In Germany, there is no single regulatory regime that governs software. Instead, rules are scattered across different German laws. These laws cover several areas, including, i.a., intellectual property, trade secrets and IT law, data privacy and cybersecurity, telecommunications, contract law, consumer protection law, as well as laws specifically governing digital contents and digital services. Other, sector-specific laws may also apply with regard to software designed for specific use cases, such as medical software or when used within regulated industries.

• Protection of computer software and databases is provided via Copyright protection offered under the German Copyright Act (‘Urheberrechtsgesetz’, ‘UrhG’).
• Consumer rights in relation to contracts for the supply of digital content and digital services are regulated in Directive (EU) 2019/770 which has been transposed into national law in provisions of the German Civil Code (‘Bürgerliches Gesetzbuch’, ‘BGB’).
• Data privacy aspects relating to software are regulated by the General Data Protection Regulation (‘GDPR’), the Federal Data Protection Act (‘Bundesdatenschutzgesetz’, ‘BDSG’) and the Telecommunications-Telemedia Data Protection Act (‘Telekommunikation-Telemedien-Datenschutzgesetz’, ‘TTDSG’), the latter of which is in part based on the ePrivacy Directive 2002/58/EC (‘ePrivacy Directive’).

Computer software can be protected as an original work pursuant to Sec. 69a et seq. German Copyright Act (UrhG). These provisions are based on Directive (EU) 2009/24/EC on the legal protection of computer programs. Pursuant to Sec. 69a(3) UrhG, a computer program can be protected as a literary work if it is original in the sense that it is the author’s own intellectual creation. The protection for a computer program, as is the case with any other work protected by copyright, extends only to its expression in any form and not to the idea or the principles that underlie a computer program (Sec. 69a(2) UrhG). The copyright is held by the author(s) of the work, i.e., the software developer(s). Although copyright is not transferable under German law, a license may be granted pursuant to Sec. 31 et seq. UrhG. In case of an employment or service relationship, Sec. 69b UrhG stipulates that the employer is exclusively entitled to exercise all proprietary rights to the computer program unless otherwise agreed. The copyright to a computer program grants the right holder the right to authorise or prohibit reproductions, adaptations, the distribution of reproductions including rental and wire or wireless public communication of the computer program.

So-called ‘computer-implemented inventions’ may also be eligible for patent protection under German patent law. However, patent protection does not extend to algorithms or computer programs. In practice, patent law thus does not play such a significant role for the protection of computer programs.

Under German copyright law, the copyright to a program is generally granted to the programmer(s) who developed it. For a third party to exercise the rights of use of a computer program, they must be assigned to the company through an assignment agreement. However, if the developer is an employee who developed the program in performance of his or her employment or under the instruction of the employer, all proprietary rights are solely reserved for the employer except agreed otherwise (see Sec. 69b(1) German Copyright Act (UrhG)). The same also applies to service contracts.

Under current law, damages caused by defective software may be compensated by claims for damages under the Product Liability Act (Produkthaftungsgesetz) or under the general rules of German tort law.

Questions relating specifically to the liability of AI malfunctions have also been subject of lively debates in Germany. Some scholars have argued that damages inflicted by a malfunctioning AI may be addressed through existing means of contract or tort law. Others have argued that future legislation should provide for strict liability regimes for AI manufacturers or operators. Other proposals have employed insurance solutions to AI liability issues.

On a European level, there are proposals for a new Product Liability Directive (COM(2022) 495) to overhaul the Product Liability Directive 85/374/EEC and for an AI Liability Directive (COM(2022) 496). The two drafts, both published in September 2022, complement each other and propose a liability framework for defective products. While the Product Liability Directive continues the no fault-based liability system and extends its scope to software (including AI systems) and digital services that affect how a product works, the AI Liability Directive will ensure protection from harm caused by AI system by alleviating the burden of proof for claims based on the fault-based liability regimes under national law.

The use and misuse of software is generally governed by end user license agreements (EULA) under German copyright, as are the consequences for misuse (or breach of license). The rules governing licensing agreements for copyrighted software are laid out in Sec. 31 et seq. German Copyright Act (‘Urheberrechtsgesetz’, ‘UrhG’). Depending on the licensing terms of the agreement, the copyright holder can choose to grant proprietary licenses or free/open-source licenses. Additionally, the copyright holder may grant exclusive or non-exclusive, revocable or irrevocable licenses and can decide whether or not to limit the rights of use with regard to time, space and content. Finally, the misuse of software may be criminally liable under German criminal law.

Rules governing the provision of software between software vendors and customers are scattered across several German laws. Depending on how the software is provided, different rules stipulated in the German Civil Code may apply. These are, i.a., the rules governing purchase agreements (Sec. 433 et seq. BGB) or lease agreements (Sec. 535 et seq. BGB), depending on whether the software is to be sold to the customer permanently, rented or provided via a cloud solution (Software-as-a-Service) for a specified period of time. Depending on the applicable law, different rules regulating customer warranty apply in case of faults.

In addition, the rules provided in Directive (EU) 2019/770 on consumer rights in relation to contracts for the supply of digital content and digital services have been transposed into national law in provisions of the German Civil Code, namely in Sec. 327a et seq. BGB. These rules do not apply in relation to B2B customers.

Regarding the use of cloud technology, there are sector-specific regulations restricting the use of cloud-based services (Sec. 25b Banking Act (‘Kreditwesengesetz’, ‘KWG’), Sec. 5(3) Stock Exchange Act (‘Börsengesetz’, ‘BörsG’), Sec. 80(6) Securities Trading Act (‘Wertpapierhandelsgesetz’, ‘WpHG’) and Sec. 32 Insurance Supervision Act (‘Versicherungsaufsichtsgesetz’, ‘VAG’)).

In addition, extensive guidance on the use of cloud-based services and outsourcing has been issued by the conference of the German data protection supervisory authorities (‘Orientierungshilfe – Cloud Computing’ of 9 October 2014) and the Federal Financial Supervisory Authority (‘BaFin’) (‘Merkblatt – Orientierungshilfe zu Auslagerungen an Cloud-Anbieter of November 2018). Furthermore, the Federal Security Agency (BSI) has issued a catalogue containing criteria for the secure use of clouds which has become a widely accepted standard and may also be required to be adhered to by many public entities (‘Cloud Computing Compliance Criteria Catalogue – C5:2020 ‘). In 2022, the European Data Protection Board investigated the use of cloud services in the public sector and published a respective report on the coordinated enforcement action on 17 January 2023. The various German state data protection supervisory authorities have also issued guidance on the use of specific cloud services on a regular basis.

In general, there is only very limited room under German law as regards the limitation of liability due to strict laws on general terms and conditions in the German Civil Code (Sec. 307 et seq. BGB) even in B2B transactions. However, to the extent possible, companies often limit their liability by excluding slight negligence. This is possible, as long as the exemption from liability does not relate to cardinal obligations. In addition, liability for damages can only be excluded for damages which are neither typical for the contract nor foreseeable. A level of cap for the B2B sector at around EUR 1m or up to 3 times of the yearly remuneration can be deemed a market standard level of cap in Germany.

Due to restrictions stemming from German laws on general terms and conditions (Allgemeine Geschäftsbedingungen, AGB) in Sec. 307 et seq. German Civil Code (BGB), wilful and deliberate breaches are always excluded from financial caps on the software vendor’s liability. In addition, data protection and data security breaches will often likely be excluded. In some cases, confidentiality breaches may also be excluded from financial caps, although regularly, the agreement of contractual penalties will often prove a more sensible alternative in this context.

Only for customized software or software developed by smaller companies, escrow providers are sometimes used in the context of software source codes in Germany. However, in some cases, escrow agreements can be crucial for a customer’s business. In particular, Enterprise Resource Planning (ERP) contracts may provide for an obligation to keep the software source code in escrow. In this case, companies often rely on notaries or attorneys for escrow services. Finally, professional escrow service providers can also be deployed although there is not a definitive market leader in the field.

Software is subject to export controls under Regulation (EU) 2021/821 (“Dual-Use Regulation”) if it is deemed a “dual-use item”, i.e., software that can be used for both civil and military purposes. This includes, most notably, software which can be used for the design, development, production or use of nuclear, chemical or biological weapons or their means of delivery, including all items which can be used for both non-explosive uses and assisting in any way in the manufacture of nuclear weapons or other nuclear explosive devices.

For these kinds of software, an authorisation must be obtained before the it is exported outside the EU. They are listed in Annex I of the Regulation and span several areas, including nuclear materials, facilities and equipment, special materials and related equipment, materials processing, electronics, computers, telecommunications and information security, sensors and lasers, navigation and avionics, marine, as well as aerospace and propulsion.

There are no specific regulations under German law which govern IT outsourcing transactions in the technology sector.

German labour law provides for strict rules regarding the termination of employment relationships. In the case of outsourcing, provisions of the German Dismissal Protection Act (Kündigungsschutzgesetz, ‘KSchG’) on termination for operational reasons may apply. Significant hurdles may include the required social selection of the employee to be dismissed, the necessary hearing of the works council, the mass dismissal notification to the Federal Employment Agency that may be required, and special protections against dismissal that may apply to certain employees.

Additionally, under certain circumstances that have been outlined further by the Federal Labour Court (‘BAG’) (see, e.g., decision of 24 January 2013, 8 AZR 706/11), the outsourcing of IT services may also be considered a “transfer of an undertaking” (‘Betriebsübergang’) (or of a part of an undertaking) pursuant to Sec. 613a of the German Civil Code (BGB). This requires that the identity of the company be preserved. In this respect, relevant criteria for the assessment are, i.a., the nature of the business in question, whether a transfer of tangible assets has taken place, the value of intangible assets at the time of the transfer, the takeover of the main workforce by the new owner, the transfer of customers and supplier relationships, the degree of similarity between the activities carried out before and after the transfer and the duration of any interruption of such activities.

In case an outsourcing is deemed a transfer of an undertaking, the employees, assets or third-party contracts would transfer automatically to the supplier and their employment relationships cannot be terminated.

However, if a contracted external service provider is engaged and it does not make use of personnel or operating resources such as premises, hardware or software of the engaging company for the performance of the same activities, but instead performs the activities with its own resources, there is no “transfer of an undertaking”.

The provision of communications-related services is subject to regulatory supervision by the Federal Network Agency (‘Bundesnetzagentur’, ‘BNetzA’). It is tasked with ensuring fair competition and transparency in, among others, the telecommunications sector. In addition, ensuring telecommunications and postal service providers’ compliance with privacy obligations which is subject to regulatory supervision by the Federal Commissioner for Data Protection and Freedom of Information (‘Bundesbeauftragter für den Datenschutz und die Informationsfreiheit’, ‘BfDI’).

Communications networks and/or services are regulated by the Telecommunications Act (TKG). It provides the legal framework for the operation of telecommunications networks and facilities and for the provision of telecommunications services. The purpose of the TKG is to promote competition in the telecommunications sector and efficient telecommunications infrastructures through technology-neutral regulation and to ensure adequate and sufficient services throughout Germany (Sec. 1(1) TKG).

For the commercial operation of telecommunications networks or the provision of telecommunications services, no license or authorisation is required. Instead, electronic communications networks and services are subject only to a ‘general authorisation’ (as required in Article 12 EECC). This general authorisation covers, among others, the provision of electronic communications networks and services, usage of radio spectrum in relation to electronic communications networks and services and the right to have applications for the necessary rights to install facilities and/or for the necessary rights of use for numbering resources considered.

Thus, a telecommunications operator or service provider is only required to notify the Federal Network Agency (‘Bundesnetzagentur’) without undue delay of any intended commencement, change or termination of the operator’s/service provider’s activity and of any changes to its name or company name, legal structure or address (Sec. 5(1) TKG).

Due to the federal structure of the Federal Republic of Germany there are both a Federal Commissioner for Data Protection and Freedom of Information (‘Bundesdatenschutzbeauftragter’, ‘BfDI’) and 17 independent state data protection supervisory authorities which are responsible for overseeing and enforcing data privacy laws in the public and private sector. Generally, private sector entities are supervised by the state supervisory authorities.

In Germany, the protection of personal data is primarily governed by the General Data Protection Regulation (‘GDPR’) and the Federal Data Protection Act (‘BDSG’). The GDPR has introduced fundamental data protection principles (Article 5 GDPR), specific lawful bases for the processing of personal data (Article 6 et seq. GDPR) and a multitude of data subject rights (Article 12 et seq. GDPR), including, among others, information rights, a right of access and to be forgotten as well as restrictions to automated decision-making and profiling. The GDPR also introduced data breach notification obligations, some of which must be fulfilled within a narrow 72-hour timeframe (Article 33, 34 GDPR). These data protection rules can be enforced through significant fines or claims for immaterial damages in case of non-compliance (Article 82, 83 GDPR).

Special regulations on the protection of personal data relating to the use of telecommunications services and telemedia are provided in the Telecommunications Telemedia Data Protection Act (‘TTDSG’). Sec. 3 TTDSG stipulates the secrecy of communications that, among others, telecommunications service providers and telecommunications networks operators are obliged to maintain. In addition, Sec. 25 TTDSG stipulates that the storing of information on the end user’s terminal equipment or the accessing of information already stored on the terminal equipment shall only be permitted if the end-user has consented on the basis of clear and comprehensive information. This requirement is particularly relevant to the use of cookies. The TTDSG was passed to transpose the e-Privacy Directive 2002/58/EC. The conference of the German data protection supervisory authorities has released guidance on the TTDSG and the rules applicable to cookies on 20 December 2021.

Pursuant to Article 83(4)-(6) GDPR, the maximum fine ranges from EUR 10m to EUR 20m or, in the case of an undertaking, 2% to 4% of the total worldwide annual turnover of the preceding financial year, respectively, whichever is higher. The amount of an administrative fine is dependent on the circumstances of each individual case and shall be effective, proportionate and dissuasive (Article 83(1), (2) GDPR). The European Data Protection Board has issued Guidance on the calculation of fines in its Guidelines 04/2022 of 12 May 2022.

Pursuant to Sec. 28(2) TTDSG, the maximum fine amount possible for a breach of telecommunications and telemedia data protection rules is EUR 300,000.

Often there are clauses that mandate compliance with the respective data privacy laws as cardinal obligations. Apart from such clauses, technology contracts in Germany do not and should generally not include references to external data protection regimes and it is not common for these contracts to include such references. However, references to other data protection regimes are commonly found in data processing agreements.

To enforce the provisions of the EU’s proposed Artificial Intelligence Act (‘AI Act’), each member state will have to designate a competent supervisory authority overseeing the enforcement of the AI Act. In addition, privacy-related violations may also be enforced by the Member State data protection supervisory authorities. European and German data protection law cannot be derogated away by the parties of an agreement.

The deployment and use of artificial intelligence will be governed by the European Union’s AI Act. The Act will be the world’s first comprehensive law regulating artificial intelligence and is set to reach an agreement in December 2023. The proposed Act stipulates different obligations for providers and users of AI systems depending on the risk of harms associated with each of the respective AI systems.

Under the proposed rules, AI systems deemed a threat to individuals will be categorized as “unacceptable risk AI” and will be banned entirely. These include, i.a., social scoring, real-time remote biometric identification systems, such as real-time facial recognition, and cognitive behavioural manipulation of people and certain vulnerable groups.

So called “High-risk systems” which can endanger individuals’ safety or fundamental rights will not be banned entirely but will have to be assessed before their market entry and throughout their entire product lifecycle. High-risks systems are defined in the AI Act and cover several areas and sectors, including, for instance, law enforcement, biometric identification, employment and others.

“Limited-risk AI” will also be covered by the AI Act, although the obligations relating to these kinds of AI systems will only cover minimal transparency requirements to ensure that individuals make informed choices. In particular, users of the AI systems must be informed that they are interacting with an AI system. Generative AI systems and foundational models (such as ChatGPT, DALL-E, etc.) will be subject to specific transparency requirements.

The regulation aims to protect individuals against unmanageable risks and harm inflicted by AI systems while also enabling development and research in the field of artificial intelligence. In essence, the rules shall ensure that AI systems be “overseen by people”, and be “safe, transparent, traceable, non-discriminatory, and environmentally friendly” according to the European Parliament’s position.

The rules can be enforced through sanctions of up to 1% to 7% of a company’s worldwide annual turnover for the preceding financial year or EUR 5m to EUR 40m, whichever is higher, depending on the respective provision that has been violated.

The EU AI Act will also provide for specific rules governing foundation models, including large language models and generative AI systems. Given the advent of generative AI applications in the end of 2022, European lawmakers came to conclude that amendments to the AI Act proposal would be necessary to cater to these recent developments.

In June 2023, the European Parliament passed a revised negotiating position on the AI Act which also includes additional rules concerning foundational models. In contrast to so-called “general purpose AI”, foundation models will be subject to a stricter set of rules. The AI Act defines general purpose AI as an “AI system that can be used in and adapted to a wide range of applications for which it was not intentionally and specifically designed” while foundational models are defined as an “AI system model that is trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks”. The main differences between the two notions therefore relate to differences in training data and adaptability, as well as the possibility to use the system for intended purposes.

The transparency requirements proposed for foundation models include an obligation to disclose that content was generated by an AI system, an obligation to prevent the model from generating illegal content and a requirement to publish summaries of the data used for training subject to copyright.

In Germany, the supervisory authority responsible for overseeing the blockchain and blockchain-related assets and securities is the Federal Financial Supervisory Authority (‘Bundesanstalt für Finanzdienstleistungsaufsicht’, ‘BaFin’). The BaFin is tasked with examining whether transactions of new market participants or new business models are subject to authorization under German financial supervisory laws, regardless of the underlying technology used. Additionally, one of the BaFin’s tasks is to help prevent money laundering in the German financial sector.

In addition, the European Securities and Markets Authority (‘ESMA’) will take on an important role in regulatory convergence and will obtain detailed information on significant cryptocurrency providers under the enacted MiCA regulation. Finally, the European Banking Authority (‘EBA’) will supervise issuers of significant asset-referenced tokens and significant stablecoins.

The areas of blockchain, crypto and other digital assets and securities have seen a rapid development of new rules and laws on a European and national level. As recently as May 2023, the European Parliament and European Council have passed the Regulation on Markets in Crypto-Assets (EU) 2019/1937 (‘MiCA’) which aims to increase investor protection and contribute to the functioning of the financial markets. It will likely be fully applicable in early 2025 and establishes rules for the public offering and admission of cryptocurrencies and stablecoins which will require an authorization. The regulation does not cover transactions related to Non-Fungible Tokens (‘NFTs’) or Security Tokens.

In late June 2023, the Transfer of Funds Regulation (EU) 2023/1113 (‘TFR’) also came into force. The TFR regulation requires crypto providers to identify their customers so that transfers of crypto assets can always be traced back and suspicious transactions can be blocked. The regulation will apply from 30 December 2024.

On a national level, several laws have recently been amended to cater to the specific risks and peculiarities of crypto. The German Banking Act (Kreditwesensgesetz, ‘KWG’) was amended to include a definition of crypto assets and to govern crypto depository services. Providers of crypto depository services have to obtain a license with the BaFin and are under its supervision.

The Electronic Securities Act (Gesetz über elektronische Wertpapiere, ‘eWpG’) introduced electronic securities and crypto securities. To ensure a legally secure acquisition of electronic and crypto securities the Act provides for the entry of the securities in electronic registers under supervision of the BaFin. In addition, the law contains various investor protection provisions.

Blockchain transactions may also be subject to the GDPR if they contain personal data.

The nature of certain blockchain based assets remains a contentious issue. Generally, both fungible and non-fungible tokens are not assigned any property or “absolute” rights under current legislation. Sec. 2(3) of the Electronic Securities Act (eWpG) provides that electronic and crypto securities are objects (“things”) capable of conferring property rights. However, under German law, cryptocurrencies and NFTs are subject to fragmentary protection only. Whether or not crypto transactions can already be adequately reflected by the law is a question controversially discussed by legal scholars. Hence, effective remedies for the recovery of fungible or non-fungible tokens in the case of misappropriation only exist in specific cases, the conditions of which remain debated.

In Germany, search engines and marketplaces will be under regulatory supervision by the digital services coordinator (‘DSC’) – a role yet to be established in Germany in light of the prospective applicability of the recently enacted Digital Services Act (‘DSA’). The German government has announced already that it plans to establish a respective advisory board to be tasked with the DSC’s supervisory duties. As regards very large online platforms (VLOPs) and very large online search engines (VLOSEs) as introduced by the DSA, the EU Commission is the competent supervisory authority overseeing and enforcing the provision of the DSA.

Search engines and marketplaces will be regulated by the Digital Services Act (‘DSA’), which will become fully applicable on February 17, 2024. The Digital Services Act provides for a single set of rules to protect users and combat illegal contents online. It regulates both the obligations and the liability of intermediary services, including hosting service providers, online platforms, online marketplaces and online search engines. In addition to certain content moderation obligations – which are particularly, although not solely, relevant to social media platforms – the DSA imposes stringent transparency reporting obligations and requires online platforms and search engines to establish internal complaint-handling and dispute-settlement mechanisms. To protect users, deceptive practices such as dark patterns are banned, and minors must not be subject to ads based on profiling.

Online marketplaces allowing consumers to conclude distance contracts with traders must ensure the traceability of traders by requiring their contact details before admitting them to the marketplace. In addition, consumers must be provided with required pre-contractual information, compliance and product safety information.

Most notably, under the DSA, very large online platforms (VLOPs) and very large online search engines (VLOSEs) will be subject to far-reaching transparency and compliance obligations. In particular, they must implement systemic risk assessments in the earliest design stages of new products, conduct annual risk assessments and adopt a crisis response mechanism. To ensure advertising transparency, VLOPs and VLOSEs must compile a publicly available repository with details on advertisements displayed on their platforms, including whether the advertisement was targeted towards a group, the relevant parameters and the total number of recipients reached.

Additionally, search engines are regulated by the Digital Markets Act (‘DMA’) which became applicable on 2 May 2023. The DMA targets “gatekeepers”, i.e., large digital platforms providing “core platform services” in at least three Member States and sets out rules to ensure fair and open digital markets. The DMA applies, i.a., to search engines, social networking sites and messaging services, provided that they are very large in size, turnover or market capitalization and numbers of monthly active users and yearly active business users, provide an important gateway for business users towards their end customers and have an “entrenched and durable position”.

The DMA has introduced a broad range of obligations for platforms acting as “gatekeepers”. This includes limiting their ability to impose unfair terms on competitors and consumers. They must allow third parties to interoperate with their services and access data generated on their platforms. “Gatekeepers” are also prohibited from favouring their own services in rankings or preventing customers from connecting with other businesses outside their platform.

Besides the DSA and the DMA, other obligations stem from European or national laws governing data privacy and personality rights which provide for certain individual rights. For instance, users of search engines enjoy a right to erasure (or “right to be forgotten”) and to be delisted from search results pursuant to Article 17 GDPR.

Supervision of social media platforms subject to the Digital Services Act will be carried out by both the EU Commission (for very large social media platforms) and the digital services coordinator yet to be designated by the German government. In addition, other laws that also apply to social media sites are enforced by several German authorities. For instance, laws regulating hate speech and other illegal conduct on social media platforms are enforced by the Federal Office of Justice (‘Bundesamt für Justiz’), and criminal content reported on the basis of these laws can be prosecuted by the Federal and State Criminal Polices Offices (‘Bundes-/Landeskriminalämter’). Finally, the State Media Authorities have the authority over video sharing platforms, among others.

In Germany, social media platforms are regulated by a complex multitude of laws that constitute different degrees of content moderation obligations, depending on the respective kinds of platform providers.

Pursuant to the general principle of Sec. 7, 8-10 TMG (which are based on the e-Commerce Directive), host and access providers are only responsible for their own contents and are generally not required to monitor third party information transmitted or hosted by them or to investigate circumstances that indicate illegal activities. However, once host providers have become aware of illegal activities or third-party information, they are required to remove the information or to disable access to it without undue delay (so-called ‘notice and takedown’) and are henceforth liable for such information.

These general principles will continue to apply under the newly enacted Digital Services Act (‘DSA’). However, the DSA will provide for a host of additional obligations for online platforms and search engines, the most stringent rules of which will apply to very large online platforms (VLOPs) and very large online search engines (VLOSEs). Most notably, certain kinds of platforms are subject to a variety of content moderation obligations. Platforms will have to act against “illegal” content and provide for a notification mechanism allowing the flagging of content considered by users to be illegal content.

In addition, content moderation obligations also stem from German national law, e.g., the NetzDG (‘Netzwerkdurchsetzungsgesetz’) which aims at combatting hate crimes and other illegal conduct on social networks by requiring user reporting procedures. Other acts that contain content moderation obligations include the AVMSD (Directive (EU) 2018/1808) that obliges video sharing platforms to protect minors from harmful content and the general public from hate and violent messages as well as terrorist, racist and xenophobic material and child pornography. These rules have been transposed into national law across various laws, among them the TMG (Sec. 10a-10b), the Media State Treaty (‘Medienstaatsvertrag’, ‘MStV’) and the Youth Media Protection State Treaty (‘Jugendmedienschutz-Staatsvertrag’, ‘JMStV’). Other child protection regulations (such as the Youth Protection Act) provide for similar obligations. Under Regulation (EU) 2021/784 (‘TCO’ Regulation), host providers are obliged to remove or disable access to terrorist contents within one hour.

Finally, the Digital Markets Act (DMA) which applies since May 2023 also covers (large) social networking sites and imposes several obligations on them, such as, allowing interoperation with their services.

In respect of copyright-infringing content, Article 17 of Directive (EU) 2019/790 (‘DSM’ Directive) stipulates certain content blocking obligations for powerful platforms that host and make available to the public large quantities of copyrighted materials.

The regulation of data flows (both personal as well as non-personal) and of digital platforms will likely continue to form one of the defining regulatory topics in the coming years. Additionally, the rapid advances in the field of artificial intelligence will require equally swift and decisive measures by both legislators and authorities to ensure that the provisions of the AI Act, once in force, will be effectively enforced.

Finally, current and future developments in the cybersecurity landscape (most notably, the imminent transposition of the NIS2 Directive into member state law and the development of several cybersecurity directives and regulations, such as the Cyber Resilience Act and the Cyber Solidarity Act) are set to elevate the overall level of cybersecurity across the EU but will also significantly extend the range of obligations for companies.

As of yet, such provisions are not common but coming. ESG (environmental, social and corporate governance) criteria are, however, already part of larger compliance obligations that companies may commit to.