Quantum computing is poised to profoundly reshape the cybersecurity landscape, with significant legal and regulatory implications. By introducing fundamentally different computational methods that process many possibilities simultaneously, quantum computing has the potential to undermine, and ultimately render ineffective, many of the encryption techniques in use today. The result is a significant systemic risk across critical infrastructures, including financial systems, communications networks, and digital identity frameworks. The risk is not theoretical: threat actors are already “harvesting” encrypted data with a view to decrypting it once quantum capabilities mature.

Regulators are signalling that organisations cannot afford to wait. With expectations shifting toward quantum-resilient security, businesses that fail to assess and plan for the transition could face significant enforcement, reputational damage, and litigation risk. As quantum computing converges with AI to accelerate cyber threats, the message is clear: quantum readiness is no longer a future concern; it is a present-day priority. Key steps include identifying and prioritising cryptographic assets, building quantum-resistant measures into technology environments, embedding quantum risk into governance and risk assessments, and planning for a structured transition to quantum-resistant standards. Early action will be critical to maintaining compliance and resilience as the threat landscape evolves.
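The first step named above, identifying and prioritising cryptographic assets, is usually done over an inventory exported from certificate stores, key management systems or a CMDB. The script below is an added illustration of that step; it is not code from the article or from the firm. The inventory rows are constructed, the vulnerability table (Shor breaks RSA, DSA, DH and elliptic-curve schemes at any key size; Grover roughly halves symmetric key strength) reflects the standard post-quantum analysis, and the prioritisation uses a Mosca-style rule (data lifetime plus migration time exceeding the assumed time to a cryptographically relevant quantum computer means the data is already exposed to harvest-now-decrypt-later). The ten-year horizon and three-year migration time are placeholder assumptions to be replaced by an organisation's own estimates.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory (hypothetical assets, not real systems), in the
# shape a certificate/KMS scan or CMDB export might produce.
INVENTORY_CSV = """\
asset,algorithm,key_bits,purpose,data_lifetime_years,exposure
web-gw-01,RSA,2048,tls_key_exchange,1,internet
vpn-hub,ECDH,256,key_exchange,15,internet
archive-kms,AES,128,data_at_rest,25,internal
code-signing,ECDSA,384,signature,10,internet
backup-enc,AES,256,data_at_rest,30,internal
ssh-bastion,Ed25519,256,authentication,1,internet
"""

# Public-key families whose hardness assumption (factoring / discrete log)
# Shor's algorithm removes outright; a longer key does not help.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "Ed25519", "Ed448"}
# Symmetric ciphers: Grover's search halves the effective key strength, so a
# 128-bit key drops to ~64-bit while a 256-bit key keeps ~128-bit security.
SYMMETRIC = {"AES", "ChaCha20"}
# Purposes where ciphertext recorded or copied today can be decrypted later
# ("harvest now, decrypt later"); signatures and logins are not exposed that way.
CONFIDENTIALITY = {"tls_key_exchange", "key_exchange", "data_at_rest"}

# Assumed planning parameters (placeholders, not figures from the article).
YEARS_TO_CRQC = 10    # assumed horizon for a cryptographically relevant quantum computer
MIGRATION_YEARS = 3   # assumed time needed to migrate one asset to PQC


@dataclass
class Finding:
    asset: str
    quantum_vulnerable: bool
    reason: str
    priority: int  # 0 = no action required, higher = migrate sooner


def classify(algorithm: str, key_bits: int):
    """Return (vulnerable, reason) for one algorithm/key-size pair."""
    if algorithm in SHOR_VULNERABLE:
        return True, f"{algorithm} is broken by Shor's algorithm at any key size"
    if algorithm in SYMMETRIC:
        effective = key_bits // 2
        ok = effective >= 128
        return (not ok), f"{algorithm}-{key_bits} gives ~{effective}-bit security under Grover"
    return False, f"{algorithm} not in classification table; review manually"


def score(vulnerable: bool, purpose: str, lifetime_years: int, exposure: str) -> int:
    """Mosca-style prioritisation: secrets that must survive longer than
    migration time plus the CRQC horizon are already at harvest-now risk."""
    if not vulnerable:
        return 0
    prio = 1
    if purpose in CONFIDENTIALITY and lifetime_years + MIGRATION_YEARS > YEARS_TO_CRQC:
        prio += 2
    if exposure == "internet":
        prio += 1
    return prio


def prioritise(csv_text: str):
    """Parse an inventory CSV and return findings, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vulnerable, reason = classify(row["algorithm"], int(row["key_bits"]))
        prio = score(vulnerable, row["purpose"], int(row["data_lifetime_years"]), row["exposure"])
        findings.append(Finding(row["asset"], vulnerable, reason, prio))
    return sorted(findings, key=lambda f: -f.priority)


if __name__ == "__main__":
    for f in prioritise(INVENTORY_CSV):
        print(f"{f.priority}  {f.asset:<14} {f.reason}")
```

Run on the constructed inventory, the long-lived VPN key exchange and the AES-128 archive rise to the top even though the internet-facing RSA web gateway looks more exposed, because the short lifetime of its session data keeps it below the harvest-now threshold; the AES-256 backup needs no migration at all.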

Our full article – a review of the legal implications of quantum computing and its ability to overcome current cryptography methods – is available on our Algorithm to Advantage insights page.

The KRITIS Umbrella Act (Dachgesetz zur Stärkung der physischen Resilienz kritischer Anlagen – KRITISDachG) has been in effect since March 17, 2026. For operators of critical infrastructure in Germany, this means: new obligations, tight deadlines, and hefty fines require swift action. For the first time, the law establishes a cross-sector legal framework to strengthen physical resilience and applies to operators of critical facilities across ten sectors – ranging from telecommunications, energy, and transportation to healthcare and space. In this article, you’ll learn who is affected, what obligations exist, how regulatory responsibilities are distributed, and what penalties apply for violations.

  1. The five most important takeaways for your company
  • The registration requirement takes effect on July 17, 2026 – affected operators must register with the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe – BBK)/Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) within three months of being identified as a critical infrastructure. Attention: Immediate action required – those who fail to act now risk fines.
  • Broad scope of application: The law addresses operators of critical infrastructure in ten sectors.
  • Comprehensive operator obligations: The list of obligations follows a comprehensive all-hazards approach.
  • Significant risk of fines: Violations of key operator obligations may result in fines of up to EUR 1,000,000.
  • Personal responsibility of management: Management is personally responsible for approving and monitoring resilience measures (Sec. 20 KRITISDachG).

  2. Background and Objectives of the KRITISDachG

The KRITISDachG serves to implement the CER Directive on the resilience of critical entities (Directive (EU) 2022/2557). The objective is to ensure the maintenance of key economic and societal functions in the event of natural disasters, technical failures, sabotage, or other hybrid threats, specifically through cross-sectoral minimum standards for the physical protection of critical infrastructure. It thus supplements existing regulations on IT security – particularly the amended national BSI Act (BSIG) as the central implementing instrument of the NIS2 Directive (Directive (EU) 2022/2555) – with a physical component.

  3. Sectors Affected

The law applies to operators of critical facilities, i.e., natural or legal persons as well as other organizational units that have a decisive influence on facilities that are essential for the provision of critical services (see Sec. 2 nos. 1 – 4 KRITISDachG).

The law defines ten sectors in Sec. 4 (1) KRITISDachG: information technology and telecommunications, energy, transport and traffic, finance, social security services and basic income support for job seekers, healthcare, water, food, space, and municipal waste management.

Which services are to be classified as critical within the individual sectors and the criteria according to which facilities are considered significant for the provision of critical services will be determined separately by a statutory ordinance issued by the Federal Ministry of the Interior (Bundesministerium des Innern – BMI) (Sec. 4 (3) and 5 (1) KRITISDachG). Facilities that meet these criteria are considered critical facilities.

“Criticality” is therefore presumed to exist if a facility is necessary to provide a critical service and exceeds a threshold value specified in the statutory ordinance (Sec. 5 (1) sentence 1 no. 2 KRITISDachG). The threshold is determined based on the population to be served, with a population of 500,000 generally serving as the basis (Sec. 5 (2) sentence 2 KRITISDachG).

A state-level exemption clause allows the federal states to classify regionally significant facilities below the threshold as critical (Sec. 5 (7) KRITISDachG) – such as a hospital indispensable to the region or a water supply system.

Affected companies typically include energy suppliers, telecommunications providers, network operators, municipal utilities, airports, ports, and railway hubs, hospitals and pharmaceutical companies, water suppliers, data centers, and large food producers and logistics providers.

Federal government agencies that perform exclusively national security, defense, or law enforcement functions are largely exempt (Sec. 7 (1) no. 2 and (2) sentence 2 KRITISDachG).

  4. Key Obligations and Sector Exemptions

A defining feature of the new legal framework is a multi-tiered resilience system that links government risk analyses with comprehensive operator obligations. In doing so, the law adopts a so-called all-hazards approach: every risk – from natural disasters to sabotage and terrorist attacks to human error – must be included in the risk analysis.  

An overview of the core provisions:

  • Cross-sectoral risk analyses by federal and state ministries for critical services (Sec. 11 KRITISDachG),
  • Registration with the BBK/BSI within three months of identification as a critical facility, no earlier than July 17, 2026 (Sec. 8 (1) KRITISDachG),
  • Risk analysis (Sec. 12 KRITISDachG) for the first time no later than nine months after registration (Sec. 8 (7) KRITISDachG), thereafter as needed, but at least every four years,
  • Resilience measures and resilience plan (Sec. 13 KRITISDachG) for the first time no later than ten months after registration (Sec. 8 (7) KRITISDachG), including emergency response teams, physical security, access controls, emergency power supply, and staff training,  
  • Reporting obligations: Upon request, evidence of compliance with these obligations must be provided (Sec. 16 KRITISDachG), and incidents must be reported immediately, no later than 24 hours after becoming known (Sec. 18 (1) KRITISDachG),
  • Personal responsibility of management for approving and monitoring resilience measures (Sec. 20 KRITISDachG).

The core of these requirements consists of resilience obligations under Sec. 13 KRITISDachG. To specify these obligations, the BMI may establish cross-sectoral minimum requirements (Sec. 14 (1) KRITISDachG). In addition, operators or their industry associations have the option of proposing industry-specific resilience standards (Sec. 14 (2) KRITISDachG). Sector-specific requirements issued by federal ministries or state governments are only permissible on a subsidiary basis and in agreement with the BMI (Sec. 14 (3) and (4) KRITISDachG). The provisions on sector-specific requirements will not take effect until January 1, 2030, in order to give priority to the development of industry-specific standards (see Sec. 14 (2) KRITISDachG).

Furthermore, the law provides for sector-specific exemptions to avoid double regulation (Sec. 4 (2) nos. 1 – 3 KRITISDachG):

  • These apply to operators in the financial sector who are already subject to the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), as well as operators in the IT and telecommunications sector for whom a resilience and security regime exists under the NIS2 Directive and its national implementation in the BSIG. In these areas, key operator obligations – such as risk analysis and risk assessment (Sec. 12 KRITISDachG), ensuring resilience (Sec. 13 KRITISDachG), and providing evidence (Sec. 16 KRITISDachG) – are exempted, while the registration requirement (Sec. 8 KRITISDachG) and provisions regarding national risk analyses and assessments (Sec. 11 KRITISDachG) continue to apply.
  • Similar exemptions apply to operators of critical facilities in municipal waste management and in the social security/basic income support sector, although risk analysis and assessment obligations (Sec. 12 KRITISDachG) expressly remain in effect.

  5. Penalties for Violations

Violations of key operator obligations may result in fines of up to EUR 1,000,000 as well as administrative orders. The graduated fine scale depends on the nature and severity of the violation. It has been increased from a maximum of EUR 500,000 to EUR 1,000,000 compared to the government draft (as of November 2025).

If managers violate their duty to approve the specific resilience measures to be taken pursuant to Sec. 13 (1) KRITISDachG as appropriate and to continuously monitor their implementation (Sec. 20 (1) KRITISDachG), they are liable to their organization for damages caused through negligence (Sec. 20 (2) KRITISDachG); the governing body remains ultimately responsible.

  6. Competencies of the Authorities

Responsibility for critical services lies with different federal (Sec. 3 (2) nos. 1 – 12 KRITISDachG) or state authorities (Sec. 3 (6) KRITISDachG), depending on the sector, such as the BMI (for critical services provided by federal administrative bodies) and the Federal Network Agency (Bundesnetzagentur – BNetzA) (e.g., for critical telecommunications services).

The central contact point for ensuring cross-border cooperation with contact points in other Member States (Art. 9 (2) CER Directive) is the BBK, Sec. 3 (1) KRITISDachG.

The BBK is the competent authority for imposing administrative fines for violations of registration requirements; in all other cases, the competent (sector-specific) authority pursuant to Sec. 3 (2) sentence 1 KRITISDachG (Sec. 24 (3) KRITISDachG) is responsible.

  7. Conclusion and Outlook

With the KRITISDachG, the national legislature supplements existing resilience requirements – which until now have been primarily focused on cyber and information security – with physical security requirements. Within the framework of a risk-based “all-hazards approach,” the KRITISDachG establishes continuous and comprehensive resilience management for operators; at the same time, sector-specific exemptions consider the goal of avoiding double regulation.

Even though critical services, resilience obligations, and minimum standards are yet to be specified by statutory ordinance (upon whose entry into force the previously applicable BSI-Kritisverordnung will be repealed), it is advisable for the affected sectors to review the new legal requirements at an early stage, especially since the KRITISDachG provides for substantial fines for violations.

Organisations increasingly use AI-enabled tools throughout the recruitment process. These tools screen CVs, score suitability, run online assessments, and analyse behaviour. They can speed up hiring and may help reduce the human bias found in traditional recruitment. However, their use often clashes with data protection rules that limit decisions based only on automated processing. On 31 March 2026, the Information Commissioner’s Office (ICO) published a report and draft guidance on automated decision-making in recruitment. The report draws on evidence from more than 30 employers. It also includes public perception research reflecting views from graduates, civil society, government, trade unions, and industry bodies.

A key finding is that many employers fail to recognise that they are using automated decision-making (ADM). As a result, they do not put essential safeguards in place. These safeguards include transparency, bias monitoring, accountability, and respect for data subject rights. The ICO’s message is clear. Employers must follow the guidance. Where organisations fall short, the ICO signals that enforcement action may follow.

Summary of the ICO’s Key Findings

Most employers told the ICO that they use automated tools only for decision support. In practice, however, the evidence showed that many tools make decisions without meaningful human involvement. The ICO stresses that human involvement must be active and genuine. It cannot be a token step or a rubber-stamping exercise.

A human must be able to influence the decision before it takes effect. They must have the authority, discretion, and competence to change the outcome. If this standard is not met, the process counts as solely automated. This remains true even if a person appears in the decision chain.

The Impact of the Data (Use and Access) Act

The new Data (Use and Access) Act (DUAA) offers greater flexibility for employers using automated tools in recruitment. Under Article 22 of the UK GDPR, the law treated automated decision-making as largely prohibited, with narrow exceptions. The DUAA reframes this position. It creates a right to challenge automated decisions, supported by safeguards, rather than a general ban.

This change gives employers more scope to use automation, provided they put proper protections in place. Where special category data is involved, however, the stricter rules still apply.

Two Routes for Employers from the ICO

The ICO sets out two options for employers:

  1. Acknowledge solely automated decision-making.
    Employers can accept that the process lacks meaningful human involvement. They must then recognise that they are carrying out ADM and apply the required safeguards.
  2. Ensure meaningful human involvement.
    Employers can redesign their processes so a human plays a genuine role in each decision for each candidate.

This second option sets a high bar. For organisations handling large volumes of applications, it will often prove impractical. In reality, many employers will need to follow the first route.

The ICO’s Required Steps Where Decisions Are Solely Automated

Where employers rely on solely automated decision-making, the ICO expects them to take several steps.

First, employers must identify a lawful basis for processing. The DUAA removes the previous limitation to consent or contractual necessity in recruitment, provided no special category data is involved. Employers may now rely on legitimate interests.

Second, employers must provide clear and timely transparency. They must explain how the automated decision works and its likely effects. A brief mention hidden in a general privacy notice will not be sufficient.

Third, employers must implement safeguards. Candidates must know about the automated process. They must have the chance to make representations, request human review, and challenge the decision.

Fourth, employers should carry out fairness testing and bias reviews. This includes questioning vendors about their own bias testing during procurement. Employers should also run trials, monitor outcomes over time, and share clear information about the tools’ accuracy and performance.

Finally, employers must complete data protection impact assessments (DPIAs). The ICO found that many existing DPIAs lack the detail needed to meet legal requirements.

What This Means for Organisations

Organisations should review their use of AI in recruitment. They should assess whether processes involve solely automated decision-making. This is particularly relevant where CV filtering, suitability scoring, or behavioural assessments play a role.

DLA Piper works closely with clients to support compliant use of ADM in recruitment. This work includes developing due diligence processes to assess fairness and bias in vendor tools. It also includes drafting transparency information that meets the ICO’s expectations at each stage of recruitment and preparing detailed DPIAs and legitimate interests assessments.

DLA Piper also helps clients design processes for handling candidate objections and requests for human review. Awareness of data protection rights is growing. Candidates increasingly exercise these rights, often using AI-generated requests. This area demands careful attention. The ICO’s guidance provides limited operational detail, making practical legal support especially valuable.

For organisations operating across borders, DLA Piper uses its global network to align UK and EU approaches to automated decision-making. In the EU, organisations must consider not only the GDPR but also the AI Act. You can view our Data Protection Laws of the World to gain insight on any current or upcoming regulations that may affect you. You may also view our AI Laws of the World to understand the ever-changing landscape of AI regulation.

Providers of online coaching services take note: The German Federal Court of Justice (BGH) has recently provided clarity on which coaching offerings qualify as “distance learning” and thus, fall under the approval requirement of the German Distance Learning Act (FernUSG).

Anyone offering digital coaching models without the required official approval is taking a major risk: in such cases, the provider’s instructional contracts may be void, customers may reclaim all fees paid, and providers might even face fines.

After the BGH ruled in 2025 that common online coaching formats and other digital instructional models may fall under the definition of “distance learning” according to the FernUSG (BGH – Judgment of June 12, 2025 – III ZR 109/24), many coaching providers became concerned.

Under Section 12 (1) FernUSG, distance learning courses require official approval. This approval, granted by the Central Office for Distance Learning (“ZFU”), comes at a cost. And it applies to each individual course, meaning that providers offering several different courses must obtain approval for each one separately. For providers, the decisive question as to whether their offering has a lawful and economically viable basis is therefore: Are their coaching models classified as distance learning?

In our Regulatory wake-up call last year, we outlined when providers must expect their instructional models to be subject to approval. The assessment hinges on the definition of distance learning set out in Section 1(1) FernUSG: distance learning refers to the

  • contractual and remunerated transmission of knowledge and skills,
  • where the provider and participant are exclusively or predominantly physically separated,
  • and where the provider or their agent monitors the learner’s progress.

We pointed out the key elements of this definition and noted that the term “participant” covers not only consumers but also businesses. Accordingly, the FernUSG also applies to B2B coaching contracts. We further outlined how providers can obtain the required approval from the ZFU, and what steps they must take if they failed to secure approval and are now facing potential refund claims. In February 2026, the BGH further clarified the criteria for distance learning (BGH – Judgment of February 5, 2026 – III ZR 137/25). In that ruling, the BGH addressed the requirement of “physical separation”, on which the classification as distance learning stands or falls.

The prevailing view in the literature has long argued that the requirement of physical separation cannot be understood as referring merely to providers and participants being located in different places. Rather, it must be understood to require that the delivery of instructional content and its reception by the participant take place at different times, i.e. asynchronously. This interpretation was based on the purpose of the FernUSG, which was designed to address the specific risks associated with learning formats in which teaching and learning are separated not only spatially but also temporally, thereby limiting direct interaction and control. However, the BGH had not previously confirmed this interpretation. In its decision of 12 June 2025, the court explicitly raised the issue but ultimately left it unresolved.

Meanwhile, voices have also emerged opposing the requirement of asynchronicity. They rely on the clear wording of Section 1 (1) FernUSG, which contains no such requirement. It was argued that the protective purpose of the FernUSG is also engaged by live online coaching, because the risk posed by dubious coaching providers is significantly higher online. Moreover, according to the reasoning of the government’s draft of the FernUSG, the legislature acknowledged the possibility that instruction can be transmitted into another room and yet required only spatial and not temporal separation.

In its February 2026 ruling, the BGH has now expressly affirmed the requirement of asynchronicity. The judgment also provides important guidance on distinguishing permissible pricing from usurious pricing in coaching contracts.

Distance learning only where knowledge is transmitted “asynchronously”

According to the BGH, the decisive factor is the purpose and intent of the historical legislator when the FernUSG was enacted in 1976. The legislator sought not only to distinguish distance learning from in‑person instruction, but especially from direct instruction. In direct instruction, knowledge is transmitted through direct communication, giving participants – similar to in‑person settings – the opportunity to contact the provider directly and without effort. By contrast, the essence of distance learning lies in the participant working through materials provided by the provider independently and with flexible scheduling.

When the FernUSG was enacted, the legislator did not foresee the possibility of real-time interaction via online platforms. The legislator may have recognized the possibility of transmitting instruction into another room, but not the possibilities of synchronous, bidirectional communication that exist today. Therefore, the BGH has now clarified that the statutory requirement of physical separation between provider and participant only fulfills its intended purpose where the structure of the course reflects the core characteristic of distance learning: asynchronous communication. In other words, the instructional content must be delivered at one point in time and retrieved by the participant at another. The risk posed by dubious providers does not alter this conclusion. Customers are protected from dubious providers through other regulations.

This has important practical consequences. The BGH makes clear that online instruction involving real-time interaction between provider and participant does not qualify as distance learning within the meaning of the FernUSG. Even if teaching takes place exclusively online, formats such as live virtual classrooms, webinars with direct interaction or other synchronous teaching settings fall outside the statutory concept of distance learning.

For providers of digital coaching, this distinction is highly relevant: whether a format is structured synchronously or asynchronously determines whether the FernUSG applies at all – that is, whether contracts concluded without ZFU approval are void or not.

Compliance checks are essential when structuring hybrid models

Providers offering both live teaching units and additional learning materials for independent use must exercise particular caution when assessing whether their services fall within the scope of the FernUSG, in order to avoid financial disadvantages and potential regulatory sanctions.

Under Section 1 (1) FernUSG, it is sufficient for “predominant” physical separation (more than 50%) to exist for the model to qualify as distance learning. Thus, for hybrid models, the decisive factor is the focus of the instructional contract, namely whether the synchronous or asynchronous components predominate.

When making this determination, the BGH stresses that what matters is not how the instruction is delivered in practice, but what the parties contractually agreed upon. It is irrelevant how the actual instruction occurred or to what extent the learner made use of the individual services. Consequently, contractual design becomes a critical compliance factor in hybrid models. Key questions include:

  • How often and to what extent are real‑time teaching sessions agreed?
  • Do these sessions provide for direct interaction?
  • What specific materials (scripts, learning videos, etc.) are to be provided?
  • Does the live instruction constitute the core of the training program, with materials being merely supplementary? Or is the reverse true?

Through careful contractual structuring, providers can proactively avoid having their offerings classified as distance learning.

Pricing may be based on market rates – even if the coaching market is generally characterized by “exorbitant prices”

Providers will also take note of the BGH’s statements regarding pricing. Much of the effort involved in providing coaching takes place in the preparatory stages – often invisible to the participant. While participants may perceive the fee as disproportionately high when compared to the actual time spent in live sessions, providers must rely on the fee to cover their overall preparatory work.

In the case at hand, the plaintiff argued that the objective value of the coaching services was grossly disproportionate to the fee charged, rendering the contract immoral and void under Section 138 (1) of the German Civil Code (BGB). Under German case law, contracts are typically considered immoral where the objective value of the performance is roughly twice the value of the counter-performance. In such cases, providers risk nullity of the instructional contract and may not receive compensation even for services already rendered. The plaintiff considered these requirements to be met and therefore demanded reimbursement of the fee she had paid. The defendant provider countered that the fee was in line with market rates. The plaintiff would have none of that, asserting that the coaching market was generally characterized by “exorbitant prices” and that comparable learning videos were available online at much lower cost.

The BGH rejected the plaintiff’s reasoning. Whether comparable learning videos can be purchased at significantly lower prices is irrelevant, as such videos represent only part of the contractual performance. The objective value of coaching services is determined by the customary and economically still reasonable fee, which can be established through a market comparison.

The BGH’s statements offer legal certainty for providers: they may base their pricing on the customary market rates for comparable coaching services.

Strengthening your coaching model under the updated legal framework

Providers can now assess with greater certainty whether their offerings fall within the scope of the FernUSG and how pricing risks are evaluated under German law. At the same time, the rulings underscore the importance of careful contractual structuring and thoughtful product design, especially for hybrid formats. For providers, this is an opportune moment to review existing models and ensure that both regulatory and contractual frameworks support sustainable business operations.

On 10 February 2026, the Federal Government adopted its official government draft (Regierungsentwurf) for the AI Market Surveillance and Innovation Promotion Act (KI-Marktüberwachungs- und Innovationsförderungs-Gesetz – KI-MIG), setting out Germany’s supervisory architecture, enforcement powers, and penalty regime for AI systems under the EU AI Act (Regulation (EU) 2024/1689).

In our earlier overview of EU AI Act implementation across key Member States, we noted that Germany’s national implementation remained underway, with a ministerial draft (Referentenentwurf) dated 11 September 2025. The new government draft is an update of the earlier ministerial draft – especially in relation to competent authorities and administrative fines – and marks the official start of the legislative process.

Supervisory Architecture

Germany has opted for a hybrid supervisory model: no new agency, but a strong central authority supplemented by sector-specific regulators.

BNetzA as central authority: The German Federal Network Agency (Bundesnetzagentur – BNetzA) will be the default market surveillance authority (Sec. 2 (1) KI-MIG), the single point of contact for the EU AI Office (Sec. 6 KI-MIG) and the central complaints office (Sec. 8 KI-MIG). BNetzA will also operate at least one AI regulatory sandbox with priority access for SMEs, start-ups, and research institutions (Sec. 13 KI-MIG).

Coordination and Competence Centre (KoKIVO): Established within the BNetzA (Sec. 5 KI-MIG), KoKIVO pools AI expertise centrally and makes it available to other competent authorities. For companies, this means interpretive guidance will largely flow from one hub, even where a sector-specific regulator is appointed.

Sector-specific authorities: Existing regulators responsible for harmonised EU product legislation (such as medical devices, machinery, radio equipment) will retain competence for AI systems related to those products (Sec. 2 (2) KI-MIG).

Media service providers: There is a notable exception for the media sector. AI systems used by media service providers (as defined in the European Media Freedom Act, Regulation (EU) 2024/1083 – EMFA) for journalistic or advertising purposes are placed under the “responsibility of the competent authorities under state law”, i.e., the state media authorities (Landesmedienanstalten) rather than BNetzA (Sec. 2 (8) KI-MIG). This division of responsibilities ensures compliance with the constitutional requirement of state neutrality in media supervision. The German federal states intend to lay down the relevant supervisory and competence rules for the state media authorities in the planned State Treaty on Digital Media (Digitale-Medien-Staatsvertrag).

BaFin for financial services: The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) will receive a broad mandate to supervise AI systems connected to regulated financial activities (Sec. 2 (3) KI-MIG). Supervised entities include credit institutions and insurers, as well as crypto-asset service providers and pension funds (among others). BaFin will develop its own cybersecurity testing guidelines for high-risk AI systems, in agreement with BNetzA and the market surveillance authority under the Cyber Resilience Act (Regulation (EU) 2024/2847) (Sec. 10 (2) KI-MIG). This ensures the EU DORA Regulation (Regulation (EU) 2022/2554) remains the lex specialis, exempting these entities from the standard joint cybersecurity guidelines developed by BNetzA and the federal cybersecurity authority, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI). BSI will exercise this role on a transitional basis until a dedicated market surveillance authority is formally designated under the Cyber Resilience Act (Sec. 10 (4) KI-MIG).

Independent AI Market Surveillance Chamber: For certain sensitive high-risk AI systems, an independent three-member chamber (KI-Marktüberwachungskammer) is created within BNetzA (Sec. 2 (5) and 4 KI-MIG), namely for

  • biometric AI systems (Annex III No. 1) when used for law enforcement, border management, or justice/democratic processes,
  • as well as all high-risk AI systems in the areas of
    • law enforcement (Annex III No. 6),
    • migration, asylum and border control (Annex III No. 7),
    • and justice and democratic processes (Annex III No. 8).

The KI-Marktüberwachungskammer operates with complete independence and reports annually to the Bundestag. The draft explains why the data protection authorities (DPAs) were not chosen: divergent interpretations, jurisdictional fragmentation, and competition for scarce AI specialists. The chamber’s mandate does not extend to reviewing individual deployment orders (e.g., judicial authorisations for real-time biometric identification), only to market surveillance of the systems themselves (Sec. 4 (5) KI-MIG).

Federal states carve-out: Where public bodies of the federal states place AI systems on the market, put them into service or use them, market surveillance will fall to the authorities designated under the respective state law, not to BNetzA (Sec. 2 (6) KI-MIG). This constitutionally required allocation (Eigenstaatlichkeit der Länder) means that companies supplying AI systems to state-level government clients, such as state police forces, courts, or social welfare offices, may also need to engage with the relevant state authority rather than BNetzA.

Investigative and Enforcement Powers

International companies should be aware of the robust enforcement toolkit granted to authorities under the draft law.

Extensive Inter-Agency Information Sharing: German market surveillance authorities are explicitly permitted to exchange information with each other, including personal data and business and trade secrets, if strictly necessary to fulfil their tasks (Sec. 9 KI-MIG). While bound by confidentiality, this creates a highly networked environment in which findings can be shared seamlessly between authorities such as BNetzA, the Data Protection Authorities (DPAs) or the Federal Cartel Office (Bundeskartellamt).

Remote Access and External Experts: Authorities can exercise their investigative powers remotely via Application Programming Interfaces (APIs) or other technical means. They are also permitted to hire external third-party experts (Verwaltungshelfer) to assist with technical processes and investigations (Sec. 11 (2) KI-MIG).

Unannounced Inspections: Inspections of premises and vehicles can be conducted unannounced during regular business hours, and even outside these hours to prevent urgent threats to public safety and order (Sec. 11 (3) KI-MIG).

Immediate Enforcement: Legal challenges (objections and lawsuits) against decisions made by BaFin, or decisions regarding specific products like medical devices and radio equipment, have no suspensive effect (keine aufschiebende Wirkung) (Sec. 11 (7) KI-MIG). This means companies must comply with the regulatory order immediately, even while appealing it.

Enforcement Tactics: The explanatory memorandum highlights that authorities will proactively police the market through anonymous test purchases (mystery shopping) in e-commerce and physical stores, and by cooperating closely with customs authorities and online platforms.

Administrative Fines

The fines of the EU AI Act apply directly, but German administrative offence procedure will govern their imposition (Sec. 16 KI-MIG), displacing Sec. 17 and Sec. 30 (1) and (2) of the German Administrative Offences Act (Ordnungswidrigkeitengesetz).

The KI-MIG will also add supplementary national fines of up to EUR 50,000 for violations not covered by Art. 99 of the AI Act, including failures related to information transmission (Art. 21), fundamental rights impact assessments (Art. 27), duties of notified bodies (Art. 45) and explanations to affected persons (Art. 86 (1)) (Sec. 15 KI-MIG).

Strict Obligations Upon Ceasing Business (Liquidation)

For international companies setting up German subsidiaries or appointing a German authorised representative (Bevollmächtigter), the draft contains requirements regarding the end of a business lifecycle. If the provider or the authorised representative ceases its business activities, the legal obligation to retain all AI Act-related documentation automatically transfers to the person responsible for the liquidation or the insolvency administrator (Sec. 18 KI-MIG).

Whistleblower Protection

The government draft will also amend Germany’s Whistleblower Protection Act (Hinweisgeberschutzgesetz) to explicitly cover violations of the EU AI Act (Art. 2 of the draft). This means that persons who report AI Act violations will benefit from the full protections against retaliation available under German whistleblower law, implementing Art. 87 of the EU AI Act.

Innovation Promotion

BNetzA will operate an AI Service Desk (which it has already started to establish), deliver awareness and training programmes (especially for SMEs), and advise public-sector bodies on AI system classification (Sec. 12 KI-MIG). The AI regulatory sandbox extends priority access to research institutions and universities (Sec. 13 KI-MIG). For real-world testing of high-risk AI outside sandboxes, a tacit approval mechanism applies: if the authority does not respond within 30 days, the test is deemed approved (Sec. 14 (2) KI-MIG).

Next steps

The adoption of this government draft marks the official start of the legislative process. Although this is not yet the final law, the government has signalled a clear intent to fast-track proceedings given that the EU AI Act’s implementation deadline of 2 August 2025 has already been missed.

We expect the Bundestag to debate the draft in the coming weeks. Stakeholders should pay close attention to potential amendments, particularly regarding the exact delineation of powers between the BNetzA and other authorities as well as the entry-into-force date after enactment.

NIS2, the EU’s second Network and Information Systems Directive, is not going anywhere. While the swathe of organisations newly in scope of the EU’s hallmark cybersecurity directive may have hoped that the EU’s recent announcements on regulatory simplification (including the Digital Omnibus) might have reduced their compliance burden, in some cases the EU is actually proposing to expand the scope of NIS2 further.

In a set of proposed targeted amendments to the NIS2 Directive announced on 20 January 2026 (the “Proposal”), the European Commission has suggested a significant change to the organisations in scope of NIS2 that will be of particular note for entities that are operators of Submarine Data Transmission Infrastructure (SDTI). Under the Proposal, operators of SDTI would fall under the scope of NIS2 as a “sector of high criticality” and, presuming they meet the relevant size criterion, will be “essential entities”, triggering higher levels of regulatory supervision, proactive audits, and accountability requirements (including personal liability considerations), all of which could require careful mapping, particularly in complex consortia models.

Building on our recent analysis of the Proposal, this article takes a closer look at the specific changes suggested to bring SDTI squarely into scope, and why SDTI stakeholders should track this closely over the coming months. To note, whilst some organisations operating infrastructure in this space may have already been in scope of NIS2 as providers of public electronic communications networks and services or cloud computing service providers, the Commission is now proposing to specifically target the SDTI sector more broadly. This development reflects the Commission’s intention to harmonise cybersecurity obligations across critical infrastructure and address growing geopolitical and cyber-related risks which it sees as particularly pertinent to undersea communications systems.

What is the change?

As noted by the Commission in their proposals, SDTI has historically been operated by entities already falling within NIS2’s scope (including public electronic communications networks / services or cloud service providers). However, not all SDTI operators fall neatly into these categories, and some entities may operate or lease SDTI without being captured by NIS2. For example:

  • operators of non-public electronic communications networks; and
  • entities leasing or co-operating portions of infrastructure to public network providers.

The proposed inclusion of a specific new category of SDTI within the scope of NIS2 therefore seeks to capture all types of entities operating in submarine data transmission, recognising the increasing risks to submarine data transmission infrastructure and their resulting high criticality.

It is not surprising, then, that under the proposed amendments to NIS2, SDTI is defined broadly. It includes not only the subsea cables themselves but any infrastructure essential to their operation, such as landing stations and the terrestrial portions of the network (i.e. the “fronthaul” segment between the beach manhole and the landing station).

The expanded definition recognises the complex and distributed architecture of SDTI and the essential role it plays in the resilience of the EU’s digital ecosystem. Harmonising the oversight of SDTI operators’ cybersecurity compliance under NIS2 is intended to bolster the resilience, redundancy planning and security of Europe’s digital backbone.

Who could be brought into scope?

In the last several years, the submarine cable industry has seen rapid transformation and convergence, with “big tech” hyperscalers establishing and owning many of the major new submarine cable routes for their own internal capacity requirements, rather than these routes being owned and operated by traditional telecom companies. On our reading of the amendments, such large players in the industry would now appear to be caught under NIS2 in respect of any such use.

Another feature of the sector is the use of consortium-based arrangements for the construction and operation of submarine cable systems. Here, each consortium member will own and operate an agreed number of fibre pairs on the cable system for its own purposes. Prior to the Commission’s Proposal, there was some uncertainty as to whether the use of one fibre pair on a cable as a public electronic communications network, or for the provision of a public electronic communications service, would cause the full system to be subject to NIS2, especially in relation to shared infrastructure (such as repeaters, branching units, SLTE equipment and cable landing infrastructure). The Commission’s Proposal simplifies matters, as it makes clear that all submarine cable system operators will be caught. This is potentially a significant change for consortia cables.

Crucially, NIS2 applies to specific entities not to corporate groups as a whole. A corporate group that owns or co-owns cable infrastructure may therefore have a single SDTI-related entity that falls into scope and that entity must independently meet Annex I obligations.

There are, however, a number of questions arising from the proposed amendments which have not yet been unpacked by the Commission. For example, it is unclear how the territorial reach of NIS2 will apply to SDTI and whether the relevant cable will have to physically land in the EU in order to be caught under NIS2, or whether a cable that does not land in the EU might be caught if the “customer” entity is in the EU. This might be the case where an organisation buys capacity on a US to UK cable, with terrestrial fibre up to a point, and then capacity on a UK to EU cable. It is currently unclear whether such arrangements would be covered, and it is likely that the current jurisdictional rules under Article 26 of NIS2 will require specific amendments in anticipation of this and similar scenarios.

Enhanced Compliance Burden

If the proposals to include SDTI in the scope of NIS2 are realised, operators will face:

  • mandatory implementation of “appropriate and proportionate” cybersecurity measures, including supply chain security requirements;
  • three-stage notification obligations upon the occurrence of a “significant incident” (where an “incident” is defined as an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, and “significance” turns on the availability of the service and the impact; we do not therefore consider that this would include incidents entailing physical damage to the cable), with an early warning required within 24 hours and an incident notification within 72 hours of the organisation becoming aware of the incident, followed by a final report within one month of submitting that incident notification; and
  • management-body accountability, including duties to approve and oversee cybersecurity measures and to receive mandatory cybersecurity training. Supervisory authorities are able to suspend management functions pending breach resolution, and management bodies may be subject to personal liability for non-compliance.

Since the majority of SDTI providers are likely to exceed the thresholds for small and medium-sized entities (i.e. entities which employ fewer than 250 persons and have an annual turnover not exceeding EUR 50 million or a balance sheet total not exceeding EUR 43 million), they are likely to be classified as “essential” rather than “important” entities, and to be subject to the additional burden of proactive enforcement measures, including unplanned audits, temporary suspension of cybersecurity certifications and management functions, and financial penalties of up to EUR 10 million or 2% of global annual turnover, whichever is higher.

Governance Issues for Consortia

As stated above, submarine cable systems are frequently owned and operated by consortia, and fibre pairs might be allocated on a long-term basis (under contracts known as indefeasible rights of use, or “IRUs”) to third parties. This raises structural questions regarding which entity is responsible for NIS2 compliance, for example:

  • Who is the operator?
  • Which party must ensure cybersecurity controls are implemented across shared infrastructure?
  • Which party should be deemed responsible for compliance with NIS2, or would a model of joint responsibility be required?
  • Who must meet the 24-hour incident reporting clock?
  • How should responsibilities be allocated contractually, especially where cable management is outsourced to a landing-party operator or a third-party system supplier?

In the absence of clear EU-wide guidance, these issues will need to be addressed contractually within relevant agreements such as joint build agreements, Construction & Maintenance Agreements (C&MAs) or landing party agreements.

When is the Proposal likely to become law?

Given the significant delays already seen in NIS2 implementation, and the fact that the Proposal will have to go through trilogue, it is likely that the Proposal (whether amended or not) will not become law until the very end of 2026 or, more realistically, sometime in 2027, with an additional 12 months on top of that for its transposition into Member State laws. Accordingly, SDTI entities should anticipate varying timelines, supervisory expectations and registration requirements across Member States once the change is adopted.

What to do now?

To get ahead of the Proposal coming into force (assuming it is adopted in its current form), SDTI stakeholders may want to consider the following actions:

  1. run a targeted applicability assessment to identify SDTI entities that may newly fall within scope of NIS2;
  2. perform a gap analysis against NIS2’s core requirements, focusing on incident reporting readiness and cybersecurity risk management measures;
  3. map consortia and landing-party contracts, inserting clear NIS2 cybersecurity responsibility allocations, flow-down, audit and notification provisions; and
  4. identify current cybersecurity governance arrangements, testing their alignment to the management body requirements, and personal liability, under NIS2.

For more information on NIS2, and cyber security governance generally, please reach out to your DLA Piper contact.

When you think of the CRA, you may picture IoT devices, but the CRA has a far broader scope of application. In this article we examine one of the tricky nuances: distinguishing between a digital product and SaaS under the CRA.

The EU’s Cyber Resilience Act (CRA) looks to reshape product cybersecurity by imposing uniform baseline requirements on “products with digital elements” placed on the EU market. The CRA forms part of the EU’s wider Digital Decade architecture, which includes other cyber security laws such as NIS2 and DORA. One of the key scoping assessments for technology providers/users is the treatment of software delivered as a product, versus software delivered as a service (SaaS). In broad terms, the CRA targets hardware and software made available as products, including embedded and on‑premise software. Pure cloud‑native SaaS is generally excluded unless it is part of, or necessary for, the product’s core functionality. This distinction drives design choices, go‑to‑market models, contractual allocations and compliance strategies.

The Cyber Resilience Act at a glance

The CRA introduces essential cybersecurity requirements for products with digital elements throughout their lifecycle. The CRA aims to reduce product vulnerabilities, ensure manufacturers remain responsible throughout the product lifecycle, improve transparency, and strengthen cybersecurity standards. Manufacturers must implement the familiar-sounding secure-by-design and secure-by-default development processes, conduct risk assessments, maintain technical documentation, perform conformity assessments and, if approved, affix CE markings. There are requirements on vulnerability handling and incident reporting. Further, manufacturers must determine a product support period and clearly set out the end of that period. Importers and distributors assume due-diligence and reporting obligations as part of their roles. Critical products face stricter assessment, including the involvement of regulatory bodies and other EU agencies. Enforcement powers, in the event of failings, include market surveillance, corrective measures and penalties.

The CRA entered into force on 10 December 2024 and applies, in full, from 11 December 2027. Transitional periods apply: the manufacturer reporting obligations for actively exploited vulnerabilities and severe incidents take effect on 11 September 2026.

The CRA’s centre of gravity is “products with digital elements” i.e. hardware or software products with a direct or indirect data connection to a device or network. The concept of ‘digital element’ and the requirement for a ‘connection’ to a device or network should be interpreted broadly. A connection can take various formats – physical or logical, direct or indirect – and a product may have multiple forms of connection simultaneously. For CRA purposes, our view is that what matters is whether the product has any such connection, rather than the specific technical mechanism involved.

Finding the line: SaaS vs SaaP(roduct)

The decisive question is not whether something is “software,” but whether it is made available as a product placed on the market (this is not limited to physical products), as opposed to a service. That framing has practical consequences for cloud‑first businesses.

At one end of the spectrum, embedded firmware, endpoint agents, operating systems, network equipment and IoT devices will ordinarily be within CRA scope. They are marketed and supplied as discrete products, typically licensed or sold, installed or embedded, and updated via supplier channels.

At the other end, pure SaaS offerings, i.e. cloud-hosted applications consumed via the internet without local installation and not presented to the market as a distinct product, are distinguishable as services rather than products. These may then be excluded from the reach of the CRA. Such services are already addressed by adjacent cybersecurity regimes, notably NIS2, which covers digital service providers, and DORA, specifically for financial services ICT.

The challenge with this distinction is that the CRA does capture “remote data processing” within its scope when it is essential to the product’s core functions. While that does not transform every remote capability into a CRA-regulated product, it does mean an assessment should be carried out as to whether the remote component is part of the product itself and necessary for its intended functionality, rather than an ancillary cloud feature. For example, the Commission’s FAQs outline that standalone software that can be downloaded and installed on a device, e.g. a mobile app from an app store or a program downloadable from a website, will be caught.[1] Based on other examples, it could conversely be argued that an online chat function offered to help with financial queries is not, as it is likely to be ancillary. Of course, legal analysis based on the facts is always required.

The question of what is “essential” to a product lies on a complex middle ground, where scoping turns on architecture, packaging and commercial presentation. For example:

  • Software “plus cloud” bundles. If a vendor supplies an endpoint agent or on-premise component that only functions with the vendor’s back-end, the combined system may be treated as a product with digital elements whose core functionality depends on remote processing. In this case, the on-premise component would likely fall under the CRA, and the remote component may also be captured if it is necessary for the product to operate as intended.
  • Feature-gated SaaS reliance. Where a locally installed product functions offline but gates access to cloud-based advanced features, the CRA may apply if those features are needed for the product’s main use. Where the offline baseline is genuinely complete and the cloud features are optional add-ons, the remote service may be considered outside the CRA’s scope. This should be carefully considered and clearly documented.
  • Cloud-delivered software that behaves like a product. Some providers “stream” applications or deliver packaged workloads into the customer environment under a subscription. If the delivered component runs in the customer’s environment and is marketed as software, it may fall within CRA scope, notwithstanding the subscription-based hosted arrangement.

These considerations have strategic implications. Shifting capability from an on‑premise component to a purely remote feature may reduce CRA exposure, only to push it into the reach of other EU cyber-security rules, such as NIS2. Conversely, integrating core functionality into a product can help demonstrate CRA compliance but requires robust development practices, vulnerability disclosure processes, technical documentation and conformity assessments.

Practical implications for product strategy and compliance

For manufacturers and software publishers, the SaaS versus product boundary should ideally be a design-stage decision, though we recognise this may be unrealistic in practice. Where legal and compliance teams are tasked with understanding the CRA’s application, a mapping exercise of the organisation’s core offerings should be performed, and the findings of each CRA applicability assessment documented. This position should be kept under review as regulatory guidance evolves.

Pure SaaS providers, while generally out of scope of the CRA, should not assume a free pass. Cyber security outcomes will still be required up and down the supply chain. Customers will increasingly calibrate their procurement against CRA‑like requirements, when assessing resilience. Convergence around secure‑by‑design, vulnerability handling and coordinated disclosure is likely, regardless of the formal scoping outcome.

Key takeaways for the SaaS vs product boundary

In some cases, the distinction will be clear, but with the advanced functionality of online technologies, the use of SaaS terminology may be misleading. The CRA’s scoping turns on how functionality is delivered and how the offering is placed on the market.

Lastly, the CRA should also not be assessed in isolation as it rubs shoulders with many other EU digital and product laws, such as NIS2, DORA, GDPR, the AI Act and the Data Act to name but a few. For more information on that, keep up to date here: Navigating the EU Digital Decade | DLA Piper

For any questions relating to the CRA or other digital and data laws, reach out to the authors: Linzi Penman, Ryan Wheatley, Shervin Nahid, and Lorcan Burke.


[1] We have considered the CRA FAQs released at the end of last year and updated this year (available here), and the concept of remote data processing is expected to form part of separate guidance from the Commission.

Any cloud service provider seeking to offer cloud services to the German public sector will inevitably have to deal with the Supplementary Contractual Conditions for the Procurement of IT Services (Ergänzende Vertragsbedingungen für die Beschaffung von IT-Leistungen – “EVB-IT”). The EVB-IT were developed by the Federal/State/Local Cooperation Committee (Kooperationsausschuss ADV Bund/Länder/Kommunaler Bereich) in cooperation with the industry association BITKOM and are designed to establish standardized, legally robust contract frameworks for public IT procurement in Germany.

The primary purpose of the EVB-IT is to create legal certainty for both public contracting authorities and IT service providers. By providing predefined contractual structures, the EVB-IT facilitate procurement planning, enable reliable cost estimation and reduce legal risks in public-sector IT projects.

Growing Importance of Cloud Solutions in Public Administration

Cloud computing is becoming an increasingly important component of public-sector IT strategies in Germany. Recent studies show that while approximately 70% of public authorities still use cloud solutions cautiously – typically for less than 20% of their applications – this situation is expected to change significantly in the coming years. By 2028, more than half of German public authorities plan to increase the share of cloud-based applications to between 40% and 60%, while a further 16% anticipate that cloud solutions will account for more than 60% of their IT landscape.[1]

This rapid expansion highlights the growing relevance of cloud services such as SaaS, PaaS, IaaS and managed cloud services in the public sector.

Recognizing early on that cloud computing would become a cornerstone of public-sector IT, the EVB-IT framework was expanded in 2022 by introducing the EVB-IT Cloud – a contract standard tailored specifically to the realities of cloud-based services in public administration.

The EVB-IT Cloud consist of:

  • the EVB-IT Cloud Contract,
  • separate general terms and conditions,
  • a comprehensive technical criteria catalogue, and
  • additional annexes.

Since their introduction, the EVB-IT Cloud have become the authoritative standard contract for the procurement of cloud services by German public authorities. They are specifically tailored to the technical and regulatory characteristics of cloud computing.

Flexibility and Leeway Within the EVB-IT Cloud

Although the EVB-IT Cloud are standard terms, they give cloud service providers considerable leeway for contractual customization.

Unlike many other EVB-IT contract types, the EVB-IT Cloud explicitly allow certain elements of a provider’s own terms and conditions to take precedence. This applies in particular to:

  • reporting obligations,
  • service credit mechanisms in the event of unavailability, and
  • license models and usage metrics, i.e. the way in which cloud consumption is measured and billed.

For cloud providers, this flexibility makes it possible to preserve important aspects of established contractual concepts and operational processes, helping to narrow the gap between public-sector contracts and agreements with private customers.

In addition, the technical criteria catalogue provides broad configuration options. It enables contracting authorities to specify requirements such as data localization, backup concepts, availability levels, response and recovery times, update mechanisms and cooperation obligations, with varying degrees of flexibility. In practice, the catalogue serves as a central instrument for tailoring the EVB-IT Cloud to the needs of each individual procurement project.

Is the Use of EVB-IT Cloud Mandatory?

Despite the flexibility built into the EVB-IT Cloud, cloud service providers often seek to apply their own standard terms as comprehensively as possible. However, public contracting authorities are subject to strict legal constraints under public procurement and budgetary law, particularly when procuring cloud services.

At the federal level, authorities are obliged to use the EVB-IT as the contractual basis for IT procurement. This obligation is derived from Section 55 of the Federal Budget Code (Bundeshaushaltsordnung) and the corresponding administrative regulations.

At state level, several federal states have introduced comparable obligations in their State Budget Codes (Landeshaushaltsordnungen) and related administrative regulations. The extent of this obligation, however, varies significantly between the federal states.

The following overview summarizes which German federal states have adopted budgetary rules mandating the use of the EVB-IT.

Federal state – mandatory application of the EVB-IT:

  • Baden-Württemberg: Yes, if the estimated contract value > EUR 10,000
  • Bayern: Yes, if the estimated contract value is < EUR 216,000
  • Berlin: No
  • Brandenburg: Yes
  • Bremen: Yes, but with the possibility of an exemption permit
  • Hamburg: Yes
  • Hessen: No
  • Mecklenburg-Vorpommern: No, only recommended
  • Niedersachsen: Yes
  • Nordrhein-Westfalen: Yes
  • Rheinland-Pfalz: Yes
  • Saarland: Yes
  • Sachsen: No
  • Sachsen-Anhalt: Yes, for the direct administration of the state of Sachsen-Anhalt
  • Schleswig-Holstein: No
  • Thüringen: No, only recommended

In federal states that have not introduced an explicit budgetary obligation to apply the EVB-IT, public contracting authorities enjoy greater contractual discretion. This discretion is nevertheless limited by general public procurement law, including the principles of transparency, equal treatment and competition.

In practice, even where the use of the EVB-IT is not formally mandatory, contracting authorities frequently continue to follow the EVB-IT structure or use it as a reference framework to ensure legal certainty, procedural consistency and lower internal effort.

Local authorities are generally not directly bound by the budgetary regulations applicable to federal or state authorities. As a result, municipalities may, in principle, decide independently whether to base their IT and cloud procurement on the EVB-IT.

Whether and to what extent the EVB-IT must be applied therefore depends on the budgetary and procurement rules applicable to the individual municipality, as well as on any conditions attached to funding programs or inter-administrative cooperation arrangements.

Conclusion for Cloud Service Providers

Even where a standardized contractual framework applies, the EVB-IT Cloud offer substantial room for practical and commercial adjustments, most notably through the optional precedence of selected provider terms and the flexibility of the technical criteria catalogue.

From a provider’s perspective, the German public sector can therefore represent an attractive customer provided that the structure, objectives and negotiation logic of the EVB-IT Cloud are properly understood and actively utilized.

Cloud service providers that approach the EVB-IT Cloud not as rigid, non-negotiable specifications, but as a structured yet adaptable framework, significantly improve their chances of concluding public-sector cloud contracts that are both economically viable and legally robust.


[1] https://www.protector.de/oeffentliche-verwaltung-setzt-verstaerkt-auf-cloud-dienste; accessed on 02.02.2026.

The European Commission has just unveiled its proposal for the Digital Networks Act (DNA). The DNA marks a fundamental shift from regulating traditional “electronic communications” to a broader, cloud-integrated ecosystem of “digital networks”.

In a nutshell: The DNA replaces the fragmented framework of the 2018 Electronic Communications Code (EECC) with a directly applicable Regulation. Unlike the EECC, which was a Directive requiring national transposition, the DNA applies immediately and identically across the EU. Its goal is to end the fragmentation of the EU’s 27 national markets to create a “Single Market” for connectivity by harmonizing authorization rules, centralizing spectrum management, and formally recognizing the convergence of telecommunications, cloud, and AI.

If your company provides cloud services, AI infrastructure, satellite connectivity, or cross-border digital communication tools, the DNA is no longer a peripheral concern. It is a core compliance and strategic priority.

Market Access: The “Single Passport” Procedure

The most significant potential operational benefit for international providers is the Single Passport procedure (Art. 10 DNA). Currently, a provider wishing to offer services across all 27 EU Member States must navigate 27 different notification regimes and potentially over 1,000 varying national conditions.

Under the DNA:

  • One Notification: International providers wishing to operate in multiple EU Member States will only need to submit a single notification to one national regulatory authority. This notification grants the right to provide services in all EU Member States listed in the notification.
  • Reduced Friction: This generally reduces the administrative burden, subjecting providers to a streamlined, EU-wide set of rules rather than a patchwork of national conditions. However, it is also a new burden for some markets, where it introduces a mandatory notification requirement that has not been there before (e.g., in France).
  • Centralized Oversight: A new Office for Digital Networks (ODN), transformed from the current BEREC Office, will maintain a central database of all notifications.

Strategic Autonomy: Centralized Satellite & Spectrum Rules

The DNA takes bold steps to centralize resources that are critical for EU strategic autonomy.

  • EU-Level Satellite Authorization: Satellite connectivity is emerging as a cornerstone of the DNA. The proposal introduces a centralized EU-wide authorization (Art. 39 DNA) granted by the European Commission, replacing disparate national processes for satellite networks and spectrum use. Once an EU authorization is granted, no national authorization is required, allowing for immediate pan-European service provision. However, operators should note that they will be subject to EU-level spectrum fees and administrative charges to co-fund the ODN.
  • Harmonized Spectrum Management: To close the gap in mobile network quality, the DNA introduces indefinite license duration as the principle, with a mandatory minimum of 40 years where limited terms are justified (Art. 24 DNA). This is designed to ensure investment predictability and facilitate the rollout of advanced 5G and 6G networks.

The Infrastructure Mandate: The End of Copper

In a move that departs from the EU’s historical stance on technology neutrality, the DNA mandates a structured and orderly switch-off of legacy copper networks by 31 December 2035 (Art. 54 DNA).

  • The “Fibre-Only” Justification: The European Commission argues that fibre-to-the-home (FTTH) is the most future-proof and energy-efficient technology. While this limits the freedom to conduct business on legacy infrastructure, the legislator deems it justified by environmental and economic benefits.
  • Safeguards: To mitigate the impact, the switch-off is conditional. It generally requires 95 % of premises passed by a fibre network and the availability of affordable retail alternatives in a given area before the switch-off is triggered (Art. 57 DNA). Exceptions are allowed only where fibre deployment is not economically viable and no adequate alternative exists.

“Fair Share” and Access Regulation: What’s In and What’s Out

  • No “Fair Share” Tax: Contrary to the push by some telecom incumbents, the draft DNA does not include a mandatory “fair share” payment or direct traffic-based contribution from internet companies (CAPs) to telecom operators. Instead, the DNA shifts the focus to “Ecosystem Cooperation” (Art. 191 DNA). BEREC will publish guidelines to facilitate technical and commercial cooperation, and a new facility for voluntary conciliation will be introduced to help parties reach agreements (Art. 192 DNA).
  • Modernized Access Obligations: The Significant Market Power (SMP) regime remains, but NRAs must now prioritize EU harmonized access products (e.g., specific wholesale fibre products) before imposing specific national remedies (Art. 81 DNA). Complex and rarely used provisions regarding co-investment and functional separation have been removed to simplify the framework.

The Convergence Trap: Are You Now a “Network Provider”?

The DNA explicitly moves beyond “pipes” to “Digital Networks” that are “cloud- and AI-based” (recital 16). While the Commission claims it does not seek to regulate cloud services directly, the line is blurring. The draft DNA targets the “extended connectivity ecosystem” (recital 2). If your AI platform or Cloud service integrates deeply with network infrastructure for low-latency delivery (e.g., edge computing), you may find yourself pulled into the DNA’s scope regarding resilience, security, and interoperability.

Resilience and “Strategic Autonomy”: The New Red Flags

In a climate of heightened geopolitical risk, the draft DNA introduces a “Union Preparedness Plan for Digital Infrastructures” (Art. 6 DNA).

  • Supply Chain Scrutiny: The Act emphasizes the need to address ICT supply chain risks, particularly for 5G, subsea cables, and “critical network segments”.
  • Interoperability Mandates: Interoperability requirements can be imposed on number-independent messaging services if they reach a “significant” mass and threaten end-to-end connectivity goals (Art. 68 DNA).

Full Harmonization of End-User Rights

Finally, the DNA introduces full harmonization for end-user rights to overcome the regulatory patchwork created by the previous Directive-based framework. By applying identical rules across the EU for contract information (Art. 95 DNA), duration (Art. 97 DNA), and switching (Art. 100 DNA), the draft DNA intends to significantly reduce administrative and compliance costs for providers operating in multiple Member States.

Timeline and Next Steps

Now that the European Commission has formally adopted the proposal (on 21 January 2026), the legislative process shifts to the Ordinary Legislative Procedure. This means the text is no longer a “draft” internal to the Commission but a formal legislative proposal that must be debated and approved by both the European Parliament and the Council of the EU. After adoption, the DNA is intended to enter into force 20 days after publication and to apply in full six months later, subject to specific transitional periods (up to 36 months) for certain provisions, such as those on satellite authorization.

Conclusion: The Digital Networks Act is a double-edged sword. It offers a much-needed “Single Passport” and centralized satellite authorization for scaling, but it also mandates the retirement of copper and brings tech infrastructure under a tighter, more securitized regulatory umbrella. For international companies, the “regulatory cost of doing business” in Europe just evolved.

Further information

The European Commission has published additional documentation with the draft:

The ICO has, this week, published extensive guidance on its expectations on Agentic AI (ICO tech futures: Agentic AI). The UK data protection regulator’s core message is clear: the future success of this technology is rooted in accountability.

Investor expectations on the realisation of commercial benefits from AI deployment are increasing. Meanwhile, confidence in regulatory compliance via accountability principles is fundamental for trust. Of course, with trust come commercial opportunities. As data protection lawyers at DLA Piper, we’ve distilled the core takeaways from the ICO’s guidance to flag the data protection innovation hotspots investors should ensure the UK tech sector is prioritising.

By focusing on privacy-centric AI, the ICO outlines that innovative technology companies can demonstrate they meet legal obligations by building products responsibly from the point of design.

Key points to note are:

  • Personal Privacy Management Agents: The ICO is keen to see agents that empower users to manage their own privacy. This includes AI that can interpret complex privacy notices or cookie banners on a user’s behalf, to avoid consent fatigue and build consumer trust that preferences will be respected. We’ve seen from experience that solutions which streamline user journeys gain more significant adoption, facilitating higher-risk processing whilst preserving consumer trust.
  • Automating Compliance Responses: Agents could revolutionise how organisations handle data subject requests (e.g., DSARs), by ensuring tools can accurately search and compile relevant information, helping organisations respond more timeously and cost-effectively. Of course, important guardrails will be required to ensure organisations don’t then provide people with hallucinated, incorrect information. SLMs could ensure a privacy-focused approach (as the ICO recognises that smaller, more specialist, data training sets result in greater accuracy of outputs). Otherwise, human-in-the-loop remains necessary for this given the regulatory implications of getting DSARs wrong. As volumes increase, we can help ensure safety is prioritised whilst still ensuring companies obtain the benefit of efficiency gains.
  • Local Agents and Trusted Computing: There is a strong appetite for agents that process data locally on a user’s device. For example, an agent could scan for vulnerabilities without needing access to a user’s personal information. For multi-agent tools, the ICO outlines opportunities to develop standardised secure communication protocols between agents. This is technically complex, and with the ICO’s new focus on the right to complain, we can help ensure or verify that organisations have effective mechanisms for redress when things go wrong and multi-agents are involved.

Far from posing a roadblock, this section of the ICO’s guidance actively highlights significant opportunities for technology innovators. For companies building the next generation of AI tools, embedding ‘privacy by design’ is no longer just a compliance checkbox. The ICO considers that demonstrating such responsible design could become a powerful market differentiator. We work closely with organisations developing privacy‑centric AI models and good data governance. As such, reach out if you’d like guidance on whether an organisation is implementing the ICO’s expectations in practice, particularly with any data protection impact assessments for Agentic AI / SLM architectures.

You can also explore our Algorithm to Advantage Hub, offering key insights into Agentic AI and how you can make Agentic AI work for you.