compensation.

In practice, it is often helpful to centralize these matters within the HR department and to involve employment law expertise early on when needed.

Furthermore, it may be useful to develop standardized internal procedures for typical situations, such as documenting established comparison groups, regularly reviewing compensation developments, or handling overtime worked by works council members.

Structured processes help to ensure that compensation decisions are made consistently and reduce the risk of individual errors.

V. Raising Awareness Among Decision-Makers in the Company

Another key aspect is raising awareness among those individuals in the company who are involved in compensation decisions. The compensation of works council members is subject to specific legal requirements. Unlike with other employees, the voluntary service principle under Section 37(1) of the German Works Constitution Act and the prohibition against preferential or disadvantageous treatment under Section 78 sentence 2 of the German Works Constitution Act must be strictly observed.

Against this background, it is advisable to regularly raise awareness among managers and HR staff regarding these specific considerations. This can be achieved through internal guidelines, training sessions, or early involvement of the relevant specialist department.

Such awareness-raising helps to identify and avoid potential risks in advance.

VI. Particular Caution with Individual Special Arrangements

Finally, practice shows that individually tailored special arrangements in connection with works council member compensation can be associated with heightened risks.

These include individually agreed compensation components, flat-rate bonuses, or other arrangements that cannot be readily derived from the development of the comparison group or from the general compensation structures of the company.

Such arrangements can quickly give the impression of impermissible preferential treatment within the meaning of Section 78 sentence 2 of the German Works Constitution Act. Employers should therefore generally ensure that compensation decisions are aligned with objective and traceable criteria.

This applies not only in the context of employment court proceedings but also in view of potential civil or criminal law issues (e. g., breach of fiduciary duty under Section 266 of the German Criminal Code [Strafgesetzbuch]).

Conclusion

The legally compliant design of works council compensation does not require a complex special framework, but it does require structured and transparent decision-making processes.

Employers are well advised to carefully establish comparison groups, regularly review compensation developments, and document key decisions in a traceable manner. Clear responsibilities and awareness among the relevant decision-makers also contribute to reducing legal risks.

Those who follow these principles create a solid foundation for a compensation structure that meets both the legal requirements and the practical needs of the company.

This concludes our publication series on legally compliant works council compensation. We hope that the legal principles and practical guidance presented have provided you with helpful orientation for dealing with this complex topic.

Should you have any questions or require advice on specific cases, we are of course always happy to assist.

Furthermore, the BGH clarifies that the determination of whether knowledge and skills are being imparted asynchronously always depends on the specific case.

Facts

The most recent proceedings were based on the following facts:

The defendant offers online mentoring programs without authorization under Section 12(1), sentence 1 of the Distance Learning Act (FernUSG). The plaintiff entered into a so-called “Business Class Coaching Agreement” with the defendant. According to the defendant, this Business Class mentoring is a highly professional and very personalized mentoring program designed to help establish one’s own business.

The plaintiff was required to pay EUR 16,000.00 for the seven-month duration of the coaching.

The goal of the program was to establish her own online business in the field of coaching. Under the terms of the contract, the plaintiff gained access to instructional videos and workbooks on the online platform and participated in weekly live calls with the defendant or the experts it had engaged. In addition, a “live customer event” took place over a weekend in Baden-Baden. Employees of the defendant even managed the plaintiff’s Facebook page and handled the brand design.

The Legal Dispute

The parties now argued before the Federal Court of Justice (BGH), among other things, whether the purpose of the coaching program was to impart knowledge and skills or merely to provide support for professional development.

The central issue – as in all coaching cases – was the nullity of the contract pursuant to § 7(1) of the Distance Selling Act (FernUSG).

The plaintiff was successful before the Ulm Regional Court. However, the Stuttgart Higher Regional Court dismissed the claim in its entirety, holding that the contract was not void under Section 7(1) of the Distance Selling Act. In the Federal Court of Justice’s recent decision, however, the plaintiff prevailed.

Previous Case Law of the Federal Court of Justice

The ruling aligns with the BGH’s line of case law regarding the applicability of the FernUSG. As early as February 5, 2026 (III ZR 137/25), the BGH clarified the central and controversial question of when a geographical separation exists under Section 1(1)(1) of the FernUSG. We previously reported on this in our IP, Media & Technology Update No. 137. Furthermore, last year (judgment of June 12, 2025 – III ZR 109/24), the BGH affirmed the applicability of the FernUSG to the B2B sector as well, thereby increasing the relevance of this new area of law. As previously outlined in our IP, Media & Technology Update No. 123, this topic is of great significance.

Key finding of the ruling: A right to ask questions suffices as a learning assessment

In its latest ruling, the Federal Court of Justice (BGH) had to address, in particular, the question of when contractually agreed monitoring of learning progress exists pursuant to § 1(1)(2) FernUSG.

The fact that the plaintiff may be a start-up entrepreneur and thus an entrepreneur within the meaning of § 14 BGB could be left open here. As outlined above, the FernUSG also applies to entrepreneurs. The BGH has now reiterated this in its ruling.

The Higher Regional Court, however, based its dismissal of the claim on the absence of monitoring of learning progress: the mere possibility of asking questions was insufficient. Active monitoring by the defendant provider had not been agreed upon.

The Federal Court of Justice expressly disagreed with this narrow interpretation and clarified that individual exam assignments or other specific learning assessments are not required for this element of the offense. The Senate has previously ruled that it is sufficient if the learner is entitled under the contract to receive individual monitoring, for example through oral questions on the material covered in an accompanying class session. Most recently, the court reaffirmed this precedent on January 15, 2026 (III ZR 80/25).

The individual case remains decisive

Although the Federal Court of Justice (BGH) corrected the Higher Regional Court’s legal opinion, it could not ultimately rule in favor of the plaintiff. This is because the appellate court had left open whether the contract was aimed at the transfer of knowledge and skills at all – or whether it was rather a matter of individual consulting and support in building a business. The Federal Court of Justice (BGH) could not determine which specific services were to be provided by the defendant. In particular, it was unclear what was meant by “mentoring” in this context and what specific knowledge was to be imparted. For this reason, the Higher Regional Court (OLG) will have to clarify in detail the nature, content, and focus of the contract concluded between the parties in the new appeal proceedings.

In summary, whether so-called business coaching or mentoring services fall under the Distance Selling Act must be assessed by examining the specific scope of services agreed upon in each individual case, with the focus of the contract being decisive.

The other party to the contract may bear a secondary burden of proof regarding the agreed-upon content, format, and manner of delivery.

Furthermore, the Higher Regional Court did not sufficiently determine the exact proportion of synchronous and asynchronous instructional components (live calls vs. videos) in this case. The Federal Court of Justice refers in this regard to its ruling of February 5, 2026 (III ZR 137/25), Update IP, Media & Technology No. 137.

What does this ruling mean for those affected?

The Federal Court of Justice (BGH) continues to consistently interpret the criterion of monitoring learning success broadly. With its latest ruling, the BGH has now reaffirmed its case law within a span of less than two months. It can therefore be assumed that the BGH will not take a more restrictive approach anytime soon.

This provides legal certainty, but also shows that contract drafting in the online coaching and mentoring sector remains a key factor for the applicability of the FernUSG: On the one hand, affected coaching providers must ensure, upon concluding a contract, that they agree on a right to ask questions with the learner. Furthermore, in legal disputes involving the FernUSG, it continues to depend on whether the focus of the coaching was on knowledge transfer or on personal counseling. This leaves room for further argumentation.

I. What is digital compliance?

Digital compliance refers to adherence to the legal requirements arising from the use of digital technologies, the processing of data, and the operation of IT-supported business processes. In corporate practice, the term thus encompasses a range of different regulatory requirements, ranging from data protection law and IT security requirements to specific regulations for digital services and data ecosystems. While large companies have often established specialized compliance structures for this purpose, in small and medium-sized enterprises (SMEs) such requirements are frequently perceived primarily as an IT or data protection issue. In reality, however, it is an organizational management task that must be integrated into the company’s compliance and risk management framework.

1. GDPR Requirements

Compliance with the General Data Protection Regulation (GDPR) remains a central component of digital compliance. It governs the conditions for processing personal data and thus affects virtually all of a company’s digital business processes – from human resources management and customer relations to the use of digital platforms or cloud-based IT infrastructures. Companies must not only observe individual substantive requirements but also establish a structured data protection management system that ensures organizational compliance with legal requirements.

The starting point for any data protection assessment is the question of the lawfulness of data processing. According to Article 6 of the GDPR, the processing of personal data is only permissible if there is a corresponding legal basis, such as the consent of the data subject, the performance of a contract, legal obligations, or the legitimate interests of the company. These requirements must be assessed and documented for each processing operation. At the same time, Article 5 of the GDPR requires companies to adhere to fundamental data protection principles – in particular purpose limitation, data minimization, transparency, and the integrity of data processing.

An essential component of compliance management is the obligation to provide information to data subjects. In accordance with Articles 13 and 14 of the GDPR, companies must provide comprehensive privacy notices, for example, to employees, job applicants, customers, or suppliers. This information must include, among other things, the purpose of the processing, the respective legal basis, potential recipients of the data, the retention period, and the rights of data subjects. Transparent information is of particular practical importance, especially in the context of employment or within the framework of digital application processes.

Furthermore, the GDPR requires companies to maintain extensive documentation. Pursuant to Article 30 of the GDPR, a record of processing activities must be maintained, in which all relevant data processing activities within the company are recorded. This record regularly serves as the basis for internal data protection audits as well as for potential inspections by supervisory authorities. In addition, technical and organizational measures must be implemented in accordance with Article 32 of the GDPR to ensure an appropriate level of protection for personal data. These include, for example, access and authorization policies, encryption, backup systems, or internal security guidelines.

Special requirements apply to processing operations that may pose a high risk to the rights and freedoms of data subjects. In such cases, a data protection impact assessment must be conducted in accordance with Article 35 of the GDPR. This may be the case, for example, when using new technologies, when processing large amounts of sensitive data, or when systematically monitoring individuals. The aim of the impact assessment is to identify potential risks at an early stage and to define appropriate protective measures. With the increasing use of AI, data protection impact assessments are also gaining in importance.

Finally, the GDPR also requires organizational measures to raise employee awareness. Data protection training, internal guidelines, and clear responsibilities within the company are essential elements of effective data protection management. This aspect is often underestimated, particularly in small and medium-sized enterprises, even though many data protection violations in practice can be attributed to organizational shortcomings or a lack of awareness regarding the handling of personal data.

2. Other Digital Law Requirements

In addition to data protection law, the regulatory framework for digital business processes is increasingly shaped by other EU legal requirements. In recent years, the European Union has adopted a multitude of new legal acts regulating the use of digital technologies, data handling, and IT security requirements in companies. Digital compliance is therefore no longer limited to data protection issues but encompasses a broad spectrum of requirements under European digital law.

Of particular practical significance is the Regulation on Artificial Intelligence (AI Regulation) (see our latest article). It establishes a uniform EU-wide legal framework for the development, distribution, and use of AI systems. The regulation follows a risk-based approach: While certain AI applications are completely prohibited, so-called high-risk AI systems are subject to extensive requirements, for example regarding risk management, data quality, documentation obligations, transparency, and human oversight. Companies that develop, distribute, or use AI systems in their business processes must therefore assess whether their applications fall under the relevant categories and what compliance obligations arise from this. Current adaptation considerations at the European level, some of which are being discussed under the banner of an “AI Omnibus,” also aim to clarify the practical implementation of individual requirements and make them more manageable for companies (we reported).

Another key component of European digital law is the NIS 2 Directive, which significantly expands cybersecurity requirements in security-relevant sectors (see topic page). Compared to the previous legal framework, the scope of affected companies has been significantly broadened and now includes numerous small and medium-sized enterprises across various industries. The directive requires companies, in particular, to implement comprehensive risk management measures in the area of IT security, to establish incident reporting structures, and to secure digital supply chains. At the same time, it explicitly emphasizes the responsibility of management, which is accountable for implementing and monitoring cybersecurity measures.

The Data Act, which regulates access to and the use of data in the European data economy, will also gain importance for many companies (we reported). Among other things, the regulation aims to facilitate access to data from connected products and digital services and to improve the ability to switch between cloud providers. Companies will therefore need to pay closer attention in the future to the data access and sharing obligations arising from the use of data-driven products or platforms and to the contractual adjustments that will be required.

For the financial sector, the Digital Operational Resilience Act (DORA) further specifies the requirements for IT risk management (see topic page). Banks, insurance companies, and other financial firms will be required to establish comprehensive ICT risk management, conduct regular security tests, and systematically monitor their dependencies on third-party IT service providers, particularly cloud providers. Here, too, the focus is shifting more strongly toward management’s responsibility.

The Cyber Resilience Act (CRA) is also of particular importance in this context (see topic page). The regulation establishes, for the first time, a uniform European legal framework for the cybersecurity of products with digital elements, thereby addressing in particular manufacturers, importers, and distributors of such products. Companies are required to incorporate security requirements as early as the development phase (“security by design”), systematically monitor vulnerabilities, and provide security updates throughout the entire product lifecycle. In addition, there are comprehensive documentation, reporting, and compliance obligations. Indirectly, increased requirements also arise for companies that merely use such products, for example, in the selection of suppliers, contract drafting, and within the framework of IT risk management.

Furthermore, other European initiatives are gaining relevance. Sector-specific data spaces such as the European Health Data Space (EHDS) are creating new frameworks for accessing and using sensitive data (we reported). The planned European digital identity (EUDI wallet) will bring new requirements for authentication and identity infrastructures (we reported). In addition, the E-Evidence Regulation aims to facilitate cross-border access to electronic evidence by law enforcement authorities, which creates additional requirements for handling official data access requests (we reported).

These regulatory developments are closely linked to the growing discussion surrounding corporate digital sovereignty (we reported). This refers to the ability to manage digital infrastructures, data flows, and IT dependencies in such a way that legal requirements are met and strategic risks are controlled. In particular, the widespread use of global cloud and platform providers raises questions regarding data access from third countries, technical dependencies, or limited options for switching providers. Numerous European digital laws, such as the NIS 2 Directive or the Data Act, therefore also aim to strengthen interoperability, reduce dependencies, and give companies more control over their digital resources. In practice, digital sovereignty is thus increasingly becoming an integral part of corporate digital compliance and risk strategies (see our event on April 21, 2026, on the topic of digital sovereignty).

II. Personal Liability of Management

The implementation of digital compliance affects not only organizational processes within the company but also the personal responsibility of management. Under Section 43(1) of the German Limited Liability Companies Act (GmbHG), managing directors of a limited liability company (GmbH) are obligated to exercise the due care of a prudent businessman. This includes, in particular, the duty to organize the company in such a way that legal requirements are complied with and legal risks can be adequately controlled. For members of the executive board of a stock corporation, this organizational duty is further specified by Section 91(2) of the German Stock Corporation Act (AktG), which requires the establishment of a monitoring system for the early detection of developments that could jeopardize the company’s continued existence. For publicly traded companies, Section 91(3) of the German Stock Corporation Act (AktG) further requires an appropriate and effective internal control and risk management system.

If digital legal requirements – such as those related to data protection, IT security, or the use of new technologies – are not adequately addressed within the company, this can therefore also have liability consequences. If management violates its organizational duties and the company suffers damages as a result – such as fines, claims for damages, or significant economic disadvantages – personal liability toward the company may generally be considered.

A practical liability risk arises in particular when breaches of duty only become apparent in retrospect. It is not uncommon for data protection violations, IT security incidents, or regulatory shortcomings to come to light only during regulatory audits, internal investigations, or in the context of a change in management. When a managing director leaves the company, compliance structures are frequently reviewed or reassessed. If it turns out that key requirements – such as those related to data protection or IT security measures – have not been implemented for an extended period, the company may generally consider holding the former managing director liable.

In addition, regulatory enforcement of digital regulations is gaining momentum. Data protection supervisory authorities have been conducting regular audits for years, and more intensive oversight is also expected in the area of cybersecurity regulation. With the implementation of new European digital legislation, corresponding control structures will be further expanded. Initial hearings and audit procedures already indicate that authorities are beginning to scrutinize the practical implementation of digital compliance requirements in companies more closely. This increases the pressure on management to establish appropriate structures early on and in a transparent manner.

III. Implementation Steps

Implementing digital compliance often presents practical challenges for small and medium-sized enterprises. Unlike large corporations, many companies have neither their own compliance departments nor extensive personnel or financial resources. Nevertheless, this does not mean that comprehensive and cost-intensive projects are necessary to achieve an adequate minimum level of digital compliance. Rather, what is crucial is a structured and pragmatic approach that focuses on the essential legal requirements.

1. Defining Roles and Responsibilities

A first step is to define clear responsibilities for digital compliance issues within the company. In practice, it is often the case that issues related to data protection, IT security, or the use of new technologies are spread across different departments and are therefore not systematically coordinated. Simply appointing a responsible contact person or consolidating relevant topics into a central function can help identify risks early on and implement regulatory requirements in a structured manner. At the same time, the issue should also be taken seriously at the executive level. It is no coincidence that the saying “data protection is a top priority” has been around for years.

2. Inventory of Digital Processes

Once responsibilities have been defined, a structured inventory should be conducted first. Companies should identify which digital systems, cloud services, or data-driven applications are in use and what types of data are being processed. This transparency forms the basis for assessing which specific regulatory requirements are relevant – such as those from the GDPR, the AI Regulation, or IT and security guidelines. In many cases, this reveals that only a limited portion of the existing systems actually triggers complex compliance requirements.

3. Establishing Minimum Documentation and Basic Structures

A key component of digital compliance is robust foundational documentation. This includes, in particular, privacy notices for different groups of individuals, a record of processing activities, and basic internal guidelines for handling data and digital systems. Such structures do not necessarily have to be extensive or highly complex. Even clear and comprehensible documentation of core processes can make a significant contribution to meeting regulatory requirements and remaining capable of acting during regulatory audits.

4. Raising Employee Awareness

Moreover, many compliance risks in everyday business operations do not arise from complex legal issues, but rather from a lack of awareness regarding the handling of data and digital applications. Regular training on data protection, IT security, or the use of new technologies can already make a significant contribution to risk minimization. Especially in small and medium-sized enterprises, such training measures can often be implemented with manageable effort and integrated into existing internal communication or training structures.

5. Prioritizing and pragmatically addressing risks

Ultimately, it makes sense for small and medium-sized enterprises to take a risk-based approach to digital compliance. Not every company is equally affected by all digital regulatory initiatives. While the AI Regulation, for example, is relevant only for certain applications, other requirements affect only specific industries or company sizes. A structured prioritization of the issues that are actually relevant makes it possible to allocate resources in a targeted manner while achieving an appropriate level of compliance.

IV. Conclusion and Outlook

Digital business processes are now subject to a growing number of regulatory requirements that go far beyond traditional data protection. For medium-sized companies, this means that digital compliance is increasingly becoming an integral part of proper corporate governance and is also coming more into focus for management from a liability perspective.

At the same time, practical experience shows that a robust minimum level of digital compliance can be achieved with manageable organizational measures. A structured approach is crucial, one that identifies key digital risks, establishes clear responsibilities, and implements fundamental documentation and organizational obligations.

In light of new European digital legislation such as the AI Regulation, NIS-2, or the Data Act, it is also reasonable to assume that regulatory requirements will continue to increase in the coming years. For medium-sized companies, it is therefore advisable to establish digital compliance early on as an integral part of the corporate organization and to gradually expand the corresponding structures.

This article was created in collaboration with our student employee Emily Bernklau.

The decision addresses two key practical issues: First, under what conditions data controllers may reject a request for access based on abuse or excessiveness. Second, whether and under what conditions a claim for damages under Article 82 of the GDPR may arise from a refusal or insufficient provision of information. Thus, the judgment concerns the practical handling of strategically motivated requests from data subjects as well as the scope of liability risk under the GDPR.

Facts

The proceedings were based on a legal dispute between the optical company Brillen Rottler and a private individual. In March 2023, the individual had subscribed to a newsletter via the company’s website and thereby consented to the processing of her personal data. Thirteen days later, the individual made a request for access under Article 15 GDPR to the company. Brillen Rottler rejected the request within the prescribed time limit, citing the abusive or excessive nature of the request. Subsequently, the data subject not only pursued the right of access but also asserted a claim for non-material damage under Article 82 of the GDPR in the amount of 1,000 euros.

Brillen Rottler justified its position by arguing that publicly available sources showed that the defendant systematically provoked alleged data protection infringements to base claims for damages on them. The Arnsberg Local Court stayed the proceedings and referred several questions to the CJEU for a preliminary ruling. The focus was particularly on whether a first-time request for access could already constitute an abuse of rights, what significance should be attached to the data subject’s motivation to seek damages, and whether Article 82 of the GDPR necessarily requires the processing of personal data.

The Core Issues of the Case

The CJEU essentially had to rule on the following points: First, whether an initial request for access can under any circumstances be classified as excessive or abusive within the meaning of Article 12(5) of the GDPR. Second, whether the data subject’s intention to use the request for access to prepare a subsequent claim for damages can justify a refusal. Third, whether publicly available information regarding a corresponding pattern of behaviour by the data subject is sufficient for this purpose. Fourth, whether a violation of the right of access itself can give rise to a claim for damages under Article 82 of the GDPR and whether “processing” within the meaning of Article 4(2) of the GDPR is required for this. Finally, the question arose as to whether a mere loss of control or uncertainty regarding the handling of personal data already constitutes non-material damage.

Key Findings of the CJEU

On the defense of abuse of rights

The CJEU clarifies that even an initial request for access may, in certain circumstances, be regarded as “excessive” within the meaning of Article 12(5) GDPR and may therefore be abusive. What is decisive in this regard is not merely the formal exercise of the right of access, but the purpose for which that right is exercised. A request may be refused where the controller demonstrates that it was not made in order to obtain awareness of the processing of personal data and to verify its lawfulness, but solely in order to artificially create the conditions for a claim for damages.

On the motivation of the data subject

The Court places particular emphasis on the objective pursued by the access request. The mere fact that a data subject intends to assert a claim for damages at a later stage is not, in itself, sufficient. What is decisive, rather, is whether the right of access is being used for a purpose contrary to its function. According to the judgment, a request is abusive where it is not aimed at reviewing the data processing but serves solely to generate a claim scenario.

Regarding publicly available information about a pattern of conduct

The CJEU acknowledges that publicly available information indicating a systematic course of conduct on the part of the data subject may be taken into account when assessing whether a request is abusive. In this context, it may be relevant whether the data subject has, in a manner apparent to the public, repeatedly submitted requests for access to various controllers and subsequently linked such requests to claims for damages. While such circumstances may not necessarily be sufficient in isolation, they may constitute a significant indication of an abusive intention.

Regarding Art. 82 GDPR

At the same time, the Court confirms that a claim for damages under Article 82 GDPR is not limited to classic cases of unlawful data processing. In principle, an infringement of the right of access may also give rise to material or non-material damage and thus found a claim under Article 82 GDPR. In doing so, the CJEU underlines that the procedural safeguards provided for by the GDPR may also be relevant from a liability perspective.

On non-material damage

The Court also makes it equally clear that Article 82 GDPR does not provide for automatic compensation for every infringement of the law. The data subject must demonstrate that he or she has in fact suffered material or non-material damage. In addition, a claim is excluded where the data subject’s own conduct constitutes the decisive cause of the alleged damage. This is significant in practice, because it means that neither the mere rejection of an access request nor the mere invocation of a loss of control will automatically give rise to a claim for damages.

Implications for practice

The decision is relevant for companies in two key respects. On the one hand, it strengthens controllers in dealing with clearly strategically motivated access requests. The CJEU recognises that data subject rights cannot be instrumentalised independently of their protective purpose. On the other hand, the Court does not lower the threshold for refusing such requests but instead makes refusal contingent upon substantiated proof of abusive intent. A hasty reliance on Article 12(5) GDPR therefore remains risky.

The judgment is equally significant from a liability perspective. Companies cannot assume that infringements of the right of access fall outside the scope of Article 82 GDPR. Anyone who wrongfully refuses or inadequately responds to an access request remains exposed to civil liability. That risk is, however, limited by the requirement that the data subject must plead and prove actual damage, and by the fact that the data subject’s own conduct may exclude liability where it constitutes the decisive cause of the alleged damage.

What companies should do now

First, companies should review their processes for handling access requests to ensure that atypical or strategically motivated requests can be properly identified and documented. Following the judgment, the defence of abuse is available, but it requires a sufficiently robust factual basis.

Second, publicly available indications of a systematic course of conduct on the part of an applicant should not be relied upon in a blanket manner, but should instead be assessed in a structured way in light of the specific circumstances of the individual case. This requires reliable documentation showing why the request in question does not serve the purpose of reviewing the data processing, but rather the artificial preparation of claims for damages.

Third, controllers should in future align refusals of access requests more closely with their liability assessment under Article 82 GDPR. This is because an infringement of the right of access may, in principle, also be relevant for damages purposes.

Fourth, it is advisable to refine internal escalation and approval processes for cases involving suspected abuse. Decisions to refuse access in whole or in part should be legally reviewed, clearly documented, and prepared in a manner capable of withstanding scrutiny in subsequent litigation.

Conclusion

With Brillen Rottler, the CJEU brings the interests of data subjects and controllers into a new balance. The Court continues to protect the right of access as a central transparency instrument of the GDPR, while at the same time making clear that it must not be misused to artificially generate claims for damages. For companies, this is an important signal: abusive requests can be resisted, but only on the basis of a carefully established and well-documented case. At the same time, the judgment makes equally clear that errors in handling access requests may continue to have liability consequences.

The focus of the decision is particularly relevant in practice: the company had transferred data from more than 10.5 million members of a bonus or loyalty programme to a social media platform for targeted advertising without ensuring a sound legal basis for doing so. The decision was adopted in a consistency procedure involving 16 other supervisory authorities.

Facts

According to the CNIL's findings, between late 2018 and February 2024, the company transferred personal data of members of its loyalty programme to an unnamed social media platform, in particular email addresses and telephone numbers. The platform matched these identifiers with its users and, in the event of a match, displayed personalized advertisements promoting the company's products.

Even though, according to the CNIL, only around 1.6 million data records could be assigned to a social media account and subsequently received advertising, the CNIL already considered the transfer of data from over 10.5 million individuals to be an independent, unlawful processing operation.

Key statements by the CNIL

1. No effective consent for disclosure to social media

The CNIL criticized that the consent of loyalty programme members was only directed at receiving advertising via text message and email. According to the CNIL, there was no separate, informed consent for the transfer of identifiers to third parties for advertising purposes. This meant that the necessary legal basis was lacking.

2. Platform consent does not replace consent from the advertising company

The company argued that social media users had given their consent by accepting the platform's privacy policy. The CNIL clearly rejected this for two reasons:

• Not all data subjects whose data was transferred had a social media account at all.
• Even for users, any consent only referred to processing by the platform in its own context and not to the upstream data transfer by the company.

This distinction is central to common advertising setups. Advertising companies that transfer data to social media must establish and document the legal basis for doing so themselves.

3. DPIA obligation for large-volume, cross-company linking

The CNIL classified the targeting as high-risk, particularly due to the large amounts of data and the cross-linking between companies. A required data protection impact assessment was missing.

4. Information obligations under Art. 13 GDPR

The CNIL criticized incomplete information, including a lack of clear assignment of processing activities to their perspective legal bases and information on storage periods. In addition, it objected that information on data transfers to the US was not up to date, as reference was still made to the EU-US Privacy Shield, even though this had already been declared invalid at the time.

5. Security deficiencies in passwords

The CNIL considered the password requirements to be insufficient. In addition, the storage was deemed unsuitable because it made passwords more vulnerable.

6. Cookie violations after ePrivacy implementation

According to the CNIL's findings, the company set several non-essential cookies before a consent decision was made and did not reliably delete certain cookies even after they were rejected.

7. Remedial action does not protect against sanctions

The CNIL acknowledged that the company had made extensive remedial improvements during the proceedings, including terminating transmissions, adjusting cookies, updating information, and switching to stronger password hashing. Nevertheless, substantial fines were imposed.

Implications for practice

The decision addresses a pattern that is very common in consumer goods, retail, and loyalty ecosystems: CRM and loyalty programme data are provided to social media as identifiers in order to match existing customers on the platform and then serve advertising. It is precisely at this interface that the greatest compliance risks regularly lie.

The CNIL makes it clear that obtaining general marketing consent or referring to platform documentation is not sufficient for legality. Data transfer to social media is a separate processing step that requires a separate legal basis, robust transparency, and a risk-adequate governance setup.

What companies should do now

Separate and clarify consent design: Consent for direct marketing via email or SMS does not automatically constitute consent for the transfer of identifiers to social media. Anyone who wants to base this transfer on consent needs separate, clear, and verifiable consent that describes the data flow to the platform and the purpose of the matching in a comprehensible manner.

Fully document social media data flow: Technical design, data categories involved, matching logic, recipients, third-country references, and storage periods must be consistently reflected in directories, information obligations, and internal approvals.

DPIA check for targeting and matching use cases: In the case of large-volume inventories and cross-company links, it is necessary to check at an early stage whether a data protection impact assessment is required.

Update and operationalize information texts: Data protection notices should describe the specific processing in such a way that data subjects understand what is happening. This includes clear legal basis assignment, storage periods, and current information on third-country transfers, where relevant.

Ensure cookie compliance from a technical perspective: Non-essential cookies may only be set after effective consent has been given. Refusals must also be enforced from a technical perspective, including deletion mechanisms and regular tests.

Do not neglect security basics: Password requirements and secure storage remain standard points of attack. Even though the decision focuses on marketing, the case shows that supervisory authorities regularly review the entire compliance setup in such proceedings.

Conclusion

The CNIL decision is a clear message to companies with loyalty and CRM-driven marketing: the transfer of customer identifiers to social media is not a minor issue, but a central compliance block with high potential for fines. Particularly important is the key message that neither general marketing consents nor the acceptance of platform policies can replace the company's own legal basis for the transfer. Ex-post corrections may mitigate follow-up measures, but they do not necessarily prevent severe sanctions for past actions.

a) identify, before and/or during treatment, patients who are most likely to benefit from the corresponding medicinal product; or
b) identify, before and/or during treatment, patients likely to be at increased risk of serious adverse reactions as a result of treatment with the corresponding medicinal product (Art. 2 no. 7 IVDR).

In practice, CDx and the corresponding medicinal product are precisely coordinated with one another. CDx are regularly incorporated into the clinical trial of the medicinal product under Regulation (EU) 536/2014 ("CTR") or even developed in parallel. Unlike in other jurisdictions, however, the development and authorisation procedures are regulated separately, which poses considerable challenges for CDx manufacturers and sponsors of clinical trials. As early as 2024, efforts to harmonise these procedures at the European level were initiated through the COMBINE programme. On 16 December 2025, the European Commission published two proposals aimed at strengthening the European biotechnology sector („EU Biotech Act“) and amending Regulation (EU) 2017/745 on medical devices and the IVDR („MDR/IVDR Revision“; see our article Revision of the MDR and IVDR: European Commission Presents Reform Proposal for Simplification), which also contain significant changes affecting the development and approval of CDx.

I. Current Regulatory Framework

In the EU, the development and approval of CDx is carried out separately from the corresponding medicinal product. Demonstration of compliance with the general safety and performance requirements for the CDx, i.e. confirmation of analytical performance or clinical performance, takes place by means of so-called performance studies (Art. 57 et seq. IVDR). CDx performance studies require, in particular, authorisation from the competent authority and invariably involve the relevant ethics committees. Exceptions exist only for performance studies using left-over specimens (e.g. residual material from other studies, provided this is covered by the subject's informed consent).

In order to affix the CE marking under the IVDR, a conformity assessment involving a Notified Body is necessary, as CDx fall into at least the second-highest risk class C (Annex VIII rule 3 lit. f) IVDR; MDCG 2020-16 rev.4, p. 22). The Notified Body must also obtain a scientific opinion on the suitability of the CDx from the national medicines authority or the EMA. A link to the corresponding medicinal product is established only to the extent that the International Nonproprietary Name (INN) is listed in the CDx's instructions for use.

In many cases, only parallel development of the CDx and the medicinal product is possible. However, there is no uniform procedure for combined studies involving (not yet authorised) CDx used as assays in clinical trials of medicinal products due to the different regulatory frameworks and competences. Clinical trials for the medicinal product and the CDx may be conducted simultaneously, but they proceed through two separate regulatory processes, typically involving different sponsors. Sponsors have so far been dependent on a patchwork of individual member state regulations (MDCG 2022-10, question 10).

II. Revision of the IVDR

New Definition of CDx

The Commission's proposal first includes a clarifying expansion of the CDx definition. As it has already been the practice, in vitro diagnostic medical devices shall now also expressly qualify as CDx where they are intended for the safe and effective use of multiple medicinal products (Art. 2 no. 7 IVDR). Accordingly, the Commission's proposal provides that, as an alternative to the INN of the corresponding medicinal product, the relevant class of corresponding medicinal products may also be indicated in the CDx's instructions for use (Annex I Sec. 20.4.1 lit. c) viii) IVDR). Products used for monitoring treatment with a medicinal product in order to ensure that the concentration of the relevant substances in the human body remains within the therapeutic window (so-called complementary diagnostics, e.g. blood glucose monitoring) shall, however, continue not to be qualified as CDx.

Facilitation of CDx Performance Studies

Furthermore, the Commission's proposal provides for simplifications in respect of CDx performance studies that do not entail any additional risks for subjects. Performance studies involving only routine blood sampling from non-vulnerable study participants shall no longer be subject to the additional requirements under Art. 58 to 76 IVDR and, in particular, shall no longer require authorisation from the competent authority. For such performance studies, only notification obligations vis-à-vis the authorities and the general requirements in conjunction with the respective national law shall apply. For CDx performance studies using exclusively left-over specimens, even this notification obligation of the sponsor is to be dispensed with (Art. 58 para. 1 lit. c), 2 IVDR; Recital (50) MDR/IVDR Revision).

Primacy of Pharmaceutical Law for Combined Studies

Moreover, the Commission's proposal sets the course for a genuine co-development of CDx and the corresponding medicinal products. For the first time, the Commission's proposal introduces the concept of a combined study. Combined studies are defined as clinical trials involving medicinal products within the meaning of the CTR that are combined with performance studies for in vitro diagnostic medical devices (including CDx) (Art. 2 no. 75 IVDR). Within the framework of these combined studies, sponsors of performance studies requiring authorisation shall have the option of a single application and assessment procedure. As an alternative to the current separate application process under the IVDR (in the affected member states) and the CTR (via the EU portal CTIS), sponsors shall be enabled to submit a single application for a combined study. In such cases, a primacy of pharmaceutical law shall apply, and a coordinated assessment shall take place exclusively in accordance with the provisions of the CTR (Art. 75a IVDR; Recital (43) MDR/IVDR Revision).

Consultation of Medicines Authorities

Finally, the Commission's proposal emphasises that the consultation of the medicines authority, as currently provided for, shall only be required for novel CDx. For established CDx, a renewed assessment is to be waived. In this context, the European Commission also clarifies that the medicines authority shall not repeat the medical device regulatory assessment carried out by the Notified Bodies (Art. 48 para. 10b IVDR, Annex IX Sec. 5.2 lit. c), g) IVDR respectively Annex X Sec. 3 lit. k) IVDR; Recital (49) MDR/IVDR Revision).

III. EU Biotech Act

Coordinated Assessment Procedure for Combined Studies

The EU Biotech Act establishes the legal prerequisites for implementing the unified assessment mechanism for combined studies. To this end, an identical definition of combined studies is to be codified in pharmaceutical law as well (Art. 2 no. 44 CTR). The Commission's proposal then sets out substantive details regarding the procedure for the coordinated assessment. The sponsor's single application is first to be transmitted via the EU portal to all affected member states. The assessment of the application is then carried out under the lead of a reporting member state and also encompasses the assessments of the competent authorities and the ethics committees. Objections raised by affected member states during and after the assessment are to be limited to specific grounds. The final decision on the authorisation of the combined study, however, is to remain with each affected member state individually. The European Commission is empowered to amend or supplement the relevant provisions of the CTR with regard to the conduct of combined studies by means of delegated acts (Art. 14c CTR; Recital (135) EU Biotech Act).

Combined Studies Involving AI

In the examination of human samples, analytical software is regularly employed which, depending on its intended purpose, may itself constitute a CDx. In practice, such software-based CDx increasingly utilise artificial intelligence. Examples include machine learning for the localisation of granular biomarkers, pattern recognition in identifying suitable or unsuitable patients, or linking vast datasets with patient data to create comprehensive suitability profiles. The Commission's proposal also provides for the described coordinated assessment for the authorisation of combined studies involving such AI-based CDx. Corresponding guidelines on the handling of AI are to be developed by the EMA, the newly established Clinical Trials Coordination and Advisory Group (CTAG), the MDCG and the Artificial Intelligence Board (Art. 27e para. 3, 4 CTR).

IV. Conclusion and Outlook

On a global scale, the market for personalised medicine and CDx is experiencing strong growth. In the EU, however, the rigid regulatory requirements for CDx manufacturers and sponsors of clinical trials have posed considerable challenges in recent years to the practical implementation of research and development projects. The simplifications introduced through the EU Biotech Act and the MDR/IVDR Revision are therefore welcome from an industry perspective. Nevertheless, both Commission proposals merely mark the beginning of the respective legislative processes. The opinions of the European Parliament and the Council are still pending. It remains to be seen how quickly the European legislator will be able to translate these plans into action.

I. Digital Omnibus: New deadlines for the AI Regulation

The European AI Regulation (AI Regulation) currently stipulates that key requirements for high-risk AI systems will become applicable from August 2, 2026. Particularly relevant are Sections 1 to 3 of Chapter III of the Regulation, which define the classification of AI systems as high-risk AI, the technical requirements, and the obligations of providers and operators. These provisions are of practical importance for many companies, for example when AI systems are used in human resources, credit decisions, or safety-related products.

Against this background, adjustments to the AI Regulation are currently being discussed at European level as part of the so-called Digital Omnibus Package. In addition to a general Digital Omnibus (we reported on this in Data Protection Update No. 221, No. 223, and No. 236), the Digital Omnibus on AI in particular contains proposed amendments specifically relating to the AI Regulation. The central consideration is to postpone the application of the regulations for high-risk AI.

The background to the discussion is primarily the currently limited practical feasibility of the requirements. Many of the requirements of the AI Regulation presuppose technical standards, certification procedures, and regulatory guidelines that are only partially available at present. Without these specifications, companies face considerable legal uncertainty in implementing the extensive compliance obligations for high-risk AI. The omnibus proposal therefore links the applicability of the relevant regulations to the availability of supporting guidelines and standards from the European Commission.

According to the current proposal, the rules for high-risk AI would only become applicable in the future after a corresponding decision by the European Commission, with staggered transition periods. For AI systems under Article 6(2) and Annex III of the AI Regulation (e.g., systems in the personnel or education sector), the obligations would take effect six months after such a decision, while for AI systems under Article 6(1) and Annex I (e.g., safety-related components of certain products), a twelve-month transition period is provided for. Irrespective of this, the proposal provides for absolute maximum deadlines: December 2, 2027, and August 2, 2028, respectively.

The legislative process is not yet complete. The omnibus package is on the agenda of the Committee of Permanent Representatives in the Council of the European Union for March 13, 2026, with a view to laying the groundwork for negotiations with the European Parliament. Formally, therefore, August 2, 2026, remains the date of application for the time being. However, in the political debate, a postponement of the deadlines is now considered likely.

II. AI and copyright

1. New case law from German courts

Parallel to regulatory developments, the copyright classification of AI applications is also becoming increasingly important. German courts are increasingly dealing with the question of how classic copyright protection mechanisms should be applied to content created or used in connection with AI systems. Initial rulings show that the use of AI does not negate the copyright protection of human works.

A recent example is a ruling by the Frankfurt Regional Court on December 17, 2025 (Ref. 2-06 O 301/25). The subject of the proceedings was a piece of music that had been created using generative AI from lyrics previously written by a natural person. The lyrics were written by a private author and set to music by a third party using an AI music generator. The song was then released through a music distributor and promoted on social media. The author of the lyrics subsequently asserted claims for injunctive relief.

The court clarified that the copyright protection of a text created by a human being does not lapse when it is integrated or edited into a new work, such as a piece of music, with the help of AI. The decisive factor is whether the original text continues to be a personal intellectual creation within the meaning of copyright law. The court affirmed this. Even though individual passages had been revised or reworded, the author's individual expression remained recognizable. The use of the text in the AI-generated song therefore constituted use of the protected work.

The court considered the distribution of the song to be an infringement of the lyricist's copyright, in particular the right of reproduction under Section 16 of the German Copyright Act (UrhG). Although the lyrics in the song had been partially altered, the basic structure and central passages had been retained. The distribution of the AI-generated piece of music could therefore be prohibited.

The decision is one of a series of recent cases in which German courts are beginning to apply copyright principles to AI constellations. For example, the Regional Court of Munich I had already ruled on copyright issues in connection with AI-generated content in its judgment of November 11, 2025 (Ref. 42 O 14139/24). There, too, it became clear that the decisive factor for copyright protection remains whether a human creative achievement is involved.

2. New EU initiatives for AI and copyright

At the European level, too, the copyright dimension of generative AI is increasingly coming into focus. On March 10, 2026, the European Parliament adopted a resolution on "Copyright and generative artificial intelligence – opportunities and challenges", which was largely based on an initiative by CDU MEP Axel Voss.

The resolution addresses the current uncertainties surrounding the interaction between generative AI and European copyright law. In the Parliament's view, the training of AI models with copyright-protected content, transparency regarding the training data used, and the remuneration of rights holders raise key legal questions. At the same time, it emphasizes that innovation in the field of AI and the protection of creative works should not be seen as opposites, but that both areas must be developed together.

In terms of content, Parliament advocates, among other things, greater transparency in the use of copyright-protected content for training AI systems. In the future, providers of generative AI should disclose which protected content has been used in training data sets. In addition, Parliament calls for the development of functioning licensing mechanisms to ensure fair remuneration for authors while enabling access to high-quality training data.

Another focus is on strengthening the position of rights holders, particularly those in the cultural and media industries. They should be given effective means of objecting to the use of their works for AI training purposes or of licensing such uses. In this context, the role of the European Union Intellectual Property Office (EUIPO) as a possible mediator for transparency and licensing mechanisms is also being discussed.

The resolution does not yet result in legally binding changes. Nevertheless, the initiative clarifies the political direction of further European regulation. The European Parliament expressly calls on the Commission to examine whether the existing copyright legal framework, in particular the rules on text and data mining, should be adapted or supplemented in view of the development of generative AI. It is therefore foreseeable that the copyright regulation of AI systems is likely to be further specified at EU level in the coming years.

III. National implementation of the AI Regulation: AI-MIG

In addition to developments at the European level, the national implementation of the AI Regulation is also progressing. Although the AI Regulation applies directly in all member states, supplementary national regulations are required, in particular to determine the competent authorities and to organize market surveillance and supervision. In Germany, this implementation is to be carried out by the planned AI Market Surveillance and Innovation Act (AI-MIG) (we reported).

The draft law essentially provides for the existing market surveillance structures for regulated products to be transferred to AI systems. In particular, it envisages a coordinating role for the Federal Network Agency, which is to act as a central point of contact for AI supervision issues and coordinate cooperation between the various specialist authorities. In addition, the respective competent supervisory authorities will remain responsible for certain areas of application, such as the financial sector. The aim of the law is to create an efficient supervisory structure while making the most of existing responsibilities.

The current draft of the law is on the agenda of the Bundesrat on March 11, 2026. In political and economic discussions, the project has so far been largely viewed as a necessary step toward the organizational implementation of European requirements. At the same time, isolated concerns have been expressed, for example regarding the complexity of the planned supervisory structure and the practical coordination between the authorities involved.

IV. International regulation: The Colorado AI Act

In addition to European regulation, specific legal frameworks for the use of AI systems are also increasingly emerging outside the European Union. One particularly noteworthy example is the Colorado AI Act, which was passed in May 2024 and is considered one of the first comprehensive AI regulations in the United States. The law will come into force gradually from June 30, 2026, and is aimed in particular at companies that develop or use AI systems that can have a significant impact on individuals.

Similar to the EU, the law focuses on so-called "high-risk artificial intelligence systems." These include, in particular, AI applications that are used in sensitive areas such as employment, lending, housing, healthcare, or education and can make automated decisions with potentially significant consequences for the individuals affected. The Colorado AI Act imposes a number of risk management and transparency obligations on developers and operators of such systems.

Among other things, companies must conduct risk assessments, analyze potential discriminatory effects, and implement appropriate risk mitigation measures. In addition, there are transparency obligations toward users and, in some cases, toward affected individuals, for example, when automated systems are used for decision support. The aim of the law is, in particular, to prevent algorithmic discrimination and ensure the responsible use of AI systems.

Compared to the European AI Regulation, the Colorado AI Act takes a more sector- and risk-oriented approach, but focuses primarily on avoiding discrimination risks and less on comprehensive technical requirements for AI systems. Nevertheless, the law shows that regulatory approaches to AI are also increasingly developing in the United States, albeit primarily at the individual state level so far.

V. Recommendations for action

The developments described above show that the legal framework for the use of AI is currently taking shape in several areas in parallel. Even though individual regulations are still in flux, concrete measures can already be derived that companies can use to reduce their legal risks when using AI.

1. Check AI systems early on for possible high-risk classifications

Against the backdrop of the AI Regulation, companies should analyze their existing or planned AI applications to determine whether they could potentially be classified as high-risk AI systems within the meaning of Art. 6 AI Regulation. This applies in particular to applications in the area of human resources, automated decision-making processes, or safety-related product contexts. Even if the application of the relevant obligations may be delayed due to the digital omnibus procedure currently under discussion, it is already to be expected that extensive requirements for risk management, documentation, and governance will take effect. Companies should therefore establish internal processes for classifying and evaluating AI systems at an early stage.

2. Review the use of copyright-protected content in AI applications

Recent case law from German courts and current initiatives at the EU level show that the handling of copyright-protected content in connection with AI systems is increasingly coming into focus. Companies should therefore review whether and to what extent protected content is processed when using generative AI for marketing, content creation, or software development, for example. This applies in particular to cases wh , texts, images, or music are fed into AI systems or processed by them. If necessary, appropriate rights of use or licenses should be obtained to avoid copyright risks.

3. Monitor the development of national and international AI regulation

In addition to the European AI Regulation, national supervisory structures and international regulatory models are also emerging. In Germany, the planned AI-MIG is currently creating the institutional framework for the supervision of AI systems. At the same time, other jurisdictions are developing their own regulatory approaches, such as the Colorado AI Act, particularly with regard to the risks of discrimination in AI-supported decisions. Companies that use or develop AI systems internationally should therefore align their compliance structures in such a way that the different regulatory requirements of various jurisdictions can be taken into account.

VI. Conclusion and outlook

The legal framework for the use of artificial intelligence is currently undergoing intensive development. In addition to the gradual implementation of the AI Regulation and possible adjustments within the framework of the Digital Omnibus procedure, initial guidelines are taking shape, particularly in copyright law, through case law and political initiatives at the European level. At the same time, national implementing laws such as the planned AI-MIG are creating the institutional basis for supervision and enforcement, while separate regulatory approaches are also increasingly emerging outside Europe.

For companies, this means that the legal framework for AI applications will continue to consolidate in the coming years. It is therefore to be expected that, in addition to new guidelines and technical standards, court decisions and further European legislative initiatives in particular will contribute significantly to the concretization of the framework. Companies are therefore well advised to continuously monitor regulatory developments and to align their internal processes with the foreseeable requirements at an early stage.

This article was created in collaboration with our student employee Emily Bernklau.

What is the issue?

As part of a private equity investment program, a managing director was given a stake in an investment limited partnership (Beteiligungs-KG) at market value as a limited partner. There was no provision for a share in current profits. Instead, he – like the private equity fund involved – was only to earn a share of the profits in the event of a successful exit, i.e., a subsequent sale of the company.

This was a classic management participation program with the usual leaver provisions: as long as the managing director works for the group, he remains a participant. If he leaves the group — whether voluntarily or involuntarily — the majority shareholder can buy back his shares via a so-called "call option." The purchase price for the shares differed depending on the reasons for leaving and provided for different purchase prices for a "good leaver" and a "bad leaver" .

This is exactly what happened: the managing director was duly dismissed as managing director by the majority shareholder without giving reasons and his employment contract was terminated, whereupon the shareholders exercised the call option. He received around €35,000 for his shares based on the currently determined market value – significantly less than his original investment of €150,000.

The managing director filed a lawsuit, arguing that the call option was invalid because it allowed the majority shareholders to force him out of the company at any time and without reason. Such a clause was unconscionable, he argued.

The lower courts ruled in favor of the managing director – but the Federal Court of Justice did not.

The Augsburg Regional Court and the Munich Higher Regional Court considered the call option to be invalid. Their main argument was that the managing director had invested real money and borne a real economic risk. His shareholding was therefore more than just an appendage to his position as managing director and could not simply be withdrawn by means of a call option.

The Federal Court of Justice overturned the appeal ruling and ruled that the call option was not unconscionable in this case.

What does the Federal Court of Justice say — and why is this important?

The Federal Court of Justice (BGH) first confirms that termination clauses that allow a majority shareholder to buy out a manager from the company without cause can, in principle, be void under the German Commercial Code. However — and this is the good news for practitioners and financial investors — the Federal Court of Justice also clarifies that there are exceptions to this rule, defining these exceptions much more generously than before and explicitly including classic call options from financial investors in these exceptions.

Three points are particularly relevant for practice:

Firstly: Overall assessment of the "management model". Until now, there has been concern in practice that a call option would only be effective if it met exactly all the criteria established by the Federal Court of Justice in an older decision from 2005. The Federal Court of Justice now clarifies that it is not a rigid "checklist" that matters, but rather an overall assessment of all the circumstances of the individual case in order to objectively justify a call option. The previous criteria are taken into account in the assessment, but they are not mandatory requirements and do not have to be met in their entirety. The decisive aspects in the overall assessment are the specific contractual arrangements in each individual case, the personal circumstances and the significance of the shareholder position in relation to the operational role in the company, as well as the specific purpose of the right of exclusion.

Secondly: an exit participation instead of ongoing profits is not a problem. The Munich Higher Regional Court had argued that the lack of participation in ongoing profits argued against the effectiveness of the call option because it lacked the "reward function" of the participation. The Federal Court of Justice clearly disagrees: A share in the exit proceeds instead of in current profits is the standard model for financial investors and is completely legitimate. The exit participation is comparable to a bonus payment for a successful business transaction and corresponds to the private equity business model, which from the outset is geared towards increasing value and realizing this value in the context of a sale.

Thirdly: even genuine investment by the manager does not cause any harm. The manager had acquired his shares at market value and thus assumed a real economic risk – he did not receive a symbolic investment or financial assistance from the investor, as in many previous cases. The Munich Higher Regional Court saw this as a reason for the call option to be invalid. The Federal Court of Justice ruled differently: the assumption of an economic risk by the manager does not in itself preclude the validity of the call option. On the contrary: those who are financially at risk are more likely to actively exercise their shareholder rights and will not be deterred from exercising their shareholder rights by the financial investor and the threat of the call option being exercised. The Federal Court of Justice therefore even cites this circumstance as an additional argument for the validity of the call option.

The result: call options in private equity investments are effective

As a result, the Federal Court of Justice ruled in favor of call options, which are typically used by private equity investors in the "management model", and their effectiveness, and clearly stated this. Even a call option that can be exercised in the event of a purchase as a result of unilateral termination by the company without a reason specified by the manager, i.e., typical "good leaver" call options, can therefore be validly agreed upon, as in the case decided here. The Federal Court of Justice sees the need for a corrective measure at most at the level of exercising control over the specific call option and the appropriate purchase price as a severance payment arrangement.

Abuse control remains possible

The ruling does not mean that private equity funds can now dismiss managers at will. The Federal Court of Justice expressly points out that the specific exercise of the call option is subject to control in individual cases and must meet the requirements of good faith in order to prevent abusive exercise. However, the Federal Court of Justice sets the bar high: anyone who exercises the call option shortly before an exit, for example, in order to deliberately deprive the manager of his share of the proceeds, must expect a court to classify the exercise as an abuse of rights in individual cases.

Separation of call option and severance payment provision

Another point relevant to practice: The Federal Court of Justice continues to make a strict distinction between the validity of the call option as such and the question of whether the associated severance payment arrangement is appropriate. Even if the severance payment turns out to be too low, this does not invalidate the call option. These are two different issues that must be assessed separately. The question of whether the manager receives enough money for his shares only concerns the validity of the severance clause – not the question of whether he can be forced to leave at all. However, the fund must be aware that if the court considers the purchase price to be too low in an individual case and the call option has already been exercised, the market value of the purchased shareholding will have to be paid without the possibility of unilaterally withdrawing from the purchase.

What does this mean in practice?

This ruling is good news for private equity funds and majority shareholders who set up management participation programs:

The Federal Court of Justice has expressly recognized the common private equity structure — management participation with exclusive exit proceeds participation and call option in the event of early departure — as an objectively justified model. The argument that the manager has invested "real money" and therefore cannot be dismissed does not hold water if the participation is contractually linked to the manager's executive activities or other personal involvement. In this case, the private autonomy of the parties takes precedence.

Conversely, the following applies to managing directors and managers: anyone who joins a management participation program should be aware that the participation usually stands or falls with the active role in the company and the good conduct of the participant. The BGH decision strengthens the position of investors in recovering shares after a manager leaves the company.

In future, managers should pay particular attention to severance pay arrangements: because the Federal Court of Justice strictly separates the validity of the call option from the question of the amount of severance pay to be paid, the question of appropriate compensation upon departure rather than the question of the validity of the purchase becomes the central point of negotiation.

The ruling gives private equity funds significantly more certainty in the design of their investment programs — but still requires a sense of proportion in their exercise.

Facts

The defendants operated a dental practice as part of a corporate structure consisting of several partnerships and, starting in the 2010 assessment period, systematically manipulated the income attributable to the partners by not recording cash receipts and falsifying operating expenses. To conceal this, foreign companies were founded with the involvement of a financial advisor. In the declarations for the separate and uniform determination of profits for the years 2010 to 2013, the defendants made inaccurate statements regarding the income attributable to the shareholders. In total, income of around EUR 1.83 million was underreported, resulting in an income tax reduction of over EUR 700,000.

Legal background

If income is incorrectly declared to the tax authorities in the assessment procedure for a partnership, this results in a fundamentally incorrect basic assessment notice. This inaccuracy has a direct impact on subsequent notices, as the individual tax assessments of the shareholders are based on an understated assessment basis. Under criminal law, it is recognized that the elements of § 370 AO (German Fiscal Code) can already be fulfilled by the incorrect determination of income and that obtaining an unjustified tax advantage pursuant to § 370 (4) AO is to be considered an independent criminal offense.
The question of what threshold for unjustified tax advantages must be exceeded in assessment notices in order to fulfill the qualifying criterion of large scale has not yet been clarified by the highest court. The practical relevance arises from the significant legal consequences: the penalty range is extended to up to ten years' imprisonment, while the statute of limitations for prosecution is extended to fifteen years pursuant to Section 376 (1) sentence 1 AO.

The ruling of the Federal Court of Justice

According to established case law, the threshold for "large scale" tax evasion pursuant to Section 370 (3) sentence 2 no. 1 Alt. 1 AO is EUR 50,000. However, the Federal Court of Justice does not apply this standard schematically to cases of unjustified tax advantages through incorrect declarations of assessment, but determines an independent value limit: According to this, a "large extent" exists if income of at least EUR 140,000 is assessed in favor of the parties involved in the assessment, deviating from the income actually earned. The Senate bases this determination on the risk character of Section 370 of the German Fiscal Code (AO) and links it to the maximum risk to the tax claim. To derive this, the Federal Court of Justice (BGH) uses a flat maximum tax rate of 42% and a safety margin of 15%, which results in a potential tax reduction of EUR 50,000 in the event of an incorrect assessment of EUR 140,000.

Consequences for practice

From the perspective of criminal tax defense, the supreme court's determination of a specific value limit for the "large scale" of tax evasion through incorrect declarations is to be welcomed, as it creates legal certainty, particularly with regard to sentencing and the statute of limitations.

In this context, the following should be noted in particular for the defense: In cases where, despite obtaining a tax advantage of more than EUR 140,000, the actual tax evasion is significantly less than EUR 50,000 in view of the personal tax characteristics of the parties involved in the assessment, the actual tax reduction can be taken into account when deciding on the application of the standard example or the specific sentencing in order to avoid undue hardship, thus taking sufficient account of the special circumstances of the individual case. For the question of the statute of limitations, however, it is not important whether the standard example is actually applied in the specific case, but only whether the facts of the case fulfill the requirements.

I. Background: Current situation for German companies

From a corporate perspective, digital sovereignty describes the ability to use digital infrastructures, data, and applications in such a way that legal requirements can be met, economic dependencies can be managed, and strategic risks can be controlled. This does not mean complete technological self-sufficiency, but rather a robust ability to control and make decisions about central IT resources, in particular cloud services, data flows, and AI systems.

In practice, many German companies rely on infrastructure (IaaS), platform services (PaaS), or software solutions (SaaS) from major US providers, in particular Amazon Web Services, Microsoft, and Google. These providers offer powerful, scalable, and economically attractive solutions and are often deeply integrated into existing IT architectures.

However, the downside of this market concentration is legal and factual dependency. Companies are often unable to fully control where data is physically processed, nor can they rule out the possibility that foreign authorities may demand access to stored information under certain circumstances.

1. CLOUD Act and GDPR

The discussion about the digital sovereignty of German companies has been significantly influenced by the CLOUD Act, which was passed in 2018. The law obliges providers of electronic communications and cloud services based in the US to hand over data in their "possession, custody, or control" upon request by US law enforcement authorities. The decisive factor here is not the physical location of the data, but the company's legal access to it. Even data stored on servers within the European Union can therefore be subject to this law if it is managed by a US company or a company controlled by a US company.

For German companies that use cloud infrastructures or software solutions from Amazon Web Services, Microsoft, or Google, for example, this creates a structural conflict with European data protection law. While the General Data Protection Regulation imposes high requirements on third-country transfers and government access powers, the CLOUD Act is based solely on the US jurisdiction of the provider. Even if data is processed exclusively in European data centers, a US parent company may be required to disclose it. The legal assessment depends largely on the specific corporate structure, contractual control rights, and actual influence over data processing.

Against this backdrop, several US providers have developed so-called "sovereign cloud" models. Prominent examples include European cloud variants from Microsoft and partnership models from Google with European operators. These concepts regularly stipulate that data is stored exclusively in the EU, that operations are carried out by a European company, and that particularly sensitive administrative access is restricted or technically secured. In some cases, a separate legal entity based in an EU member state is established to offer the service and exercise certain control rights.

However, the decisive legal question is whether such structures actually exclude the applicability of the CLOUD Act or at least substantially reduce it. The decisive factor is whether the US parent company continues to have de facto or legal control over the data or the European operating company. If a controlling relationship exists or if data can be made indirectly accessible, it cannot be ruled out that US authorities could assert claims for disclosure. The mere localisation of data within the EU or a contractual assurance of "European sovereignty" is therefore not necessarily sufficient to rule out the risk of extraterritorial access.

2. Role of the EU-US Data Privacy Framework

Against the backdrop of this tension, the EU-US Data Privacy Framework (DPF) is of central importance (we reported on this in Data Protection Update No. 206 and No. 219). Since July 2023, transatlantic data traffic has been based on the European Commission's adequacy decision pursuant to Art. 45 GDPR. For German companies, this means that personal data may generally be transferred to US service providers certified under the DPF without additional safeguards such as standard contractual clauses.

This represents a significant operational relief, especially for companies that make extensive use of cloud and SaaS services from Amazon Web Services, Microsoft, or Google. The use of globally integrated IT architectures thus remains manageable in terms of data protection law without requiring a separate risk assessment for each transfer in accordance with the "Schrems II" ruling.

However, the legal stability of this construct was controversial from the outset. In its judgment of September 3, 2025, the General Court of the European Union (GCEU) dismissed the action for annulment (T-553/23) brought against the adequacy decision, thereby confirming the validity of the DPF. After a substantive review, the court concluded that the reform measures introduced by the US, in particular Executive Order 14086, the two-tier appeal mechanism via the Civil Liberties Protection Officer (CLPO) and the Data Protection Review Court (DPRC), and expanded control mechanisms in the area of FISA 702 orders, meet the standard of "essentially equivalent" protection developed by the ECJ in "Schrems II."

In practice, this means that as long as the adequacy decision remains in force, supervisory authorities are bound by it; fines for DPF-based transfers are not an option. The decision thus provides companies with considerable, albeit possibly only temporary, legal certainty.

Nevertheless, the issue of digital sovereignty has not been conclusively resolved, as the DPF addresses only the admissibility of data transfers under data protection law. It does not eliminate the structural dependence on non-European providers subject to the CLOUD Act, nor does it resolve issues of vendor lock-in, technical interoperability, or the strategic resilience of IT infrastructures. Digital sovereignty is therefore not exhausted by the formal use of an adequacy decision.

II. EU initiatives

The European Union is responding to the dependencies described above not only politically, but also with an increasingly dense regulatory and structural framework. Digital sovereignty is particularly relevant for companies on two levels: the regulatory framework and the development of European data and infrastructure ecosystems.

1. Regulatory framework

With the NIS 2 Directive, the EU has significantly tightened cybersecurity requirements for companies. It no longer covers only traditional critical infrastructure operators, but a significantly expanded group of "essential" and "important" entities, including cloud providers, data centers, digital infrastructure service providers, and numerous industrial companies. The directive requires comprehensive risk management measures, incident reporting, supply chain controls, and active involvement of senior management. Digital sovereignty is effectively becoming a compliance requirement here, as companies must systematically identify and manage risks arising from IT dependencies.

For the financial sector, the Digital Operational Resilience Act (DORA) further specifies these requirements. It obliges banks, insurance companies, and other financial enterprises to implement structured ICT risk management, comprehensive testing requirements, and special controls for "critical" third-party IT service providers. Cloud providers can be directly subject to European supervision. DORA thus directly interferes with freedom of contract and procurement, forcing companies to think ahead contractually and organizationally about exit strategies, substitution options, and concentration risks.

This framework is flanked by other digital legislation, such as the Data Act or sector-specific security requirements, which are intended to strengthen interoperability, portability, and data access. Taken as a whole, these regulations aim to reduce unilateral dependencies, improve switching options, and make technical and organizational resilience mandatory. Digital sovereignty is thus not only demanded politically, but also operationalized legally.

2. EU data spaces

In addition to regulation, the EU is focusing on building its own data ecosystems (we reported on this in Data Protection Update No. 231). A key project is GAIA-X, a European initiative to develop federated, interoperable cloud and data infrastructures. The goal is not to create a single "European hyperscaler," but to establish common standards for transparency, data control, and interoperability. Providers, including those outside Europe, can participate as long as they meet the defined governance and compliance requirements.

In addition, sectoral European data spaces are emerging, for example in the industrial, mobility, and energy sectors. The planned European Health Data Space (EHDS) is particularly advanced. It is intended to enable the cross-border exchange of health data for care, research, and innovation, while at the same time standardizing strict access and security requirements. This creates new market opportunities for companies in the life sciences and digital health sectors, but also complex compliance requirements.

III. Recommendations for action for companies

Digital sovereignty is not a political buzzword, but a question of concrete governance decisions. Companies should approach the issue in a structured manner and integrate it into existing compliance, IT, and risk management processes.

1. Systematically record IT and data dependencies

The starting point for any sovereignty strategy is transparency. Companies should comprehensively record which cloud, platform, and SaaS services are used, which data categories are affected, and which jurisdictions the respective providers are subject to. It is important to consider not only the immediate contractual partner, but also the subprocessor chain.

Only on this basis can it be assessed whether particularly sensitive data such as research, health, defense, or employee data could be covered by non-European legal systems and what regulatory risks this entails.

2. Strengthen contract and exit strategies

Digital sovereignty is often determined in the contract. Companies should ensure that cloud and IT contracts contain clear provisions on data localization, audit rights, information obligations in the event of requests from authorities, and technical security measures.

Equally important are robust exit clauses. Data portability, interoperability, and migration support should be contractually guaranteed. Especially in light of NIS 2 and DORA requirements, it is essential to be able to simulate a change of provider, at least theoretically and organizationally. Vendor lock-in is not only an economic risk, but increasingly a regulatory risk as well.

3. Increase technical resilience through architectural decisions

Digital sovereignty is not just a legal issue, but also a question of system architecture. Multi-cloud strategies, hybrid models, or the deliberate separation of particularly sensitive workloads can reduce dependencies.

In addition, companies should examine whether client-side encryption with their own key sovereignty can be implemented. Where possible, a clear separation between personal and non-personal data can create additional flexibility. Compliance and IT departments should work closely together here; purely "paper solutions" are not sufficient.

4. Designing resilient transfer governance

Even though the EU-US Data Privacy Framework is currently in force, companies should not rely exclusively on it for their transfer mechanisms. It is advisable to have standard contractual clauses available as a fallback, to regularly update transfer impact assessments, and to actively monitor regulatory developments.

In this context, digital sovereignty means planning for regulatory volatility. Those who are prepared organizationally and contractually can respond to a possible reassessment by the ECJ without risking operational disruptions.

5. Anchoring digital sovereignty as a board-level issue

With NIS-2 and DORA, at the latest, management is being explicitly held accountable. IT dependencies, cloud concentration risks, and third-country access are part of company-wide risk management.

Companies should therefore not treat digital sovereignty in isolation in the IT department, but rather understand it as part of compliance, ESG, M&A due diligence, and strategic corporate planning. In transactions or collaborations, dependence on certain platforms should be examined as well as financial or antitrust risks.

IV. Outlook and conclusion

For German companies, digital sovereignty is neither a political buzzword nor a short-term trend, but rather an expression of a permanently changed regulatory and geopolitical framework. Dependence on global IT and cloud providers remains economically sensible and practically unavoidable in many cases. However, it can be managed legally and organizationally, provided that companies analyze their IT structures, contractual relationships, and data flows transparently and integrate them into their compliance and risk management.

Developments in EU law, from the confirmation of the EU-US Data Privacy Framework by the General Court to NIS-2, DORA, and sectoral data spaces, create legal certainty on the one hand, but also increase the requirements for documentation, resilience, and governance on the other. At the same time, the transatlantic legal situation is not static, and judicial reviews and political developments may necessitate adjustments.

Against this backdrop, a pragmatic approach is recommended. Digital sovereignty should be understood as an integral part of proper corporate organization. Those who are aware of dependencies, address them contractually, and secure them technically are not only acting in line with regulatory expectations, but also strengthening their own ability to act in an increasingly complex digital environment.

This article was created in collaboration with our student employee Emily Bernklau.

Facts

In the underlying case, the plaintiff had concluded a contract with the defendant in December 2022 for participation in the "FBA Unstoppable E-commerce Training Program" at a gross price of €8,092. The contract included various services, in particular access to a learning platform with videos, a messenger group, and video calls with a coach, as well as the opportunity to participate in regular video conferences (so-called live calls). The defendant did not have a license for distance learning courses in accordance with Section 12 FernUSG. The plaintiff claimed that the contract was void in accordance with Section 7 (1) FernUSG because it lacked the necessary license under the FernUSG and demanded repayment of the fee.

Key statements of the judgment

1. Teleological reduction of the concept of spatial separation

The Federal Court of Justice first confirmed the course it had already taken in its judgment of June 12, 2025 (III ZR 109/24): Section 1 (1) No. 1 FernUSG is to be interpreted by way of a teleological reduction to the effect that the teacher and the learner are to be regarded as spatially separated if the transfer of knowledge takes place over a physical distance and not by means of bidirectional – synchronous communication, in which the learner has the opportunity to contact the teacher without any particular effort, as is the case in face-to-face classes. The court justified this by stating that when the FernUSG was enacted in 1976, the legislature was unaware of today's technical possibilities for synchronous bidirectional communication and that, according to its purpose, the characteristic of physical separation can only fulfill its function of distinguishing it from traditional face-to-face teaching if it is additionally required that the transfer of knowledge takes place at a different time (asynchronously) or that the learner has no opportunity for direct exchange.

The BGH thus expressly rejects the opposing view that any transfer of knowledge via online communication should be considered spatial separation. In doing so, it contradicts the Higher Regional Courts of Celle, Stuttgart, and Dresden, which had affirmed spatial separation based solely on physical presence in different locations.

2. The content of the contract is decisive – not the actual implementation

The central clarification, which is particularly important in practice, concerns the question of which facts should be used to assess the physical separation. The Federal Court of Justice states unequivocally: The decisive factor is the content of the contract, i. e., the legally agreed form of the service, and not the actual form of the lessons or the scope of the services actually used by the learner.

In contrast, the court of appeal (Higher Regional Court of Oldenburg) had erroneously based its decision on how the lessons actually "took place" and weighted the asynchronous and synchronous parts of the lessons on the basis of the actual use by the plaintiff. The BGH criticizes this as legally erroneous and refers to its landmark decisions of June 12, 2025 (III ZR 109/24) and October 2, 2025 (III ZR 173/24).

3. Criteria for assessment in individual cases

According to the Federal Court of Justice, whether the teacher and the learner are predominantly physically separated during the transfer of knowledge depends on the specific circumstances of the individual case. Possible points of reference in the case of different teaching services, as in this case, include the content and significance of the partial services for the intended learning success or the respective duration of the learning units provided for in the contract. Recordings of synchronous teaching components that are subsequently made available to participants for retrieval in accordance with the agreement reached are to be treated as asynchronous teaching.

4. Burden of proof

According to the Federal Court of Justice, the burden of proof and presentation for the factual requirements of Section 1 (1) FernUSG lies with the party invoking the applicability of the FernUSG – typically the participant asserting the invalidity of the contract. The teleological reduction of the provision has no influence on this.

5. Monitoring of learning success – broad understanding

The ruling also contains a statement relevant to practice regarding the element of learning success monitoring pursuant to Section 1 (1) No. 2 FernUSG: This element is already fulfilled if the participant is contractually granted the right to ask questions relating to their own understanding of the material learned. According to the Federal Court of Justice, no further "monitoring by the teacher" is required.

Practical consequences: need for review and adjustment for coaching providers

The decision has significant practical implications for providers of online coaching and mentoring programs. By focusing on the content of the contract, the contractual design becomes the central lever for determining whether an offer is classified as distance learning within the meaning of the FernUSG – and is therefore subject to the licensing requirement under Section 12 FernUSG. A violation of this licensing requirement leads to the nullity of the contract pursuant to Section 7 ( (1) FernUSG, with the result that participants can reclaim the remuneration paid.

Providers of online coaching, mentoring programs, and comparable digital continuing education offerings should therefore urgently review their existing contracts and amend them if necessary. In particular, the following should be noted:

First, the contractual service description should be subjected to a thorough review. Since the Federal Court of Justice (BGH) bases its decision on the content of the contract, the wording of the services owed is crucial. Contracts that focus on asynchronous elements such as learning videos, self-study modules, or recorded content run the risk of being classified as distance learning if no license has been obtained. Conversely, contracts that clearly focus on synchronous, bidirectional communication formats – such as live calls, interactive workshops, or real-time individual coaching – may indicate that there is no predominant physical separation.

In addition, the weighting of the individual service components in the contract is important. The Federal Court of Justice cites as possible points of reference both the content and significance of the partial services for the intended learning success and the respective duration of the contractually stipulated learning units. Particular caution is required if recordings of synchronous parts of the course are made available to participants for later retrieval, as the Federal Court of Justice treats such recordings as asynchronous teaching.

Finally, it should be noted that the Federal Court of Justice interprets the characteristic of monitoring learning success very broadly. The contractual granting of a right to ask questions is sufficient. Since such a right to ask questions is likely to be included at least implicitly in almost every coaching offer, this criterion will regularly be fulfilled in practice. The applicability of the FernUSG will therefore be decided in most cases by the question of physical separation.

Conclusion

With its ruling of February 5, 2026, the Federal Court of Justice has set another important guideline for the legal classification of online coaching services under the FernUSG. The clear focus on the content of the contract as the assessment criterion for spatial separation gives providers legal certainty on the one hand, but also creates an urgent need for action on the other. Existing contracts should be reviewed promptly for compliance with the principles established by the Federal Court of Justice and amended if necessary in order to minimize the risk of contractual invalidity under Section 7 (1) FernUSG.

Ryanair pilots are employed. This also applies if they are formally self-employed and are placed through a third-party company. The intermediary placement company, which only handles contracts and payments, is neither an employer nor a temporary employment agency and is therefore not liable for social security contributions.

Facts

The plaintiff was a limited company based in the United Kingdom with no branch in Germany. It provided the airline Ryanair with pilots from an exclusive pool on an on-call basis. From 2009 onwards, the pilots acted as "one-man limited companies." Their activities were essentially limited to contract management and payment processing in return for an agency fee.

Ryanair made the selection decisions itself, determined home bases, integrated the pilots into duty rosters, organized training, and checked their operational readiness. Vacation requests and sick notes also went through Ryanair's systems. The plaintiff invoiced the remuneration based on the data provided by the airline and forwarded the payments.

The defendant classified the pilots as dependent employees and regarded the plaintiff as their employer or, alternatively, as a temporary employment agency. The Berlin Social Court overturned the decision. Although employment did exist, the plaintiff was not the employer. The pension insurance fund appealed against this decision.

Decision

The Berlin-Brandenburg Social Court confirmed the existence of dependent employment under Section 7 (1) of the German Social Security Code IV (SGB IV). The decisive factors were the obligation to follow instructions and integration into the work organization. Both characteristics were clearly fulfilled – but not in the plaintiff's business. The pilots were fully integrated into Ryanair's operational processes and were subject to its professional supervision. In particular, there was no entrepreneurial decision-making leeway.

The interposition of single-person companies did not change the assessment. The decisive factor was the actual implementation. Even in the case of contracts between legal entities, an employment relationship with the operating company could exist if the natural person was in fact employed as an employee.

However, the court denied that the plaintiff was an employer. The employer is the party who decides on deployment and organization. The plaintiff did not take on any personnel management or operational management. Her role was limited to administrative tasks.

The court also rejected liability as a temporary employment agency under Section 28e (2) SGB IV in conjunction with the AÜG. The plaintiff did not have its own employer function. All key management decisions were made by Ryanair. The plaintiff's activity was therefore more likely to be classified as agency work with an accounting function.

Practical note

The decision underscores that the assessment of social security status is consistently based on the actual reality of the assignment. Contractual arrangements with foreign companies that are not subject to social security law or formal self-employment agreements do not offer reliable protection. The only decisive factor is whether the operational involvement of the persons concerned corresponds to that of an employee.

When using external personnel concepts, companies should clearly analyze the allocation of responsibility within the contractual structure. This is particularly important in view of the considerable economic and criminal law risks associated with misjudgment. Anyone who effectively employs personnel as if they were their own employees must expect to be classified as an employer under social security law. The decision provides further confirmation of this and is likely to further increase the sensitivity of the auditing authorities to complex pooling and placement models.

In preliminary injunction proceedings, a decision was made on the correction of the voter list for a works council election scheduled to take place on March 2, 2026.

Facts

The applicant employer is a non-profit association and operates several locations throughout Germany in addition to its headquarters in Cologne. A works council has been formed at the employer, which has so far been elected by the employees of all locations. The basis for this is a works agreement from 2022, according to which a company-wide works council is formed for all businesses.

In January 2026, the election committee sent the election notice and voter list to the entire workforce. The employer then lodged an objection to the voter list and applied to the court to have around ten external locations removed from the list. In the employer's opinion, these locations were geographically distant and therefore qualified as independent parts of the company within the meaning of Section 4 of the Works Constitution Act (BetrVG). In the absence of an assignment decision, the employees working there were not eligible to vote. In addition, the works agreement was invalid because a local works council was not responsible for company-wide regulations.

Decision

The Cologne Labor Court rejected the application to correct the voter list and referred the employer to the possibility of contesting the election.

Although interim legal protection against measures taken by the election committee is possible in principle, strict requirements must be met for the claim for an injunction and the grounds for the injunction, which were not fulfilled in this case.

In the opinion of the labor court, the employer was unable to credibly demonstrate that the voter list was based with sufficient certainty on a fundamental misunderstanding of the company structure and was therefore actually incorrect. The labor court also considered the works agreement to be valid; in any case, it could not be assumed with the necessary certainty that it was invalid. The decisive factor for the court was that the current works council was the democratically legitimized employee representation for all employees. This also applied if the works council election held in 2022 had taken place based on a misinterpretation of the company structure, provided that the election in 2022 was not contested. Since the election at that time was not contested, the supposedly independent part of the company formed a single entity under works constitution law with the main company.
There were also no grounds for an injunction, as a correction of the voter list would outweigh a subsequent election challenge in the weighing of consequences. In the event of an election correction, approximately 100 employees would be without employee representation; in contrast, conducting a regular election challenge procedure was the milder remedy.

The decision is not yet final.

Practical tip

The decision of the Cologne Labor Court highlights the high hurdles that must be overcome in order to intervene in ongoing works council elections.
A correction of the voter list during the ongoing election process can only be obtained in preliminary injunction proceedings in the case of serious and obvious procedural errors. There is a noticeable tendency for courts to refer employers to the contestation procedure in cases of doubt about the legality of the voter list. Since this means that the works council, which may have been elected incorrectly, remains in office until the court decision, employers should intervene as early as possible. The decision also shows that a lack of election challenges may have an impact on future works council elections and possibly reinforce unlawful conditions.

Employers who have doubts as to whether the works council or election committee is basing its decisions on the correct company structure should therefore seek legal advice in good time so that they can take the necessary measures.

In its ruling of January 29, 2026 (8 AZR 49/25), the Federal Labor Court (BAG) once again had to deal with the question of whether headscarves worn for religious reasons are permitted in the workplace. The BAG clarifies that even as an aviation security assistant at passenger and baggage screening, there is no justification for a blanket ban on headscarves. If an employer rejects an application because the applicant wears such a headscarf, this constitutes unjustified discrimination on the grounds of religion. At the same time, the Eighth Senate rejects a blanket requirement of neutrality for entrusted companies in this area and confirms a claim for compensation under Section 15 (2) AGG.

At the time of publication, the written grounds for the judgment are not yet available. The key guidelines are taken from the BAG press release.

Background

The General Equal Treatment Act (AGG) prohibits discrimination on grounds including religion (Sections 7, 1 AGG) and grants monetary compensation in the event of violations by employers (Section 15 (2) AGG). The burden of proof is eased by Section 22 AGG: if the disadvantaged person presents evidence suggesting discrimination, the employer must refute this assumption.

In very limited exceptional cases, different treatment, e. g., on the grounds of religion, may be permissible. This is the case if the characteristic in question constitutes a genuine and determining occupational requirement (Section 8 (1) AGG).

Facts

The plaintiff, a Muslim, applied for a position as an aviation security assistant at a security company licensed by the Federal Police at Hamburg Airport. She wears a headscarf in public for religious reasons. During the application process, she submitted a photo of herself wearing a headscarf. Shortly thereafter, she received a rejection without explanation.

In the lawsuit, the defendant claimed that the plaintiff had been rejected because of gaps in her resume – not because she wore a headscarf. However, it also claimed that a company agreement prohibiting head coverings of any kind applied. The defendant also invoked a state requirement of neutrality to which aviation security assistants, as agents of the federal police, were subject.

The labor court and regional labor court upheld the claim and awarded compensation in the amount of €3,500.

The decision

The Federal Labor Court upheld the decisions of the lower courts and dismissed the employer's appeal. Taking all the circumstances into account, the plaintiff had presented sufficient evidence within the meaning of Section 22 AGG to suggest discrimination on the basis of her religion. The defendant employer had not been able to refute this presumption.

The court emphasized that not wearing a headscarf was not an essential and decisive professional requirement within the meaning of Section 8 (1) AGG for working in passenger and baggage control. Nor did abstract fears that religious symbols could exacerbate an already conflict-prone situation at control points carry any weight. There were no objective indications of increased conflicts due to female aviation security assistants wearing headscarves. The compensation decision of the lower courts therefore remained unchanged.

Practical information

For employers – including those in the security and service sectors – the decision clarifies the limits of blanket neutrality requirements. Internal guidelines or works agreements that generally prohibit head coverings or religious symbols are legally risky if they are not based on a sound foundation. All restrictions on the free practice of religion should therefore be examined very critically in order to avoid creating evidence of discrimination.

Since the burden of proof regularly lies with the employer, particular caution is required early on in the application process. The BAG's decision clearly illustrates that even a rejection can potentially be sufficient to trigger a claim for compensation by an applicant.

I. Background: Revision of the AI Regulation and GDPR

With the drafts for a "Digital Omnibus" of November 19, 2025, the European Commission is pursuing the goal of structurally consolidating the previously fragmented digital regulation and addressing enforcement problems. This particularly affects the Data Act and related data laws, the GDPR including ePrivacy rules, the European cyber reporting system, and the AI Regulation.

In data law, the Data Act is to serve as the central legal framework in the future and integrate the Data Governance Act, the FFDR (Free Flow of Data Regulation), and the open data regulations (we reported). The plans include standardized definitions of terms, more precise access and switching obligations, especially for cloud providers, stronger protection mechanisms for trade secrets, and a restriction of official data access to clearly defined emergencies.

The GDPR is to be amended in specific areas. These include a clarification of the term "special categories of personal data," an explicit opening for AI training based on legitimate interests under technical safeguards, simplified information and reporting obligations for smaller companies, and the integration of ePrivacy rules with technically standardized consent mechanisms (we reported).

In addition, a central European reporting portal for cyber and data protection incidents will be created to bundle multiple reports under the GDPR, NIS-2, DORA, or CRA. In the area of AI regulation, extended transition periods, simplified documentation requirements for SMEs, expanded testing opportunities under real conditions, and greater centralization of oversight at the AI Office are planned.

II. Current status

1. AI Omnibus

The legislative process for the AI Omnibus is about to enter the parliamentary consultation phase. Negotiations in the European Parliament are scheduled to begin on Wednesday, February 25. The issue is also on the agenda at the member state level: on Friday, February 27, the EU Committee of the Bundesrat will discuss the Digital Omnibus in the context of the European data strategy.

Once Parliament and Council have each determined their position, the trilogue could begin in April or May, according to current plans. The goal is to complete the process before August 1 so that the changes can take effect in time for the AI Regulation's relevant application date of August 2. The schedule is correspondingly tight and politically ambitious.

2. Data Omnibus

The status of the Data Omnibus procedure is less clearly structured. Discussions have been more controversial so far, particularly with regard to data protection adjustments.

The European Data Protection Board (EDPB) in particular has expressed considerable reservations about individual proposals and criticized a possible lowering of the level of data protection. Against this background, it is currently unclear whether the data protection reform components will be synchronized with the AI Omnibus or whether they will go through a separate, possibly longer legislative process.

III. Concrete practical advantages for companies

The drafts of the Digital Omnibus are not designed as substantive deregulation, but as a structuring and simplifying reform. The practical effects for companies therefore lie less in a lowering of protection standards than in increased predictability, reduced multiple regulation, and clearer structures of responsibility. The main operational effects can be summarized in five key areas.

1. Uniform regulatory framework in data law

The planned integration of the Data Governance Act, FFDR, and open data regulations into the Data Act eliminates the parallel structure of different data regimes that has existed to date. For companies, this means a systematic consolidation of the regulations on data access, data use, and disclosure obligations into a uniform set of rules.

In practice, this reduces the need for multiple legal reviews of data-driven business models, platform architectures, or intra-group data transfers. Clear and EU-wide harmonized definitions of terms reduce interpretation uncertainties, particularly with regard to qualification as a data holder or data user. For internationally active companies, this reduces transaction costs in contract drafting and the risk of diverging national enforcement practices.

2. More precise cloud and interoperability requirements

The specification of change and interoperability requirements in the Data Act has a direct impact on existing IT and cloud infrastructures. The possibility of exempting customized and non-standardized services from interoperability requirements under certain conditions increases contractual and investment security.

For companies with complex, tailor-made IT environments, this reduces the risk of short-term technical conversions or cost-intensive migration obligations. At the same time, data sandboxes create a regulatory-controlled framework for testing new data products and interface solutions without immediately imposing all full requirements. This favors innovation projects in early stages of development.

3. Data protection openings for AI development

Of particular practical relevance is the planned explicit recognition of legitimate interest as the legal basis for AI training, provided that appropriate technical and organizational measures are implemented. For companies, this opens up greater scope for using existing data sets for training purposes without having to rely on individualized consent in every case.

This facilitates the scaling of data-intensive models and reduces the administrative burden of consent management. At the same time, information and reporting requirements for smaller companies will be differentiated on a risk basis. In the future, data protection violations without significant risk will only be subject to documentation requirements, but not to reporting requirements. In operational practice, this means a reduction in the burden on internal compliance resources and a focus on incidents that are actually relevant to risk.

4. Bundling of cyber and data protection reports

The planned central European reporting portal will bundle the previously separate reporting obligations under the GDPR, NIS-2, DORA, and CRA. This will eliminate the need for companies to contact different national authorities in parallel via different reporting channels.

The harmonization of forms and automated forwarding to the relevant authorities will reduce coordination efforts and friction in incident management. This will create a consistent and digitized process that avoids multiple reports and redundant checks, particularly for companies with multiple regulatory reporting obligations.

5. Adjustments to the AI Regulation: time savings, simplification, and centralization

There are several cumulative relief effects in the area of AI regulations. Linking the effective date of high-risk obligations to the availability of harmonized standards prevents companies from having to implement requirements without being able to refer to specific technical standards. This improves project planning and reduces the risk of faulty implementations or implementations that need to be adjusted retrospectively.

The extension of simplified documentation and quality management requirements to SMEs and small-mid-caps reduces the administrative burden, especially for high-growth companies. Expanded opportunities for testing under real-world conditions and an EU-wide sandbox program promote early market testing of innovative systems under regulatory supervision.

Finally, strengthening the AI Office as the central supervisory authority for certain AI systems will lead to greater harmonization of enforcement practices. For providers operating across Europe, this may reduce the number of parallel national proceedings and contribute to more consistent application of the law.

IV. Conclusion and outlook

The Digital Omnibus does not mark a paradigm shift in European digital law, but it does mark a noticeable change of course toward consolidation, procedural simplification, and realistic implementation. The drafts do not aim to materially lower protection standards, but rather to reduce regulatory friction losses that have resulted from parallel legal acts, unclear demarcations, and tightly scheduled deadlines. For companies, the concrete benefits lie primarily in improved predictability for AI and data projects, a bundling of reporting and documentation requirements, and greater leeway in the design of training and development processes in accordance with data protection law.

Whether these effects actually materialize depends largely on the further legislative process. While the AI omnibus bill is following an ambitious schedule and is set to come into force before August 2, the data omnibus bill is more politically controversial. Intensive negotiations and possible readjustments are to be expected, particularly in the area of data protection. Companies should therefore closely monitor developments and already start to consider where strategic adjustments can be made – for example, in AI governance structures, data architectures, or reporting processes.

Regardless of the final wording of the reform, however, a clear trend is emerging: the Commission is responding to practical implementation problems and signaling its willingness to make regulatory structures more functional. For companies, this opens up the opportunity to align compliance not only as a fulfillment of obligations, but as an integral part of a plannable and innovation-oriented digital strategy.

This article was created in collaboration with our student employee Emily Bernklau.

The draft regulates in particular the responsibilities of the market surveillance authorities, their cooperation, and the national structure of the fine procedure. At the same time, it places emphasis on promoting innovation, for example through the establishment of an AI real-world laboratory and coordinating competence structures. Even though the implementing law does not establish any new material obligations for companies, future supervisory practice will be significantly influenced by the proposed regulatory architecture.

In the following, we present the key contents of the government draft and highlight the structural changes that companies should already be keeping an eye on.

I. Background and objectives

The AI Regulation applies directly in all member states as an EU regulation, creating a uniform legal framework with a risk-based approach that provides for graduated requirements ranging from transparency obligations to comprehensive specifications for high-risk AI systems.

Despite its direct applicability, the AI Regulation requires national support. In particular, member states are required to determine which authorities are responsible for application and enforcement, how market surveillance and notification are organized, which bodies conduct fine proceedings and handle complaints, and how existing administrative structures, such as federal ones, are integrated into the new supervisory architecture.

This is precisely where the government draft of the AI-MIG, which has now been adopted, comes in. It specifies the distribution of responsibilities among authorities, regulates cooperation mechanisms, and creates the procedural basis for sanctions. At the same time, the draft aims to ensure that the AI Regulation is implemented in a way that is conducive to innovation and conserves resources, and to systematically integrate existing sector-specific expertise.

II. Key content

1. Federal Network Agency as central market surveillance authority

The core of the draft is the designation of the Federal Network Agency as the central market surveillance authority for compliance with the AI Regulation, unless special legal responsibilities apply (Section 2 (1) AI-MIG). The legislator has thus opted for a largely centralized model with a clear nationwide point of contact for AI-related supervisory issues.

The explanatory memorandum to the draft explicitly refers to efficiency and coherence considerations: the aim is to avoid fragmentation of responsibilities, prevent divergent interpretations of the AI Regulation, and pool scarce AI expertise. At the same time, the choice of the Federal Network Agency ties in with its growing role as a digital supervisory authority.

For companies, this means that in all constellations not explicitly related to a specific sector, the Federal Network Agency will in future be the primary point of contact for market surveillance issues, supervisory measures, and the enforcement of obligations under the AI Regulation.

To support this central role, the draft provides for the establishment of a coordination and competence center (KoKIVO) at the Federal Network Agency (Section 5 AI-MIG). The KoKIVO is intended to structure coordination between the authorities involved, pool expertise, and ensure uniform application of the AI Regulation.

2. Sectoral responsibilities

Despite the central role of the Federal Network Agency, existing supervisory structures will remain in place in certain areas. Authorities that already act as market surveillance authorities under EU harmonization legislation will also assume this function for AI systems related to the respective products (Section 2 (2) AI-MIG).

This applies in particular to regulated product sectors such as machinery, medical devices, motor vehicles, or other areas covered by Annex I of the AI Regulation. The aim is to leverage existing sector-specific expertise and not to impose completely new supervisory structures on companies.

A special regulation also applies to the financial sector: for AI systems directly related to regulated financial services – such as creditworthiness checks, credit ratings, or actuarial risk assessments – the Federal Financial Supervisory Authority (BaFin) is to be responsible as the market surveillance authority. This integrates AI supervision into existing financial market supervision.

Federal peculiarities are also taken into account: insofar as AI systems are placed on the market or used by public authorities of the federal states, market surveillance is the responsibility of the authorities designated under state law. The draft thus preserves the federal division of powers and integrates the federal states into the new supervisory architecture. At this point, however, a fragmentation of competences and differing interpretations of individual points of the AI Regulation could arise.

3. Promoting innovation: AI real-world laboratory and testing opportunities

In addition to market surveillance, the draft explicitly focuses on instruments that promote innovation. The Federal Network Agency is to be responsible in particular for the establishment and operation of a national AI real-world laboratory. This instrument ties in with the provisions of the AI Regulation, which encourages member states to create regulatory real-world laboratories.

The AI real-world laboratory is intended to give companies – especially start-ups and SMEs – the opportunity to develop and test AI systems under official supervision. The aim is to clarify regulatory requirements at an early stage and not to hamper innovation through legal uncertainties.

In addition, the draft provides for testing opportunities for high-risk AI systems. These are intended to allow certain systems to be tested under controlled conditions and regulatory issues to be addressed before widespread market deployment. Unfortunately, the guidelines planned for the treatment and classification of such systems are still pending, even though the AI Regulation requires them to be in place by February 2, 2026.

III. What does this mean for companies?

Even though the AI-MIG does not create any new material obligations, it marks an important transition from the normative level of the AI Regulation to practical enforcement in Germany. Companies should take the now concretized supervisory architecture as an opportunity to strategically review their internal structures and processes.

1. Conduct a responsibility analysis at an early stage

First, it is advisable to carefully analyze future regulatory responsibilities. Depending on the business model, either the Federal Network Agency as the central market surveillance authority, an existing sector-specific market supervisory authority, or, in the financial sector, BaFin may be responsible. Parallel responsibilities may arise, particularly in the case of technology-open platform models or corporate structures with different product lines. Early clarification makes subsequent coordination with the authorities much easier and reduces the risk of delays in approval or review processes.

2. Adapting AI governance to the new supervisory structure

In addition, companies should adapt their AI governance to the new enforcement reality. The AI Regulation already requires providers to have structured risk management, comprehensive documentation requirements, and a system for monitoring high-risk AI systems after they have been placed on the market. However, operators of such systems also have certain obligations, such as monitoring and information requirements.

With the supervisory structure now clearly defined, the likelihood of coordinated audits and cross-sector coordination between authorities is increasing. It is therefore advisable to clearly define internal responsibilities, systematically map interfaces between data protection, product safety law, IT security, and regulatory compliance, and review existing control mechanisms for their resilience.

3. Examine real-world laboratory and testing options

At the same time, the planned instruments for promoting innovation should be strategically evaluated. The planned AI real-world laboratory opens up the possibility of testing new or regulatory complex AI applications under official supervision. For companies with innovative high-risk systems, this can be a suitable instrument for obtaining legal certainty at an early stage and integrating regulatory requirements into product development. Consciously embedding such test phases in the development strategy can not only minimize risks but also safeguard investment decisions.

4. Preparation for supervisory and fine proceedings

Finally, structured preparation for possible supervisory and fine proceedings is recommended. Clear internal processes for dealing with regulatory inquiries, defined escalation mechanisms, and coordinated communication strategies are central components of a robust compliance system. In view of the planned evaluations of the regulatory structure at the national and European level, ongoing monitoring of further legal developments is also advisable. It can be assumed that fines will be lower if it can be documented that at least an effort was made to meet the existing requirements.

IV. Conclusion and outlook

With the AI-MIG, the legislator is creating the organizational conditions for the effective enforcement of the AI Regulation in Germany. The substantive obligations continue to arise directly from the European regulation; however, the now planned authority architecture with the Federal Network Agency as the central market surveillance authority and clearly defined sectoral responsibilities will be decisive for practice.

The government draft of February 11, 2026, will now be introduced into the parliamentary legislative process. Following deliberation in the Bundestag and referral to the Bundesrat, a swift conclusion is expected in view of the deadlines under EU law. Major structural changes appear rather unlikely at present.

Companies should closely monitor further developments and already align their AI compliance with the foreseeable supervisory structure. With the AI-MIG coming into force, the enforcement of the AI Regulation in Germany will be specified in more detail, and supervisory practice will thus also gain noticeable momentum.

In addition to registering by March 6, 2026, affected companies have been required since December 6, 2025, to implement appropriate technical and organizational measures (TOM) to ensure the availability, integrity, and confidentiality of their network and IT infrastructure. They must also report significant security incidents within 24 hours. The key provisions are set out in the amended Act on the Federal Office for Information Security (BSIG).

In total, almost 30,000 companies and federal administrative institutions in Germany are affected.

Violations can result in fines of at least EUR 10 million or 2 % of global annual turnover.

Affected sectors – smaller companies may also be affected

The range of industries covered has been significantly expanded. In addition to the traditional critical infrastructure sectors – in particular energy, transport, finance, health, water, and aerospace – other economic sectors are now subject to the registration requirement. These include postal and courier services, waste management, the chemical industry, food production, and certain research organizations. Manufacturers of critical products are also included, for example, in the fields of medical technology, computer and electronics production, engineering, and vehicle manufacturing. In addition, there are central digital services such as cloud computing services, data centers, managed service providers (MSPs), managed security service providers (MSSPs), online marketplaces, online search engines and social networks.

The registration requirement generally applies to companies in the above-mentioned industries that meet the following thresholds:

• at least 50 employees and an annual turnover or annual balance sheet total of €10 million each ("important entities")
• at least 250 employees or annual revenue of more than €50 million and annual balance sheet total of more than €43 million ("particularly important entities").

Affiliated companies must generally be included, which is particularly important to note in the context of holding structures.

Certain companies must also register regardless of their size. This applies in particular to providers of public telecommunications networks, DNS resolvers, TLD registries and trust service providers under the eIDAS Regulation. The registration requirement also applies to operators of critical facilities within the meaning of the Ordinance on the Determination of Critical Infrastructures Pursuant to the BSIG (BSI-KritisV).

Personal responsibility of management

Management is responsible for implementing and monitoring appropriate TOMs. Failure to comply with these obligations may result in personal liability. The responsibility for implementing IT and cyber security measures therefore lies directly with the board of directors and management.

Next Steps

Check promptly whether these obligations apply to your business. If your company is part of a corporate group, the assessment must generally be carried out at group level.

Affected companies can register via the BSI portal: Login | BSI portal, where security incidents must also be reported. To register, companies need access credentials for "My Company Account" (MUK). To obtain this, companies must first apply for an ELSTER organization certificate: ELSTER. A German tax number is required to apply for the certificate. As the entire process can take some time, affected companies should act promptly.

The impact assessment and timely registration with the BSI, as well as the implementation of the necessary security measures, should be given the highest priority. This not only enables companies to fulfill their compliance obligations with regard to IT and cybersecurity, but also significantly reduces their risk of suffering considerable losses as a result of cyberattacks.

We are happy to assist you with the impact assessment, registration and implementation of the BSIG requirements, including the introduction and implementation of appropriate security and risk management measures.

I. Scope

The scope of the directive is not linked to the industry or size of a company, but to the type of contract conclusion and the existence of a statutory right of withdrawal. It covers entrepreneurs who conclude distance contracts with consumers via an online user interface and where the consumer has a right of withdrawal under EU law. The decisive factor is therefore whether the contract is concluded via a digitally designed user interface – such as a website or an app – and whether withdrawal has been possible to date without any formal requirements, but without an equivalent electronic function.

In terms of content, the directive is primarily aimed at providers of financial services, as it fundamentally restructures the Consumer Rights Directive in this area and repeals the previously separate Distance Marketing of Financial Services Directive. However, the obligation to provide a withdrawal function is not limited to financial services contracts. Rather, it applies to all distance contracts for which the Consumer Rights Directive provides a right of withdrawal, provided that the contract is concluded via an online user interface. The European legislator is thus pursuing a horizontal approach to ensure that consumers can withdraw from contracts as easily as they previously concluded them digitally.

On the other hand, contracts concluded exclusively between businesses and contracts that are not concluded at a distance or via an online user interface are not covered by the scope of application. Also outside the scope are situations in which there is no right of withdrawal by law. It is therefore crucial for the companies concerned to systematically review their digital conclusion processes and contract types to determine whether they fall under the consumer protection withdrawal regulations and must be equipped with an electronic withdrawal function in the future.

II. New obligations

1. Withdrawal button

The core element of Directive (EU) 2023/2673 is the introduction of a mandatory electronic withdrawal function for distance contracts concluded via an online user interface. The European legislator is thus adopting the principle that the procedure for exercising the right of withdrawal must not be more complicated than the digital conclusion of the contract itself. Consumers should be able to declare their decision to withdraw without additional hurdles, detours, or formal requirements directly via the same digital environment through which the contract was concluded.

The basic concept of the withdrawal button aims to achieve functional equivalence between the conclusion and withdrawal processes. The withdrawal function must therefore be permanently available, easy to find, and clearly marked throughout the entire withdrawal period. The directive requires clear labeling, for example with the words "withdraw contract," and prohibits designs that effectively impede or delay access to withdrawal. Withdrawal should be possible directly via the online user interface without the consumer having to search for additional communication channels, download forms, or go through new identification processes if they are already identified.

From a functional point of view, the withdrawal button must guide the consumer through a structured electronic withdrawal process. This includes submitting the withdrawal declaration, confirming the withdrawal decision, and immediately sending a confirmation of receipt on a durable medium. The confirmation of receipt must document the content of the withdrawal declaration and the time of its receipt and serves both consumer protection and legally secure evidence on the part of the entrepreneur.

The introduction of the revocation button regularly requires not only adjustments to the user interface, but also organizational and technical integration into existing systems. Companies must ensure that revocation declarations are automatically recorded, clearly assigned to the respective contract, and transferred to downstream processes, such as billing, service processing, or customer communication. At the same time, internal responsibilities, documentation obligations, and interfaces to customer service must be clearly defined in order to ensure that revocations are processed in a timely and proper manner.

Overall, the revocation button should therefore not be understood as a mere design element, but as a binding component of digital contract management. Companies that offer distance contracts via online user interfaces should plan implementation at an early stage and understand it as an integral part of their digital conclusion and inventory processes.

2. Adaptation of cancellation policy and privacy policy

The introduction of the mandatory withdrawal button is not limited to technical adjustments to the online user interface, but also entails changes to the content of consumer information. In particular, the withdrawal policy must be adapted to the new requirements, as consumers must in future be informed not only about the existence of the right of withdrawal, but also about the specific possibility of exercising it electronically. The directive expressly requires that the conditions, deadlines, and procedures for withdrawal also include information about the existence and location of the withdrawal function.

Companies must therefore review and supplement their cancellation policies to ensure that electronic cancellation via the cancellation button is clearly and comprehensibly described as an equivalent form of exercise. This applies both to pre-contractual information and to the instructions to be provided to the consumer on a durable medium after conclusion of the contract. Incomplete or contradictory information can not only call into question the start of the withdrawal period, but also lead to legal risks with regard to the enforceability and legal consequences of the withdrawal.

In addition, the revocation button is relevant to data protection law. The electronic revocation function necessarily requires the processing of personal data, in particular for the identification of the consumer, for the assignment of the revocation to a specific contract, and for the documentation of the time of the declaration. If this processing goes beyond existing processes or establishes new purposes, the privacy policy must be reviewed and, if necessary, adapted. Consumers must be informed transparently about which personal data is processed in the context of electronic withdrawal, for what purposes this is done, and on what legal basis the processing is based.

III. German implementation

The national implementation of Directive (EU) 2023/2673 has not yet been completed in Germany. Although the directive should have been transposed into national law by December 19, 2025, a corresponding implementation law has not yet entered into force. Currently, there is only a draft law from the federal government dated September 29, 2025, which essentially implements the requirements of the directive by amending the consumer rights provisions of the German Civil Code (BGB).

In particular, the draft bill provides for the introduction of a separate legal provision on the electronic withdrawal function, which systematically ties in with the existing provisions on the right of withdrawal in distance contracts. According to the draft, a new Section 356a BGB-E is to be introduced for this purpose, which expressly regulates the exercise of the right of withdrawal via an online user interface and thus transposes the EU legal requirements of Article 11a of the Consumer Rights Directive into national law.

In terms of content, the draft bill adopts the central requirements of the directive almost word for word. The entrepreneur shall be obliged to provide a withdrawal function for distance contracts concluded via an online user interface that is clearly marked, available throughout the entire withdrawal period, and easily accessible to the consumer. The draft also provides for a two-stage withdrawal process with submission of the withdrawal declaration, subsequent confirmation, and immediate confirmation of receipt on a durable medium.

IV. Recommendations for action for companies

Companies that conclude distance contracts via online user interfaces should use the remaining time until June 19, 2026, to implement the new requirements in a structured and legally compliant manner. The starting point should be a comprehensive inventory of the types of contracts and digital conclusion processes affected. In doing so, it is necessary to check which offers are subject to a statutory right of withdrawal and via which user interfaces the contracts are concluded.

On this basis, it is advisable to involve the technical and organizational departments at an early stage. The withdrawal button should not be viewed in isolation, but as an integral part of digital contract management. In addition to the visible placement and user-friendly design of the withdrawal function, the downstream processes in particular – from automated recording and contract assignment to confirmation and further processing of the withdrawal – must function reliably and be documented.

At the same time, the legal content should be reviewed and adapted. Cancellation policies, contract information, and privacy statements must accurately reflect the electronic exercise of the right of withdrawal and correspond to the actual technical implementation. Inconsistencies between the user interface and legal information pose considerable risks, particularly with regard to the start of the withdrawal period and possible complaints from consumers or supervisory authorities.

Finally, it is advisable to test the implementation at an early stage and to clearly define internal responsibilities. Training relevant employees, especially in customer service, can help to ensure that withdrawal notices are correctly identified and processed properly. In view of the application deadline specified by EU law, companies should not make their preparations dependent on the further course of the national legislative process.

V. Conclusion and outlook

The electronic withdrawal button supplements the existing consumer law requirements with a further, technically specified form of exercising the right of withdrawal. Even though the national implementation law in Germany is still pending , the content framework has already been clearly outlined by Directive (EU) 2023/2673 and the current draft law. Companies must therefore assume that the new requirements will be binding from June 19, 2026, at the latest.

In practice, early and structured implementation is recommended, taking technical, organizational, and legal aspects into account in equal measure. The withdrawal button should be understood less as an isolated innovation and more as a further development of existing digital contract processes. Proper integration makes it possible to implement the legal requirements while continuing existing processes in a consistent and transparent manner.

This article was created in collaboration with our student employee Emily Bernklau.

Deceptive packaging can not only be a PR disaster for companies, but can also have tangible legal consequences.

1. What is "deceptive packaging"?

Deceptive packaging is defined as pre-packaged goods whose size, shape, or presentation gives the buyer the impression that there is more product content than is actually the case. The deception does not arise from the absolute quantity of the product contained, but from the disproportion between the size of the packaging (the possible filling quantity) and the actual filling quantity – i.e., the so-called "relative filling quantity."

The decisive factor is what impression the average consumer forms of the filling quantity based on the packaging design, given appropriate attention to the situation, and whether this impression differs from the actual content. Even the correct indication of the filling quantity on the packaging cannot reliably dispel any deception if the packaging visually suggests a larger filling level.

2. Why are deceptive packaging practices problematic?

Under fair trading law, pretending to have a larger fill quantity by using oversized packaging is considered a misleading commercial practice because this "deceptive packaging" is likely to mislead consumers about essential characteristics of the product, in this case the fill quantity, and thus influence their purchasing decision.

According to the ruling of the Federal Court of Justice in the "Hydra Energy" case, the question of whether there is misleading information about the relative fill quantity and thus whether there is an illegal "deceptive packaging" is assessed on the basis of whether the packaging is proportionate to the content. This applies across all media and distribution channels, both in brick-and-mortar and online retail. The decisive factor is the expectation of the average consumer, who regularly assumes that everyday products are not completely full, but are filled to significantly more than just two-thirds of their capacity.

However, a lower fill quantity may be harmless if, among other things, the pretense of a larger fill quantity is reliably prevented. This can be achieved, for example, by:

• the design of the packaging, for example by using transparent material on all sides.
• informative notes, for which, however, the mere indication of the fill quantity on the packaging is generally not sufficient, as consumers regularly ignore this abstract figure or are unable to assess it correctly. One possible solution would be to use a contrasting color and clearly recognizable fill line, possibly in conjunction with an indication of the fill quantity.

The fact that the fill quantity is based on technical requirements may also argue against misleading consumers.

However, the burden of proof and explanation for all of the above objections to misleading advertising lies with the user.

3. What are the legal consequences?

If, after all this, there is a deceptive package and thus a violation of fair trading practices, this justifies a claim for injunctive relief by competitors and also by consumer associations. In addition, secondary claims, in particular for information and damages, are possible.

A claim for injunctive relief is regularly asserted in the context of a warning letter subject to a fee, which then demands the submission of a cease-and-desist declaration with penalty clause within a short period of time. If this is submitted, the deceptive packaging in question must be withdrawn from circulation immediately in order to avoid the forfeiture of contractual penalties.

If a cease-and-desist declaration with penalty clause is not submitted within the deadline, the next step is usually to apply to the court for a preliminary injunction. Once the court injunction has been issued, which can happen within a few days of the application being filed, the prohibited activity must be stopped immediately in order to avoid an administrative fine. Given the short time frame of sometimes only around two weeks between receipt of the warning letter and delivery of the court injunction, this can cause considerable logistical problems.

Ideally, therefore, the risk of "deceptive packaging" should be correctly assessed and reviewed from the outset.

4. At what threshold does it become critical?

Case law is regularly based on various rules of thumb and thresholds that companies can use as risk indicators for their own initial assessment. However, these thresholds, which were generally established for everyday products, cannot, of course, replace a detailed assessment of individual cases.

• The first relevant risk indicator is the so-called "70% rule," which is also used by the courts as a practical guideline. According to this rule, if the fill volume is less than 70% of the packaging volume, this is generally a strong indication of deceptive packaging.
• Depending on the type of product, however, previous case law has also deemed lower fill volumes or empty spaces of up to 50% to be harmless. As a rule, however, a hard line should be drawn at the latest when more than half of the packaging contains only air.

Practical conclusion: For everyday goods in prepackages, a filling ratio of at least 70% should be aimed for, or the actual filling quantity should be clearly indicated, e.g., by means of a fill line.

5. Decision of the Heilbronn Regional Court – “36% content is too little”

Deceptive packaging is therefore critical in terms of fair trading law and is repeatedly challenged in court in practice, often by consumer associations.

Kaufland recently experienced this when the Baden-Württemberg Consumer Association took the company to the Heilbronn Regional Court (Ref. Me 8 O 227/24) for selling a tofu product in oversized packaging.

The court upheld the plaintiff's request for an injunction on the grounds that the volume of the product (shrink-wrapped tofu) was only around 36% of the packaging volume, whereas the remaining 64% of the prepackaged product contained air. It was therefore assumed that the relative fill quantity was misleading because the size of the packaging led consumers to expect a significantly higher fill quantity; specifically, consumers expected to purchase approximately twice the amount of tofu in the packaging than they actually received.

Furthermore, the cardboard packaging was neither transparent nor did it contain any suitable explanatory information. The defendant was also unable to demonstrate that the fill quantity was based on technical requirements.

Procedural side issue. Originally, the plaintiff had included the exception "for reasons not necessary for technical reasons" in its application for an injunction, which the defendant complained was too vague. The plaintiff later dropped this exception clause, which the court considered harmless, as the plaintiff did not have to point out to the defendant what it was allowed to do. Instead, the defendant should have argued that there was an exception in its favor, such as a technical necessity for the fill quantity. In the court's view, the deletion of the "non-claim-establishing addition 'technically unnecessary' in the final application" was therefore “merely a linguistic smoothing and had no altering influence on the subject matter of the dispute and/or the specificity of the applications.”

I. Background: Fragmentation of the legal framework

Despite extensive harmonization efforts, the European single market for businesses continues to be characterized by considerable fragmentation of the legal framework. Although a regulatory framework exists under EU law in many areas, it is often overlaid by national implementations, supplementary regulations, and differing enforcement practices. For companies, this means that cross-border activities are not subject to a uniform legal regime, but regularly require the parallel application of several national legal systems.

These problems are particularly evident in the scaling of digital business models. Companies wishing to offer their services across the EU are confronted with diverging requirements in areas such as company, labor, tax, insolvency, and administrative law. Even where EU law requirements exist, differing national interpretations and enforcement mechanisms create legal uncertainties that make reliable planning difficult. The result is increased transaction costs, delays in market entry, and a considerable expenditure of resources for legal and administrative compliance.

These structures are particularly burdensome for start-ups and young growth companies. Unlike established corporations, they often lack the human and financial resources to serve several national legal regimes in parallel on a permanent basis. Studies show that a significant portion of available resources is spent on regulatory tasks, which directly inhibits innovation and growth processes. In addition, key scaling factors such as access to capital, labor mobility, and participation in public and institutional markets are further hampered by legal fragmentation.

From a digital law perspective, a structural tension becomes apparent: while digital business models are inherently cross-border in nature, the underlying legal framework remains nationally organized in key areas. This discrepancy not only affects the competitiveness of individual companies, but also has an indirect impact on the innovation and locational attractiveness of the European Union as a whole.

II. Proposals for the 28th Regime

Against the backdrop of continuing legal fragmentation, the 28th Regime is being discussed as an optional EU-wide legal framework that would provide companies with a uniform legal basis for their activities in the internal market. Unlike traditional harmonization instruments, the concept does not aim to harmonize national legal systems, but rather to create an additional, directly applicable EU regime that would exist alongside existing national systems. Companies could voluntarily opt into this regime without displacing national legal systems.

In terms of content, the proposals to date focus on those areas of law where fragmentation is particularly costly and risky for digitally active and growth-oriented companies. The initial focus is on company law, in particular the introduction of a uniform EU-wide company form. This is intended to enable fully digital incorporation, uniform governance structures, and simplified capital and reporting requirements, thereby facilitating cross-border expansion. For companies with a digital business model, this would significantly reduce the administrative burden of setting up and maintaining multiple national companies.

Closely linked to this is the area of insolvency and restructuring law. Despite existing minimum standards under EU law, there are still considerable differences in the eligibility requirements, duration of proceedings, and legal consequences of national insolvency proceedings. A coherent EU-wide framework is therefore proposed, which would create reliable "second chance" mechanisms, particularly for innovative companies, thereby facilitating investment and financing decisions. For capital-intensive digital business models, predictable insolvency law is a key location factor.

Further considerations relate to labor law, particularly with regard to cross-border employment models. Digital companies often work with distributed teams, hybrid forms of work, and cross-border talent mobility. Standardized labor law modules are therefore proposed, for example for employment contracts, remote work models, or employee participation, which would be recognized throughout the EU under the 28th regime. The aim is not to completely standardize labor law, but to reduce legal inconsistencies for internationally based teams.

Finally, tax law is discussed as a central, albeit politically sensitive, component. Although complete tax harmonization is not planned, uniform compliance and reporting requirements, particularly in the area of corporate taxation and value-added tax, could bring about significant simplifications. A common EU-wide framework for tax reporting and documentation requirements would provide noticeable relief, especially for young companies with limited resources.

What all the substantive proposals have in common is that they are to be designed in a modular fashion. The 28th Regime is not conceived as a comprehensive "EU company law," but as a system that can be expanded step by step, initially focusing on areas that are particularly prone to conflict and economically relevant. From a digital law perspective in particular, the added value lies in the possibility of bundling key business functions – formation, financing, employment, and restructuring – under a coherent EU-wide framework, thereby reducing the structural gap between cross-border business models and nationally oriented legal systems.

III. Practical implications for companies

The practical implications of a 28th regime vary considerably depending on the business model, organizational structure, and expansion strategy of the companies concerned. The new legal framework is particularly relevant for companies whose activities are cross-border from the outset and which are dependent on rapid scaling within the internal market. These include, in particular, providers of digital services, software-based products, platform solutions, and data-driven business models.

1. Companies with a cross-border market orientation

For companies that offer services uniformly in several Member States, the key practical benefit of the 28th regime is the ability to bundle central business functions under a coherent EU-wide legal framework. Instead of parallel corporate structures and national compliance setups, a uniform regime could simplify internal organization and reduce the number of legally relevant interfaces. This applies in particular to formation processes, organizational structures, reporting requirements, and issues of intra-group control.

Especially in early growth phases, this would help to limit legal scaling costs and allow management capacities to focus more on operational and strategic issues.

2. Providers of regulated digital services

The 28th regime is particularly important for companies operating in regulated markets, such as financial services, healthcare applications, digital identity solutions, or data-intensive platform services. In these constellations, the effort often lies not only in complying with substantive legal requirements, but also in coordinating different national organizational, liability, and reporting requirements.

An optional EU-wide regime could at least standardize the corporate and organizational law basis and thus reduce the complexity of regulatory integration. Although sectoral licensing and supervisory requirements would remain in place, corporate structure and internal governance could be standardized across the EU, which promises practical efficiency gains, particularly when expanding into other member states.

3. Employment models and internal organization

The 28th regime also has practical relevance for companies with decentralized or cross-border employment structures. Uniform or standardized labor law modules could facilitate the drafting of employment contracts, remuneration and participation models, and remote work arrangements. This would simplify internal coordination between human resources, legal, and compliance functions in particular and reduce legal fragmentation in the employment of skilled workers in different member states.

Although mandatory national labor law would still have to be observed, a coherent EU-wide framework for key labor law issues could significantly reduce the complexity of cross-border human resources strategies.

IV. Conclusion and outlook

The 28th Regime marks a renewed attempt by the European Union to address structural deficits in the single market that have been evident for years, particularly among cross-border and growth-oriented companies. The European Commission has now explicitly included the project in its internal market strategy and announced in its work program for 2026 that it will present a corresponding legislative proposal, which will initially focus on innovative companies.

In terms of content, a more concrete proposal can therefore be expected in the foreseeable future, the scope, legal form, and modularity of which will be decisive for its practical added value. It remains to be seen whether it will be possible to create a truly uniform, directly applicable legal framework or whether the 28th regime will once again be relativized by national connecting factors. Acceptance in practice will depend on whether the regime goes beyond symbolic simplifications and enables tangible relief in terms of start-up, scaling, and ongoing compliance.

Companies should monitor the development of the 28th regime at an early stage and assess it strategically. In particular, companies with a clear internal market focus, cross-border organizational structures, or expansion plans should examine in which areas legal fragmentation currently causes particular costs or risks. Such an assessment can form the basis for evaluating the potential advantages of an optional EU-wide regime at an early stage and, if necessary, preparing for a change or parallel use.

This article was created in collaboration with our student employee Emily Bernklau.

What is decisive is the company’s functioning compliance management system and its organizational effectiveness; if effective safeguards are lacking, the sanction can be directed at the company. With this decision, the Court continues its line from GDPR case law (including Deutsche Wohnen SE): corporate sanctions must not fail due to the inability to identify an individual perpetrator where structural deficiencies are established.

Legal Framework

The Fourth Anti-Money Laundering Directive (EU) 2015/849 requires effective, proportionate, and dissuasive sanctions against obliged entities, explicitly including legal persons.

In the ECJ´s view, the provisions on attributing the acts of management bodies and subordinate employees do not imply a requirement for a preceding individual proceeding. Sanctions against natural persons, such as members of the management, remain possible but are not a precondition for the liability of the legal person. This already follows from the principle of effet utile: the EU’s preventive and sanctioning mechanisms in the fight against money laundering must remain practically enforceable – particularly in complex organizational structures.

Background of the case

The decision arose from proceedings by the Austrian Financial Market Authority against a credit institution for alleged breaches of due diligence obligations under the FM-GwG (Financial Markets Anti-Money Laundering Act). Although the statute already provides an attribution model regarding acts of persons in management as well as supervisory/control failures, the Austrian Higher Administrative Court (VwGH) had set strict attribution thresholds and maintained that, prior to a corporate sanction, a specific natural person had to be accused, their culpable conduct established, and they named in the judgment. The ECJ has now expressly rejected this “logic,” which requires an identified natural person first.

Practical implications for supervisors and companies

The ECJ makes it unequivocally clear:

• The addressee of the sanction is the company where its organization fails; identifying an individual perpetrator is not required for that. This brings the substance of the compliance architecture to the fore. Those who take governance and control seriously will materially reduce sanction risk; those who merely claim compliance on paper should expect tangible measures.
• Supervisory authorities can proceed directly against companies where organizational deficiencies exist; the search for a “key person” is no longer a barrier.
• Members of management can still be held personally liable – in addition, not as a prerequisite for corporate attribution. Central are risk assessment, internal controls, effective monitoring, escalation paths, and demonstrable training. What is decisive is whether the institution masters its AML risk management – not whether a single perpetrator is identified.

Significance beyond Austria

For Germany and other Member States, the Court thereby confirms the direct corporate addressee of administrative sanctions – consistent with the already established line on data protection fines (Case C-807/21, Urt. v. 05.12.2023).

This strengthens AML and data protection supervision alike and undercuts defense strategies that attempt to narrow proceedings to the identification of a single natural person while leaving structural deficits unaddressed.

Governance recommendations for practice

A range of consequences follow for companies subject to obligations under the German Anti-Money Laundering Act (GwG) that wish to avoid fines for violations.

In addition to sharpening risk control, responsibilities should be clearly defined – that is, roles and the four-eyes principle should be bindingly regulated, and effective control paths and escalation mechanisms ensured. Obliged entities should also be able to evidence effectiveness through training, controls, alerts, and measurable actions.

It is also helpful and advisable, for purposes of optimizing the system, to review the entire process – from client onboarding through to the filing of any required suspicious activity report – to determine where improvements are still needed.

The decision has far-reaching consequences for real estate brokerage practice and the validity of brokerage agreements concluded in electronic commerce.

Facts

In the underlying case, the plaintiff, a real estate broker, offered a single-family home for sale via a web portal and used a standardized online tool via brokerage software to conclude the contract. The defendant contacted the plaintiff by telephone and requested further information about the object. He then received an automated email with a link to the object description and other documents. The link redirected the defendant to the plaintiff's website, where he confirmed the conclusion of the contract by clicking on the "Send" button, after which he gained access to the object description.

The defendant then viewed the property and signed a brokerage and referral confirmation from the plaintiff. After the notarized purchase agreement was concluded, the broker invoiced the defendant for the commission; the defendant refused to pay.

The Stuttgart Regional Court dismissed the broker's claim for payment. The Court of Appeal ruled against the defendant on appeal. The defendant's appeal was successful: the Federal Court of Justice overturned the appeal ruling and referred the case back to the Court of Appeal.

Decision

In its ruling of 9. October 2025 (BGH, judgment of 09.10.2025 – I ZR 159/24), the Federal Court of Justice first clarified that a brokerage agreement can oblige the consumer to pay within the meaning of Section 312j (3) sentence 1 of the German Civil Code (BGB), even if the commission is only payable upon conclusion of the main contract. This results in high transparency and confirmation requirements for brokers in their business dealings with consumers.

If, in the case of a brokerage agreement concluded in electronic business transactions, the broker does not design the consumer's declaration of acceptance as an express confirmation of the commission obligation ("order with obligation to pay") contrary to Section 312j (3) BGB, the brokerage agreement is not only provisionally but definitively invalid (Section 312j (4) BGB). The activation of standardized buttons such as "Send", "Continue", or comparable neutral labels is not sufficient for validity.

The Federal Court of Justice also clarifies that a contract that was initially concluded invalidly cannot be subsequently remedied by mere conclusive behavior – e. g., the consumer's request to organize a viewing appointment. A subsequent confirmation within the meaning of Section 141 (1) BGB can only re-establish the brokerage contract if it complies with the requirements of Section 312j (3) BGB. This requires an express confirmation of the commission obligation by the consumer, which is regularly lacking in the case of implied conduct.

In the opinion of the Federal Court of Justice, the standardized and automated email correspondence used in the specific case also does not fulfill the exception under Section 312j (5) BGB because there is no individually written communication between the parties.

Conclusion

With its ruling, the Federal Court of Justice strengthens the rights of consumers in electronic commerce.

Brokers should carefully review their websites and the software used to conclude contracts. The external design must ensure that the consumer expressly and transparently confirms the commission obligation, for example by clicking on a button labeled "Place order subject to payment." If the principles established by the Federal Court of Justice are violated, the brokerage contract is invalid; the commission claim therefore does not arise.

In a world of shifting alliances, consequently, EDIP too does not only include EU member states but is open to the participation of “associated countries” from EEA/EFTA as well as Ukraine (it is noteworthy that on 19th December EU Member states' representatives endorsed Canada joining the 100 times(!) larger €150-billion SAFE Regulation (SAFE: member states endorse agreement on the participation of Canada - Consilium), underscoring Canada's strategic shift which was highlighted by Prime Minister Mark Carney’s address on 20th January during the 2026 Davos summit (Davos 2026: Special address by Mark Carney, PM of Canada | World Economic Forum).

The EDIP Regulation is a complex (too complex?) framework to reinforce Europe’s defence technological and industrial base (EDTIB), ensure timely availability of defence products, and support the recovery and integration of Ukraine's defence industry into the European market. It builds on and extends the logic of short-term emergency measures ASAP (Reg. 2023/1525) and EDIRPA (Reg. 2023/2418), creating a medium term programme for 2025–2027 with dedicated legal frameworks for common procurement, industrial reinforcement, strategic projects, and crisis supply measures.

EDIP establishes six pillars:

1. a Programme to strengthen the EDTIB;
2. a Ukraine Support Instrument;
3. a framework for European Defence Projects of Common Interest (EDPCIs);
4. a European Military Sales Mechanism;
5. a new cooperative vehicle for Structures for European Armament Programmes (SEAPs); and
6. an internal market supply crisis regime for defence and crisis relevant products.

According to Article 1 paragraph 1 the EDIP Regulation

“aims to enhance the technological leadership, innovation, readiness, long-term competitiveness, resilience, integration and preparedness of the European Defence Technological and Industrial Base (EDTIB), ensuring the timely availability and supply of defence products and contributing to the recovery, reconstruction and modernisation of the Ukrainian Defence Technological and Industrial Base (the ‘Ukrainian DTIB’)”.

Recipients and contractors must meet several criteria, e.g. they must generally be established, managed, and operate assets in the EU or associated countries.

How to receive financial support under the EDIP Regulation depends on the specific pillar. Most of the procedural details still need to be specified in work programmes and implementation acts by the EU Commission. In practice, a company seeking EDIP support will need to submit a proposal in response to EU Commission calls under the relevant work programme for industrial reinforcement or supporting actions; for common procurement, it participates as a bidder in the procurement run by the designated procurement agent/authority; for FAST, it engages with the implementing partner(s) offering the debt/equity products designated for defence supply chain investment.

If you have any questions regarding EDIP, SAFE or any other of the current EU or national initiatives to strengthen European defence, please get into contact with HEUKING.

The initial situations

The proceedings before the BGH are based on a decision of the Higher Regional Court of Düsseldorf of July 27, 2023 (6 U 1/22) (see Update Compliance 7/2023 – Higher Regional Court of Düsseldorf: No recourse against managing directors for antitrust fines), in which the Higher Regional Court of Düsseldorf rejected recourse against managing directors for antitrust fines. In these proceedings, a limited liability company (GmbH) is demanding compensation from its former managing director for an antitrust fine of EUR 4.1 million imposed by the Federal Cartel Office for a price cartel.

The OLG Frankfurt (judgment of October 21, 2025 – 31 U 3/25), on the other hand, dealt with a case involving a fine under capital market law. The Federal Financial Supervisory Authority (BaFin) had imposed a fine of EUR 290,000 on a listed stock corporation because its half-yearly financial report did not contain a so-called balance sheet oath. The sole member of the management board at the time was responsible for failing to issue the declaration required under Section 115 (2) of the German Securities Trading Act (WpHG). The company sought recourse against the former member of the management board for reimbursement of the fine and legal costs. The appeal is pending before the BGH´s Second Civil Law Senate – not the Antitrust Law Senate.

The decisions

At the time, the BGH suspended the antitrust proceedings and referred the case to the ECJ for a preliminary ruling. The ECJ is to clarify whether Article 101 TFEU precludes a provision in national law under which a legal entity can claim compensation from its management body for damage caused by a cartel fine. The Cartel Senate considers both an affirmative and a negative answer to the question of recourse to be justifiable. The effectiveness of the fine could be impaired if the company were able to relieve itself of the financial burden through recourse. At the same time, however, the Senate emphasizes the behavior-controlling effect of recourse: without the threat of personal recourse, the managing director would not have to pay the fine, which would contradict the control function of Section 43 (2) of the German Act on Limited Liability Companies (GmbHG).

The OLG Frankfurt also affirms the fundamental recourseability of association fines with explicit reference to the preliminary ruling of the BGH. The wording of section 93 (2) sentence 1 AktG does not provide for any restriction. The meaning and purpose of directors' and officers' liability also argue in favor of recourse: in addition to compensation for damages, the threat of personal liability encourages members of the executive board to exercise greater care.

The court rejects a teleological reduction of the provision. Neither the punitive nor the preventive purpose of the association fine is thwarted by the possibility of recourse. Limited D&O coverage, the personal financial capacity of the body, and the risk of litigation and insolvency ensure that an effective portion of the fine can remain with the company.

Practical note

A significant legal development is emerging for companies and their management bodies. The BGH and the OLG Frankfurt have sent a clear signal in favor of the recourseability of fines imposed on companies. If this view prevails, the affirmation of the recourseability of fines would be expected to lead to an increase in cases of directors' and officers' liability in the future. Members of the executive board and managing directors should therefore review their personal liability situation with regard to the risk of fines. The coverage amounts of existing D&O insurance policies deserve special attention, as the insurance can only cover the liability risk to a limited extent in the case of high fines.

Outlook

It remains to be seen how the ECJ will rule on the recoverability of antitrust fines. In its referral decision, the Antitrust Law Senate of the BGH has already indicated that it will affirm recoverability on the basis of national law. A corresponding decision by the Second Civil Division of the BGH is also expected for the capital markets law proceedings.

Objectives and Key Instruments of the CMA

The CMA aims to reduce dependency on third countries, diversify supply chains and strengthen the competitiveness of the European pharmaceutical industry.

“Critical medicines” are defined as those medicinal products for human use that are included in the “Union List of Critical Medicines” maintained by the European Commission, the European Medicines Agency and the Heads of Medicines Agencies. The CMA expressly refers to this Union List and the designation procedure provided for in the EU Pharmaceutical Package. The list comprises active substances that are considered essential for the healthcare systems of the EU. It covers a broad spectrum, including antibiotics, insulin, medicinal products for the treatment of chronic diseases and other core indications for primary and acute care. Vaccines and medicinal products for rare diseases are also included. The decisive criteria for inclusion are the use in the treatment of serious diseases and the lack of available therapeutic alternatives. The CMA focuses not only on “critical medicines” but also on so-called “medicines of common interest”, which are required but not or only limitedly available in three or more Member States.

The key instruments of the CMA include in particular:

• Strategic Projects: Strategic projects shall be designated for the manufacture of critical medicines and their precursors. These projects benefit from accelerated authorisation procedures and facilitated access to national and European funding.
• Amendments to Procurement Law: New procurement rules are intended to enable contracting authorities to give greater consideration to supply security and supply chain resilience. The Commission shall also support coordinated, cross-border procurement procedures.
• International Partnerships: In addition, the draft proposal provides for the establishment of partnerships with “like-minded” third countries in order to broaden the supplier base and thereby reduce dependency on individual suppliers.
• Guidelines: Specific State aid guidelines are intended to provide Member States with legal certainty when supporting strategic projects.

Position of the European Parliament

In its opinion, the European Parliament sets additional priorities that are of considerable practical significance, particularly for pharmaceutical companies. It proposes an expansion of the definition of “medicines of common interest” to expressly include orphan drugs. Furthermore, the Parliament advocates for the prioritisation of funding for strategic projects in the current and upcoming EU multiannual financial framework. In return, companies receiving public funding shall be obliged to prioritise supply to the EU market.

In the area of public procurement, the Parliament calls for a clear departure from pure price competition. In the future, qualitative criteria such as supply security, supply chain diversification and production locations shall be given greater consideration. Specifically, preference shall be given to manufacturers that produce a substantial part of critical medicines within the EU.

Furthermore, the minimum number of Member States for joint procurement procedures shall be reduced from the current nine to at least five in order to make such procedures more practicable. To prevent and manage shortages, the Parliament also calls for an EU-wide coordination mechanism for emergency reserves. As a measure of last resort, the Commission shall even be empowered to order a redistribution of medicines between national stockpiles in the event of acute shortages.

Next Steps in the Legislative Procedure

With the adopted positions of the Council and Parliament, the CMA has entered the decisive phase of the legislative procedure. The final version of the legislation will now be negotiated in trilogue. The substantive focus of the discussions is expected to be on the design of the strategic projects as well as the scope of the new provisions relating to procurement law and State aid law. Considering the scepticism already expressed by healthcare payers, the departure from pure price competition is likely to lead to debate. The scope of supply obligations for funded companies as well as the Commission’s crisis powers are also likely to be subject to controversial negotiations.
Assessment and Outlook

The CMA marks a paradigm shift in EU health policy: away from pure cost competition towards greater supply security and industrial resilience. For the life sciences sector, this creates new opportunities, for example through funding possibilities and improved framework conditions for production investments in the EU. At the same time, regulatory requirements are also increasing, particularly in procurement law and State aid law as well as regarding supply obligations towards the EU market. Companies should therefore engage with the potential implications of the CMA for their production, procurement and funding strategies at an early stage.

On January 28, 2026, the German Federal Court of Justice (BGH) handed down a landmark ruling (Case No. VIII ZR 228/23) that is likely to affect millions of tenancies across Germany: tenants who sublet their apartments are not permitted to make a profit. Subletting at a price higher than one's own rent does not give rise to a claim for subletting permission – and may even result in termination of the tenancy.

The Case: A Two-Room Berlin Apartment Turned Lucrative Side Business

A tenant had been renting a two-room apartment in Berlin since 2009 at a net cold rent of €460 per month. When he left Germany for an extended stay abroad in early 2020, he sublet the apartment to two subtenants – at a net cold rent of €962, more than double what he himself was paying. Including advance payments for utilities and heating, the subtenants were actually paying €1,100 per month. The tenant had not sought the landlord's permission before doing so.

When the landlord discovered the arrangement, she issued a formal warning and ultimately terminated the tenancy with proper notice in February 2022.

The Decision: Profit-Making Is Not a Legitimate Interest

The Charlottenburg Local Court initially dismissed the landlord's eviction claim, ruling in favor of the tenant. However, the Berlin Regional Court reversed this decision and found for the landlord. The tenant's appeal to the BGH was unsuccessful.

The VIII Civil Senate of the BGH stated unequivocally: there is no legitimate interest in subletting within the meaning of Section 553(1) sentence 1 of the German Civil Code (BGB) where the tenant earns a profit exceeding their own housing-related expenses. The landlord may therefore refuse consent to the subletting arrangement. Without such consent, the tenant has no right to sublet (Section 540 BGB). The tenant's breach of this rule justifies termination of the tenancy on grounds of a significant and culpable violation of contractual duties (Section 573(1), (2) No. 1 BGB).

The Reasoning: Subletting Exists to Preserve Housing, Not to Generate Profit

The BGH grounded its decision in a comprehensive interpretation of Section 553 BGB and reached a clear conclusion: the statutory framework for subletting serves solely to allow tenants to retain their apartments when their personal circumstances change significantly - for instance, during a temporary stay abroad or a shift in family situation.

The legislature, however, never intended for this provision to enable tenants to profit from subletting. This is evident from the legislative history and reflects the necessary balance between the landlord's property rights and the tenant's possessory rights, both of which are protected under the property guarantee of Article 14(1) of the German Basic Law (Grundgesetz).

While case law has long recognized that tenants may reduce their own rent burden through subletting, this does not mean they may generate income exceeding their own costs.

An interesting aside: the BGH left open the question raised by the Berlin Regional Court as to whether a violation of Germany's rent cap rules (Mietpreisbremse) might also preclude a claim to subletting permission. In this case, the profit motive alone was sufficient to deny the tenant any right to sublet.

Analysis: A Landmark Ruling with Far-Reaching Implications

This decision carries considerable practical significance for several reasons.

First, the BGH provides legal certainty on a previously contested issue. Courts and commentators had long debated whether – and to what extent - landlords are entitled to know the terms of a sublease. Some courts held that landlords had no business inquiring into the income a head tenant derives from subletting. The BGH has now rejected this view.

Second, the ruling directly impacts numerous business models. In recent years, particularly in major cities, it had become common practice to sublet cheaply rented apartments at significantly higher prices through platforms like Airbnb or WG-Gesucht. This practice is now unambiguously unlawful – meaning landlords have grounds to terminate leases where they have not consented to subletting.

The rules are even stricter for short-term tourist rentals: under established BGH case law, there is no entitlement to subletting permission for daily rentals to tourists, as this form of use differs fundamentally from ordinary subletting. Even a general subletting permission does not cover short-term tourist lets - and landlords may typically terminate such arrangements without notice.

Third, the ruling also protects subtenants from inflated rents, a point the BGH expressly emphasized.

Fourth, some legal uncertainty remains in the details. The BGH explicitly left open how cases should be handled where the tenant provides additional services, such as furnishing the apartment. In this particular case, the appellate court found that such services did not justify the substantial gap between the head rent and the sublet rent. However, how to assess situations where additional services might genuinely offset a higher price remains an open question.

Conclusion: Is the Tenant-as-Middleman Model Finished?

The BGH's ruling sends a clear message: another person's apartment is not a speculative asset. Anyone who sublets may, at most, cover their own costs – but not profit from others' housing difficulties. With this decision, the BGH firmly supports socially responsible housing use and delivers a decisive rebuke to the profit-driven subletting business model.

Practical Guidance

For landlords, this ruling means you should review subletting arrangements carefully. If you receive a subletting request or learn of an existing arrangement, inquire about the sublease terms. Where the sublet rent significantly exceeds the head rent, you may refuse permission. For ongoing sublets at inflated prices, a formal warning followed by termination may be appropriate.

For tenants considering subletting: the sublet rent should not exceed your own costs. Whether a reasonable surcharge for furniture provided along with the apartment is permissible remains unclear, so caution is advised. If you plan to sublet during a stay abroad or other temporary absence, discuss the terms with your landlord beforehand and obtain written permission. Subletting without permission – especially at inflated prices – risks losing your apartment entirely, as this ruling makes clear.

For subtenants, there is reason for cautious optimism: you may be better protected from excessive pricing by head tenants in the future.

Do you have questions about subletting, need to review a subletting arrangement, or want to take action against an unauthorized sublet? Get in touch – our tenancy and real estate law team is here to help.

In its decision of November 6, 2025, the Hamm Regional Labor Court clarified that minor errors in the consultation procedure and in the mass dismissal notification do not necessarily render a dismissal for operational reasons invalid. The decision is not yet final; an appeal has been allowed.

Background

In the event of a mass dismissal, the employer must provide the works council with relevant information in good time in accordance with Section 17 (2) of the German Employment Protection Act (KSchG), in particular regarding the number and occupational groups of the employees to be dismissed. In addition, a mass dismissal notification must be submitted to the Employment Agency in accordance with Section 17 (1) and (3) KSchG. The consultation procedure and the notification procedure are independent of each other and serve in different ways to achieve the objective pursued by the protection against mass dismissals.

Facts

The parties disputed the validity of a termination for operational reasons in the context of a plant closure due to insolvency. The plaintiff had been employed by the insolvent debtor as a machine setter and operator since October 1, 2016. A works council had been formed at the insolvent debtor; at the time of filing for insolvency, it employed a total of 43 employees.

After the opening of insolvency proceedings and the appointment of the defendant as insolvency administrator, the latter decided, based on the offers received, to close down the business and sell off individual assets. In a letter dated February 11, 2025, the defendant initiated negotiations with the works council on a reconciliation of interests and a social plan, the consultation procedure pursuant to § 17 (2) KSchG (German Employment Protection Act) and the works council hearing pursuant to § 102 BetrVG (German Works Constitution Act).

However, the consultation letter dated February 11, 2025 contained contradictory information regarding the number of employees to be laid off: the introduction mentioned 61 employees to be laid off, while the attached table only listed 31 employees. The subsequent mass dismissal notification dated February 25, 2025 then mentioned 34 employees to be laid off.

On February 25, 2025, the defendant and the works council concluded a reconciliation of interests and a social plan. The plaintiff was given notice of termination by letter dated February 26, 2025, effective May 31, 2025.

The plaintiff considered the termination to be invalid, among other things because of the incorrect implementation of the consultation procedure and the notification of mass dismissals. The Hagen Labor Court upheld the action for protection against dismissal.

The decision

The Hamm Regional Labor Court amended the first-instance judgment and dismissed the action. In the opinion of the court, the termination is valid.

First, the Hamm Regional Labor Court found that the works council hearing had been conducted properly. The defendant had initiated the hearing procedure together with the consultation procedure and the negotiations on the reconciliation of interests, and had provided the works council with a draft reconciliation of interests, a draft social plan, and a list of personnel. These documents set out the reasons for the dismissals and the employees affected by the dismissals, including their social data. Since social selection was not necessary due to the closure of the business, the defendant did not have to provide the works council with all social data.

With regard to the consultation procedure, the court stated that the obviously incorrect figure of 61 employees to be laid off did not prevent the procedure from being carried out properly if the works council was able to recognize the error. The number stated significantly exceeded the total number of employees working for the insolvent debtor and was therefore obviously inaccurate for the works council. The works council was able to determine the actual number of employees to be laid off from the attached table and the list of personnel.

Even if one were to regard the contradictory information as a significant lack of information, this would have been remedied, in the opinion of the Hamm Regional Labor Court, by the works council's final statement in the reconciliation of interests. In this statement, the works council confirmed that it had been provided with the relevant information and declared the consultation process to be concluded. If incorrect or contradictory information has no impact on the works council's decision-making process and is obvious to the works council, a lack of information can be remedied by a final statement from the works council.

The Hamm Regional Labor Court also considered the mass dismissal notification to be valid, even though the defendant had stated a slightly too high number of 34 employees. The court emphasized that not every violation, even a minor one, must result in the invalidity of all dismissals if it has no impact on the activities of the employment agency. Stating a slightly too high number of employees to be dismissed does not invalidate the dismissal if this did not prevent the Employment Agency from finding solutions to the problems raised by the intended mass dismissal.

Practical Information

The decision of the Hamm Regional Labor Court gives employers and insolvency administrators a certain degree of legal certainty when carrying out mass redundancies. Obvious errors in the figures provided in the consultation letter do not automatically render the redundancies invalid if the works council was able to recognize the error and the correct information was apparent from the other documents.

Nevertheless, the utmost care must still be taken when drafting the consultation letter and the mass layoff notification. On the one hand, the decision is not yet final, and the Hamm Regional Labor Court has allowed an appeal due to the fundamental importance of the case. It therefore remains to be seen how the Federal Labor Court (BAG) will assess these issues. On the other hand, it remains unclear which errors in the consultation procedure and in the mass layoff notification are considered "minor."

The legislature is implementing EU Directive 2024/1226, which aims to establish uniform and effective criminal sanctions law in the EU.

The most important new regulations at a glance:

From administrative offense to criminal offense

At the heart of the reform is a comprehensive revision of the provisions on penalties and fines in the Foreign Trade and Payments Act (AWG) and the Foreign Trade and Payments Ordinance (AWV).

Numerous intentional violations that were previously considered only administrative offenses will now be criminal offenses. These include violations of financial sanctions and transaction bans, as well as the concealment of assets to circumvent sanctions. The possibility of voluntary disclosure to avoid punishment (Section 22 (4) AWG) no longer applies in these cases.

Elimination of the "48-hour grace period"

The previous grace period regulated in Section 18 (11) AWG will be abolished without replacement. EU sanctions will thus apply immediately upon publication. Although the explanatory memorandum to the law acknowledges that practical implementation difficulties in individual cases could negate the intent required for criminal liability, the risk for companies will nevertheless increase significantly.

Criminal liability even in cases of recklessness for dual-use goods

In future, recklessness will be sufficient for criminal liability in the case of violations in connection with dual-use goods (Section 18 (8a) AWG-RegE). This increases the risk, particularly in operational export and import processes with complex goods classification.

New criminal liability for violations of reporting requirements

The criminal liability for violations of reporting requirements is also being expanded. Under certain conditions, the universal obligation to report information on sanctioned funds and economic resources (Section 18 (5a) AWG-RegE) will be punishable by law, increasing the risk even outside of standard export control functions. Professional groups authorized to provide legal representation remain exempt from this obligation.

New trust administration for subsidiaries of Russian corporations

In response to the 18th EU sanctions package, § 6a AWG-RegE creates a national framework for public-law trust administration. This is intended to ensure that domestic companies can continue to operate despite sanctioned ownership structures. In addition, the new Sections 6b to 6g AWG-RegE regulate the share guardianship, which is intended to ensure the company's quorum.

Corporate fines: Maximum amounts quadrupled

The reform is particularly painful for companies in terms of sanctions: the maximum corporate fine increases from EUR 10million to EUR 40 million – plus skimming of profits or saved expenses.

Criminal violations of sanctions by individual employees can thus entail existential risks for the entire company.

Classification: More deterrence, more responsibility

With this amendment to the law, Germany is consistently following the European line of strengthening the enforcement of sanctions as a security and economic policy instrument. The reform is not merely a "technical update," but a clear change of course toward genuine criminal deterrence. For companies, this means a significant increase in liability and reputational risks.

Recommended action: Act now instead of reacting later

The message from lawmakers is clear: lack of awareness and organizational shortcomings no longer provide protection. Companies should use the new regulations as an opportunity to review their sanctions compliance. We recommend focusing in particular on the following areas:

• Review your compliance culture: Embed the importance of sanctions compliance explicitly in your corporate culture ("tone from the top") and review your contractual safeguards with respect to business partners (sanctions clauses).
• Risk-based training concepts: Train not only your specialist departments, but all employees who come into contact with sanction-relevant processes – from purchasing and sales to financial accounting.
• Procedural and technical adjustments: Ensure that your internal processes and IT systems enable new listings to be implemented in real time. The elimination of the grace period requires immediate responsiveness.
• Careful classification of goods: The new criminal liability for recklessness in the area of dual-use goods requires an even more robust and comprehensively documented classification of goods.
• Implementation of reporting procedures: Define clear internal processes and responsibilities for fulfilling the extended reporting requirements so that information about sanction-relevant matters does not leave the company.

This article was written in collaboration with our research assistant Jakob Döllner.

I. Function of "data rooms"

Data rooms are intended to serve as infrastructure for the controlled, cross-company exchange of data between economic and public actors. Unlike traditional data transfers, data is not collected centrally or permanently transferred, but remains with the respective data owner. It is used via technically secure access mechanisms that allow the scope, purpose, and duration of data use to be bindingly defined.

For companies, data rooms thus fulfill a key function at the interface between cooperation and control. They make it possible to make data accessible for external use without revealing trade secrets or jeopardizing one's own competitive position. At the same time, they create standardized structures for bringing together data from different sources in an interoperable manner – for example, along complex supply and value chains.

In practice, data rooms address three key areas of application in particular. First, they facilitate data exchange within networked production and supply chains, for example to meet transparency, sustainability, or traceability requirements. Second, they form the basis for new data-based business models in which companies can provide and monetize data on a temporary, purpose-specific, or usage-dependent basis without losing complete control over the data. Third, data rooms support the fulfillment of regulatory obligations by enabling structured, traceable, and legally compliant access to relevant data.

II. Landscape of (European) data rooms

1. Sectoral data rooms

In Europe, a large number of sectoral data rooms have recently been announced and gradually established as part of the European data strategy. These data rooms are tailored to specific economic sectors or areas of society and are being developed at different stages of maturity. There is no uniform organizational form; rather, existing data infrastructures, platforms, and initiatives are gradually being integrated into sectoral data spaces and linked together via common governance and interoperability structures.

The central sectoral data spaces include, in particular, data spaces for industry and manufacturing, mobility, energy, agriculture, finance, the environment, tourism, media, education, research, and public administration. The European Commission refers to these as "Common European Data Spaces," which are intended to form a European single market for data.

In the industrial sector, the European manufacturing and industrial data space is being shaped primarily by industry-specific initiatives. Based on the architecture and governance specifications of Gaia-X, data spaces are being created that enable data exchange along industrial value chains. Prominent examples include Catena-X for the automotive industry and Manufacturing-X as a cross-industry initiative for the manufacturing industry. These data spaces focus on industrial use cases such as supply chain mapping, traceability, quality data, maintenance information, and product-related sustainability data.

In addition to industry, other sectoral data spaces are in various stages of development. The mobility data space bundles data from transport, logistics, and infrastructure and links to existing national and European mobility platforms. The energy data space addresses data on generation, grid operation, and consumption in the context of the energy transition. The agricultural data space aims to facilitate the exchange of farm, machinery, and environmental data between agricultural businesses, manufacturers, and public authorities. In addition, there are data spaces for environmental and climate data, financial data, media and cultural data, and tourism and education data.

These business-related data spaces are supplemented by sectoral data spaces with a strong public focus. These include, in particular, data spaces for science and research, which aim to exchange and reuse research data, as well as data spaces for public administration, such as for procurement, legal, or administrative data. These data spaces are often closely linked to existing European infrastructures and serve to harmonize and improve access to public data sets.

2. EHDS

With the Regulation on the European Health Data Space (EHDS), the EU has created its first sector-specific data space with a directly binding legal framework. The Regulation entered into force on March 26, 2025, and key obligations will apply from March 26, 2027 (we reported).

The EHDS aims to standardize the structuring, exchange, and use of electronic health data across the EU for both medical care (primary use) and research, innovation, and policy-making (secondary use). Unlike other sectoral data spaces, the EHDS is not designed as a voluntary cooperation infrastructure, but as a binding regulatory data space order.

However, its core component is the introduction of binding interoperability requirements for electronic health records (EHR systems). Manufacturers and providers of such systems must ensure that their products support the European exchange format specified by the Commission and comply with the technical requirements for security, access control, and logging. Conformity must be demonstrated by means of appropriate declarations and labels. For certain digital health and wellness applications, additional transparency and information requirements apply if interoperability with EHR systems is claimed.

At the data provision level, the EHDS requires data owners such as hospitals, medical practices, and other healthcare providers to make electronic health data available in a structured, interoperable manner for the intended purposes. For secondary use, processing is only permitted in pseudonymized or anonymized form. Access to this data is provided via national health data access points, which review and approve applications based on legally defined criteria.

The use of health data is strictly limited in terms of content. Research, innovation, statistical evaluations, and certain AI applications are permitted; marketing purposes or the development of products that pose a health risk are expressly excluded. Data processing must take place in secure, controlled environments and is subject to comprehensive logging and information requirements.

III. Legal framework

Data rooms do not operate in a legal vacuum, but are embedded in a multi-layered European legal framework that increasingly standardizes access to data, its use, and the organizational design of data ecosystems. Both horizontal data protection regulations and sector-specific requirements, which apply cumulatively depending on the data room, are decisive in this context.

The central starting point remains general data protection law. Insofar as personal data is processed in data rooms, the provisions of the GDPR apply without restriction, in particular with regard to lawfulness, purpose limitation, data minimization, and transparency. In many data rooms, therefore, a clear separation between personal and non-personal data is necessary; for secondary use, pseudonymization or anonymization requirements are regularly added. In addition, requirements for technical and organizational measures as well as for the logging of accesses must be taken into account.

This forms the basis for specific European data legislation. The Data Governance Act creates a regulatory framework for trustworthy data sharing, in particular by regulating data intermediary services and data altruism structures. For data spaces, this means that certain actors – such as operators or intermediaries – may be subject to regulatory requirements regarding neutrality, transparency, and governance. At the same time, the Data Governance Act promotes the creation of structured data access, in particular for the reuse of protected public data.

The Data Act supplements this framework by clarifying access and usage rights to data and establishing binding requirements for the interoperability of data spaces (we reported). It addresses industrially generated data in particular and obliges data owners to provide or make data available under certain conditions. Also relevant for data spaces are the requirements for fair contract terms, the protection of trade secrets, and technical interfaces that are intended to enable switching between data processing services.

In addition, sector-specific legal acts are of considerable importance. The EHDS exemplifies that individual data spaces can be designed with detailed obligations through their own regulations, for example, regarding data formats, access points, permissible uses, or secure processing environments. Comparable developments could also emerge in other areas, such as in the context of environmental, mobility, or financial data.

Cross-cutting considerations also include requirements under competition law and the protection of trade secrets. Data rooms must be designed in such a way that they do not enable the exchange of information that restricts competition and that sensitive company information remains adequately protected. This applies in particular to governance structures, access rules, and the design of common standards.

IV. Conclusion and outlook

Data rooms are increasingly evolving from experimental cooperation models to structural components of the European digital and data order. While sectoral data rooms have so far been largely shaped by funding projects and industry-specific initiatives, ongoing regulation at the European level is leading to a significant consolidation of legal requirements. The European Health Data Space, at the latest, makes it clear that data spaces are not only infrastructure, but can also represent binding legal regulatory frameworks.

For companies, this development means that data rooms can no longer be understood exclusively as voluntary innovation spaces. Rather, depending on the industry and use case, direct or indirect participation and adaptation obligations are emerging, for example through interoperability requirements, standardized data formats, or regulatory access mechanisms. Even where there is no explicit legal obligation, data spaces have a de facto binding effect, for example as a prerequisite for integration into supply chains or data-based cooperation models.

Against this background, it is advisable to engage in strategic consideration of the relevant data spaces at an early stage. This initially involves the systematic identification of those sectoral data spaces that are already important for one's own business model today or are likely to be important in the future. On this basis, existing data stocks, IT systems, and interfaces should be reviewed to determine the extent to which they are interoperable, standardizable, and legally usable.

This article was created in collaboration with our student employee Emily Bernklau.

Supervisory board office – not a passive supporting role

Many supervisory board members still see their position as a "well-paid leisure activity." However, this understanding of their role contradicts the legal obligations under Section 111 AktG. The supervisory board must inform itself about its control tasks and may not limit itself to passive acknowledgment. It must ask questions, request reports, and critically examine the information provided by the management board. This applies in particular to the area of compliance, where omissions can quickly lead to corporate liability.

Scope of the monitoring obligation

The supervisory board monitors the management (Section 111 (1) AktG). The limitation to a maximum of ten mandates (Section 100 (2) sentence 1 no. 1 AktG) and the obligation to hold two meetings per year (Section 110 (3) AktG) do indicate that this is a secondary activity. Nevertheless, monitoring the original management tasks of the management board remains its core task (BGH, judgment of July 4, 1977 – II ZR 150/75).

New Federal Court of Justice ruling: Duty to inquire and investigate

The Federal Court of Justice emphasizes that the supervisory board may not accept inadequate reporting pursuant to Section 90 AktG (Federal Court of Justice, judgment of October 14, 2025 – II ZR 78/24, para. 21). It must actively inquire and, if necessary, conduct its own investigations. If it fails to do so, it is liable.

Even in the case of a dormant company, the supervisory board may not wait for the management board to report. It must request reports at least quarterly in accordance with Section 90 (2) No. 3 AktG (Federal Court of Justice, judgment of October 14, 2025 – II ZR 78/24, para. 25).

Monitoring also includes measures for the early detection of developments that could jeopardize the company's existence (Section 91 (2) AktG) and the establishment of a compliance management system/CMS (LG Munich I, judgment of December 10, 2013 – 5 HKO 1387/10). The supervisory board must obtain information, review reports, document its measures, and convene the annual general meeting if necessary (Sections 90, 111 AktG). It must also ensure that the management board does not exceed the scope of the company's purpose (Federal Court of Justice, judgment of October 14, 2025 – II ZR 78/24, para. 18).

Compliance and distribution of tasks in GmbHs and AGs

The decision of the Federal Court of Justice shows that compliance obligations do not only apply to listed stock corporations. In limited liability companies and smaller corporate structures, too, the question arises as to how responsibility for compliance is distributed. The legal requirements differ, but the principle remains the same: managers must identify risks at an early stage, prevent legal violations, and ensure a functioning organization.

Compliance in limited liability companies

In a GmbH, the management bears the central responsibility for the organization of the company (Section 43 GmbHG). This also includes the obligation to set up an appropriate CMS. The management must analyze risks, create internal guidelines, establish whistleblower systems, and ensure that employees are trained.

The shareholders' meeting has no operational management function, but can influence compliance structures by issuing instructions or appointing additional managing directors.

If there is a supervisory board – for example, in a co-determined limited liability company (GmbH) – it assumes a monitoring function similar to that in stock corporation law. Here, too, the following applies: A supervisory board may not rely on reports, but must actively inquire, obtain information, and initiate external audits if necessary.

Compliance and distribution of tasks in the AG

In an AG, the distribution of tasks is more clearly structured. The management board bears overall responsibility for the organization of the company (Section 76 (1) AktG). This necessarily includes the establishment of an effective CMS that prevents legal violations and identifies risks at an early stage.

The supervisory board monitors these measures (Section 111 AktG). It must ensure that the management board fulfills its organizational duties and intervene if any deficiencies are identified. Current case law – in particular the ruling of the Federal Court of Justice (BGH) of October 14, 2025 (II ZR 78/24) – makes it clear that the supervisory board not only receives reports, but must also actively check whether the compliance structures are appropriate.

This also includes the duty to monitor compliance with the company's purpose and to stop undesirable developments at an early stage. Compliance is therefore an integral part of good corporate governance, regardless of the size or activity of the company.

Practical note

The new ruling makes it clear to supervisory boards that they are obliged to actively gather information and monitor the company. Even "dormant" companies need lean but effective reporting: quarterly reports that provide transparency on liquidity, obligations, pending projects, and any plans to resume business. This structure reduces liability risks and makes it easier for the supervisory board to fulfill its duties. As a result, impermissible business activities (e.g., expansion into unrelated business areas) are identified and stopped at an earlier stage. In this regard, the Federal Court of Justice (BGH) has emphasized that the supervisory board must prevent the company from exceeding its corporate purpose (BGH, judgment of October 14, 2025 – II ZR 78/24, para. 18). With regard to the obligation to establish an effective CMS, it follows that the management board may be liable for damages for a lack of an internal control system, even during the period of suspended business activity, if this leads to administrative offenses or criminal offenses within the company.

I. Data protection and data processing

In the area of data protection law, a selective but legally significant further development of the Federal Data Protection Act (BDSG) is on the horizon at the national level for 2026. This is due in no small part to the recent decisions of the European Court of Justice on scoring by credit agencies (SCHUFA case law), which clarified the scope of application of Art. 22 GDPR and called into question the previous national regulatory approach. At the same time, there are still uncertainties regarding the interaction between the GDPR and national implementing legislation, particularly with regard to permissible national specifications.

The planned amendment to the BDSG focuses primarily on the handling of automated decision-making processes and credit ratings ("scoring"), which has been the subject of legal and political controversy for years. In its ruling of December 7, 2023, the ECJ clarified that even the automated generation of a probability value by a credit agency can constitute an "automated decision" within the meaning of Art. 22 (1) GDPR, provided that this value is decisive for a third party's decision, such as granting a loan. This means that scoring as such is generally subject to the prohibition of automated individual decisions, unless one of the narrowly interpreted exceptions in Article 22(2) GDPR applies.

Against this background, the German government intends to add a new Section 37a to the BDSG, which will regulate scoring procedures and comparable automated assessments. The aim is to create an independent national legal basis for permissible automated decision-making within the meaning of Art. 22 (2) (b) GDPR and, in particular, to specify in more detail the requirements for permissible data categories, transparency, decision-making logic, and appropriate protective measures. The planned regulation is thus intended to explicitly follow the limits set by the ECJ and at the same time provide a practicable framework for data-driven business models.

The planned regulations are closely linked to the provisions of the GDPR and make use of the opening clauses provided therein without departing from the EU legal framework. At the same time, there is still a risk that special national regulations will lead to increased complexity, especially for companies that operate data-driven business models in several member states.

II. Data Act & data access

The Data Act is also increasingly becoming the focus of practical application at the national level. Although the regulation applies directly and uniformly in all member states, its actual effect depends largely on national enforcement and the design of supervisory structures. In Germany, the division of responsibilities between federal and state authorities has not yet been conclusively clarified and is the subject of ongoing consultations. In particular, it remains unclear which authorities will be primarily responsible for enforcing the new data access rights and how these responsibilities will relate to existing data protection supervisory mechanisms.

Of particular importance is that key obligations under the Data Act, in particular the obligation to provide product and service data in a user-friendly manner, will also apply to newly placed connected products from September 2026 (we reported). This means that data access will no longer be treated solely as a contractual or organizational issue, but as a product feature that must be guaranteed from a technical perspective. For manufacturers and providers, this means that data access and data portability requirements must already be integrated into development and design processes.

At the national level, 2026 will show the extent to which the competent authorities are able to effectively enforce the new access rights while at the same time appropriately resolving overlaps with existing data protection and regulatory regimes. This creates an additional need for coordination for companies, as data compliance will no longer be organized solely in accordance with the GDPR, but increasingly also in accordance with cross-sector data access rules.

III. Digital law enforcement and security

In the area of digital law enforcement and security, 2026 in Germany will be marked primarily by preparatory implementation and adaptation measures. The E-Evidence Regulation, which will apply throughout the EU from August 2026 (we reported), and European cybersecurity regulations, particularly in the context of the NIS 2 Directive and the Cyber Resilience Act, will be particularly significant in this regard. These regulations will change both access to electronic evidence and the requirements for dealing with security incidents and digital risks.

At the national level, this will primarily result in the need for adjustments to criminal procedure law and administrative practice. Law enforcement agencies will have to integrate new instruments for the cross-border securing and disclosure of electronic data, while at the same time establishing clear responsibilities and procedural processes within the federal security architecture. In this context, companies are increasingly taking on a mediating role between investigative interests and the protection of personal data.

Of particular practical importance is the increasing involvement of private providers of digital services in investigative and security measures. The E-Evidence Regulation will enable law enforcement authorities to directly oblige service providers across borders to disclose or secure electronic evidence, in some cases with very short legal implementation deadlines. For affected companies, this means a significantly increased organizational and legal pressure to act, as corresponding orders must be reviewed at short notice, implemented technically, and at the same time classified in terms of data protection law. In parallel with this, national implementation measures in the area of cybersecurity are leading to further clarification of reporting obligations in the event of security incidents and vulnerabilities.

IV. Administrative digitization

The digitization of administration is another key focus of German digital law. Unlike traditional regulatory acts, it is not primarily aimed at companies, but it does have significant indirect legal effects by establishing new digital access, identification, and procedural standards. Particularly important in this regard are the national implementation of the European Digital Identity Wallet, the continuation of register modernization, and the establishment of uniform technical infrastructure for digital administrative services.

With regard to the introduction of the Digital Identity Wallet, the main focus in 2026 will be on creating the legal and organizational conditions. This includes issues of jurisdiction, security architecture, certification of participating actors, and the integration of existing administrative and business processes. Even though the mandatory provision of the wallet will not take effect until the end of 2026, important decisions will be made in the course of this year that will shape the future use of digital identities in administration and business.

At the same time, the modernization of registers is continuing. The gradual connection of central registers and the implementation of the once-only principle mean that data retrieval between authorities is becoming increasingly automated. This raises not only technical issues, but also questions relating to data protection and organizational law, particularly with regard to transparency, access controls, and responsibility for data quality. This is complemented by the development of so-called " " basic services and platform structures, which are intended to set uniform federal standards for digital administrative services as part of a "Germany Stack."

V. Recommendations for action for companies

Against the backdrop of the developments described above, companies should use 2026 to align their existing digital compliance structures specifically with national implementation and enforcement issues. The focus here is less on introducing completely new processes and more on adapting existing processes to specific national requirements and new regulatory interfaces. Particularly where European requirements are supplemented by national regulations, administrative practices, or supervisory structures, there is an increasing need for clear responsibilities and robust internal procedures.

In the area of data protection, it is advisable to review existing data-based evaluation and decision-making procedures, in particular scoring models and comparable automated processes, at an early stage with regard to possible national specifications. In the context of the Data Act, companies should also analyze their product and data architectures to determine whether data access rights are adequately represented from a technical and organizational perspective and whether interfaces with users and authorities are designed in a practical manner.

In addition, preparatory measures in the area of digital law enforcement and cybersecurity are becoming increasingly important. Companies should ensure that official requests for electronic data and reports of security incidents can be processed in a legally compliant manner within short time frames. Especially for small and medium-sized enterprises, which often have limited human and technical resources, it is crucial to bundle the requirements at an early stage and integrate them pragmatically into existing compliance and risk management structures.

VI. Conclusion and outlook

For German digital law, 2026 marks less of a new beginning and more of a phase of practical testing of existing regulations. The focus is on the national specification, enforcement, and organizational implementation of European requirements and individual national adjustments, particularly in data protection law. At the same time, administrative digitization is gaining importance as a de facto regulatory framework and is increasingly shaping the legal framework for companies. In practice, the decisive factor will be the extent to which new obligations, regulatory requirements, and digital interfaces can be designed in a coherent and manageable manner.

This article was created in collaboration with our student employee Emily Bernklau.

Further parliamentary deliberations remain to be seen. Should any changes arise during the legislative process, we will report on them in a timely manner.

Which companies and products are affected?

A statutory repair obligation will be introduced for manufacturers of product groups listed in Annex II of the Directive for which EU law already stipulates reparability requirements under product specific ecodesign delegated acts. These include, among others, washing machines, dishwashers, refrigerators, smartphones, tablets and — regarding their batteries — e bikes and e scooters. The product groups are expected to be progressively expanded. If the manufacturer is located outside the EU, the corresponding obligations apply to its authorised representative or to the importer or distributor of the products.

What obligations are coming?

• Repair obligation

Manufacturers must offer consumers repair services for the usual lifespan of the defective product concerned. This statutory repair obligation applies only to products for which consumers do not or no longer have statutory remedies for lack of conformity; it therefore complements sales law remedies.

Repairs must be offered within a reasonable period and at a reasonable price. According to the draft bill’s explanatory memorandum, manufacturers may factor in, in addition to cost coverage, customary profit margins for repair services. For further details of the repair obligation — particularly the consequences of inadequate repairs — reference is made in part to provisions of the law governing contracts for work and services.

Because the right to repair constitutes an independent statutory claim by consumers, entering into a separate repair contract is not mandatory, and according to the explanatory memorandum the repair may not be made conditional upon the conclusion of such a contract. The parties are, however, free to enter into a repair contract voluntarily, provided that this does not derogate from the mandatory statutory repair provisions to the detriment of the consumer.

Manufacturers are also obliged to offer spare parts and tools, which they make available for the repair of their goods, at a reasonable price. As a rule, they may not create technical or software-based obstacles to repair and may not impede the use by independent repairers of original spare parts, used spare parts, compatible spare parts and spare parts manufactured via 3 D printing.

• Information obligation

For as long as the repair obligation exists, manufacturers must make information about repair services easily accessible, clear and comprehensible, and available free of charge. For typical repairs, price lists must also be published on a publicly accessible website.

In addition, the European Repair Information Form will be made available to companies (manufacturers, sellers, and other repair service providers). This may be used to fulfil statutory information obligations when entering into a repair contract.

• Amendment of warranty rules

In addition to durability, reparability will in future form part of the usual quality of goods. A lack of reparability can therefore in itself trigger claims for lack of conformity.

Repairs carried out under the statutory remedies regime are also to be incentivised by leading to a one time extension of the limitation period for warranty claims by a further 12 months vis-à-vis consumers, and therefore from two to three years. Under German law, the interaction with section 212 BGB (recommencement of the limitation period by acknowledgement) will need to be clarified as currently, acknowledgement of an obligation to provide a replacement product already restarts the two year limitation period for the item as a whole, and acknowledgement of an obligation to repair restarts the limitation period in respect of the specific defect.

What happens next?

The Federal Government aims for timely implementation of the Directive by 31 July 2026. If the act is adopted as intended, the right to repair and the associated information obligations will apply from that date of entry into force regardless of the date of purchase of the relevant products. By contrast, the sales law provisions, in particular the extended limitation period in case of repairs, will apply only to purchase contracts concluded on or after 31 July 2026.

What should companies do now?

Given the planned near term introduction of the right to repair, manufacturers of the affected product groups should already review their infrastructure for repair services outside the legal warranty and, where necessary, establish or adapt it. This includes, in particular, the strategic decision whether the repair services are to be provided directly by the manufacturers or by third parties as subcontractors (e.g., specialist retailers). Contracts should be adjusted accordingly and information flows ensured. In addition, relationships with suppliers should be reviewed and, where appropriate, adapted to ensure the availability of the spare parts and tools necessary to meet the repair obligation. Companies should also prepare now to adapt their websites and customer communications regarding repair services in order to meet the information obligations in good time.

I. EU-Mercosur Agreement: Regulatory Framework

The EU-Mercosur Agreement is designed as a comprehensive trade agreement that, in addition to removing tariff barriers to trade, reorganizes access to service markets and investment conditions in particular. In addition to traditional customs regulations, the agreement contains cross-sectoral commitments on market opening, equal treatment of foreign suppliers, and transparency of government regulatory measures. Of particular relevance to companies is the fact that the cross-border provision of services – including digital and data-based services – is legally facilitated and institutionally secured.

At the same time, the agreement explicitly enshrines the principle that the contracting parties retain their regulatory autonomy. Particularly in sensitive areas such as the protection of personal data, public security, or ensuring the stability of digital infrastructure systems, the parties' right to maintain or further develop independent and even restrictive regulations is confirmed. This does not imply mutual recognition of regulatory standards or harmonization of legal requirements.

The easier integration of companies from Mercosur countries into European value and supply chains also means that existing data protection, security, and technology-related obligations are becoming more relevant across borders. The agreement thus forms the starting point for increased application and enforcement of EU digital law in an international context without shifting its substantive standards.

II. Data protection implications

The EU-Mercosur Agreement does not lead to any substantive change in the data protection requirements of the GDPR. The legal requirements for international data transfers, in particular when cooperating with companies in third countries, remain unchanged for EU companies. In this respect, the agreement neither establishes new transfer mechanisms nor does it facilitate data transfer in terms of data protection law.

Nevertheless, the agreement brings about a structural shift in the framework conditions for the data economy. Facilitated cross-border service provision and greater economic integration of the Mercosur countries will mean that data processing involving third countries will become more frequent, more permanent, and more integrated into core business processes in the future. Whereas international data transfers have previously been project-related or sporadic in nature, they may now become an integral part of ongoing business models, for example in the areas of cloud services, IT services, support, and analysis functions.

This development changes the practical implementation of data protection compliance rather than the legal assessment. Compliance with the GDPR is thus moving away from a case-by-case transfer review and toward a continuous management and control task. European companies must ensure that data protection guarantees are not only formally agreed upon, but also permanently implemented and reviewed in organizational, technical, and contractual terms. In particular, issues of transparency, access by government agencies in third countries, and the actual enforceability of agreed-upon protective measures are gaining in importance.

III. Impact on cybersecurity

In the area of cybersecurity, too, the EU-Mercosur Agreement does not lead to any material change in existing EU legal requirements. The relevant obligations to ensure the security of network and information systems and to safeguard digital products and services apply regardless of the country of origin of the companies involved. In this respect, the agreement does not establish new security standards or mutual recognition of national cybersecurity regimes.

Structurally, however, the agreement changes the composition and scope of digital supply and value chains. Easier access to the European market means that providers from Mercosur countries are increasingly involved in security-related functions, for example as cloud, hosting, or software service providers or as suppliers of digital components. Cybersecurity risks are thus increasingly shifting to international cooperation and outsourcing structures, without any change in the EU legal standard for security requirements.

For European companies, this means a shift in focus from purely technical security to a more governance-driven cybersecurity strategy. The selection, contractual integration, and ongoing monitoring of external service providers are becoming increasingly important, as security incidents or vulnerabilities at third-party providers can have a direct impact on a company's own compliance and the functionality of its central systems. In particular, there are increasing requirements for risk analysis, incident management processes, and the ability to identify and address security-related events early on, even along international supply chains.

IV. Mercosur and artificial intelligence

In the field of artificial intelligence, too, the EU-Mercosur Agreement is structurally acting as an accelerator of cross-border AI-related value creation. Although the content of the EU regulatory framework will not change, the facilitation of digital services will particularly benefit the outsourcing of development, training, and operational services, as well as the integration of external providers into data- and computation-intensive processes. AI systems intended for the European market or used in the EU can thus make more frequent use of components, models, or services developed or operated in Mercosur countries.

This internationalization is changing the requirements for AI governance in companies. While regulatory standards remain unchanged, the complexity of organizational control of AI systems across national and corporate boundaries is increasing. Responsibilities for training data, model architectures, updates, and ongoing operations must be clearly assigned, even if individual technical or operational steps take place outside the EU. At the same time, transparency, documentation, and traceability of development and decision-making processes are becoming increasingly important, as they are prerequisites for compliance with European AI requirements in international constellations.

V. Recommendations for action

Against the backdrop of the agreement, EU companies should not fundamentally realign their existing digital compliance structures, but they should review their international resilience. The increasing involvement of service providers, technology partners, and value creation stages from Mercosur countries requires, in particular, greater integration of legal, IT, purchasing, and compliance functions.

It is therefore advisable to organize cross-border digital services and data processing not just as individual cases, but as permanent and scalable structures. Companies should check whether their contractual, technical, and organizational arrangements are sustainable even with growing use, longer terms, and more complex supply chains, and whether they enable consistent control.

In addition, the transparent allocation of responsibilities is becoming increasingly important. Regardless of whether services are provided internally or by external partners, it should be clearly defined who is responsible for security, data processing, system operation, and compliance with regulatory requirements, and how this responsibility is controlled in practice. A lack of clarity in international cooperation models increasingly harbors legal and operational risks.

Finally, companies should review their existing risk and control processes to ensure that they are effective even in internationally distributed structures. This includes, in particular, robust escalation and communication channels, central documentation of relevant decisions, and the ability to consistently implement regulatory requirements across country and company boundaries.

VI. Conclusion and outlook

The EU-Mercosur Agreement does not lead to a material reorganization of European digital law, but it does change the practical framework conditions for its application. Facilitated economic cooperation means that cross-border digital services, data processing, and technological dependencies are becoming increasingly important. For companies, this means that the focus is shifting less toward new legal requirements and more toward questions of organizational implementation, management, and control of existing obligations. Against this backdrop, the ability to effectively implement digital compliance in internationalized structures is increasingly becoming a decisive competitive and risk factor.

This article was created in collaboration with our student employee Emily Bernklau.

However, in its decision of December 2, 2025 (C-492/23), the ECJ has now given new impetus to the old principles. For data protection violations, there should be exceptions to the notice and take down procedure, at least for operators of online marketplaces. Under certain circumstances, they should also be liable without prior positive knowledge.

I. Starting point: The "Russmedia" case – setting the course for platform liability?

The ECJ's decision was triggered by questions referred by the Romanian Court of Appeal "Curtea Apel Clui." In the original proceedings, the plaintiff took action against the operator of an online marketplace on which an unknown third party disseminated defamatory facts about the plaintiff. Specifically, the plaintiff was associated with offering sexual services due to the publications of the unknown third party. However, photos of the plaintiff and her telephone number were also published. The plaintiff informed the operator Russmedia Digital about the publications, whereupon the latter removed the content from the online marketplace within less than an hour. However, the content had already been reproduced in the meantime, so that it could be found on various other websites at the time of deletion. In the proceedings, the plaintiff claimed non-pecuniary damages from Russmedia Digital. She invoked violations of her right to her own image and her honor. In addition, she complained about the unlawful processing of her personal data.

The Romanian courts were unable to agree on how to deal with the case legally. Ultimately, the case ended up before the Court of Appeal in Romania, which decided to refer it to the ECJ.

II. The ECJ ruling

The ECJ first took a decisive step and did not assess the case according to the provisions of the eCommerce Directive or the DSA, which continued the requirements of the eCommerce Directive, but based its assessment on data protection law and, more specifically, on the GDPR. It then found that the plaintiff's data published by the unknown third party was indeed personal data within the meaning of Art. 4 (1) GDPR. The ECJ even considered it to be sensitive data under Art. 9 GDPR, as the content also concerned the plaintiff's sex life.

Another decisive factor was the assessment of responsibility, in this case whether Russmedia Digital should also be classified as a joint controller under Article 4(7) GDPR. From the perspective of the ECJ, this is to be affirmed and follows from the fact that Russmedia Digital grants itself all rights in its general terms and conditions, including the use, distribution, reproduction, and deletion, without giving a valid reason, of the content published on the online marketplace. While the unknown third party is primarily responsible, according to the ECJ, Russmedia Digital can at least be held jointly responsible.

This joint responsibility means that platform operators will in future be required to identify and monitor illegal content before it is published. In addition, according to the ECJ, a check should be carried out to ensure that the content to be uploaded can actually be attributed to the person publishing it. Finally, the ECJ also stipulates that the identities of all persons authorized to publish content must be recorded and verified by the operator of an online marketplace.

Even more far-reaching is the ECJ's final requirement that operators of online marketplaces must actively prevent publications containing sensitive data from being reproduced and disseminated on other websites.

The ruling therefore sends a decisive message to operators of online marketplaces: as soon as there are violations of the Data Protection Regulation, in particular Art. 9 GDPR, operators must act even before the illegal content is published. The key difference is that the liability privilege of platforms, which generally provides for liability only after positive knowledge of the illegal content, does not apply in the case of data protection violations.

III. BGH: The Renate Künast case

The ECJ's decision is also interesting in light of the legal dispute between former Consumer Protection Minister Renate Künast and the mega-corporation Meta. The BGH had suspended the proceedings to await the ECJ's decision in the Russmedia case (BGH decision of February 18, 2025 – VI ZR 64/24). Ms. Künast was initially successful in the first instance before the Regional Court of Frankfurt am Main, but on appeal she was only granted injunctive relief, not damages. However, both courts assumed that the assessment of the case was subject to the principles of liability for interference developed by the Federal Court of Justice. It was only when the case was brought before the Federal Court of Justice that the latter recognized that the case fell under data protection law. In this respect, the Federal Court of Justice considered it appropriate to suspend the proceedings for the time being.

The wait may have been particularly worthwhile for Ms. Künast, as the ECJ has already ruled that Meta bears joint responsibility for the personal data on its various platforms (ECJ ruling of June 5, 2018 - C-210/16) and, on the other hand, the ECJ has, with its new decision, virtually ruled out the possibility that Meta can successfully invoke liability privileges under Art. 6 DSA. In this respect, Ms. Künast is moving forward with tailwinds from Luxembourg to the final instance before the Federal Court of Justice.
You can read more about the Renate Künast case here.

IV. Practical advice

In practice, the ECJ's decision means in particular that operators of online marketplaces should check as soon as possible whether they are responsible under data protection law for the personal data of third parties published on their sites. If this is the case, ongoing monitoring of the lawful processing of personal data is both advisable and necessary. Consequently, proactive behavior on the part of platform operators is required. They can no longer invoke mere ignorance and the notice and take down procedure under the DSA with regard to data protection violations. The ECJ has made this clear.

I. In brief – What can be expected?

• Clearer responsibilities and thus prevention of parallel proceedings by regional authorities and the Federal Cartel Office
• In contrast: (Unnecessary) potential procedural delays at the expense of the parties involved in the merger
• More planning effort, but also better predictability for the parties involved in so-called mixed cases
• From the perspective of the Federal Cartel Office: Risk of an extensive abolition of hospital merger control and thus the lack of competition law review of increasingly monopolistic structures

II. Planned changes in detail

The new Section 186a GWB is intended to replace Section 187 (10) GWB, which created an exception for hospitals from merger control in the Hospital Care Improvement Act (“Krankenhausversorgungsverbesserungsgesetz“ – KHVVG). This is intended to address legal uncertainties with regard to the scope of application and procedure.

The amendments and transfer to a separate provision (Section 186a GWB-E) clarify the procedure: According to paragraph 1, at the request of the merging parties, the procedure is to be carried out primarily at the regional level. However, this is subject to the condition that the merger is within the meaning of Section 37 GWB, in which at least two hospitals within the meaning of Section 107 (1) SGB V or individual medical departments of different hospitals, such as specialist departments, are merged in whole or in part. Outpatient care units such as medical care centres (“Medizinische Versorgungszentren“ – MVZ), which are already not covered by the definition of a hospital in Section 107(1) SGB V, are explicitly excluded. In addition, preventive care and rehabilitation facilities are also not covered by the definition of a hospital and therefore remain subject to the merger control regulations.

A notification is only admissible and necessary if the scope of merger control (Sections 35 et seq. GWB) has been opened. The application must be submitted to the regional authority or authorities responsible for hospital planning in the states in which the hospitals or medical departments involved in the merger are located.

The notification is aimed at confirming that the competent regional authority considers the merger of the hospitals or individual medical departments involved to be necessary to improve hospital care.

In terms of content, both the criterion of "cross-location concentration" (“standortübergreifende Konzentration“), which was previously contained in Section 187 (10) sentence 1 no. 1 GWB, and the previous criterion, according to which the merger must not "conflict with any other competition law provisions" according to the available information of the regional authority responsible for hospital planning, have been deleted. However, competition concerns may still be taken into account in the decision of the competent regional authorities due to the obligation for the regional authorities to consult with the Federal Cartel Office before issuing the so-called confirmation of necessity (Section 186a (2) sentence 2 GWB-E).

If the merger affects other markets, in particular for outpatient medical services, these are not subject to the confirmation of necessity by the regional authorities and are not covered by the exempting effect of the confirmation of necessity.

Section 186a (1) sentence 3 GWB-E stipulates that if several regional authorities are responsible for hospital planning, they can only decide by mutual agreement with a joint confirmation or rejection. If no agreement can be reached, the notification shall be deemed rejected after the expiry of the three-month period (previously a two-month period) in accordance with paragraph 2 sentence 4. The period specified in sentence 4 may be extended by the competent regional authority with the consent of all parties involved in the merger. If the merger only affects markets in which hospitals within the meaning of Section 107 (1) of the German Social Code, Book V (SGB V) provide services within the meaning of Section 39 (1) sentence 1 SGB V and provided that the regional authority issues the confirmation of necessity within the deadline, the procedure is concluded at this point and the merger may be carried out as there is no obligation to notify.

If the competent regional authority has rejected the notification pursuant to Section 86a (1) sentence 1, or if the presumption of rejection pursuant to paragraph 2 sentence 3 applies, proceedings before the Federal Cartel Office shall be initiated pursuant to Section 186a (3) sentence 1 no. 1 GWB at the request of the parties to the merger. The same applies pursuant to paragraph 3 sentence 1 no. 2 in so-called "mixed cases" in which the confirmation of necessity has been granted but the merger project does not exclusively affect markets in which hospitals within the meaning of Section 107 (1) SGB V or medical departments of hospitals provide services within the meaning of Section 39 (1) sentence 1 SGB V. These mixed cases should – once confirmation of necessity has been obtained – only be subject to review by the Federal Cartel Office with regard to the other markets (e.g. for outpatient medical services or medical care centres). When assessing the question, whether the parts of the merger that do not concern hospital markets are subject to a notification requirement under Section 39 GWB, the part of the merger to which the confirmation of necessity under paragraph 1 sentence 1 applies shall not be taken into account when assessing the turnover thresholds under Section 35 GWB.

According to Section 186a (5) GWB-E, this provision shall only apply to mergers that are completed by 31 December 2030. Thereafter, the exception already provided for in Section 187 (9) GWB shall apply again.

III. Conclusion and recommendation for action

The planned new regulation in Section 186a GWB-E creates to some extent more clarity and efficiency when assessing hospital mergers. The clear responsibility of the regional planning authorities and the precise definition of the scope of application reduce the previous uncertainty in individual questions and rule out parallel proceedings. However, the elimination of the option to make a notification directly to the BKartA in the absence of cross-location concentration inevitably leads to considerable delays, particularly in cases that are unproblematic in terms of substantive law, already due to the one-month publication period (Section 186a (2) sentence 3 GWB-E).

In mixed cases, it is advisable for companies to consider at an early stage whether it is possible and valuable to notify the project separately. If applicable, the part of the project that exclusively concerns hospital markets must be notified to the regional authority responsible for hospital planning, and any parts that go beyond this must be notified directly to the Federal Cartel Office.

The starting point for the lawful handling of overtime by works council members is Section 37 (3) of the Works Constitution Act (BetrVG), which grants a right to paid time off to compensate for works council activities that, for operational reasons, must be performed outside the individual’s working hours. Only if time off cannot be granted within one month for operational reasons must the time spent be remunerated as overtime.

The statutory structure is therefore mandatorily two-tiered: time off takes priority; remuneration is secondary.

II. Requirements for overtime within the meaning of Section 37 (3) BetrVG

Overtime in the works-constitution sense first requires that the activity constitutes necessary works council work which – had it fallen within working hours – would have triggered release from work under Section 37 (2) BetrVG. The decisive reference point is the individual working time of the respective works council member. What matters is solely whether the official duties had to be performed at a time when there was no contractual duty to work. Finally, there must be operational reasons, i.e., circumstances within the employer’s sphere (nature of the operation or workflow) that compel action outside the individual’s working hours. Typical constellations include rotating shifts or meetings and assemblies required by operational necessity that occur outside individual working hours.

By contrast, there are no operational reasons where overtime is caused merely by the internal organization of works council activities (so-called council-related reasons). Nor does a high volume of necessary works council work generally lead to operationally induced overtime, as long as the duration and scope – prompted by the employer – do not reach an unusual level.

III. Priority of time off in lieu

The right to time off in lieu is the statutory rule and takes precedence over any monetary compensation. A works council member cannot demand remuneration instead of time off, nor can the employer unilaterally grant remuneration in place of release from work. Time off must be granted within one month after the works council activity performed outside working hours. If this period expires without time off being granted, the entitlement to time off does not automatically convert into a monetary claim (see also Section VI).

IV. Assertion, notification, and Information

Unless the employer is otherwise aware, the works council member must promptly notify when and for how long they worked outside their regular hours. Mere notification of the activity (e.g., spreadsheets) does not suffice to assert the claim to time off; an explicit request for release from work is required. On the employer side, it is permissible and sensible to require brief details of the operational reasons necessitating activity outside personal working hours. The information pertains to extraneous prerequisites of the claim and not to the substantive works council activity itself.

V. Employer’s right to determine the timing of time off

The employer has a unilateral right to determine the timing of time off. This constitutes an instruction on the distribution of working time within the meaning of Section 106 of the Trade Regulation Act (GewO) and must comply with equitable discretion. The preferences of the works council member must be taken into account unless there are conflicting operational interests. Release from work may be granted in a continuous block or in segments (e.g., by the hour) to reconcile operational needs with individual preferences. The claim is subject to collective agreement exclusion periods and general limitation rules. Employers should therefore ensure prompt processing and robust documentation.

VI. Remuneration as overtime: a narrow exception

Mere inaction by the employer or the expiry of the one-month period does not automatically convert the time-off entitlement into a claim for remuneration. Remuneration requires that the works council member has duly requested time off and that the employer has refused to grant it due to objective operational reasons.

VII. Particularities for fully released works council members

For fully released works council members, an employer-determined time off allocation is excluded because the duty to work is suspended. Nevertheless, the priority of time off still applies. If a fully released member performs necessary works council activities outside their free time for operational reasons, they must independently assess whether and when to take time off. A remuneration claim does not arise even if the volume of necessary works council work makes taking time off practically more difficult. Pure workload is not an operational reason within the meaning of Section 37 (3) sentence 3, second half-sentence BetrVG. In overload situations, broader general or specific releases or targeted training of additional works council members should be considered to enable an appropriate division of tasks.

VIII. Practical recommendations for employers

Employers should establish clear internal processes. First, ensure prompt notification and an explicit request for time off by the works council member, including brief details of the operational reasons and the time involved. Second, exercise the right to determine timing within the bounds of equitable discretion, document the decision, and manage the one-month period. Third, treat remuneration strictly as a narrow exception: require proper assertion in advance, and only remunerate where objective operational reasons prevent time off within one month. Fourth, set clear guidelines for fully released works council members on taking time off independently and provide for options such as additional releases or training to avoid council-related bottlenecks.

IX. Common pitfalls and how to avoid them

A frequent mistake is paying remuneration too quickly without a prior, properly asserted claim to time off or without objective operational reasons preventing time off. This contravenes the priority of time off and risks an impermissible benefit to the works council member under Section 78 sentence 2 BetrVG.

It is also problematic to confuse council-related organizational shortcomings with operational reasons. Organizational issues that can be optimized within the self-organization of the works council do not justify remuneration.

Finally, it is a common misconception that the expiry of the one-month period automatically triggers a payment obligation. Without proper assertion and objective reasons for refusal, the entitlement to time off remains in place.

Conclusion

Employers act lawfully if they respect the priority of time off, systematically review the prerequisites for entitlement, actively manage the one-month period, and apply the narrow remuneration exception only where there are objective operational reasons. For fully released works council members, organizational solutions are the appropriate path, not an expansion of remunerable overtime.

The significant restriction of investment opportunities for financial investors in tax consulting firms that was feared last year (see also our article of September 17, 2025) is unlikely to materialize (for the time being).

The draft bill for the Ninth Act Amending the Tax Consultancy Act has not progressed further to date, as no agreement could be reached within the federal government. According to press articles, there are differing views between the Ministry of Finance, which wants to stick to the planned new regulation, and the Ministry of Economics, which apparently has considerable reservations about the draft. A meeting of the Federal Cabinet to discuss the draft, scheduled for the last quarter of 2025, was canceled at short notice; a new date has not yet been set.

Regardless of this, the interest groups representing the liberal professions have taken a clear position. In a joint statement dated December 3, 2025, several chambers and associations expressly advocated strengthening the ban on third-party ownership and warned that external capital investments could jeopardize the independence of the liberal professions.

It is therefore currently unclear whether and in what form a new legislative attempt will be made to turn the draft bill into law. Against this background, the regulatory environment for potential investments in this area must continue to be closely monitored, as further developments are to be expected.

Space sustainability, as addressed in the EUSA, covers both, sustainability in space and sustainability on Earth. The provisions on sustainability in space aim to reinforce space debris mitigation measures and, for the first time, introduce rules on light and radio pollution. For sustainability on Earth, the EUSA for the first time introduces binding obligations to conduct life-cycle assessments of space activities through environmental footprint calculations.

These provisions aim to ensure the sustainable conduct of space activities and to create new opportunities through the definition of in-orbit servicing activities.

In summary:

Sustainability – in Space and on Earth

• sustainability, as used in the EUSA, encompasses both sustainability in space and sustainability on Earth
• sustainability on Earth means environmental sustainability and the preservation of Earth’s natural environment

Addressees – Who is addressed by the sustainability requirements?

• Sustainability in space requirements directly apply to

1. Union launch operators
2. Union spacecraft operators to the extent not falling under the research and education exemption
3. Third-country space operators

• Environmental sustainability requirements apply in addition to the above also to Union Launch Site operators, however, Union spacecraft operators are exempted until 31 December 2031 if they qualify as small-sized enterprises or if they fall under the exemption for research and education
• Suppliers of any of the foregoing are also (indirectly) affected since

1. directly addressed stakeholders are required by the EUSA to require their suppliers to provide all necessary data for their EF calculation and declaration obligations
2. suppliers will need to adapt their products and services to meet new specifications and requirements imposed upon them by the direct Space operators subject to the EUSA

As a result of the foregoing, the entire supply chain is either directly or indirectly affected, not only the space operators and space service providers.

Requirements – What are the main obligations?

• Sustainability in space requirements:

1. Union launch operators: limit planned release of debris into Earth’s orbit, ensure protection against fragmentation, manage end-of-life disposal, and submit a space debris mitigation plan
2. Union spacecraft operators: limit debris generation, limit accidental fragmentation, implement end-of life disposal measures, adopt a failure disposal plan, submit a space debris mitigation plan and submit a plan to mitigate light and radio pollution.
3. Third-country space operators: implement above-mentioned measures if not provided for otherwise in international contracts mandated by the EUSA or in case of an equivalence decision by the EC

• Environmental sustainability requirements:

1. Union launch / launch service / spacecraft operators: calculate the environmental footprint (EF) of space activities along the value chain and obtain EF certificates for the authorization process
2. Third-country space operators: subject to the same requirements unless exempted under an international agreement or an equivalence decision

Emerging activities – In Space services and operations

• In-space services and operations (ISOS) activities are, for the first time bindingly regulated in the EU
• ISOS covers services performed on assets in space, including tasks such as inspection, rendezvous, docking, repair, refuel, reconfiguration, manufacturing, assembling and disassembling, re-use, recycling, removal and transport of operational, non-operational and debris in space.

EU Council so called “compromise text” as of 5 December 2025

A so called “compromise text” published on 5 December by the Danish Presidency of the Council of the EU introduces changes specifically regarding sustainability, such as:

• removal of specific brightness magnitude threshold (≥7) as part of the light and radio pollution provisions;
• removal of the requirement to demand adherence from suppliers;
• EF verification is assigned to the Qualified Technical Body responsible for assessing technical requirements.
• Launch site operators no longer fall within the scope of the EUSA or the environmental sustainability requirements.

In more detail:

I. Sustainability as used in the EUSA

The EUSA defines “sustainability” as sustainability in space and sustainability on Earth, however the text does not provide a definition for sustainability in space.

In light of the reference to UNOOSA Long-term Sustainability Guidelines (LTS Guidelines) in Preamble 7 EUSA, and the parallels between the provisions in the EUSA and the LTS Guidelines, it can be inferred that sustainability in space corresponds to the LTS Guideline description

“the ability to maintain the conduct of space activities indefinitely into the future in a manner that realizes the objectives of equitable access to the benefits of the exploration and use of outer space for peaceful purposes, in order to meet the needs of the present generations while preserving the outer space environment for future generations”.

Sustainability on Earth, on the other hand, is also termed environmental sustainability and consequently specifically targets the Earth´s natural environment (Art. 5/60 EUSA).

1. Union Launch Operators

A launch operator operates a launch vehicle to transport space objects (from Earth to) outer space.

a) Sustainability in Space

Launch operators shall comply with space debris mitigation measures and submit space debris mitigation plans for the launch activities listed in detail in Art. 61 EUSA, inter alia regarding the design of launch vehicles and deployment components with a view to the requirements reflected in Annex II, point 1.1.1 and with the aim to avoid fragmentation due to internal causes or collision.

Union launch operators must also submit space debris mitigation plans at the time of authorisation application, including a debris-control plan, and an end-of-life mission disposal plan.

b) Environmental sustainability requirements

Union launch operators shall calculate the environmental impact of their launch activities (environmental footprint) and submit both aggregated and disaggregated datasets related to this calculation to the EC “before” (with ?) the authorisation application.

The EC will specify the calculation and verification methods considering scientifically sound methods and international standards aligned with the Commission Recommendation 2021/2279 of 15 December 2021 on the use of the Environmental Footprint (EF) methods.

To carry out the EF calculation, the Union launch operator shall contractually require all necessary data needed from suppliers (Art. 96/3 EUSA). Small-sized suppliers are exempt from this contractual obligation until 31 December 2031 (Art. 96/8 EUSA). However, primes are on the other hand NOT exempted from requiring small-sized enterprises to provide such data if the SME is a supplier.

The EF calculation shall cover all stages of the launch activity, including design and development of the launch vehicle, its manufacturing, operation of the launch stage, and completion of the tasks of the launch vehicle orbital stage.

At the time of the authorisation application, the Union spacecraft operator shall submit the EFD, an EF certificate, the aggregated and disaggregated datasets related to the EF calculation and the proof of transmission of those datasets to the EC (e.g. receipt issued by the EC).

Small-sized Union launch operators are exempt from EF calculation and declaration until 31 December 2031.

2. Union Spacecraft Operators

“Spacecraft” means a space object carrying out a specific function in outer space, such as communication satellites, navigation satellites, or Earth observation satellites.

Although not expressly stated in the EUSA, space stations and space vehicles transporting small-sats, cargo, or crew shall also be regarded as spacecrafts, since space transportation and exploration are defined as space activities under the EUSA (Art. 5(13) EUSA).

The EUSA sets out sustainability requirements that must be satisfied prior to authorisation, and Union spacecraft operators are required to demonstrate compliance with these requirements and submit the relevant plans and certification at the time of the authorisation application.

a) Sustainability in space requirements

The Union spacecraft operators shall demonstrate compliance with space debris mitigation measures, and light and radio pollution limitation measures, and shall submit space debris mitigation plans and light and radio pollution limitation plan, in general (not in all detail) as launch operators, as detailed in Art 70 EUSA.

b) Environmental sustainability requirements

Union spacecraft operators shall calculate the environmental impact of their space activities (environmental footprint) and submit the aggregated and disaggregated datasets related to this calculation to the EC before (with?) the authorisation application.

In order to calculate the EF, the Union spacecraft operator is required to demand all needed data from its suppliers (Art. 96/3 EUSA), including, in its current version of the EUSA, from SMEs of all sizes. The EF calculation shall cover all the stages of the space activity that the spacecraft operator is planning to conduct including design and development of the spacecraft, manufacturing phase of the spacecraft, the operation and end of life of the spacecraft.

At the time of the authorisation application, the Union spacecraft operator shall submit the EFD, an EF certificate, the aggregated and disaggregated datasets related to the EF calculation and the proof of transmission of those datasets to the EC (e.g. receipt issued by the EC).

3. Union Ground Segment Operators

“Ground segment” means the segment of space infrastructure located on Earth, including ground stations, terminals, terrestrial equipment to communicate with space objects, mission control centres, test and assembly centres, launchpad and launch sites.

Union launch site operators are responsible for the operation, control and maintenance of facilities used in the launch process. Sustainability in space requirements on space debris mitigation are primarily directed at launch operators that are responsible for the operation, control and monitoring of the launch process of a space object.

Environmental sustainability requirements, however, are also applicable for launch site operators in addition.

Union launch site operators shall calculate the environmental impact of their space activities (environmental footprint) and submit the aggregated and disaggregated datasets related to this calculation to the EC before the authorisation application. The EC would transmit those datasets in the Union database and issue a proof of receipt to the Union launch site operator.

4. Third-country Space Operators

If no equivalence decision has been issued by the EC for the third-country from which a space operator intends to provide space services or space-based data into the Union, that third-country operator shall in general be subject to the EUSA sustainability requirements.

The following, however, stands out:

• If a third-party space operator only provides ground station as a service to the Union spacecraft operator in accordance with the Art 19-c of the EUSA, it shall still be considered as the third-country space operator and subject to environmental sustainability requirements on the EF calculation and declaration.
• A third-party space operator that solely provides ground station services to the Union spacecraft operator shall also share all necessary data with the Union spacecraft operator for its EF calculation and declaration.
• A third-country space operator providing launch services (third party launch operator) may, upon request by a Member State, be exempted from space debris mitigation measures for launchers if the Member State demonstrates that access to and use of the third-country launch operator is in the public interest of the EU (Art. 19 EUSA).
• Third-country space operators that are small-sized enterprises or research and education institutions are (as EU operators) exempt from EF calculation and declaration obligations until 31 December 2031 (Art 15/1,2, Art. 96 EUSA).

5. Indirectly Affected Stakeholders

The EUSA sustainability provisions extend to the Union ground station as a service provider, manufacturers of launch vehicle and spacecrafts, as well as indirectly, to their suppliers within the supply chain.

Union launch operators and Union spacecraft operators, that manufacture their own launch vehicles or spacecraft, are required to impose contractual obligations on their suppliers to ensure that the design and manufacturing of the components align with the EUSA. Accordingly, suppliers are obligated to adopt and remain compatible with the EUSA sustainability in space requirements (Art. 74 EUSA).

Although the EUSA does not explicitly state this, Union spacecraft operators, if they procure the spacecraft from a manufacturer, shall also initiate a contractual obligation with the manufacturer to ensure that the design and components of the spacecraft are EUSA compatible. In such cases, the spacecraft manufacturer and its suppliers must adopt and remain compliant with EUSA sustainability in space requirements.

Although third-country space operators are subject to the same sustainability-in-space requirements, they do not appear to be required to impose contractual obligations on their manufacturers or suppliers to ensure that launch vehicles, spacecraft, and components are EUSA-compliant. This point may require clarification.

Union launch operators, Union spacecraft operators, and Union launch site operators shall require data from their suppliers by contract (as Union space operators are manufacturers of their own launch vehicle/spacecraft) to calculate EF of space activities. In this case, suppliers are under contractual obligations to provide data necessary for the EF calculation (Art. 96/3 EUSA).

Even though this is not explicitly mentioned in the EUSA, if a Union space operator procures the space object from a third-party manufacturer, it shall require by contract from the manufacturer all data necessary for EF calculation. In turn, the manufacturer must also obtain data from its suppliers.

Lastly, the Union ground station as a service provider is not directly subject to the authorization obligation under the EUSA. However, the ground station of a spacecraft operation must be taken into account for EF calculation as part of the operational phase of the space mission. Therefore, it appears that the Union spacecraft operator that purchases ground station services from a Union ground station shall receive all necessary data for EF calculation and declaration.

II. Exemptions and Easements

The EUSA provides exemptions or lighter regimes for certain operators regarding sustainability provisions of the EUSA in Art 10, 62 and 96.

1. Exemptions applicable to Sustainability in Space

Union space operators conducting research and education missions (Union research and education spacecraft operators) are exempted from certain space debris mitigation and light and radio pollution requirements as reflected in Article 62.

The above-mentioned exemptions for Union research and education spacecraft operators also apply to third-country space operators conducting research and education missions.

A third-country space operator providing launch services (third party launch operator) may, upon request by a Member State, be also exempted from space debris mitigation measures for launchers if the Member State demonstrates that access to and use of the third-country launch operator is in the public interest of the EU (Art. 19 EUSA).

2. Exemption from Environmental sustainability requirements

Union spacecraft operators that are small-sized enterprises or research and education institutions conducting In-orbit Demonstration and Validation (IOD/IOV) missions are exempted from EF calculation and declaration obligations (Art. 10/4 EUSA). The EUSA does not provide either a reference or a parallel exemption for third-country space operators in this regard.

The Union spacecraft operators that are small sized enterprises or research and education institutions conducting space operations other than IOD/IOV are exempted from EF calculation and declaration obligations until 31 December 2031 (Art. 96/8 EUSA). By reference to Art. 96 in Art.15/1 for third-country spacecraft operators and in Art. 15/2 for third-country launch and launch site operators, third-country space operators that are small-sized enterprises or research and education institution are likewise exempted from EF calculation and declaration obligations until 31 December 2031.

III. Union Space Label Framework and Voluntary Measures for Sustainability

The EUSA announces that the EC will develop a Union Space Label Framework to promote adherence to high standards for the protection of space activities and will adopt an implementing act to govern the Union Space Label Framework by further legislative action.

1. Implementing Acts and Labelling Schemes

The implementing act is announced to cover a template for the elements and duration of the Union Space Label Scheme and provide the candidate scheme(s) or updates on the existing scheme(s). The Union Space Label schemes aim to harmonize and further develop standards, good practices, and behaviours in the space sector, and to incentivize space operators to adopt them. Holding a Union Space Label would be of particular value to space operators in the context of national public procurement procedures in the Member States (Art. 109/1 EUSA). It would likewise be used for promotional purposes and as evidence to investors of the implementation of sustainability in space and environmental sustainability measures.

The Union Space Label Framework will consist of Union Labelling scheme(s) addressing different requirements including sustainability.

• The sustainability in space requirements of the Union Space Label Framework shall be related to the limiting the risks associated to space debris, reducing light and radio pollution, and enabling ISOS.
• The environmental sustainability requirement of the Union Space Label Framework shall be related to contributing to the reduction of the environmental impacts of space activities.

The Union Space Label Framework may specify three levels of protection such as basic, substantial or high. All information shall be provided and updated on a dedicated website maintained by the EU Space Agency. The Union Space Labelling Schemes and the Union Space Labels shall also be publicised on the same website.

2. Addressees and procedure

The EUSA does not explicitly specify who the addressees of the Union Space Label are. It only refers to space operators that intend to obtain such a label. The Union Launch operators, the Union spacecraft operators and the third-country space operators shall submit their application to the EU Space Agency accompanied by a technical file showing the fulfilment of the requirements of the Union Space Label Scheme for which the Union Space Label is sought.

The EU Space Agency shall provide an assessment on the application to the EC and the EC shall take the final decision on the application. If the application is approved by the EC, EU Space Agency shall issue Union Space Labels to the applicant operators for a duration specified by the implementing act.

The EU Space Agency shall also supervise the use of the Union Space label by operators. As part of supervision, the Agency shall verify the compliance of the operator with the Union Space Label requirements either on its own initiative or upon receipt of a complaint.

Union launch operators, the Union spacecraft operators, and the third-country space operators that hold a Union Space Label shall inform the Agency in case they detect any irregularities on their labelled space mission that may affect compliance with the Union Space Label scheme(s) requirements.

Greenwashing in space operations is also prohibited by the EUSA. Any false or misleading advertising, or use of the Union Space Label or of a logo that may be confused with a Union Space Label, is not permitted. Member States are asked to adopt effective, proportionate, and dissuasive sanctions for breaches of this obligation, and notify the EC accordingly (Art. 31 EUSA).

IV. ISOS as an Emerging Activity for the Sustainability in Space

ISOS activities refer to services to actively remove a non-functional space object/space debris from the orbital environment. Moreover, this includes docking with a space object to extend its mission life, and examining the condition of the space object by approaching it with a servicing object (rendezvous). In the longer term, ISOS is expected to include in-orbit recycling, manufacturing, assembly, and disassembly of space objects within the orbital environment.

ISOS is defined as one of the disposal methods that a Union spacecraft operator or third-country space operator can use as part of their space debris mitigation measures. The EUSA further provides technical requirements for the authorisation and supervision of ISOS.

1. General principles on the performance of ISOS

To receive ISOS, the Union spacecraft operators or third country space operator’s spacecraft, namely the client objects, shall be equipped with dedicated Spacecraft Service Interfaces (SSI). (Art. 101/3 EUSA)
In order to provide ISOS to a client object, both the Union ISOS provider (servicer) and the client object operator shall conclude a dedicated ISOS contract, and the client object operator shall explicitly and unequivocally consent to the start of the agreed ISOS.

The ISOS contract shall include a dedicated service plan describing the mission concept and infrastructure of both, the client object and the servicer spacecraft.

The client object and servicer spacecraft shall be designed and manufactured, and the ISOS mission shall be designed in a way that limits collision risk.

At the end of the mission, both the servicer spacecraft and the client object shall be left in a sustainable state after the separation.

2. Coordination between the servicer spacecraft and the client object

The control centres of the servicer spacecraft and the client object shall share all necessary data for the ISOS activity in order to ensure coordination.

Unless the client object is a debris, the Union ISOS provider and client object operator shall identify which control centre will be responsible for the conduct of the joint operations for each phase of the ISOS.

3. Design of the servicer object

The design of a servicer object and the service concept of the ISOS provider shall be compatible with the client object, whether it is a functioning spacecraft or debris.

4. Due diligence obligations

The Union ISOS provider shall take all necessary measures to prevent interference with and disruption to a third-party space object. If the ISOS provider cannot prevent interference or disruption, it should adequately mitigate potential adverse impact of ISOS over third-party spacecrafts.

The ISOS provider shall define a safety zone in reference to a third-party space object that will trigger non-engagement or withdrawal of the ISOS mission.

In the event of adverse impact on a third-party space object, the ISOS provider shall immediately notify the operator of the affected object.

The Union ISOS provider shall closely cooperate with collision avoidance service providers, including during the operational phase.

5. Safety of operations

Safety measures for approach, service operation and separation phase are defined in Annex VIII.

For the approach phase, the Union ISOS provider shall set out standby or transit points.

For the service operation phase, the Union ISOS provider shall conduct a GO or NO-GO test at every appropriate sequence defined for the operation and only continue the operation when a GO condition is met.

At each phase (approach, service and separation), the servicer spacecraft shall be able to assess the collision risk between the servicer spacecraft and the client object and autonomously manoeuvre to avoid collision with the client object.

6. Prior testing

Union ISOS providers shall carry out in-orbit tests at least before engaging in the first service operation, or the first step of such an operation. These steps may only be conducted if the servicer object poses no danger to any space object. Before carrying out any irreversible operations (such as deorbiting, disposal manoeuvre, passivation, modification on the client object), the provider must ensure that the test results support safe execution.

V. The Compromise Version of the EUSA Published by the Council of the EU

On 5 December 2025, the Danish Presidency of the Council of the EU proposed a compromise text that proposes changes to the EUSA also regarding space sustainability and environmental sustainability provisions.

It should be noted that this proposal is not yet an official re- draft of the EUSA but an opinion of the (outgoing) Danish presidency of the European Council on the draft EUSA, which has been shared with the public and the European Parliament. A move, which is “special”.

The compromise text proposed changes to the EUSA, also some slight changes to the space debris mitigation measures for launchers, light and radio pollution, and supply chain engagement:

• in Art. 61 regarding space debris mitigation measures for launchers, the obligation to design launch vehicles for demise during atmospheric re-entry and for uncontrolled re-entry is removed;
• the brightness threshold for satellites under the light and radio pollution provision in Art. 72 is removed;
• the obligation for Union space operators to require their suppliers by contract to ensure the conformity of satellites or components with the design and manufacturing requirements is removed (Art. 74).

Moreover, it seems that Union launch site operators are no longer within the scope of the environmental sustainability requirements, as “the launch site operator” is removed from the definition of space operator in Art. 5.

Exemptions and easements regarding sustainability in space and environmental sustainability remain the same; the only change is the redrafting of the provisions under a different chapter titled “Lighter Regime”, in a – allegedly - more compact form to avoid duplication.

VI. Conclusion

The sustainability pillar is the least developed of the three pillars of the EUSA, yet it represents a significant advancement when compared with existing national space laws of the Member States and in other spacefaring countries outside the Union. Light and radio pollution measures, environmental footprint calculation and declaration based on a uniform methodology, and the Union Space Label are provisions introduced to the space sector for the first time.

The mandatory sustainability measures in space and on Earth introduced in the EUSA, aim to ensure the sustainable conduct of outer space activities. The Union Space Label would incentivize good practices and responsible behaviour among space operators. Furthermore, the regulation of in-orbit servicing (ISOS) activities, which contribute to the removal of orbital debris, the extension of spacecraft lifetimes, and the promotion of a circular space economy, would likewise support the sector’s growth.

It should, however, be noted that, while the EUSA provides for bold and ambitious sustainability requirements in the space sector, the EU is in other contexts at the same time taking steps to simplify and reduce the scope of its Earth-related sustainability rules, most notably through the Corporate Sustainability Reporting Directive (CSRD), the Corporate Sustainability Due Diligence Directive (CSDDD), and the EU Taxonomy, all revised under the Omnibus package. These adjustments are particularly significant for SMEs, who are being exempted from mandatory reporting obligations, and the data requirements placed on them by companies within the CSRD scope are being reduced.

By contrast, the exemptions and easements on the sustainability requirements introduced under the EUSA for SMEs, remain very limited, and often apply only within a defined timeframe until 31 December 2031. Although the EUSA represents a significant step in integrating sustainability principles into the space sector, the potential technical, administrative, and financial burdens it may impose on operators, particularly SMEs, remain critical concerns. Consequently, it appears to be highly plausible that Omnibus-like easements will be introduced for the EUSA’s sustainability requirements, to strike a balance between ambitious policy objectives and the need to ensure that all SMEs can realistically meet them without being overburdened.

About the co-author

Dr. Merve Erdem Burger

Co-founder of Swiss Space Law Forum, independent space law consultant

Dr. Merve Erdem Burger currently runs her independent space law & policy consultancy in Switzerland and Türkiye, and provides specialized training in space law for academic institutions and government agencies. Before establishing her consultancy, she completed her post-doctoral research at the Chair of Public International Law, Faculty of Law, University of Neuchâtel, Switzerland, where she also taught International Space Law in the Master of Law program.

Judgments of the Austrian Federal Administrative Court

In two rulings, the Austrian Federal Administrative Court dealt with the purchase and processing of personal data by credit agencies. The two rulings were based on a legal dispute between the initial complainant, an address publisher, and a credit agency. The credit agency had acquired personal data of the first complainant from the address publisher and subsequently processed it for credit assessment purposes. Consent pursuant to Art. 5 I a GDPR was not obtained. The court ruled that both the transfer of data and the subsequent processing by the recipient were in violation of data protection laws.

In previous decisions, the Austrian Administrative Court had already ruled that the unlawful collection of data by a client also results in the unlawfulness of the subsequent transfer of this data by the same client (VwGH ruling Ra 2017/04/0034 Rn. 43; VwGH ruling Ra 2019/04/0054, margin note 41). The data protection authority extends this to the effect that the unlawfulness of the original data collection generally results in the inadmissibility of data processing by the recipient (DSB Austria, decision of March 24, 2023 – D124.3816 2023-0.193.268 para. 43). This would mean that, in the vast majority of cases, data that has been collected unlawfully could not be further processed lawfully by third parties either.

The BVwG did not expressly follow this line of reasoning. Rather, it based its decision on the general principles according to which all processing must comply with Articles 5 and 6 GDPR. Since both the address publisher and the credit agency independently violated the principle of purpose limitation, the continued effect of the error was not relevant. In more recent decisions, the data protection authority itself and the Administrative Court have also shown themselves to be more open to the lawful further processing of unlawfully collected data.

Assessment by the BfDI

On December 22, 2025, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) published a guide on data protection and AI in public authorities. Particularly with regard to AI models, the question arises as to the impact of the unlawfulness of data collection on subsequent further processing by third parties. The BfDI does not assume that an unlawfully developed AI model can never be used lawfully. Rather, the requirements for an obligation to investigate must be determined on a case-by-case basis based on the specific risk.

Assessment by the ESDA

The European Data Protection Board (EDPB) also does not assume that illegality has a blanket effect. In its Opinion 28/2024 on data protection aspects related to AI models, it advises supervisory authorities to examine on a case-by-case basis the impact of the unlawfulness of the initial processing on subsequent processing carried out by another controller.

Conclusion

This means that the question of the extent to which the unlawfulness of the collection of data by one party alone results or may result in the unlawfulness of the processing by another party is subject to a case-by-case assessment. In view of the assessments of the BfDI and the EDSA, it is not possible to assume a blanket consequence of error. Rather, a GDPR violation can be counteracted by taking appropriate measures when acquiring potentially unlawfully collected data. A well-thought-out data protection concept is crucial in this regard. In particular, the careful selection and review of contractual partners, as well as the review of the legal basis for the receipt and further processing of received data, are of great importance. Care should also be taken to ensure that the GDPR compliance of the data provided is adequately safeguarded by contract. If there is no concept in place that is commensurate with the risk, the further processing of the data may be contrary to the GDPR and result in data protection claims.

Facts

An unknown person published an advertisement on a classifieds platform under the name of the claimant. The ad offered sexual services and used a photo and a telephone number for this purpose. The operator removed the ad after receiving a corresponding notice. By that time, however, the ad had already been copied and disseminated on other websites. The data subject took legal action against the operator, inter alia, for infringements of the GDPR.

Key statements of the CJEU

1. Platform operators may be controllers of data uploaded by a user.
   In this specific case, the CJEU classified the operator as a controller. The decisive factors included the framework conditions for publication (including structure and presentation) specified by the operator and extensive rights to the content.
2. No hosting liability exemption for GDPR responsibility.
   According to the CJEU, the hosting liability exemption does not shield the operator from responsibility under data protection law. Unlike the DSA’s “notice and action” concept, it is therefore not sufficient to react only once the operator has knowledge. Infringements of data protection law should be prevented proactively.
3. Specific preventive obligations, especially under Article 9 GDPR.
   Platforms should, prior to publication, identify content that contains special categories of personal data, verify the identity of the person posting it, and assess whether there is a lawful basis (in particular, consent). In addition, appropriate measures should prevent or limit the unlawful copying and dissemination of such content.

Significance for practice

The judgment is likely to affect platforms where users can typically post content relating to third parties, especially in sensitive contexts (sexual content, health-related content, etc.). The decisive factor is less the label (“host provider”) than whether, by virtue of the platform design and rights to the content, the operator appears as an actor that determines (at least in part) the purposes and means of the processing.

What companies should do now

Role and platform-model review: Does your platform design meet the CJEU criteria (rights to content, control over presentation, anonymity, monetisation/commercial exploitation interest)? The results of this review must be documented (accountability).

Pre-upload governance for sensitive content: Detection and escalation processes for potential Article 9 GDPR relevance (text/image/metadata), including a “stop/review” workflow.

Risk-based user verification: Identity verification at least where higher-risk third-party content can be posted; clear evidence and declarations of entitlement/authorisation.

Protection against redistribution: Implement technical and organisational measures (TOMs) to limit copying and reuse, technically and organisationally, especially for sensitive content. In addition, monitoring and response paths should be established.

Ensure DSA processes dovetail properly: The notice-and-action mechanism has proven to be a reliable tool for issue resolution. It enables swift responses to notices and should be used as an additional line of defence alongside preventive GDPR measures.

Conclusion

“Russmedia” significantly strengthens data subjects’ rights and shifts platform compliance towards the pre-publication phase, at least where sensitive third-party content is involved. Operators should now align their platform model and processes so that they can robustly implement preventive GDPR measures and evidence compliance under the GDPR.

I. AI Regulation

Although the AI Regulation has been in force since August 2024, its practical relevance for companies will increase significantly, particularly in 2026. Individual obligations already apply, such as ensuring adequate AI competence among employees working with AI systems and certain transparency requirements, for example when interacting with chatbots or labeling AI-generated content (we reported on this in Data Protection Update No. 208). However, the actual regulatory change will take place with the broad applicability of the regulation from August 2, 2026.

From this date, comprehensive requirements will apply in particular to high-risk AI systems used in sensitive areas such as human resources management, performance evaluation, lending, access to education, or essential services. Providers and operators of such systems will then have to implement structured risk management throughout the entire life cycle of the AI system, maintain detailed technical documentation, and ensure that training, validation, and test data are suitable, representative, and as free from bias as possible. In addition, there are obligations to log data, monitor operations on an ongoing basis, and establish effective human oversight mechanisms. Serious incidents and malfunctions must also be reported to the competent authorities.

The Digital Omnibus announced by the EU Commission could modify these requirements in specific areas or extend their implementation period, in particular to avoid double regulation and reduce the burden on companies. However, no concrete relief measures have been decided upon yet.

II. E-evidence

From August 18, 2026, the E-Evidence Regulation will apply directly in all member states and will fundamentally change the way electronic evidence is handled (we reported on this in Data Protection Update No. 215). From this date, law enforcement authorities in the EU will be able to request electronic data directly from service providers in other EU member states for the first time without having to go through national legal assistance procedures. The core instrument is the European Production Order, which can be used to request certain inventory, access, and traffic data across borders.

In particular, it regulates a uniform, EU-wide procedure for accessing electronically stored evidence in communication, hosting, and other online services. The regulation sets binding deadlines within which service providers must respond to orders and, for the first time, establishes clearly structured requirements for securing data to prevent its deletion or alteration during ongoing investigations. At the same time, it prescribes a standardized communication channel via a secure IT system, which standardizes and accelerates the exchange of information between authorities and companies.

When it comes into force in August 2026, new organizational requirements will also become binding. Service providers offering their services in the EU without being established there must be accessible via a designated legal representative in the Union from that date onwards. The regulation thus clearly shifts responsibility and cooperation obligations to companies, making them key players in cross-border law enforcement in the digital space.

III. Data Act

Although the Data Act has been applicable since September 12, 2025 (we reported on this in Data Protection Update No. 200 and No. 214), another key part of its obligations will take effect on September 12, 2026. From that date, the obligation under Article 3(1) will apply to all connected products and related services placed on the market after that date. This means that the Data Act will become a product and development-related compliance requirement for manufacturers and suppliers by 2026 at the latest.

At the heart of the regulation is the obligation to design connected products and associated services in such a way that product data and associated service data are accessible to users by default. Data access must be simple, secure, and free of charge, and the data must be provided in a comprehensive, structured, commonly used, and machine-readable format. Where technically feasible, the data must also be directly accessible, i.e., without intermediate manual processes or separate requests. This covers not only the actual usage or sensor data, but also the metadata required for its interpretation and use.

With this regulation, the Data Act shifts the focus from purely contractual obligations to "access-by-design" requirements. From September 2026, manufacturers must ensure that data access is technically provided for as early as the development and product design stages.

IV. Cyber Resilience Act

The Cyber Resilience Act (CRA) came into force in December 2024, but its obligations are also staggered. The year 2026 is particularly important for companies, as key obligations for manufacturers of products with digital elements will take effect for the first time on September 11, 2026. From this date, Article 14 CRA will apply, which stipulates mandatory reporting obligations for actively exploited vulnerabilities and serious security incidents.

From this date, manufacturers must report identified vulnerabilities and security incidents that significantly compromise the security of a product to the competent market surveillance authorities within tight deadlines. The aim is to enable authorities to identify risks to users and the internal market at an early stage and to take coordinated action. The reporting obligation applies regardless of whether the product concerned is already fully CRA-compliant and requires appropriate internal processes for the detection, assessment, and escalation of security incidents.

The remaining substantive obligations of the CRA, in particular those relating to cybersecurity requirements throughout the product life cycle, technical documentation, CE marking, and the mandatory provision of security updates, will not become fully applicable until December 11, 2027.

However, it remains to be seen whether the Digital Omnibus will modify individual obligations and, in particular, implementation deadlines for the CRA (see below).

V. eIDAS 2.0

With the reformed eIDAS Regulation ("eIDAS 2.0"), the focus in 2026 will be on the practical introduction of the European Digital Identity Wallet (EU Digital Identity Wallet, "EUDI Wallet") in particular (we reported on this in Data Protection Update No. 218). While the regulation itself already sets the legal framework for a uniform digital identity across Europe, 2026 will be the year in which pilot projects and technical specifications give rise to the first binding applications on the market.

From 2026, member states will be required to provide their citizens and businesses with at least one EU-compliant digital identity wallet. This wallet will enable users to securely store identity data, credentials, and attributes—such as ID card data, driver's licenses, professional qualifications, or payment information—and disclose them selectively to public authorities and private providers. For companies, this means that they will have to adapt to new forms of digital identification and authentication.

2026 is also particularly relevant for large online platforms and regulated services, which may in future be obliged to accept the EU wallet as a means of identification where legal identification is required. This makes eIDAS 2.0 a central component for digital administrative services, financial and telecommunications services, and platforms with high requirements for identity verification and fraud prevention.

VI. Digital Omnibus

With the so-called Digital Omnibus, the European Commission has announced a comprehensive initiative (we reported on this in Data Protection Update No. 219 and No. 223) that is likely to become significantly important for European digital law in 2026. Unlike the regulations described above, this is not a stand-alone set of rules with directly applicable obligations, but rather a legislative package aimed at simplifying, harmonizing, and reducing the burden of existing digital law regulations.

The Digital Omnibus builds on several legal acts that have already been adopted, in particular the AI Regulation, data protection law, and other digital regulatory instruments such as the Data Act and CRA. Among other things, adjustments to deadlines, clarifications of obligations, and better coordination of parallel compliance requirements are being discussed in order to avoid double regulation and disproportionate burdens, especially for small and medium-sized enterprises. The focus is less on lowering protection standards in terms of content and more on fine-tuning the existing regime.

From a legal perspective, it should be noted that the Digital Omnibus will still be in the legislative process in 2026. Specific changes and their scope are therefore currently open and dependent on negotiations between the Commission, Parliament, and Council.

VII. Recommendations for action for companies

Against the backdrop of the developments described above, companies should use 2026 to review and further develop existing digital compliance structures in a targeted manner. In many areas, it is less a matter of new policy decisions than of the consistent implementation of already known regulatory requirements.

Companies that use or develop AI systems should clarify at an early stage whether existing or planned applications are classified as high-risk AI within the meaning of the AI Regulation and align their governance structures accordingly. By 2026 at the latest, robust processes for risk management, documentation, human oversight, and incident reporting must be established. Regardless of this, training and awareness concepts for AI competence and standardized transparency notices should already be implemented now to avoid short-term compliance gaps.

Providers of digital services should take the e-evidence regulation as an opportunity to fundamentally review their internal processes for regulatory inquiries. In particular, clear responsibilities, robust escalation processes, and technical requirements for the timely processing of disclosure and preservation orders must be established. Companies without a branch in the EU must prepare in good time to appoint a legal representative and ensure that their documentation and archiving obligations are covered organizationally.

Manufacturers of connected products and providers of connected services should make targeted use of 2026 to ensure Data Act readiness in product development. New products placed on the market in the EU from September 2026 onwards must already be technically designed in such a way that direct, standardized, and free data access is possible for users. This requires close coordination between legal, IT, product management, and development departments and should be integrated into development processes at an early stage.

In the area of cybersecurity, it is advisable to implement functioning processes for detecting, assessing, and reporting security incidents and vulnerabilities by September 2026 at the latest. Even though the full CRA obligations will not apply until 2027, the reporting obligations effectively serve as a preliminary stage to comprehensive CRA compliance and should not be viewed in isolation.

Finally, companies should actively monitor developments surrounding eIDAS 2.0 and examine in which business processes the integration of the EU Digital Identity Wallet will be necessary or strategically sensible in the future. Early technical and organizational preparation can create competitive advantages, especially for regulated industries and platforms.

VIII. Conclusion and outlook

The year 2026 will be marked by the further concretization and application of key European digital regulations. For companies, implementation issues will be at the forefront, while new policy regulations will initially play a subordinate role.

At the same time, the regulatory environment remains in flux. With the Digital Omnibus, further adjustments are foreseeable, the specific details of which are still open. Companies should monitor these developments and keep their compliance structures flexible in order to be able to respond appropriately to new requirements.

A neighbouring heritable building right is understood to be a heritable building right that is established for an existing or yet-to-be-built building that extends over one or more neighbouring properties and cannot be divided at the property boundaries. The essential feature of a neighbouring heritable building right is therefore that only part of the building is located on the heritable building property itself, while other parts of the building are or are to be erected on one or more neighbouring properties.

Facts

In the underlying case, the legal predecessor of a trading group, as the holder of a heritable building right, agreed with a community of heirs, as the owner of the property, on a heritable building right on a piece of land for the construction of a large department store. The contract expressly allowed neighbouring properties to be included in the development. At the same time, an obligation to subsequently separate the parts of the building was provided for so that an independent building could remain on the heritable building property.

The shopping center, whose building complex comprised five properties and could not be separated without destruction at the boundaries, was built in the 1980s. When the holder of the heritable building right stopped paying the rent, the community of heirs enforced foreclosure. The holder of the heritable building right defended himself on the grounds, among other things, that the heritable building right agreement was void due to the inadmissibility of a neighbouring heritable building right.

Decision

In its ruling of 19 December 2025 (BGH, ruling of 19.12.2025 – V ZR 15/24), the Federal Court of Justice confirmed the admissibility of neighbouring heritable building rights and expressly abandoned its previous contrary case law.

According to the Federal Court of Justice, a heritable building right can be established for a uniform building that extends beyond property boundaries. Section 1 para. 3 of the Heritable Building Rights Act (Erbbaurechtsgesetz - ErbbauRG) does not preclude this. The provision regulates the spatial restriction of the heritable building right. However, such a restriction can only be said to exist if the spatial scope of the heritable building right is limited to part of the heritable building property. This is precisely not the case with a neighbouring heritable building right, which rather envisages the extension of the scope of exercise beyond the heritable building property.

The conflicts that the historical legislator had in mind when creating Section 1 para.3 ErbbauRG resulted from the division of a building between different beneficiaries. However, the creation of a neighbouring heritable building right does not in itself lead to the coexistence of different beneficiaries. Conflicts between different beneficiaries in the case of a neighbouring heritable building right generally only arise upon its termination or reversion. The restriction of the heritable building right to part of a building is only to be regarded as inadmissible if it takes place within the boundaries of the encumbered property, whereby the Federal Court of Justice leaves open whether only a horizontal or also a vertical restriction is inadmissible in this respect.
Insofar as the inadmissibility of neighbouring heritable building rights has been derived in part from past Senate rulings in literature and case law, the Federal Court of Justice expressly no longer adheres to this view.

Conclusion

The decision provides welcome legal certainty, particularly for complex real estate projects. Neighbouring heritable building rights are permissible. Section 1 para. 3 ErbauRG does not prohibit the creation of a heritable building right for a uniform building extending beyond property boundaries. In practice, this means greater planning and investment security for large-scale, cross-border projects, but also high requirements for the drafting of contracts to deal with the property law issues arising from the termination of the neighbouring heritable building right.

In addition to the neighboring heritable building right, the tried-and-tested structure of a comprehensive heritable building right continues to exist as a further form of cross-border development based on a heritable building right.

The now appropriately renamed Carbon Dioxide Storage and Transport Act (KSpTG) will enable the permanent storage of carbon dioxide in underground rock strata for commercial purposes. At the same time, the act creates a uniform legal framework for the transport of carbon dioxide through pipelines for the first time.

The aim of the law is to reduce hard-to-abate industrial emissions through the use of carbon capture and storage (CCS) and carbon capture and utilization (CCU) technologies, thereby making a decisive contribution to achieving climate neutrality in Germany.

The amendment of the Act on the Prohibition of Dumping of Waste and Other Materials or Objects on the High Seas (Hohe-See-Einbringungsgesetz), necessary for the transport of CO₂ to the Exclusive Economic Zone and the amendment of Article 6 of the London Protocol enabling CO₂ export for injection abroad, remain to be approved by the Bundestag. In light of the estimated ten-year timeline for planning and developing storage projects in Germany and its Exclusive Economic Zone, the proposed legislative amendments are vital to fulfilling European climate targets.

Technical background

Carbon dioxide emissions are one of the main causes of global climate change. Comprehensive, rapid, and sustainable measures to reduce greenhouse gases are necessary to limit global warming. These include, among other things, significantly reducing carbon dioxide emissions by expanding renewable energies and increasing energy efficiency.

However, there are also emissions that cannot be completely avoided even when using technologically advanced and climate-friendly processes. Examples of this are lime or cement production, where CO₂ emissions are generated as a result of the process even when renewable energy is used. Furthermore, the necessary technology has not yet advanced sufficiently in other sectors to entirely eliminate emissions. In case of such emissions that are either unavoidable or exceedingly challenging to avoid, CCS and CCU technologies are an essential tool for minimizing the impact of CO₂ emissions on global warming, especially in cases where the emissions themselves cannot be prevented. Emissions are to be captured directly at their origin and subsequently stored or recycled.

In a CCS process, the carbon dioxide produced in industrial processes is captured, transported via special pipelines to a storage site, and permanently stored in underground rock strata. Accordingly, greenhouse gases are captured and prevented from being released into the atmosphere, thereby initially averting their harmful climate impact – even if the actual emissions do not decrease.

In a CCU process, the captured carbon dioxide is reused as a raw material for industrial processes, for example in the production of fuels or construction material.

Both technologies are designed to reduce the impact of CO₂ emissions and complement traditional climate protection instruments for reducing emissions.

Climate policy background

In the Federal Climate Action Act (Bundes-Klimaschutzgesetz), Germany has committed itself to achieving greenhouse gas neutrality by 2045 at the latest. This goal can only be achieved if, in addition to the conversion of the energy supply, significant reductions are also made in energy- and resource-intensive industries. Especially, the impact of emissions that are difficult or impossible to avoid on the atmosphere must be urgently reduced.

In light of these circumstances, the German Government considers the use of CCS and CCU to be an indispensable part of a comprehensive climate strategy. The amendment to the KSpG addresses the conclusions of the evaluation report pursuant to Section 44 of the previous version of the KSpG, which highlighted the necessity for an explicit legal framework regulating large-scale CO₂ capture and storage.

EU legal background

The new regulation is closely linked to European climate policy. It implements key provisions of Regulation (EU) 2024/1735 – the so-called Net Zero Industry Act (NZIA). Under the NZIA, member states are required to accelerate the expansion of key climate-relevant technologies and ensure a minimum annual CO₂ storage capacity of at least 50 million tons within the EU by 2030. By amending the KSpG, Germany intends to make a key contribution to achieving the European climate targets.

Previous legal situation

The previous KSpG essentially only applied to research, testing, and demonstration projects.

Its scope was limited exclusively to carbon dioxide storage facilities that were applied for before January 1, 2017, and in which no more than 1.3 million tons of carbon dioxide were to be stored annually. Furthermore, annual carbon dioxide storage in Germany was strictly limited to a maximum of 4 million tons. The purpose was to evaluate the opportunities and risks relating to CO₂ storage, without enabling large-scale technical use.

Actual, large-scale storage projects were not permitted under the previous legislation. Furthermore, the law only covered carbon dioxide storage facilities; no legal framework for the systematic transport of carbon dioxide through pipelines was in place.

The amendment of the KSpG removes these previous restrictions and adapts the legal situation to the current requirements of industrial and climate policy.

Key aspects of the amendment

The aim of the reform is to enable and facilitate the permanent storage of carbon dioxide on a commercial basis. The new name – Carbon Dioxide Storage and Transport Act – reflects the expanded scope: in addition to storage, the transport of CO₂ by pipeline is now also treated as an equal subject of regulation.

Expansion of the scope of application – offshore and opt-in

The previous, highly restricted scope of application under Section 2 (1) of the KSpG (old version) has been significantly expanded. The restriction to research and demonstration projects has now been replaced by the possibility of using CCS technologies on an industrial scale.

The focus is on offshore CO₂ storage in the German continental shelf and the Exclusive Economic Zone. The objective is to ensure that permanent storage is conducted offshore, i. e. outside sensitive land areas. Storage within the 12-nautical-mile zone remains prohibited.

Storage on the mainland remains prohibited in principle, with the exception of research projects. While the previous legislation allowed the federal states the option of prohibiting storage through an "Opt-Out," the KSpTG reverses this approach: Now, the federal states can actively determine through an "Opt-In" that permanent storage of carbon dioxide is permitted on their territory or in certain regions.

This will enable the federal states to open up for CCS projects in a controlled manner, taking into account criteria such as acceptance, safety, climate protection effects, environmental impacts, transport routes, and costs for industry.

If a planned storage complex extends across the territory of several federal states, storage is only permitted in accordance with Section 2 (5) sentence 2 if all affected states have given their consent or if the state in which the injection is to take place concludes a corresponding state treaty with the other states.

Expanded definitions

Specifically, the amendment contains a long-anticipated, more precise and expanded definition of "carbon dioxide pipeline." In the future, this will include not only pipelines that transport CO₂ to a storage site, but also those that transport it for other purposes – such as to industrial facilities as part of CCU projects. The law thus takes into account technological advancements and the increasing interconnection between production, use, and storage.

Transportation – Alignment of the planning approval process with the Energy Industry Act (Energiewirtschaftsgesetz – EnWG) and determination of overriding public interest

A key aspect of the reform is the simplification of the planning approval and authorisation procedure for carbon dioxide storage projects.

The planning approval procedure for carbon dioxide pipelines will be aligned with the procedure for pipeline projects under the EnWG by modifying the general, fundamentally applicable provisions of the Administrative Procedure Act (Verwaltungsverfahrensgesetz – VwVfG) with reference to the standards of the EnWG. Due to the close alignment with the rules of the EnWG, the administration and project developers should be able to build on their experience from procedures under the EnWG.

The draft provides for several discretionary criteria for weighing up the interests affected by the project within the framework of the planning approval process.

Section 4 (1) sentence 3 expressly states that the construction, operation, and modification of carbon dioxide pipelines are in the overriding public interest. The principle of overriding public interest is not recognised in protected marine areas.

In addition, when weighing up the interests involved, particular consideration must be given to the fact that carbon dioxide pipelines serve climate protection and contribute to reducing carbon dioxide emissions in Germany.

Another discretionary specification for consideration in the context of planning approval is the general decision to assume that, in case of the bundling of carbon dioxide pipelines with existing hydrogen pipelines, there is no additional impairment of other interests. Pipelines that do not extend beyond the area of an industrial site are exempt from this obligation, Section 4 (3). In principle, projects for the construction, operation, and significant modification of carbon dioxide pipelines are to be given priority in the planning approval and planning authorisation procedures (Planfeststellungs- und Plangenehmigungsverfahren), Section 4a (5). Section 4a (2) allows existing gas, hydrogen, and product pipelines to be reclassified for the transport of carbon dioxide without the need for a new planning approval procedure.

Section 4b provides for the possibility of expropriation if the construction and operation of a pipeline serves the public interest and extends the scope of application not only to transport to storage facilities, but also to transport for use as a raw material source for carbon compounds or, in the case of CO₂ extracted from the atmosphere, to transport to storage facilities.

Carbon dioxide storage – Overriding public interest and new regulations on approval requirements

Sections 11 et seqq. regulate the construction and operation of carbon dioxide storage facilities. These are legally defined as "a spatially defined area consisting of one or more rock strata for the purpose of permanent storage, as well as the necessary underground and above-ground facilities from the point of delivery of the carbon dioxide stream to the injection facility." They require planning approval by the competent authority. The construction and operation of carbon dioxide storage facilities are also in the overriding public interest, as long as they are not located in a protected marine area, Section 11 (1) sentence 2. In view of the narrow definition of the term "carbon dioxide storage facility," the infrastructure that is usually required upstream of or between the pipelines and the storage facility does not fall within the scope of the law.

In accordance with the planning approval process, the public must be notified about the project at the latest by the time the application is submitted.

For significant changes to existing carbon dioxide storage facilities, the planning approval decision may be replaced by a plan authorisation to be granted under a simplified administrative procedure in accordance with Section 74 (6) VwVfG under the conditions set out in Section 11 (2).

Section 13 (1) sets out comprehensive material approval requirements for carbon dioxide storage facilities. The public interest must not be compromised and the project must not conflict with overriding private interests. The long-term safety of the storage facility and the protection of groundwater as source of drinking water must be guaranteed; there must be no danger to humans or the environment.

When planning the project, precautions must also be taken to prevent significant irregularities in accordance with the state of the art in science and technology in order to avoid harm to humans and the environment. So-called coverage provisions, i. e., in summary, the annually determined security for the obligations arising from operation, decommissioning, and aftercare, including liability, must be made. The operator must ensure that carbon dioxide flows comply with legal requirements.

Section 13 (2) also specifies the required content of the planning approval decision. The authorisation or approval decision may be subject to time limits, conditions, a reservation of revocation, or requirements. In order to comply with the regulations, further conditions, amendments, or additions to the conditions are possible until the "transfer of responsibility," i. e., the point in time at which the operator's aftercare obligations are transferred to the state, at the earliest 40 years after the completion of decommissioning.

Non-discriminatory access

According to Section 33 (1), operators of carbon dioxide pipeline networks and storage facilities are obliged to grant other companies access to their carbon dioxide pipeline network and storage facilities in a non-discriminatory, reasonable, and transparent manner.

No connection of coal-fired power plants

According to Section 22 (4), only the transport and storage of CO2 released by coal combustion is now prohibited.

Conclusion and outlook

While some details of the KSpTG may be criticised, it nonetheless provides a solid and pragmatic uniform legal framework for the complex CCS and CCU technologies currently in the planning phase. Given lengthy planning periods required for storage projects in Germany, it remains to be seen whether and to what extent domestic industry will choose storage capacities in Germany or instead collaborate with more advanced projects in other European countries. The development of the pipeline network and the initiatives of individual federal states towards an opt-in solution will also be decisive factors.

This article was written in collaboration with our research assistant Elsa Pauline Neumann Doolan.

Introduction of the 1-cent share

In future, companies will be able to issue shares with a (notional) par value of less than EUR 1, down to 1 cent. This is intended to remedy a disadvantage of the German AG that is sometimes relevant in practice when comparing legal forms with other countries. This has an impact, for example, on the structuring of restructurings or financing instruments for growth companies. For example, the issue of options to venture capitalists or employees currently requires a payment of at least EUR 1 per share, which may require a considerable capital investment, whereas this is not the case with a 1 cent per share. In addition, for companies with stock market prices of less than EUR 1, a reduction in the par value per share would make it possible to raise capital again without simultaneously consolidating shares.

Restructuring of the delisting regime

The StoFöG also reorganizes the delisting regime. In future, it will be permissible to switch from the regulated market to an SME growth segment (which in Germany effectively means Scale) without having to make a delisting purchase offer. Furthermore, delistings from an SME growth market will be treated in the same way as delistings from regulated markets and will require a purchase offer reviewed by BaFin that allows investors to exit in return for compensation. Uplistings to the regulated market, on the other hand, remain exempt from the offer requirement.

Against this backdrop, some companies in the regulated market are currently considering switching to Scale in order to reduce the regulatory burden. The motives for this can be manifold. A typical example is to escape BaFin's disproportionate sanctions practice, even by European standards. Minor offenses that ultimately do not really interest anyone are often punished with heavy fines. Unfortunately, the legislator is not addressing this issue – changing it would have been "location promotion." Other motives may include circumventing takeover law requirements in the future. In this case, a downlisting followed by a takeover without the regulations of the WpÜG (German Securities Acquisition and Takeover Act) and then a delisting 1 to 2 years later would be a way to legally avoid the minimum price rules of the WpÜG.

Prospectus law simplifications

Prospectus-free offerings will be made considerably easier in the future. From June 5, 2026, prospectus-free offerings of securities (in particular shares and bonds) with a volume of up to EUR 12 million (previously EUR 8 million) will be possible within 12 months. However, this previously applied per class, whereas in future it will apply per issuer. Previously, it was possible to issue a convertible bond of EUR 8 million and carry out a capital increase of EUR 8 million without a prospectus, for example; in future, this will be a total of EUR 12 million.

Another very important practical change is the deletion of the provision stipulating that these prospectus-free offerings of EUR 8 million to date and EUR 12 million in future must be carried out by an investment services company within the framework of investment advice and brokerage. As a result, bond issues by companies outside the financial sector as proprietary issues were in many cases not feasible under these exemptions. This will change in future. However, it should be noted that the disclosure requirements of case law, according to which "prospectus-like" core information must still be available, remain unchanged.

In the course of implementing the EU Listing Act, the liability provisions of the WpPG will also be extended to the new Annex IX document. In certain cases, this document replaces the prospectus and contains condensed basic information. In our practice, the Annex IX document has already gained considerable importance.

Conclusion

It can therefore be seen that there have been few changes in the legislative process with regard to the topics summarized here. The StoFöG is expected to come into force at the beginning of 2026. The 1-cent share and the adjusted delisting regime will be particularly relevant in practice. The simplifications in prospectus law and securities trading law are also welcome.

The 18th Chamber of the Hesse Regional Labor Court had to rule on the possibility of trade secret protection in ongoing unfair dismissal proceedings under Section 273a of the German Code of Civil Procedure (ZPO). The background to the decision was a dismissal dispute concerning extraordinary dismissal for disclosure of trade secrets and unauthorized secondary employment. The defendant requested that the information it had presented to justify the dismissal be classified as trade secrets and that access to the court documents and proceedings be restricted in order to protect them.

The court clarified that the new procedural protection of confidentiality also applies outside of classic trade secret disputes, meaning that measures to protect confidential information can also be requested in labor law proceedings for protection against dismissal. However, the protection afforded by Section 273a of the German Code of Civil Procedure (ZPO) requires that the information in question be identifiable and specifically demonstrable. A mere general description of how a surveillance method works is not sufficient.

I. Facts

The employer, part of the Deutsche Börse Group, terminated an employee's employment without notice, alternatively with notice, citing, among other things, that the employee had disclosed confidential information. In the subsequent unfair dismissal proceedings, after § 273a ZPO came into force, the employer requested that the information which the employee was alleged to have disclosed (specifically relating to a surveillance method) be classified as confidential and that access to written pleadings and exhibits be restricted, as well as that the public be partially excluded from the proceedings before the labor court.

The labor court rejected the motions: Although it is possible in principle to implement measures under Section 273a ZPO in labor court proceedings, in this specific case there was no information worthy of protection. In the case in question, the employer had only described the surveillance method in question in abstract terms.

II. Decision of the Hesse Regional Labor Court

The Regional Labor Court first emphasized the scope of Section 273a ZPO: Upon request, the court in civil proceedings, including labor court proceedings, may classify information as confidential and restrict access to it if it is credibly demonstrated that it may be a trade secret within the meaning of Section 2 No. 1 GeschGehG; there is no need for a "trade secret dispute" in the narrower sense. The standard is credibility, not full proof.

Measured against this standard, the employer failed: the functioning of the surveillance method was only described in abstract terms, without naming specific, reproducible pieces of information that distinguish it from standard market solutions. A "mode of operation" can only be information within the meaning of the GeschGehG if the description enables experts to reproduce it in an " " manner; mere buzzwords about data collection, AI use, and alert logic are not sufficient.

Nor does the blanket use of broad passages from written submissions and attachments replace the required identification. In particular, the court objects to the subsequent, extensive "re-classification as confidential" of the submission already filed without precisely identifying the information requiring confidentiality and without reference to specific, definable document content.

Consequence: Neither classification nor access restrictions were ordered; the appeal was dismissed with costs, and the appeal on points of law was not allowed.

III. Practical Information

Dismissals due to the disclosure of confidential information and unauthorized secondary employment or competition are not uncommon. One challenge is often to present the employee's violation in the dismissal protection proceedings without at the same time jeopardizing the confidentiality of sensitive information in the public dismissal protection proceedings.

The Hesse Regional Labor Court has now emphasized that protective measures under Section 273a of the German Code of Civil Procedure (ZPO) are also possible in labor law proceedings. Employers should take this into account at the outset of such proceedings and apply for the information to be classified as trade secrets in good time. From a procedural point of view, it is advisable to initially withhold information requiring confidentiality after Section 273a ZPO comes into force, to submit the classification application quickly, and to only disclose the information after an order has been issued in order to avoid uncontrolled dissemination. A comprehensive, retroactive classification of large parts of written submissions is generally not promising if the contents have already become public to the parties.

However, the LAG also emphasizes that protection can only be granted if the information in question is sufficiently specific and sensitive.

The Düsseldorf Regional Labor Court (LAG) has ruled that ordinary termination due to vulgar criticism expressed in Turkish, in the form of a Turkish idiom, was disproportionate in this specific case.

Background

The plaintiff has been employed by the defendant in shift work since 2020. In April 2024, the defendant had already issued him with a warning for leaving his workplace without authorization and for insulting his then supervisor.

Just a few months later, in August 2024, the plaintiff also got into an argument with his new supervisor. The employer claims that the plaintiff ignored a specific work instruction from his supervisor. He replied that she had no authority over him and was still a child. After the supervisor instructed him to leave the factory floor, the plaintiff replied in Turkish: "You fucked the mother of the shift."

The plaintiff argued that he had only said "You made the shift mother cry" in Turkish. He did not say the vulgar version. Rather, he had been misunderstood, partly due to the noise in the factory hall.

Decision

Unlike the labor court, the Düsseldorf Regional Labor Court ruled in favor of the employee.

After hearing the evidence, the appellate court was of the opinion that the employee had said the vulgar version, "You fucked the mother of the shift." However, according to witness testimony, this was not meant as a personal insult or to be understood as such. Rather, it was criticism of the shift management as such, expressed in vulgar language. The remark was not intended to disparage the supervisor as a person.

The angry remark was made in a conflict situation and thus under special circumstances. After weighing up the mutual interests, the appeals court concluded that the proper termination was disproportionate.

Summary

In the opinion of the Düsseldorf Regional Labor Court, the plaintiff's emotional outburst did not justify termination. The decisive factor here was probably that the remark was not directed at the supervisor as a person. It was not an insult, but "only" an emotional outburst of anger. Nevertheless, this proceeding could still have been a warning shot for the plaintiff to rein in his emotions somewhat in the future.

According to the Higher Regional Court of Frankfurt am Main, the extraordinary dismissal of a managing director who approved an unjustified higher classification and an equally unjustified allowance for works council members and the representative for severely disabled employees is effective.

Facts

The defendant operates public transport in Wiesbaden.

The plaintiff had been employed by the company since 1994 and had served as managing director since 2014, overseeing quality management, commissioning, accounting and sales, technical operations and planning, as well as data protection. At times, the plaintiff was also responsible for human resources.

The plaintiff was no longer responsible for human resources, but had approved allowances and higher classifications for works council members.

During an internal investigation into irregularities in management, these very allowances and higher classifications of works council members came to light, whereupon the plaintiff was dismissed without notice for cause.

Decision

The Higher Regional Court of Frankfurt am Main ruled that the termination was effective and that, in particular, there was good cause in that the plaintiff had participated in the unlawful favoring of works council members and the representative for severely disabled employees in accordance with § 78 (2) BetrVG (in conjunction with § 179 (2) SGB IX) and, in any case, had violated his monitoring and control duties as managing director.

The defendant bore the burden of proof for unlawful preferential treatment. However, it had fulfilled this burden by submitting several legally binding labor court decisions containing substantiated arguments regarding the unlawfulness of individual promotions and the granting of allowances.

In the opinion of the Higher Regional Court, the plaintiff then failed to refute this, as he did not present any objective reasons to justify these measures.

In the opinion of the Higher Regional Court, it was also irrelevant that the plaintiff was no longer responsible for human resources, as he was obliged to control and supervise the co-managing director responsible for this area on an ad hoc basis.

Finally, in view of the plaintiff's long service with the company, the dismissal was proportionate given the seriousness of the breaches of duty.

Although the Higher Regional Court considered the dismissal to be valid, the plaintiff was not acting in bad faith by asserting his bonus claims in court. He was entitled to these despite his breaches of duty.

Practical tip

Even where a business distribution plan exists for multi-member bodies, each member remains responsible for monitoring and supervising co-managing directors or board members as required. This applies in particular to the control of higher groupings and the granting of allowances for elected representatives.

A breach of this duty – provided it is properly documented – may then also justify extraordinary termination.

In addition, the decision, like other recent case law on the remuneration of works council members, shows that companies must closely monitor the salary development of committee members and, if necessary, initiate labor court proceedings on issues relating to the correct classification of these committee members in order to avoid their own (criminal and disciplinary) risks.

I. Legal framework: Transparency requirements of Article 50 of the AI Regulation

Article 50 of the AI Regulation contains a tiered system of transparency obligations that differentiates between providers and operators depending on the type of AI system and the role of the respective actor. The central idea is to ensure that natural persons can recognize whether they are interacting with an AI system or are being confronted with AI-generated or AI-manipulated content. At the same time, the standard takes into account the fact that transparency requirements are context-dependent and cannot or should not apply with the same intensity in every case.

The regulation focuses on transparency requirements for generative AI systems. Pursuant to Art. 50 (2), providers of such systems must ensure that synthetic audio, image, video, or text content is labeled in a machine-readable format and is recognizable as artificially generated or manipulated. Article 50 of the AI Regulation deliberately refrains from specifying concrete technical procedures, but formulates qualitative requirements for the effectiveness, interoperability, resilience, and reliability of the solutions used. At the same time, technical feasibility, content specifics, economic reasonableness, and the state of the art must be taken into account.

On the operator side, Art. 50 (4) AI Regulation contains specific disclosure requirements for particularly sensitive use cases (we reported). For example, deepfakes must be disclosed as artificially generated or manipulated in order to limit the risk of deception. However, for obviously artistic, creative, satirical, or fictional content, this obligation is mitigated and limited to appropriate disclosure that does not compromise the character of the work. Comparable transparency requirements apply to AI-generated or manipulated texts that are published to inform the public about matters of public interest (typically news), provided that there is no human review or editorial responsibility.

These obligations are flanked by Art. 50(5) of the AI Regulation, which stipulates that information must be provided in a clear, unambiguous, and accessible manner at the latest when the AI system or AI content is first encountered.

Against this background, Article 50 of the AI Regulation expressly provides for the development of practical guidelines and codes of conduct at Union level to specify the open terms and technical requirements, thereby creating the legal basis for the draft code of conduct for AI-generated content that has now been presented.

II. Key content of the draft

The draft code of conduct on the transparency of AI-generated content published by the European Commission is explicitly intended as a concrete implementation of the transparency obligations under Article 50 of the AI Regulation. It was developed by two multidisciplinary working groups and is based on extensive consultations with industry, academia, civil society, and Member States. The code is deliberately designed as a soft law instrument: it is not legally binding, but is intended to serve as a reference framework for the implementation of legal obligations and at the same time provide supervisory authorities with a uniform basis for assessment

1. Section 1: Obligations for providers of generative AI systems

Section 1 of the draft is aimed at providers of generative AI systems and aims to specify, in technical and organizational terms, the transparency obligations set out in Article 50(2) and (5) of the AI Regulation for the labeling technically reliable of audio, image, video, or text content. The code takes a clearly functional approach. It does not specify a particular technical procedure, but rather formulates binding basic principles, graduated obligations, and concrete measures that providers should use to ensure the labeling and recognizability of AI-generated or AI-manipulated content.

The central approach of the draft is a multi-layered labeling approach. The draft explicitly assumes that there is currently no single technology that can meet the legal requirements on its own. Providers therefore undertake to use a combination of several active labeling techniques that complement and reinforce each other. These include, in particular, machine-readable metadata, imperceptible watermarks and, where necessary, supplementary fingerprinting or logging mechanisms.

For content that allows metadata embedding, the code stipulates that information on the origin and creation process of the content must be included in the metadata and digitally signed. In addition, AI-generated or manipulated content must be marked with an invisible watermark that is as robust as possible against typical processing steps such as compression, cropping, or format changes. The draft leaves open whether these watermarks are set during training, inference, or in the output layer, but explicitly calls for the "best possible technically and economically viable" implementation. For particularly challenging content types – such as short texts – additional methods such as logging or hashing can be used to enable later attribution.

The code pays particular attention to responsibility along the value chain. Providers of base models, especially generative AI models for general use or with open weights, should implement marking techniques at the model level to make it easier for downstream providers to comply with transparency requirements. At the same time, overall responsibility for proper labeling remains with the respective provider of the AI system, especially in the case of multimodal outputs or the combination of several models.

In addition to labeling, Section 1 also requires that AI-generated content be traceably detectable. To this end, providers should provide free interfaces, APIs, or publicly accessible detectors that allow users and third parties to check whether content has been generated or manipulated by a particular AI system. The results must be explained in an understandable way and be accessible without barriers. In addition, forensic detection methods are required that also work when labels have been removed or damaged in order to counteract attempts at manipulation.

These technical obligations are accompanied by requirements for interoperability, standardization, and governance. Providers should adhere to open standards, support common verification infrastructures, and regularly test, monitor, and further develop their solutions. To this end, the code provides for adaptive threat models, documented compliance frameworks, and close cooperation with market surveillance authorities, among other things. Overall, Section 1 thus outlines a demanding but deliberately flexible implementation model that is intended to enable technological innovation while at the same time placing high expectations on the organizational and technical maturity of generative AI providers.

2. Section 2: Obligations for operators

Section 2 of the draft specifies the transparency obligations under Article 50(4) and (5) of the AI Regulation for operators of AI systems that use and distribute deepfakes or certain AI-generated or AI-manipulated texts. Unlike Section 1, which primarily focuses on technical labeling and machine-readable recognizability, the focus here is on the disclosure of the AI origin in a manner that is immediately perceptible to humans. The code expressly understands these obligations as a supplement to the technical measures taken by providers and places the responsibility for the specific design of transparency with those actors who actually publish or distribute content.

A central element of the operator section is the introduction of a uniform disclosure logic that should be recognizable and contextually appropriate throughout the EU. To this end, the draft initially provides for a common taxonomy that distinguishes between fully AI-generated content and AI-assisted content. This differentiation is intended to enable users to better assess the extent of AI involvement, particularly with regard to the potential for deception and the depth of content intervention. The taxonomy also serves as the basis for all further labeling and disclosure measures by operators.

On this basis, the code obliges operators to label deepfakes and AI-generated or manipulated texts on topics of public interest using a common icon. Until a uniform EU-wide symbol is developed, the use of a transitional icon is envisaged, which will generally consist of a two-letter abbreviation for artificial intelligence (e.g., "AI"). The icon must be clearly visible at first glance, unambiguously assignable, and placed in a position suitable for the medium in question. In the future, an interactive EU symbol is to be developed that not only indicates the AI origin, but also provides further information on the type and scope of AI processing, for example by linking to machine-readable provenance data from Section 1 of the Code.

The draft attaches great importance to context-specific disclosure. Adapted forms of disclosure are described for different formats such as real-time videos, recorded videos, images, audio content, or multimodal content. For example, videos may require the icon to be displayed permanently, while audio formats may require additional or alternative acoustic cues. For particularly intrusive content such as deepfakes, the code requires clear, timely labeling that is perceptible to the audience without additional interaction. At the same time, Section 2 takes into account the fundamental rights tensions that can arise in connection with transparency obligations. For obviously artistic, creative, satirical, or fictional works, a less stringent disclosure is provided for, which must not impair the enjoyment and expressiveness of the work. Nevertheless, even in these cases, appropriate references to the use of AI should be made in order to avoid deception and protect the rights of third parties.

Finally, the code contains special provisions for AI-generated or manipulated texts on matters of public interest. Operators must disclose such texts as a matter of principle, unless they have been subject to human review or editorial control and a natural or legal person bears editorial responsibility. In order to invoke this exception, the draft requires traceable internal processes and a documented assignment of editorial responsibility.

The material disclosure requirements are accompanied by organizational requirements. Operators should maintain internal compliance documentation, train employees, and establish mechanisms for reporting and correcting incorrect or omitted labels. The code also emphasizes the importance of accessibility: disclosures must also be perceptible to people with disabilities, for example through alternative text descriptions, audio cues, or sufficient visual contrasts. Overall, Section 2 positions operators as the central interface between technical labeling and public perception of AI content and assigns them an active role in protecting the information space.

III. Practical implications and recommendations for action

The draft code of conduct makes it clear that the transparency requirements of Article 50 of the AI Regulation in a timely mannershould be implemented, even if they will not be binding until August 2026. Although the code is not legally binding, it is likely to serve as a central reference framework for supervisory authorities and thus effectively set the standard for proper implementation. Providers and operators should therefore already take it into account when designing their compliance measures.

For providers of generative AI systems, this means in particular that the labeling and detectability of AI content must be understood as an integral part of system design. Subsequent implementation is only possible to a limited extent, both technically and organizationally. It is therefore recommended to evaluate suitable labeling and detection methods at an early stage and to establish documentation and testing processes for providing evidence to supervisory authorities.

Operators of AI systems are faced with the task of establishing clear internal processes for classifying, labeling, and disclosing AI content. This applies in particular to the handling of deepfakes, AI texts on topics of public interest, and the clear demarcation of editorially responsible content. Internal guidelines, training, and reporting processes can help to implement labeling requirements consistently and in a context-appropriate manner.

IV. Outlook and conclusion

The draft code of conduct provides an important clarification of the transparency requirements of Article 50 of the AI Regulation and sets a clear direction for future practice. Once the current consultation phase has been completed, a revised draft is to be presented in spring 2026, before the final code of conduct is expected to be published by mid-2026. The transparency obligations under Article 50 of the AI Regulation will become binding on August 2, 2026. Against this backdrop, it is already clear that transparency of AI-generated content will become a permanent compliance issue. Companies and public authorities would therefore be well advised to closely follow the further development of the code and to integrate transparency requirements into their AI strategies at an early stage.

This article was created in collaboration with our student employee Emily Bernklau.

With its proposal, the European Commission is responding to the structural weaknesses of the regulatory regime that have become increasingly apparent since it entered into force in 2021. Both regulations were originally intended to ensure a high level of safety and health protection while at the same time fostering innovation. In practice, however, the regulations proved to be above all complex and cost-intensive for industry and confronted medical device manufacturers, and in particular SMEs with innovative products, with immense challenges due to limited capacity at notified bodies, conformity assessment procedures that are difficult to plan and rules that inhibit innovation.

The comprehensive reform proposal is now intended to simplify the existing rules while maintaining the high level of safety, to reduce regulatory hurdles for innovative medical devices and to improve the predictability and cost efficiency of the conformity assessment procedure at notified bodies.

I. Simplification of the existing rules

A focus of the Commission’s proposal is on easing the burden on manufacturers, in particular for established medical devices and proven technologies.

• Classification: The classification rules are to be adjusted, as a result of which, in certain cases, medical devices such as reusable surgical instruments, accessories for active implantable medical devices and software will be classified in lower risk classes (Annex VIII MDR).
• Person Responsible for Regulatory Compliance (PRRC): The detailed qualification requirements are to be removed. For SMEs, when using an external PRRC, the PRRC’s availability will be sufficient, rather than a “permanent and continuous” presence (Art. 15 MDR/IVDR).
• Certificates and recertification: The previous maximum validity of five years is to be abolished. Instead of recertification, notified bodies are to conduct risk-appropriate periodic reviews for as long as the certificate remains valid (Art. 56 MDR; Art. 51 IVDR).
• Clinical evidence: The term “clinical data” is to be broadened, the use of clinical data from equivalent medical devices made more flexible and the possibility to base safety and performance exclusively on non-clinical data is to be strengthened (Art. 2 No. 48, Art. 61, Annex II and XIV MDR; Annex XIII IVDR).
• Well-established technologies: A definition for medical devices based on proven technologies (“well-established technology devices”) is to be created. These products are to be subject to simplified rules (Art. 2 No. 72, Art. 18, Art. 32, Art. 52, Art. 61, Art. 86 MDR).
• Repackaging and relabelling: The obligation to notify such activities and to submit a notified body certificate before making the product available on the market is to be eliminated (Art. 16 MDR/IVDR).

II. Reducing barriers for innovation and special products

The Commission's proposal also addresses areas in which the MDR/IVDR have so far been perceived as an obstacle to innovation or as a supply risk.

• In-house devices: The conditions for the manufacture and use of self-developed medical devices in healthcare institutions are to be relaxed. Transfers of in-house devices to other healthcare institutions will be permissible under certain conditions. Under the IVDR, the requirement that no equivalent product is available on the market is to be removed. Central laboratories for clinical investigations are to fall under the exemption (Art. 5(5) MDR/IVDR).
• Conformity assessment for breakthrough devices (BtX) and orphan devices: For new BtX and orphan devices, criteria and facilitations for conformity assessment are to be introduced for the first time. For legacy BtX and orphan devices with CE marking under the directives’ regime, ´grandfathering` is to apply (Art. 52a MDR; Art. 48a IVDR; Art. 120 MDR; Art. 110 IVDR).
• Regulatory sandboxes: To test new technologies, the European Commission and the Member States are to provide regulatory sandboxes (Art. 59b, c MDR; Art. 54b, c IVDR).
• Performance studies: Performance studies involving routine blood draws are to no longer require prior authorization. The notification obligation for studies on companion diagnostics (CDx) using leftover samples is to be eliminated (Art. 58 IVDR).

III. Predictability and cost efficiency of the conformity assessment procedure

The Commission’s proposal is also intended to make the conformity assessment procedure for medical devices, involving notified bodies, more predictable and efficient.

• Structured dialogue and external experts: For the structured dialogues between manufacturers and notified bodies already envisaged in the MDCG guidance, legal bases and clear procedures are to be created. External experts are to be involved for scientific and technical questions (Annex VII MDR/IVDR; Art. 106, 106a MDR; Art. 100 IVDR).
• Conformity assessment: The assessment of the technical documentation is to be limited, for low or medium risk, to representative products to a greater extent than at present. Remote audits are to be possible for notified bodies in justified cases and surveillance audits are generally to take place only every two years (Art. 52 MDR, Annex IX, X, XI MDR; Art. 48 IVDR, Annex IX, X, XI IVDR).
• Remuneration of notified bodies: Reductions in remuneration are to be possible for SMEs and for orphan devices. The European Commission is to be empowered to lay down the level and structure of remuneration (Art. 50 MDR; Art. 46 IVDR).

IV. Other important aspects

• Digital compliance tools: EU declarations of conformity, certain information and instructions for use can be provided electronically, information may be transmitted electronically and digital contact details may be stored in EUDAMED (Art. 19, Art. 52b, Art. 110a MDR, Annex I and VI MDR; Art. 17, Art. 48b, Art. 103a IVDR, Annex I and VI IVDR).
• Removal from the AI Act: Medical devices with artificial intelligence are to be moved in Annex I of the AI Act from Section A to Section B, so that for medical devices, as a rule, only the MDR/IVDR apply, in order to avoid duplicate provisions and overlaps between legal acts.

V. Conclusion and outlook

The Commission’s proposal represents a milestone for the medical devices sector. The European Commission now appears to have recognized that a regulatory system to protect patients and users which is based on highly complex and multi-layered rules reaches a tipping point in implementation if innovative and in some cases life-saving medical devices no longer make it to market in the first place. The fundamental simplification of regulatory requirements and procedures is therefore to be welcomed. However, the original legislative procedure for the MDR/IVDR and the ongoing procedure to reform European pharmaceutical law show how difficult the path to a binding legal act can be. It therefore remains to be seen which of the changes described, or any additional changes, will ultimately make it into the amending regulation to the MDR/IVDR.

EU Follow-on prospectus

The EU Follow-on prospectus is the new alleviated prospectus type for public offerings and admissions by issuers of securities that have already been admitted to a regulated market or SME growth market for at least 18 months. It replaces the existing simplified prospectus for secondary issues. Its content has been further streamlined and is based on the previous EU recovery prospectus, which was temporarily introduced during the COVID-19 pandemic to facilitate short-term capital raising. The Commission's draft specifies different minimum content requirements for shares and bonds.

Compared with the previous requirements, duplications are eliminated even more consistently, and information items have been deleted that can be assumed to be known based on existing publications resulting from the issuer's stock exchange listing and is available on its website. In particular, information on the issuer's business activities, the members of its management and supervisory bodies, its major shareholders, and its share capital will no longer be required. Annual and half-yearly financial statements must be included if they have been published within the 12 months prior to the prospectus approval; annual financial statements must be audited. Unlike the requirements for full prospectuses under the Listing Act, no management report or sustainability report needs to be included. In the case of profit forecasts, the requirements for their preparation and a confirmation of comparability with historical financial information and consistency with the issuer's accounting policies have been waived. Furthermore, a statement of capitalisation and indebtedness as of a date no earlier than 90 days old prior to the date of the prospectus will no longer be required. So far, this statement has been controversial in practice, as it requires key figures that could not be taken directly from the issuer’s balance sheet and sometimes even necessitated the preparation of an interim balance sheet. Also, various formal information items on the execution of the offering will no longer be required in future.

An EU Follow-on prospectus for shares must not exceed a maximum length of 50 DIN A4 pages. Nevertheless, it shall be subject to the same liability rules as a full prospectus but talking into account the information already disclosed to the public due to the existing admission to trading. An EU Follow-on prospectus only has to contain information that enables an assessment of the issuer's prospects and financial performance, as well as significant changes in its financial and business position that have occurred since the end of the last financial year, as well as essential information about the securities offered or to be admitted to trading, as well as the reasons for the issuance and its impact on the issuer.

The EU Follow-on prospectus may be used for an offer and admission to trading of securities that are fungible with the securities already admitted to trading, including the admission to trading on a regulated market of securities that are fungible with those previously admitted to trading on an SME growth market (so-called uplisting). However, if only debt securities of an issuer are admitted to trading on a regulated market or an SME growth market, the issuer cannot use an EU Follow-on prospectus for the admission of shares to trading on a regulated market.

EU Growth Issuance Prospectus

The new EU Growth issuance prospectus replaces the previous EU growth prospectus. The future growth prospectus is now only intended to be a single document.

In terms of content, the requirements for the prospectus summary will be aligned to the full prospectus, but otherwise the mandatory disclosures will be significantly reduced. Disclosures on corporate governance will either be significantly streamlined or deleted. Information on remuneration (including pension provisions), shareholdings of board members, major shareholders, significant contracts, and transactions with related parties will be largely deleted. Only a general section on corporate governance and conflicts of interest in relation to the issue of securities will remain. Furthermore, various technical details on the securities offering will be removed as mandatory disclosures, including details on stabilization and greenshoe options. In this respect, separate disclosure requirements apply in any case under MAR and its delegated acts, so that duplication in the prospectus appears unnecessary. On the other hand, information on the dilution of existing shareholders must be included in future, both on the assumption that they do not subscribe for new shares and on the assumption that they subscribe in full.

Annual and half-yearly financial statements must be included if they were published in the last 12 months prior to the approval of the prospectus; annual financial statements must be audited. For issuers of shares with a market capitalization exceeding EUR 200 million, the management report for the periods covered by the historical financial information, including any sustainability reporting, must be included. In the case of debt securities, ESG information must be included if they are advertised as taking into account environmental, social, and corporate governance factors (so-called ESG factors) or pursuing ESG objectives.

An EU Growth issuance prospectus for shares has a maximum length of 75 A4 pages. The same liability rules apply to it as to a full prospectus. However, it may be limited to the relevant reduced and proportionate information enabling investors to understand the prospects and financial performance of the issuer and significant changes in its financial and business position since the end of the last financial year, as well as its growth strategy and key information about securities, the reasons for the issuance and its impact on the issuer, including its overall capital structure, and the use of the proceeds. Unlike other prospectus formats, it is emphasized that the EU Growth Prospectus is intended to enable in particular retail to make informed investment decisions.

Conclusion

The new simplified prospectus formats, the EU Follow-on prospectus and EU Growth issuance prospectus, represent a further attempt to streamline prospectuses and reduce the effort involved in preparing them. The elimination of duplications and information that has already been published elsewhere is a positive development. However, the EU Follow-on prospectus competes with the so-called Annex IX document, which has already been used several times in the market and is significantly simpler. If the issuer wishes to provide more information, for example, in the case of a use proceeds requiring further explanation (such as the financing of an acquisition or a significant change in corporate strategy), the page limit of 50 A4 pages is likely challenging. The voluntary addition of further elements, such as an operating and financial review (also known as OFR or MD&A) deleted under the Listing Act seems hardly possible in that respect. In addition, such a simplified prospectus is unlikely to be suitable for placement with US investors.

An EU Growth issuance prospectus is also subject to a length limit, but this is more moderate at 75 A4 pages. However, the applicable liability standard is unclear – the reduction in scope and content contradicts the emphasis on retail investors as the addressee. Given German case law, it remains unclear what this means for the "average investor who understands how to read a balance sheet" assumed to be the typical addressee of a prospectuses for securities to be listed on the stock exchange. The extent to which this format therefore represents a genuine alternative for issuers hoping to gain easier access to the capital market is likely to depend on the complexity of their business model and the associated need to explain the risks and opportunities involved in an investment.

See also

• Update Capital Markets No. 56: Relief from prospectus requirements under the EU Listing Act
• Update Kapitalmarktrecht Nr. 50: Der Ausbau der Kapitalmarktunion durch den EU Listing Act
• Sickinger/Radke/Pfeufer, Erleichterungen für Anleihebegebungen unter dem EU-Listing Act
• Meyer in Habersack/Mülbert/Schlitt, Unternehmensfinanzierung am Kapitalmarkt, 5. Aufl. 2025, § 35, ISBN 978-3-504-40109-2

No obligation to disclose intermediate steps going forward

The issuer's obligation to disclose inside information to the public is one of the measures MAR provides for to prevent insider dealing. An issuer whose financial instruments are listed on a trading venue in the EU with its involvement is obliged to disclose inside information that directly concerns that issuer without undue delay. Until now, this obligation has also applied to intermediate steps in a protracted process. This refers to situations that consist of several intermediate steps leading to a final event, such as capital measures, mergers, or restructurings. However, if information about such processes becomes public at an early stage, it could mislead investors rather than improving transparency of information in the market. According to the Listing Act, in a protracted process, mere intermediate steps such as declarations of intent, ongoing negotiations, or progress made in the process no longer have to be disclosed to the public, even if they constitute inside information. Instead, in the future, only the final event of the protracted process must be communicated in an ad hoc announcement. This revised rule will apply from June 5, 2026. The Commission is authorized to establish a non-exhaustive list of such final events in a delegated act.

List of final events

In the draft delegated regulation, the Commission first lays down some basic principles applicable to the list of final events:

The determination of many of the final events listed is based on the decision of the issuer's governing body. If the issuer's decision requires the approval of the supervisory board, the supervisory board fulfils the role of the issuer’s governing body. Thereby, the Commission takes acknowledges the organizational principle that applies in two-tier board structures, particularly in the case of stock corporations under German law. The issuer's internal decision-making process should provide for the decision of the supervisory board to be taken as soon as possible after the decision of the management board to ensure timely disclosure of the final event. If a decision has been delegated to a committee or a specific person, that committee or person is deemed to fulfil the role of the issuer’s governing body.

If, on the other hand, under the applicable corporate law a measure requires the approval of the shareholders and, according to the list, the decision of the issuer's governing body is considered the final event, then the disclosure obligation is triggered by the decision of the governing body to submit a proposal to the shareholders for approval.

The list of final events in Annex I to the draft delegated regulation contains a total of 35 typical protracted processes divided into seven categories as follows

A. Business strategy: This category includes various events such as material agreements, e.g. for the acquisition or disposal of assets or subsidiaries, mergers, or corporate reorganisations, as well as the termination of material agreements.

B. Capital structure, dividends, and interest payments: This category includes capital measures, securities issues, share buybacks, the conversion of financial instruments, decisions on dividend payments or the postponement or cancellation of interest payments or redemption payments.

C. Financial information: This comprises the acknowledgement or approval of financial results or forecasts.

D. Corporate governance: The draft lists the appointment or dismissal (‘removal’) of members of the issuer’s governing bodies or managers holding a key role, as well as significant amendments to issuer’s basic documents such as the articles of incorporation or by-laws.

E. Interventions by public authorities: Twelve different examples of interactions with public authorities are mentioned in this category such as applications for a license or authorisation and their subsequent granting, rejection, and withdrawal, as well as award decisions and applications for insolvency or similar restructuring proceedings.

F. Credit institutions, insurance companies, and reinsurance companies: A separate category includes various supervisory measures relating to companies in the financial sector.

G. Legal proceedings, sanctions, delisting: Judicial and administrative proceedings, provisional legal protection measures, decisions on sanctions, and decisions on the delisting of the issuer form another category.

For kind of protracted process, the respective final event triggering the disclosure obligation in the form of an ad hoc announcement according to Art. 17 MAR is determined in abstract terms. In this context, the following basic principles can be established

• In the case of agreements, the signing with binding effect is decisive, or alternatively an equivalent act that leads to the issuer being legally bound. If an agreement has to be approved by the shareholders before the signing, the decision of the issuer's governing body to submit the agreement to the shareholders' meeting for approval is deemed the final event triggering disclosure.
• For most final events, the final decision of the issuer’s governing body constitutes the trigger event; if the approval of the shareholders is required, the governing body’s decision to submit the matter to the shareholders' meeting is the final event, as in the case of contracts.
• When the issuer applies for an official authorisation, the submission of the respective application is considered the final event.
• In the event of the granting, rejection, or withdrawal of an authorisation, the formal notification by the competent authority is decisive; any prior correspondence, including the exchange of a draft of the official decision, is irrelevant.
• In connection with the application for insolvency or restructuring proceedings, the decision of the issuer's governing body to file the respective application is the ad hoc relevant final event.
• Judicial or administrative decisions become trigger the disclosure requirement upon receipt of the notification of the decision by the issue, even where the decision may be or is subject to an appeal.
• In the case of a delisting, the relevant final events of the respective process are the final decision of the issuer's governing body to file for delisting and the receipt of the decision by the competent authority.

The list of final events is not exhaustive. In the case of protracted processes that are not included in the list, the issuer remains responsible for determining the final event of the process on a case-by-case basis. In doing so, it should document the reasons for identifying the final event and the relevant time for publishing the related ad hoc announcement to be able to prove compliance with the disclosure obligation to the competent authority (in Germany, the BaFin).

Restrictions on the right to delay disclosure

Conceptually, the Listing Act left the issuer's right to delay the disclosure of inside information (also known as “self-exemption”) largely unchanged. So far, the following conditions had to be met for this:

a) immediate disclosure is likely to prejudice the legitimate interests of the issuer,
b) delay of disclosure is not likely to mislead the public, and
c) the issuer is able ensure the confidentiality of the information.

From June 5, 2026, the criterion of "no misleading of the public" will be replaced by the following more specific wording:

(b) the inside information that the issuer intends to delay is not in contrast with the latest public announcement or other type of communication by the issuer on the same matter to which the inside information refers.

List of situations in contrast with the last public announcement or communication

The Commission has also been empowered to set out, in a delegated act, a non-exhaustive list of previous disclosures that could contrast with the inside information to be disclosed. This is intended to give issuers greater legal certainty when assessing whether such a conflict exists that would prevent them from delaying the disclosure of inside information. In cases of doubt, the issuer should also consider any previous announcements or communications. The draft delegated act of December 15, 2025 lists some typical examples of such circumstances in Annex II as follows.

• Forecasts, financial results, or business objectives,
• Environmental or social impact of a project or product,
• materially different information about the issuer's financial condition (e.g., the need for a capital increase or an extraordinary bond issue),
• Results or deadlines for a product or project under development,
• Capital structure of the issuer,
• Business strategy (such as the decision to enter a new geographic market segment),
• Core elements of a significant contract or significant transaction,
• Corporate governance of the issuer, including management structure and codes of conduct.

List of possible communications that conflict with the inside information to be disclosed

Finally, Annex III contains a list of the types of communications that issuers should take into account in their assessment whether a conflict exists. This includes all publicly available communications by the issuer or its representatives, including information disseminated on its website or via social media.

Conclusion

The draft delegated act on ad hoc disclosure is characterized by a clear effort to reduce legal uncertainty for issuers regarding questions of ad hoc disclosure and to make use of the simplifications with respect to protracted processes. The list of typical final events is particularly helpful, especially as it clearly follows consistently applied basic principles. From the perspective of German issuers, it is welcome that the role of the supervisory board of a German stock corporation is now acknowledged — in particular, that its required approval would be undermined if its approval could only be granted after the subject of its decision has already been made public.

However, the list is not free of contradictions. For example, in the case of a capital increase with prior preparation of a securities prospectus, different final events triggering dates for the latest ad hoc announcement are determined. The submission of a prospectus to BaFin with an application for its approval would have to be made public, even if the final decision on the capital measure has not yet been taken. If the issuer concludes that the submission of the prospectus in itself constitutes inside information, the only option might be to decide a delay of the disclosure, which requires the process and documentation known from applicable law.

Careful analysis and assessment of the facts in each individual case and documentation thereof therefore remain necessary. At least the delegated act provides useful guidance in this respect.

See also:

• Update Capital Markets No. 57: Listing Act – Listing Act – Overview of significant changes in the European market abuse regime for issuers
• de Boer/Birzele, Finaler Report der ESMA: Veröffentlichung von Insiderinformationen in zeitlich gestreckten Verfahren nach dem Listing Act ab Juni 2026, BondGuide 15/25 S. 32

The reform is intended to enable consumers to make more informed and sustainable purchasing decisions while effectively curbing misleading or vague environmental claims (read more on this topic here). Alongside new rules on green claims and early obsolescence, the EmpCo Directive introduces EU-wide, standardised pre-contractual information duties for the sale of goods to consumers.

To operationalise these duties, on 25 September 2025 the European Commission adopted Implementing Regulation (EU) 2025/1960 (the “Regulation”). It lays down the binding design and content of:

• a harmonised notice on the legal guarantee of conformity; and
• where applicable, a harmonised label for the commercial guarantee of durability.

Both instruments apply in store and online and, in practice, cover almost all physical goods sold B2C.

Member States must transpose the EmpCo Directive into national law by 27 September 2026. In Germany, the Federal Government has already presented, on 3 September 2025, the Draft Act to Amend Consumer Contract, Insurance Contract and Treatment Contract Law, which anchors the new obligations in Articles 246 and 246a EGBGB and closely mirrors the Directive's substance.

Taken together, these measures enhance transparency in consumer sales, make existing statutory rights more visible, and ensure that durability claims are backed by clear, verifiable commercial guarantees.

Who is affected?

The EmpCo Directive's requirements are cross-sectoral. All B2C retailers-ranging from electronics and household goods to fashion, furniture and toys, as well as online marketplaces-must make the harmonised notice on the legal guarantee of conformity clearly available at the point of sale and in the online checkout.

Manufacturers and brand owners are affected in particular where they offer a commercial guarantee of durability of more than two years. In such cases, the harmonised label for the commercial guarantee of durability must be used and the information required for that label must be provided to retailers. In practice, this calls for close coordination between manufacturers and distribution partners.

Mandatory information at a glance

Harmonised notice on the legal guarantee of conformity

A core innovation of the EmpCo Directive is the harmonised notice on the legal guarantee of conformity. It must be presented prominently to consumers before they are bound by a contract and, in clear and comprehensible language, reminds them of their rights where goods are not conform.

The notice refers to the minimum two-year duration of the legal guarantee of conformity under Union law and clarifies that national law may provide for a longer duration. The Regulation fixes the design and wording of the notice, including a QR code linking to the Your Europe portal with further information. Substantive edits are not permitted.

In physical stores, the notice must be displayed as a clearly visible poster; online, it must appear in a prominent position and, where the contract is concluded through an online interface, it must be shown in colour. The notice also clearly distinguishes the legal guarantee of conformity from any additional commercial guarantees.

Harmonised label for the commercial guarantee of durability (GARAN)

The second pillar is the harmonised label for the commercial guarantee of durability-the “GARAN” label. It must be used where a producer offers, at no additional cost, a voluntary commercial guarantee of durability that:

• covers the entire good,
• has a duration of more than two years, and
• is provided without additional costs or conditions.

The label is language-neutral and includes, among other elements, the title “GARAN”, a tick-mark symbol indicating guaranteed durability, a calendar symbol and the duration of the guarantee in years, a visual reminder of the legal guarantee of conformity, and a QR code to additional information. Only the following fields may be edited: the duration in years (“XX”), the producer’s name (“Brand/Trademark”), and the “Model identifier”.

For physical sales, a minimum size of 95 × 100 mm applies. Online, the label must be displayed in colour; a nested display is permitted provided that the full label appears upon the user’s first interaction. The objective is to draw a clear, easily understood distinction between the legal guarantee of conformity and any voluntary commercial guarantee of durability.

Legal consequences of non-compliance

The EmpCo Directive’s requirements will be implemented in Member States as market conduct rules; infringements constitute unfair commercial practices. In Germany, businesses face in particular injunctive relief actions by competitors and consumer associations, regulatory measures in cases of widespread infringements, and significant reputational risks.

Because the content, format and placement of the harmonised notice and the GARAN label are strictly prescribed, compliance depends not only on using these instruments but on implementing them in the required form and within the applicable timelines across all physical and digital sales channels.

Practical implications and recommended steps by 27 September 2026

Businesses should start implementation early. Manufacturers should review and, where needed, adjust packaging, in-box materials and product pages to integrate the GARAN label in good time and in the required format. Retailers must ensure prominent placement of the harmonised notice at checkout and on product and checkout pages.

Products accompanied by a commercial guarantee of durability of more than two years should be systematically identified and correctly labelled. Sales, customer service and marketing teams should be trained to communicate the legal guarantee of conformity and the GARAN label accurately. Given the formal requirements for online presentation, timely adjustments to UX design, IT and content management will be needed. Close coordination between legal, marketing and product functions is critical to meet the Regulation’s strict layout and content specifications reliably.

Key takeaways

• New mandatory information from 27 September 2026: EU-wide, standardised pre-contractual information duties for B2C sales of goods apply both online and offline.
• Legal guarantee notice is obligatory: All B2C retailers must prominently inform consumers of the legal guarantee of conformity, using a non-editable template.
• GARAN label for guarantees over two years: Where a producer offers a commercial guarantee of durability of more than two years at no additional cost and covering the entire good, the harmonised label is mandatory.
• Formalities matter: Colour requirements, minimum size, placement and full visibility-especially online-are compulsory.
• Competition law exposure: Breaches may trigger warnings, regulatory measures and significant reputational harm.
• Act now: Manufacturers and retailers should audit products and guarantees, update packaging and online displays, and align internal processes ahead of the go-live date.

Facts of the case

The plaintiff, who is black and had been employed as Head of Analytics at the defendant's company since January 2023, was insulted by his supervisor early in the morning during an offsite trip abroad in February 2023 while under the influence of alcohol in their shared hotel room by using the "N-word". He complained with reference to Section 13 of the General Equal Treatment Act (AGG) and demanded EUR 10,000 in compensation from the defendant employer. The defendant took other measures in response to the complaint. It issued a warning to the supervisor and required him to attend training on the subject of discrimination. In June 2023, the defendant issued the plaintiff with a notice of termination with modification. From then on, the plaintiff was to continue working as a "lead data analyst" under otherwise unchanged contractual conditions.

LAG: Violation of dignity, but no "hostile environment" – consistent response by the employer as a decisive factor

The LAG affirmed that the use of the "N-word" constituted a violation of dignity and clearly classified the term as racist discrimination.

However, it found that the second element of harassment under Section 3 (3) AGG, namely the creation of a "hostile environment," was not present. In line with BAG case law, the LAG ruled that isolated incidents did not, in principle, constitute a hostile environment unless they were particularly serious. This was to be decided on the basis of an overall assessment.

In the present borderline case, according to the LAG, factors against a pervasive hostility in the working environment prevailed, including the situational circumstances (external event, in the early hours of the morning, influence of alcohol, hotel room outside the actual place of work) and, above all, the consistent reaction of the employer. The LAG emphasized that the offense was only caused by the offensive behavior of a single person and that no hostile environment arose from other employees or even superiors joining in the offensive behavior, but rather that the defendant responded to the incident by sanctioning the superior. Specifically, the defendant clarified the facts of the case, issued a warning to the supervisor, and required him to attend training on the subject of discrimination – an overall picture that clearly does not tolerate discriminatory behavior.

The LAG considered the dismissal with the option of altered conditions, which was issued four months later and merely changed the plaintiff's title, to be valid. It found that there had been no violation of the prohibition of discrimination under Section 16 AGG. In applying the distribution of the burden of proof under Section 22 AGG, the LAG was unable to establish a connection between the plaintiff's complaint and the dismissal with the option of altered conditions. The defendant had plausibly argued that two teams had been merged. The dismissal was not reviewed against the criteria of Section 1 (1) KSchG, as the six-month waiting period – which also applies to dismissals with the option of altered conditions – had not yet expired.

Compliance measures in practice protect against AGG liability

The Federal Court of Justice (BGH) has already ruled in the past that an effective compliance management system (CMS) can reduce a fine under Section 30 OWiG and that optimizing the CMS in response to the fine proceedings can also have a positive effect on the assessment (BGH v. 09.05.2017 – 1 StR 265/16).

The current decision of the Regional Labor Court also sends a clear signal for labor law practice: an effective, documented, and practiced compliance mechanism can protect employers from AGG liability risks. Specifically, the court considers the employer's repressive compliance measures as evidence against the assumption of a hostile environment. Where companies act immediately, in a structured and proportionate manner after an incident of discrimination, they demonstrate that they have fulfilled their prevention and protection obligations under Section 12 AGG and undermine the assumption of structural tolerance of discriminatory behavior.

Practical note

The LAG's decision shows that an effective, risk-based, and actively implemented compliance management system is indispensable in a company. In addition to preventive measures such as codes of conduct, regular training, and transparent reporting channels, an effective CMS also includes repressive measures in particular. These include consistent internal investigations and sanctions under labor law.

If an allegation is made, the facts should be clarified immediately, appropriately, objectively, and documented as part of an internal investigation. Based on the findings, the necessary further measures should be initiated. The quality and traceability of these steps are expressly taken into account by courts in their overall assessment and, as the decision shows, can have the effect of excluding liability.

Right at the outset, the Commission addresses the scope of the directive. It covers all business practices in the B2C sector (read more on this topic here), i.e., any action, omission, or communication directly related to the advertising, sale, or delivery of a product to consumers.

"Implied" environmental claims

The use of general environmental claims is prohibited under the Directive. Until now, there has been uncertainty as to whether implicit claims, such as the use of certain colors, can also be considered environmental claims. The Commission clarifies that purely implicit elements such as colors or images without text do not in themselves constitute general environmental claims. However, when combined with written or verbal statements, they may constitute a general environmental claim. Certain visual elements, such as green leaves, water droplets, or nature-related symbols, may be perceived by the average consumer as implicit environmental claims. In combination with textual statements or logos, they may be subject to the requirements of the EmpCo Directive on general environmental claims.

Such visual design elements can also be perceived by the average consumer as a voluntary quality seal, especially when placed next to statements on sustainability. They then fall under the broad term of sustainability seal, with the result that the strict requirements for sustainability seals apply.

Environmental statements in sustainability reports

As the Commission clarifies, sustainability reports as required by the CSRD do not typically fall under the Directive, as they are usually mandatory and addressed to investors. However, if environmental statements from these reports are voluntarily used in advertising aimed at consumers, they are subject to the provisions of the EmpCo Directive.

Interplay between the EmpCo Directive and intellectual property

The relationship between the directive and intellectual property law is also addressed. In the Commission's view, labels, brand names, company names, and product names are covered by the directive regardless of whether they are protected by trademark law and must therefore meet the requirements for general environmental claims and sustainability labels. This applies in particular to brand or product names containing terms such as "green," "eco," or "climate neutral." If such a name proves to be misleading or a general environmental claim, the Commission believes that registration as a trademark may be refused on the grounds of infringement of unfair competition law.

Advertising with terms such as "organic" or “vegan”

For terms such as "organic" and "eco," which relate to the ecological/biological production of food, the Commission refers to sector-specific regulations (such as Regulation (EU) 2018/8489). These take precedence over the EmpCo Directive as more specific regulations. In these constellations, the EmpCo Directive therefore does not apply.

In contrast, the terms "vegan" and "vegetarian" depend on the context. If their use suggests an ecological or social advantage, this may constitute an environmental claim or a sustainability label, in which case the provisions of the EmpCo Directive apply.

Sustainability labels

With regard to sustainability labels, the Commission clarifies that such labels must either be established by a government agency of an EU member state or be based on a certification system. The use of sustainability labels established exclusively by a government agency of a non-EU country is therefore not permitted unless they are based on a certification system. In addition, the label holder and the independent body that verifies compliance with the label criteria must be different legal entities.

Advertising with social aspects

The discussion on the EmpCo Directive often focuses on environmental aspects. However, the directive also contains provisions on advertising with social characteristics of products, such as the payment of fair wages or social protection along the value chain. "Social characteristics" are now explicitly named as an essential product feature in the context of misleading business practices; misleading statements in this regard are explicitly prohibited.

Labels that refer to social characteristics also fall under the term "sustainability label" and must meet the same requirements as environmental labels.

Implementation deadline and existing products

Finally, the Commission comments on how to deal with products already on the market. Member States must implement the directive by March 26, 2026; it will apply from September 27, 2026. From that date, companies must comply with the requirements, including for existing products. No additional transition period is planned. Companies should therefore adapt their products and advertising in a timely manner and, if necessary, comply with the requirements of the directive by applying labels or providing additional information.

According to the Rheinische Post, the North Rhine-Westphalian State Office for Combating Financial Crime acquired the data carrier via a whistleblower. The authorities expect to find evidence of schemes designed to conceal assets. Reliable information on the size of the allegedly untaxed flows is not yet available.

Focus on the digital economy: influencers and international arrangements

A task force of the State Office for Combating Financial Crime has recently advanced proceedings in the creator/influencer economy (see Update Compliance 8/2025). Against the backdrop of cross-border payment flows and platform-based revenues, particular attention is being paid to accurate recording, allocation, and taxation of sales, as well as the use of foreign companies. The newly acquired data may open up additional lines of investigation in these segments.

Outlook: increased audit and investigative activity

Data purchases typically lead to wide ranging requests for information, cross check notices, and external audits. Taxpayers with foreign connections – especially those with structures in offshore jurisdictions – should expect that even formal anomalies (e. g. lack of economic substance, insufficient documentation, unexplained payment flows) can trigger in-depth audits. Companies and individuals should promptly review their international structures, payment channels, and reporting obligations, and ensure robust documentation.

Practical tip

Following evaluation of the data, the tax authorities – potentially in cooperation with public prosecutors – are likely to initiate numerous criminal proceedings on suspicion of tax evasion. Tax evasion is a criminal offense under Section 370 of the German Fiscal Code (AO). A particularly serious case generally starts at €50,000 in tax loss and regularly results in significantly harsher penalties.

In appropriate cases, a voluntary disclosure exempting from punishment pursuant to Section 371 of the German Fiscal Code (AO) may be considered.

This requires that, at the time of filing, the offenses have not yet been discovered, that all non time barred tax offenses of the same type are disclosed completely and accurately, and that the evaded taxes plus interest are paid without delay. If a notice initiating criminal tax proceedings is served, those affected should immediately retain specialized criminal tax defense counsel, request access to the files, and coordinate a defense strategy.

In the event of a search: notify counsel immediately, avoid spontaneous statements, and provide only necessary personal information. Ideally, keep an emergency card with counsel’s mobile number and clear internal instructions for reception, IT, and management.

An assistant referee in the third football league (3. Bundesliga) is not an employee of DFB Schiri GmbH, which is why legal recourse to the labor courts is closed.

Facts

The plaintiff has been assigned as a referee in the regional league since the 2021/2022 season. The next higher division, the 3rd league, is a professional league. Its matches are organized by the German Football Association (DFB). The defendant, DFB Schiri GmbH, is responsible for assigning referees, including assistant referees and fourth officials, to matches. To this end, it maintains so-called referee lists. Inclusion in the referee list for the 3rd league is achieved in particular by regional associations registering regional league referees for so-called DFB referee coaching positions. The plaintiff was not considered for the 2024/2025 season. As a result, the defendant did not offer him a framework agreement to work as an assistant referee in the 3rd league, which he considers to be discriminatory.

According to the framework agreement, an assistant referee is not obliged to take on match duties. Even after being assigned according to the availability entered in the DFBnet portal, assistant referees can still refuse their assignments. Assistant referees in the 3rd league are paid per assignment (without a basic fee); there are no video assistant referees in the 3rd league.

The plaintiff has filed a lawsuit with the labor court seeking compensation and damages under Section 15 AGG. The defendant has challenged the jurisdiction of the labor courts, arguing that the plaintiff did not work for them as an empoyee in the 3rd league.

Course of Proceedings

After the labor court ruled that the labor courts did not have jurisdiction and referred the case to the regional court, the regional labor court, upon the plaintiff's immediate appeal, declared that the labor courts did have jurisdiction. The defendant's appeal against this ruling was successful, resulting in the reinstatement of the first-instance decision.

Decision

According to the Federal Labor Court, if the plaintiff had been "hired," he would not have worked for the defendant as an employee. Neither the framework agreement nor the individual assignments as an assistant referee would have established an employment relationship between the parties within the meaning of Section 5 (1) sentence 1 ArbGG, Section 611a (1) BGB. The defendant cannot unilaterally instruct an assistant referee in the 3rd league to participate in a specific match as a member of the referee team on the basis of the framework agreement. If he does not agree to officiate a match, he does not face any sanctions under the DFB's referee regulations. If an assistant referee agrees to officiate a match in the 3rd league, the obligations arising from the framework agreement and the referee regulations are not subject to instructions and have not to be fulfilled in a personally dependent manner. The plaintiff would also not have worked for the defendant as a person similar to an employee within the meaning of Section 5 (1) sentence 2 ArbGG. In this respect, the necessary economic dependence was lacking.

Classification

The decision of the Federal Labor Court on assistant referees confirms with welcome clarity the essential considerations of previous case law on (main) referees:

At the beginning of 2020, the Lower Saxony Regional Labor Court had already ruled that neither the one-year fixed-term referee framework agreements nor the resulting match assignments indicated an employment relationship. Prior to this, in March 2018, the Hessian Regional Labor Court had already denied the existence of an employment relationship and taken into account the unique nature of the sport in its landmark decision on refereeing.

DFB victory with Heuking in Hanover: Referees are Independent
(Second Chamber of Lower Saxony Labor Court, judgement of February 12, 2020 (2 Sa 172/19))

Referees are not employees: Deutscher Fußball-Bund e.V., the German Football Association, successfully defends an appeal with Heuking Kühn Lüer Wojtek
(Hessian Regional Labor Court, judgement of March 15, 2018 (9 Sa 1399/16))

Own Account Transactions by managers and new regulation under the EU Listing Act

According to Art. 19 (1) MAR, persons discharging managerial responsibilities at an issuer shall report personal transactions involving shares or debt securities of that issuer, related derivatives, or other related financial instruments. This applies to managers of issuers who have applied for the admission or inclusion of their financial instruments to trading on a regulated market in the EU, a multilateral or organized trading facility in the EU (trading venue) or have participated in such an application. Managers subject to these reporting requirements are members of an administrative, management, or supervisory body of the issuer or senior managers with regular access to inside information relating to the issuer who are authorized to make strategic business decisions. In the case of stock corporations under German law, these are typically members of the management board or supervisory board. In addition, persons closely associated with a manager are also subject to reporting duties. This includes close relatives, but also legal entities in which the issuer's manager discharges managerial responsibilities, which are controlled by the manager, or whose economic interests largely correspond to those of the manager. The notification of a transaction must be made to the issuer and to BaFin. The issuer shall make public the notification so that the capital markets can take note of the transaction. This is because the regulator assumes that such personal transactions by managers can send a signal relevant for capital market participants.

Until now, the reporting requirement in Germany applied to transactions that were carried out after a total volume of EUR 20,000.00 had been reached within a calendar year. The increase in the reporting threshold, which will take effect on January 1, 2026, became possible as a result of the EU Listing Act, which provides for more flexible notification thresholds for directors' dealings in the EU member states. In addition to the reporting threshold of EUR 20,000.00 per year as provided for in the MAR, the respective competent national authority, in Germany BaFin, was authorised to raise the threshold to EUR 50,000 at its own discretion. BaFin has now made use of this option.

By raising the threshold, BaFin intends to strike an appropriate balance between the degree of transparency and the number of notifications, taking market conditions into account. Based on the reporting data for the years 2021 to 2024, this would result in fewer notifications of up to a third. However, large and significant parts of personal trading will remain captured by the notification requirement and will be made transparent to the market. The increase of the threshold is also intended to take into account the high organizational and financial costs incurred by the persons obliged to make a notification and by the issuers as a result of the notification and disclosure requirements, especially for small and medium-sized enterprises.

Prohibition of Dealing During Closed Periods Remains Unchanged

However, the prohibition to trade during so-called closed periods remains unchanged. Thereunder, persons discharging managerial responsibilities at an issuer may not engage in personal transactions or transactions for third parties in connection with the issuer's shares or debt instruments or with derivatives or other related financial instruments in the 30 days prior to the publication of interim or annual (financial) reports. This is intended to prevent insider dealing and ensure fair markets. According to the wording of MAR, this does not explicitly apply to persons closely associated with a manager. However, transactions involving or on behalf of closely associated persons may be captured by the prohibition to trade as indirect personal transactions or transactions for third parties. However, the prohibition does not apply to transactions prior to the publication of quarterly reports. This is because these reports are not considered interim reports within the meaning of the prohibition as set forth in MAR. Nevertheless, the general prohibition of insider dealing must be observed in these cases as well.

Prohibition of insider dealing and of unlawful disclosure of inside information

The prohibitions in Art. 14 MAR, i. e., the prohibition on insider dealing, recommending insider dealing, and the unlawful disclosure of inside information, continue to apply unchanged. Insider dealing pursuant to Art. 8 MAR is generally prohibited. This means that a person possessing inside information (insider) may not use this information to acquire or sell financial instruments, either directly or indirectly, for its own account or for the account of a third party. In addition, it is also prohibited to recommend that another person engages in insider dealing or to induce another person to engage in insider dealing. Cancelling or amending an order concerning a financial instrument using inside information also constitutes prohibited insider dealing. The unlawful disclosure of inside information is also prohibited. The prohibition of insider dealing and its preliminary acts is intended to strengthen confidence in the financial markets, lead to equal distribution of information among market participants, and thus ensure fair trading. The most part of the provisions on insider dealing are to be found in MAR. The German Securities Trading Act (WpHG) only contains provisions that supplement MAR and primarily deal with the criminal, administrative, and civil law consequences (see below).

Ad hoc disclosure and changes introduced by the Listing Act

The Listing Act amends the rules on ad hoc disclosure with effect from June 5, 2026. The basic principle remains unchanged: an issuer of financial instruments listed on a trading venue in the EU shall inform the public as soon as possible of inside information which directly concern that issuer. This principle is meant to limit the risk of insider dealing by ensuring a high degree of transparency regarding price-sensitive information. As the provisions on managers’ transactions, the ad hoc disclosure requirement also applies to issuers involved in initiating the listing of their financial instruments on a trading venue. The upcoming change concerns so-called "protracted processes." These are situations that consist of several intermediate steps until a final event occurs. Examples include M&A transactions, capital measures, or restructurings. In the future, intermediate steps that constitute inside information will no longer have to be published via an ad hoc announcement. This will only be required for the final event of the protracted process. The issuer will no longer be required to adopt a formal and documented resolution to defer the publication of an ad hoc announcement. To facilitate the distinction between intermediate steps and final events, the EU Commission has been empowered to adopt a delegated act. This is intended to specify, for certain protracted processes, when the final event is deemed to have occurred and must therefore be disclosed. ESMA already published a related proposal on May 7, 2025. The delegated act is expected to be adopted in 2025.

However, the issuer may only refrain from publishing an intermediate step if it ensures its confidentiality. Otherwise, it must publish it as soon as possible. This is the case if a rumour explicitly relates to undisclosed inside information (i. e. the intermediate step) and that rumour is sufficiently precise. In this case, it is assumed that confidentiality is no longer ensured. Issuers therefore have to monitor the information available on the market in order to identify and evaluate rumours. They must still be prepared to publish an ad hoc announcement about an interim step at short notice and have an up-to-date "shadow ad hoc announcement" ready for this purpose.

Insider dealing prohibitions and essential organisational requirements still apply

Irrespective of disclosure requirements being facilitated, essential organisational obligations still apply. If an interim step constitutes inside information, the related prohibitions have to be observed, in particular those relating to insider dealing and the unlawful disclosure of inside information. Issuers must also continue drawing up an insider lists.

Sanctions for violations

Violations of the prohibition of insider dealing, disclosure and notification requirements may result in fines and criminal penalties. A failure to make ad hoc announcements, late or incorrect ad hoc announcements, or directors' dealings are subject to fines. They may also be sanctioned as information-based market manipulation and, in the case of intent and influence on the market price of the financial instrument concerned, even punished with fines or imprisonment. Violations of insider dealing prohibitions are also subject to fines and, if intentional, even criminal penalties. The sanctions for violations of issuer obligations are primarily directed against the responsible managers; for the purposes of criminal prosecution, the disclosure hoc and other issuer obligations are "passed on" to them (Section 14 German Criminal Code (StGB), Section 9 Administrative Offenses Act (OWiG)). Findings of criminal market abuse in the form of prohibited insider dealing or market manipulation by executives can also result in corporate fines. These can amount to up to EUR 15 million or 15 % of the previous year's turnover of the company concerned.

Practical note

The reform of European market abuse law through the Listing Act is progressing. The raising of the threshold for reporting personam transactions by persons discharging managerial responsibilities by BaFin and the extension of exemptions from the trading ban during so-called closed periods will make things much easier. However, this should not obscure the fact that insider law continues to impose a number of behavioural and organizational obligations on issuers and their executives. Strict compliance with these obligations is essential, as the penalties for violations remain significant.

Issuers and executives must adapt their internal guidelines in line with the new requirements and align their monitoring accordingly. In the event of official investigations into suspected omissions or false reports – in the case of suspected administrative offenses by BaFin or suspected criminal offenses by the local public prosecutor's office – internal codes of conduct should generally be established, particularly for the event of searches.

See also

• Update Capital Markets No. 55: Listing Act – ESMA consults on simplifications for insider lists
• Update Capital Markets No. 57: Listing Act – Overview of significant changes in the European market abuse regime for issuers

Key points at a glance

The amended BSI Act (BSIG), as a central component of the NIS2 Implementation Act, significantly expands the scope of application: In the future, a large number of companies and organizations will be subject to the provisions of the BSIG. The sectors defined by the law and – depending on the area of activity – the respective legally defined thresholds for number of employees, turnover, and balance sheet total are decisive.

Affected companies are subject to extensive cybersecurity obligations. These include, in particular: registration, implementation, and documentation of information security risk management, as well as reporting of significant security incidents. See also the further information on our expertise website.

In addition, the NIS2 Implementation Act also brings changes to various other laws, such as the Energy Industry Act (EnWG).

What further steps need to be taken now?

The NIS2 Implementation Act does not provide for a transition period. This means that the new requirements will apply immediately from December 6, 2025. In particular, this means:

• Impact assessment: Companies are required to independently assess whether they fall within the scope of the NIS2 Implementation Act. The impact assessment should be clearly documented so that it can be submitted to the supervisory authorities if necessary.
• GAP analysis and implementation: Affected companies must check whether and to what extent they already comply with the legal requirements, in particular the new reporting obligations and the risk management requirements. Any missing measures and process gaps must be closed or adjusted as quickly as possible to ensure the necessary compliance. Verifiable documentation must be ensured here.
• Registration: The BSI provides for a two-stage registration process. According to this, an account must first be created in the digital service "Mein Unternehmenskonto" (MUK). The new BSI portal will then be activated on January 6, 2026. This will serve in particular as a registration and reporting point for significant security incidents. Registration must be completed within three months of the law coming into force.

If a significant security incident occurs before registration on the BSI portal, it must be reported using a provided online form. This ensures that reporting obligations can be fulfilled seamlessly, even if the portal infrastructure is still under construction.

Conclusion

With the NIS2 Implementation Act, German lawmakers have significantly tightened cybersecurity requirements in Germany. The organizational effort involved – from impact assessment and registration to operational implementation – should not be underestimated.

Companies that do not yet fully comply with the new legal requirements should therefore address this issue without delay. The following approach is recommended:

In the short term, the focus should be on assessing the impact, planning the registration process, and ensuring that incidents can be reported. At the same time, risk management should be reviewed and any necessary adjustments made.

EUDAMED is the central European database for medical devices and in vitro diagnostic medical devices. It collects the essential information on medical devices pursuant to Regulation (EU) 2017/745 (“MDR”) as well as on in vitro diagnostic medical devices pursuant to Regulation (EU) 2017/746 (“IVDR”). As EUDAMED has not yet been fully operational, mandatory use was suspended until the formal confirmation of its functionality. In the meantime, the corresponding registration obligations were largely fulfilled via national registers.

With the Decision, the European Commission now confirms the functionality of the following modules:

• Electronic system on registration of manufacturers, authorised representatives and importers
• UDI database and electronic system for the registration of devices
• Electronic system on Notified Bodies and certificates of conformity
• Electronic system on market surveillance

With this confirmation, a six‑month transition period for the mandatory use of the respective modules is initiated. The concerned modules must be used mandatorily by 28 May 2026.

For the modules on clinical investigations and performance studies as well as vigilance and post‑market surveillance, the confirmation of functionality is still outstanding. Their use is therefore not yet mandatory. Instead, depending on applicability, national registers may be used.

I. Overview: SaaS in the context of EU regulation

SaaS services occupy a special position in the European digital legal framework because they are simultaneously infrastructure, data processing environments, and often components of products or business processes. Their classification determines which obligations apply to data access, security, interoperability, or responsibility; the requirements vary considerably depending on the scope of functions. In addition, different regulatory logics overlap: platform regulation, security law, product law, and access rules each pursue their own protective purposes and regularly intersect in SaaS environments. This creates a challenge for companies to consistently align technical, contractual, and organizational decisions with the appropriate regulatory classification.

II. SaaS and the Data Act

With the Data Act coming into force in September 2025 and the Commission's proposals for the Digital Omnibus now available, which clarify key terms and relax or redefine individual obligations (we reported), companies will have a clear but challenging legal framework for dealing with SaaS services.

1. SaaS as a "connected service" (Art. 2 No. 6)

SaaS services become "connected services" when they are functionally linked to a networked product and enable or significantly expand its use in practical operation. This is often the case when machines, vehicles, or devices do not process their operating data locally, but instead make it available, evaluate it, or exchange it with each other via a cloud application. The cloud platform then becomes part of the product ecosystem because without it, users would not be able to access the data generated or use key functions of the product. For the provider, this means that it acts as the data owner within the meaning of the Data Act and must provide users with legally secure access to product and service data ( ). Users are entitled to information and to the transfer of data to third parties of their choice, and the technical design of the service must ensure that this data access is actually feasible. This applies in particular to real-time retrieval, the provision of technical interfaces, and the obligation not to impede data transfer through contractual or technical barriers (we reported).

In practice, this becomes relevant, for example, when the SaaS service analyzes the operating status of machines, enables remote access, or serves as a communication interface between individual products. Such constellations mean that data that was previously held exclusively by the manufacturer is now available to the user and can also be made available to competitors at the user's request. At the same time, the provider must ensure that trade secrets are protected and only disclosed under appropriate confidentiality requirements. The Digital Omnibus draft strengthens these protective mechanisms by explicitly clarifying that data owners may refuse disclosure if there is a high risk that trade or business secrets could be disclosed in third countries with an inadequate level of protection. However, the refusal must be justified and remains limited to narrowly defined exceptional cases.

2. SaaS as a "data processing service" (Art. 2 No. 8)

Beyond specific product integration, many SaaS offerings fall under the regime for data processing services. This chapter of the Data Act applies to all cloud services that store, process, or provide data in a platform environment. The central objective is to remove barriers to switching and promote interoperability between services. This creates an obligation for SaaS providers to design their systems in such a way that customers can export data in a practical form and transfer it to another service. Contracts must contain clear information about the scope of services, technical dependencies, and the conditions for changing providers; in particular, switching or data exports must not be hindered by excessive fees or proprietary formats.

The Digital Omnibus addresses several practical problems in this regard. For SaaS services that are not "off the shelf" but have been highly customized to meet the individual requirements of a customer, the switching obligations are mitigated. Since such services are often not functional without extensive preconfiguration, their complete migration should not be enforced. The draft also provides relief for smaller providers: They are granted longer transition periods, are allowed to continue certain contract models, and can make exit procedures more pragmatic without jeopardizing the goal of the Data Act—the gradual elimination of lock-in effects. At the same time, key principles remain in place, such as the foreseeable ban on egress fees, which is considered essential for an open cloud market.

III. SaaS and the Digital Services Act

For many SaaS offerings, in addition to the Data Act, the question arises as to their classification as a hosting service within the meaning of the Digital Services Act. The decisive factor here is not so much whether a service is publicly accessible or restricted to a specific group of users, but rather whether users – be they companies, employees, or external partners – upload content, data, or other information to the system "on their own initiative." This requirement is regularly met by modern SaaS applications, as they typically provide functions for uploading, exchanging, or storing data. This means that they are subject to the general obligations for hosting services and must have procedures in place that enable the responsible handling of reported illegal content.

The DSA does not differentiate between B2C and B2B contexts; the only decisive factor is the provider's role as an intermediary for third-party content. As a result, SaaS providers must establish clear processes for reporting illegal content, make transparent decisions about its removal, and inform affected users. In addition, providers are expected to actively protect the integrity of their service and, in the event of serious criminal offenses, enable appropriate reports to be made to the authorities.

These requirements apply regardless of the size of the provider or the scope of the service. Unlike the additional obligations for very large online platforms, the basic obligations apply to all hosting providers and thus to almost all SaaS constellations. Companies that provide or use SaaS solutions should therefore ensure that their platforms have transparent reporting channels, structured review processes, and traceable documentation of decisions. This is particularly important when platforms are used as part of larger ecosystems, for example, to store technical documentation, communicate with customers, or manage machine-generated data.

IV. SaaS and AI Regulation

In the case of SaaS solutions that provide AI functionalities, the first question that arises is who is to be classified as the provider and who as the operator of the system within the meaning of the AI Regulation. These roles are not mutually exclusive, but may coincide or be distributed among several actors, depending on the organizational model. The decisive factor is the actual control over the system and the responsibility for how it is used. A company that develops an AI system itself or has it created for its own purposes is regularly both the provider and the operator because it controls both the technical design and the practical use. If, on the other hand, only the outputs of an AI system are used without controlling the technical processes or the operating environment, the company is merely a user of outputs, not an operator. The distinction is important because providers and operators are subject to different obligations under the AI Regulation.

For SaaS models, the constellation in which a provider makes the AI system available via a cloud-based platform and retains complete technical control over the system – i.e., the infrastructure, the model, and the background processes – is particularly relevant. In such cases, the customer decides when and for what purpose the AI system is used, while the provider ensures functionality, updates, monitoring mechanisms, and technical supervision. From the perspective of the AI Regulation, this suggests that the customer is the operator because they define the purposes of use, determine the input data, and evaluate the output, while the SaaS provider is to be classified as an additional provider if they market or make the AI system available for use under their own brand. The fact that the computing processes take place on the SaaS provider's servers does not change the customer's role as operator; in this respect, the provider acts within the customer's sphere of control and merely provides the necessary technical components.

The distinction between roles becomes particularly relevant in areas where SaaS-based AI systems are used in highly regulated fields of application, such as the processing of HR data or in imaging procedures. The AI Regulation classifies systems that make decisions about access to employment, personnel development, or performance evaluation, as well as systems that evaluate learning progress, exam performance, or study ability, as high-risk AI. This means that SaaS providers and operators are subject to far-reaching requirements in terms of data quality, documentation, human oversight, and risk management. For SaaS providers, this means that as soon as their system is used for such purposes, they must not only meet technical requirements, but also clarify whether they themselves are to be classified as providers, downstream providers, or operators. For customers, on the other hand, this means that when using an AI SaaS service for HR or educational purposes – such as automated application analysis, skills assessment, or adaptive learning systems – they are regularly considered operators and are therefore subject to the full high-risk regime themselves.

V. SaaS and other EU regulations

Beyond the Data Act, the DSA, and the AI Regulation, SaaS services are affected by other European regulations, although their scope of application varies depending on the nature of cloud-based services. This is particularly evident in the Cyber Resilience Act, which primarily targets "products with digital elements" and thus primarily covers hardware or locally installed software. Purely cloud-based SaaS services that are provided entirely via the provider's servers and do not require local components are expressly excluded from the scope of the CRA, according to Recital 12. Instead, depending on their design, they are subject to the requirements of NIS2, in particular if the SaaS service is classified as an essential or important service with relevance for corporate or sector security.

Another factor is the Accessibility Enhancement Act, which requires digital services to be designed to be accessible if they provide consumer-oriented functions. For SaaS providers, this becomes relevant, for example, if booking, service, or interaction processes that directly affect end users are handled via the application . An online booking function within a SaaS platform may therefore be sufficient to trigger the requirements for accessibility, perceptibility, and operability. This can also become important in the B2B environment as soon as a service is used not only internally but also as a customer interface.

Finally, the E-Evidence Regulation creates a binding procedure for the cross-border request of electronic evidence by law enforcement authorities. SaaS providers are thus obliged to respond to orders within very short deadlines – usually ten days, or eight hours in emergencies – and to provide stored communication or usage data. Since the regulation is aimed directly at digital service providers, SaaS providers must implement procedures to identify, review, and respond to requests in a timely manner. For companies that use SaaS services, this creates an additional layer of compliance because data processed or transmitted as part of the service may potentially be subject to such orders.

VI. Recommendations

For companies that offer or use SaaS services, it is becoming increasingly important to align technical and contractual structures with the new regulatory requirements at an early stage. The starting point should be a clear classification of the respective service, as the roles of connected service, data processing service, hosting provider, or AI operator trigger different obligations. In the area of connected products, it is advisable to design your own architecture in such a way that data access, transfer options, and protective measures for trade secrets are taken into account from the outset. Even SaaS providers without a product reference should check the extent to which change processes and data exports are technically feasible and what adjustments are necessary in the drafting of contracts.

When dealing with AI functionalities, careful role and risk classification is essential. Companies should document whether they are providers, operators, or users of an AI system and which processes need to be implemented for quality assurance, human oversight, and model management. Finally, it is advisable to create internal compliance structures that also take into account the requirements of the DSA, the E-Evidence Regulation, or the BFSG. These include documented reporting channels, transparent decision-making processes, security concepts in accordance with NIS2, and reliable procedures for responding to regulatory inquiries. Early coordination between legal, IT, product development, and purchasing makes it easier to effectively fulfill these obligations while maintaining operational flexibility.

VII. Conclusion

In the future, SaaS services will be operated in almost all areas of business under a significantly tighter European legal framework. With the Data Act, the DSA , and the AI Regulation, regulations are in place that fundamentally influence the operation, data architecture, and provider relationships of SaaS. The current draft of the Digital Omnibus provides additional clarity by redefining key terms and at the same time providing for transition periods and exemptions.

This article was created in collaboration with our student employee Emily Bernklau.

I. Background

The Competition Center already took legal action against Amazon at the end of 2023. The ruling of the Higher Regional Court of Frankfurt am Main on December 21, 2023 (Ref.: 6 U 154/22) meant that online marketplace operators such as Amazon, upon notification of a violation of market conduct rules, must check other offers for similar violations and, if a violation is identified, remedy it if necessary. It was not without reason that the proceedings were described as a landmark case for the Competition Center.

The Competition Center had used the well-known notice and take down procedure to alert Amazon to a number of offers that violated EU designation protection. The offers contained vegan milk substitutes that were labeled in an impermissible manner, namely as "soy milk," "oat milk," and "rice milk." Amazon then followed up on the reports and removed the offers in question.

However, due to Amazon's refusal to issue a cease-and-desist declaration, the Competition Center filed a lawsuit. The Frankfurt Higher Regional Court prohibited Amazon from allowing third parties to use designations such as "soy milk, rice milk, and oat milk." As a result of the ruling, Amazon now has an extended duty to review. The court made it clear that Amazon must not only remove reported content, but also proactively prevent similar violations.

Despite the appeal being admitted to the Federal Court of Justice, no supreme court decision was made on the matter. This was due to the fact that Amazon changed its corporate structure before the appeal proceedings were concluded, thereby bringing the proceedings to an end.

II. New lawsuit, new luck?

Now, the Competition Center has announced that it is filing another lawsuit against Amazon. The Competition Center is thus resuming its long-standing goal of achieving a landmark ruling that bindingly defines the scope of liability of platforms in cases where third parties violate competition law.

The lawsuit was again triggered by anti-competitive offers on the Amazon Marketplace. Third parties offered products on the Amazon Marketplace that were labeled with misleading information, such as outdated energy efficiency classes. Once again, the Competition Center used the tried-and-tested notice and take-down procedure to alert Amazon to the anti-competitive offers. And once again, Amazon initially complied with the notices by removing the reported offers. However, it did not take long before similar violations were found on Amazon Marketplace again.

The Competition Center responded by filing a lawsuit.

III. What does the Competition Center want to achieve?

Although the "notice and take down" procedure seems to work in principle, it cannot be said that Amazon does not remove reported content. However, how effective is this when similar or very similar violations can be found on the same platform again shortly afterwards? From the perspective of the Competition Center, this is definitely not sufficient, which is why it aims to create the so-called "Notice and Stay Down" procedure from the Notice and Take Down procedure.

IV. What would the "Notice and Stay Down" procedure mean for platform operators?

If the Stay Down procedure is approved by the courts, operators of online platforms, especially online marketplaces, can expect a significant increase in their monitoring obligations. Specifically, this could include the following obligations:

• Implementation of automated filter mechanisms to identify similar legal violations
• Further development and strengthening of internal compliance structures
• Continuous monitoring of offer data even after a reported violation has been removed

V. But why could this be particularly beneficial for European retailers?

The Competition Center argues in favor of introducing the notice and stay down procedure, in particular, on the grounds that otherwise unequal competition would arise because European retailers would have to comply with strict European requirements, while retailers from third countries would continue to benefit from the use of inaccurate or misleading information within the meaning of competition law.

In this respect, consistent application of the notice and stay down procedure could ensure that European traders and third-country providers have to meet the same requirements, as otherwise they would have to fear the platforms' automatic filter systems, which would consistently remove their offers.

VI. Outlook

If the Competition Center succeeds in obtaining a landmark ruling, this could mean a radical change for e-commerce. At the same time, it could ensure a level playing field among retailers, regardless of where they are based. Ultimately, it comes down to the question of how much responsibility platform operators have and what obligations arise from their responsibility. Perhaps the Federal Court of Justice will succeed in ruling on the matter this time.

The Hamm Regional Labor Court (LAG) has ruled that vacation entitlements that cannot be taken in the actual vacation year due to a prohibition of employment under the Maternity Protection Act (MuSchG) or due to parental leave are carried over to the next vacation year. However, this is not merely an extension of the carry-over period of the old vacation year.

Background

After the employee returned from parental leave in December 2024, the two parties disputed whether the plaintiff was still entitled to 13 days of additional leave under the collective agreement from 2021 and 2022.

The plaintiff was employed by the defendant five days a week as a sales assistant. The employment relationship was governed by the collective agreement (MTV) concluded between the North Rhine-Westphalia Trade Association and ver.di. According to the MTV, vacation must be granted and taken in the current calendar year if possible. In the event of a transfer, the vacation must be taken and granted in the first four months of the following calendar year. Otherwise, the portion of the vacation entitlement covered by the collective agreement expires.

From October 2021, the plaintiff was subject to a ban on employment without having already taken all her vacation days for the 2021 vacation year. The ban on employment was followed seamlessly by maternity leave and parental leave.

Decision

The Hamm Regional Labor Court is of the opinion that the plaintiff is also entitled to the 13 days of additional vacation entitlement under the collective agreement after her return from parental leave in December 2024. This entitlement will only expire on December 31, 2025.

Although, according to Section 7 (3) sentence 1 of the Federal Leave Act (BUrlG), leave must generally be granted and taken in the current calendar year, Section 24 sentence 2 MuSchG and Section 17 (2) BEEG [German Parental Leave Law] apply as special provisions. According to the court, possible provisions in the MTV were therefore also irrelevant.

The two special provisions mentioned above contain an exception to the principle that recreational leave must be granted and taken in the current calendar year. However, this is not merely an extension of the three-month carry-over period under Section 7 (2) BEEG. Rather, it constitutes an actual carry-over to the next calendar year or leave year. Only when this vacation year has expired – in this case, the year 2025 – can the vacation entitlement at issue here expire. This also applies to the additional vacation entitlement under the collective agreement. Here, too, the above-mentioned special provisions of the MuSchG and BEEG take precedence.

Summary

The above decision must be taken into account when planning leave and balancing leave entitlements. This means that even after several years of parental leave, "old" leave entitlements may become relevant again.

The Federal Labor Court (BAG) has clarified that, in order to assume gender-based pay discrimination, it is sufficient for a female employee to demonstrate and, in the event of a dispute, prove that a single male colleague receives higher pay for the same or equivalent work. This "pair comparison" with a single colleague alone triggers the presumption that gender discrimination exists. According to the BAG, the size of a comparison group or median values are no longer relevant.

If the employer cannot refute this presumption with clear, objective, and gender-neutral reasons, they must raise the salary of the disadvantaged employee to the level of the colleague specifically compared—in other words, make an "upward adjustment."

What was the case about – and what did the BAG decide?

In the case in question, the plaintiff, a department head, referred, among other things, to the internal remuneration dashboard in accordance with the Remuneration Transparency Act. This showed that a male colleague in a comparable position received a higher salary.

In the first instance, the Regional Labor Court had ruled that a pair comparison with only one comparator was not sufficient to assume gender discrimination and had based its decision on median values.

The Federal Labor Court has now significantly lowered this hurdle: a comparison with a single male colleague is sufficient to trigger the presumption of gender discrimination, which must be refuted by the employer. The employer must then demonstrate in court that the salary difference can be explained solely by objective, gender-neutral reasons.

Classification in the current legal Situation

The principle of "equal pay for equal or equivalent work" is derived from EU law (Art. 157 TFEU) and the German Basic Law (Art. 3 GG) and is enshrined in Germany in particular in the Pay Transparency Act and the General Equal Treatment Act (AGG).

The Federal Labor Court (judgment of January 21, 2021 – 8 AZ 488/19) had already ruled in 2021 that statistical evidence (e.g., a lower median wage for women) can be an indication of gender discrimination. In 2023 (judgment of February 16, 2023 – 8 AZR 450/21), the BAG clarified that "better negotiating skills" are not a justification for salary differences between men and women. The current ruling further refines the logic of circumstantial evidence by stating that a pair comparison with only one person of the opposite sex is sufficient to establish gender discrimination.

The BAG's position is in line with the EU Pay Transparency Directive (2023/970), which EU member states must transpose into national law by June 2026. The EU Pay Transparency Directive strengthens employees' rights to information about pay levels and criteria, requires greater transparency in recruitment (e.g., disclosure of the salary range before the interview and a ban on asking about previous salaries), introduces reporting obligations, and makes it easier for employees to enforce their rights. As soon as there is evidence of gender discrimination, the burden of proof shifts even more strongly to the employer. In addition, damages and fines may be imposed for violations of the directive's provisions.

What does this mean for employers in concrete terms?

The BAG ruling is already putting pressure on employers to act. The key message is clear: a single comparison with a comparable colleague of the opposite sex is sufficient for employers to have to explain and justify why salary differences exist. Those who cannot provide clear, objective, and gender-neutral reasons must pay the difference.

The Pay Transparency Directive, with its far-reaching obligations for companies, will further increase this pressure from 2026 onwards.

Against this backdrop, employers should review their remuneration practices, clearly describe roles and responsibilities, objectively evaluate positions, and define and document salary bands and salary levels based on objective and gender-neutral criteria (e.g., skills, responsibility, workload, and working conditions). The remuneration system must be objective, transparent, and verifiable.

Individual deviations from this remuneration system in specific cases should always be documented and substantiated with objective, gender-neutral reasons. After all, anyone who wants to justify inequalities needs reliable and non-discriminatory documentation of the decision. According to the case law of the Federal Labor Court (BAG), a general reference to "poorer performance" or "better negotiating skills" is not sufficient.

Against this backdrop, transparent and standardized remuneration structures will be indispensable for companies in the future. They reduce liability risk and ensure compliance with the EU Remuneration Transparency Directive, which must be implemented by June 2026.

We are happy to support you in developing and implementing a structured remuneration system and in ensuring legally compliant implementation of the requirements of the Remuneration Transparency Directive. A comprehensible and carefully documented remuneration structure helps to prevent potential risks of claims for damages due to gender discrimination and to reliably meet the requirements of the upcoming EU directive.

Deliberately untruthful statements made by an employee during legal proceedings may justify extraordinary termination without notice.

Facts

The parties disputed the defendant's ordinary termination with notice and then an additional extraordinary termination without notice declared in the proceedings. The defendant was a specialist retailer of e-bikes. The plaintiff had been employed by the defendant as a branch manager since the beginning of 2016. It was undisputed that there was no signed employment contract between the parties. In March 2023, the defendant sent the plaintiff a draft employment contract as an email attachment. In addition to a gross monthly salary for the plaintiff, this draft also provided for a bonus payment of EUR 10,000.00 plus two percent of the branch's profits in the event of a profitable financial year. It is undisputed that this draft contract was not signed by the parties. The defendant terminated the employment relationship in January 2024 with due notice and justified this termination on the grounds that the plaintiff was suspected of having sold bicycles and accessories on his own authority and without accounting for them, and of having retained the cash payments thus obtained. The plaintiff defended himself against this with an action for protection against dismissal filed within the prescribed period. In addition to the application for protection against dismissal, the plaintiff also asserted a claim for bonus payment. As evidence, he introduced a document into the proceedings entitled "Employment Contract (dated January 15, 2016)". This document specified a bonus payment that was similar in content to the terms in the draft employment contract dated March 14, 2023, but was recognizably different in wording. The plaintiff claimed that the parties had agreed on the content of this very document. The defendant disputed this claim as deliberately untrue and, during the proceedings, declared the extraordinary termination without notice of the employment relationship on the grounds of procedural fraud.

The Lingen Labor Court not only upheld the application for protection against dismissal, but also awarded the plaintiff the bonus claim he had asserted.

Reasons for the decision

The Lower Saxony Regional Labor Court considered the admissible appeal to be well-founded.

Insofar as relevant here, the judgment of the lower court was overturned and the action dismissed.
The Lower Saxony Regional Labor Court found that the employment relationship between the parties had been terminated by the defendant's extraordinary termination without notice due to attempted trial fraud.

The important reason required for extraordinary termination pursuant to Section 626 (1) of the German Civil Code (BGB) may also lie in a breach of the contractual duties of consideration pursuant to Section 241 (2) BGB. According to this provision, the parties to the employment contract are obliged to show mutual consideration for the rights, legal interests, and interests of the other party. If the employee knowingly makes untruthful statements in the (unfair dismissal) proceedings, he or she not only violates criminal law provisions, but in any case also violates the ancillary obligation to show consideration for the rights, legal interests, and interests of the employer, which continues to exist despite the termination of the employment relationship. It is irrelevant whether the untruthful statement is relevant to the decision, as it is sufficient that it could have been. In this respect, the (unsuccessful) attempt at trial fraud is equivalent to the completed offense. The wrongfulness of a false statement cannot depend on how obvious it is to the other party or the court, but only on whether the deceiver considers it suitable and intended to bring about a favorable outcome of the proceedings for him.

Only a statement of fact, i.e., a statement whose truth or falsehood can be proven, can be recognizably untrue. A statement is therefore false if it inaccurately reflects reality.

Termination for cause due to (attempted) litigation fraud therefore requires the intentional assertion of untrue facts with the aim of misleading the court, causing it to issue a judgment favorable to the deceiver, which leads to a financial disadvantage for the opposing party.

The assertion of a claim could also constitute conclusive deception about facts. Although legal opinions as value judgments cannot be the subject of deception, if the statements contain a core of facts that can be proven, deception can occur. This is the case if the demand for performance establishes a connection to an inaccurate factual basis or to facts justifying the claim.

The plaintiff sued for a bonus claim. The basis for the claim was to be the document he submitted as an employment contract from 2016. The plaintiff knew that this contract between him and the defendant had not been concluded. By conceding in the proceedings that the agreement submitted by the defendant essentially corresponded to his document, the plaintiff showed that he was aware that both parties had never agreed on the contract he had submitted. In doing so, he indicated that he had at least accepted the incompleteness and inaccuracy of his submission.

As a result, the court considered the plaintiff's statement of facts regarding the allegedly contractually agreed entitlement to bonus payments to be true, going beyond a mere legal opinion and having its factual basis in the contract document. The defendant was therefore able to present and prove both the objective and subjective elements of attempted litigation fraud in the proceedings.

Due to the seriousness of the attempted litigation fraud in the present case, a prior warning was also deemed unnecessary.

Practical tip

This decision shows that the factual basis of a claim – in this case, the contract document submitted by the plaintiff – can also be an assertion of fact and that a claim based on the document therefore not only represents an "erroneous" legal opinion, but also contains a statement of fact that is untrue.

When introducing documents into the (termination) process, employees are advised to ensure that they are accurate.

Employers are advised not to accept deliberately incorrect statements made by employees in court proceedings, but to take further action under labor law. In addition to applying for termination under Section 9 (1) of the German Employment Protection Act (KSchG), this may also include issuing an extraordinary termination without notice. This not only improves the employer's position with regard to the desired termination of the existing employment relationship with the employee, but also improves their position in settlement negotiations and increases the employee's willingness to reach an agreement. It should be noted, however, that the employer bears the burden of proof for any procedural fraud it alleges as grounds for termination. There must therefore be sufficient factual evidence for this, which should be carefully examined by the employer in advance.