{"id":110046,"date":"2025-08-06T14:13:16","date_gmt":"2025-08-06T14:13:16","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=110046"},"modified":"2025-08-19T11:17:49","modified_gmt":"2025-08-19T11:17:49","slug":"germany-tmt","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/germany-tmt\/","title":{"rendered":"Germany: TMT"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-110046","comparative_guide","type-comparative_guide","status-publish","hentry","guides-tmt","jurisdictions-germany"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Lindenpartners<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2024\/07\/lindenpartners_MZ_pos_RGB.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Lindenpartners<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2024\/07\/lindenpartners_MZ_pos_RGB.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of TMT laws and regulations applicable in Germany<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 How are proprietary rights in software and associated materials protected?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Germany, proprietary rights in software and associated materials are protected through several mechanisms:<\/p>\n<ul style=\"padding-left: 0\">\n<li>First and foremost, Computer programs (including drafts and preparatory design materials) are protected under the German Copyright Act (UrhG) if they constitute individual works in the sense that they are the result of their author&#8217;s own intellectual creation. Ideas and principles underlying any element of the program, including its interfaces, are as such not eligible for protection (cf. Section 69a UrhG, which is based on Directive (EU) 2009\/24\/EC). As soon as new software that is eligible for copyright protection comes into existence, it is automatically (i.e. without any formal process to register the right) protected under the law.<\/li>\n<li>Computer programs &#8220;as such&#8221; are not eligible for patent protection, but inventions related to computer programs can potentially qualify for patent protection. Due to this high threshold, patent law in practice typically has rather limited impact on protecting computer programs.<\/li>\n<li>Software can also be protected under the German Employee Inventions Act, in particular if it\u2019s patentable.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under German law, the ownership of proprietary rights in software developed by a third party is not automatically vested in the customer. As software is typically classified as a creative work, the initial ownership of the copyright rests with the author(s). The customer may acquire exclusive rights of use regarding the program \u2013 but not the actual copyright itself.<\/p>\n<p>In the absence of any contractual provision, it depends on the context to what extent the customer automatically receives such rights of use. Here are two key rules:<\/p>\n<ul style=\"padding-left: 0\">\n<li>To allow employers to fully exploit programs created within an employment relationship, Section 69b of the German Copyright Act (UrhG) states that the employer alone is entitled to exercise all economic rights in the computer program that employed programmers have created in the performance of their duties or in accordance with their employer&#8217;s instructions. This statutory rule, however, typically does not apply to programmers who work as freelancers.<\/li>\n<li>Section 31 (5) of the German Copyright Act (UrhG) is a pivotal regulation that interprets the extent of usage rights in the software granted to the customer based on the intended purpose of the contract when there are no clear contractual rules. It safeguards the author\u2019s interests by ensuring they retain as many rights of use as possible without frustrating the underlying goals of the contract.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 Are there any specific laws that govern the harm \/ liability caused by Software \/ computer systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Germany, the legal framework regarding harm\/liability caused by software is currently primarily governed by two main laws:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The German Civil Code (B\u00fcrgerliches Gesetzbuch \u2013 BGB) contains general rules about contractual and tortious liability, which can be applied if software causes damage.<\/li>\n<li>Additionally, claims for damages can also be made under the Product Liability Act (Produkthaftungsgesetz) when a defect in a product causes damage. To what extent software falls under this Act is often still disputed under the current regime. However, it will likely be updated within the next two years in order to implement the revision of the underlying EU Product Liability Directive. The update will clarify that software and AI may constitute a defective product and is generally intended to tighten the liability rules, i.a. by broadening the range of potentially liable actors as well as lowering the burden of proof for claimants.<\/li>\n<\/ul>\n<p>Furthermore, the EU\u2019s current draft of an AI Liability Directive aims to establish a uniform set of rules to address non-contractual civil liability for damages caused by AI systems. Whereas the Product Liability Directive regulates the manufacturer\u2019s liability for defective products independent of fault, the AI Liability Directive is supposed to cover liability claims which are based on intent or negligence. The timeline of this directive is however still unclear.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 To the extent not covered by (3) above, are there any specific laws that govern the use (or misuse) of software \/ computer systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Sections 69a-69g of the Copyright Act (UrhG) contain specific rules on restricted acts when using software. This includes for instance restrictions on modifications or the distribution of computer programs, but also certain special rights for the licensee concerning, i.a.,<\/p>\n<ul>\n<li>back-up copies,<\/li>\n<li>text and data mining, and<\/li>\n<li>decompilation<\/li>\n<\/ul>\n<p>Some of these rights cannot be circumvented by deviating contractual provisions (cf. Section 69g Copyright Act).<\/p>\n<p>Sections 31 et seq. of the Copyright Act contain rules on how the rights of use regarding software IP are granted by the authors. These are important to observe, for example when drafting end user license agreements (EULA), as they might overrule contractual agreements between the parties to a certain extent. The copyright holder may grant, i.a., exclusive or non-exclusive, revocable or irrevocable licenses and he may limit the right of use regarding time, place and subject matter.<\/p>\n<p>Furthermore, the new Sections 327 et seq. of the German Civil Code (BGB), which implement the EU Directive 2019\/770\/EU, regulate the contractual aspects of providing digital content and services. They mainly apply to contracts between businesses and consumers (B2C) but may also allow for B2B recourse in contracts for digital products within the commercial supply chain.<\/p>\n<p>Finally, there are several criminal offenses related to the misuse of software. For example, Section 303b of the Criminal Code (StGB) addresses computer sabotage. The criminal offenses of spying on data (Section 202a of the German Criminal Code), interception of data (Section 202b of the German Criminal Code) and computer fraud (Section 263a of the German Criminal Code) can also be relevant.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (Licence and SaaS) \u2013 Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no technology-specific laws that govern the provision of software between a vendor and customer. The civil law classification under German law usually depends on the type of contract. Depending on the use and creation of the software, the provisions of the purchase contract, work contract, services contract or leasing contract may be applicable. Different regulations govern customer warranties in the event of defects. In addition, some laws are applicable depending on the parties involved, such as Sections 327 et seq. BGB in the case of consumer contracts for the provision of digital content and services.<\/p>\n<p>There are however some sector-specific regulations that govern the usage of cloud-based services, especially in the context of outsourcing (see question 10).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If \u2018yes\u2019, what would be considered a market standard level of cap?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under German law, there is generally limited flexibility concerning liability limitations due to strict regulations on standard terms and conditions outlined in the German Civil Code (Sections 307 et seq. BGB), even within business-to-business (B2B) transactions. Fixed caps in T&amp;Cs might often be deemed unenforceable if they concern essential contractual obligations. Companies often strive to restrict their liability by excluding liability for regular (as opposed to gross) negligence in individually negotiated cap agreements. In the SaaS context, a typical individually negotiated cap would limit any damage claims against the provider arising in a specific year to the amount of remuneration paid to the provider in the respective year (or a multiple thereof).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor\u2019s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>(a): Confidentiality breaches are sometimes excluded from cap agreements. As damages due to a breach of confidentiality are often difficult to prove, providers often additionally insist on fixed contractual penalties as a baseline for damages in case of a breach.<\/p>\n<p>(b) and (c): Breaches concerning data protection and data security are often excluded from caps on damages as many companies have concerns about high damages due to GDPR enforcement.<\/p>\n<p>(d), (e) and (f): IPR infringement claims, breaches of applicable law and regulatory fines are typically not as such specifically excluded from caps.<\/p>\n<p>(g): Financial caps in case of wilful and deliberate breaches are generally precluded under German contract law (Section 276 (3) of the German Civil Code (BGB)), which means unlimited liability is mandated by law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used? Is an equivalent service offered for cloud-based software?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Germany, holding software source code in escrow for the benefit of the software licensee is rather the exception than a normal practice. Escrow providers are occasionally engaged for software source code for custom-build software, products developed by smaller firms or where the software is vital to the licensee\u2019s operations, such as in the case of Enterprise Resource Planning (ERP) software. In such instances, businesses commonly enlist the services of notaries or legal practitioners to oversee escrow arrangements of escrow providers. Professional escrow service providers are also available for cloud-based software.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Are there any export controls that apply to software transactions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The export of software to other countries may require authorisation from the Federal Office of Economics and Export Control (BAFA) under certain circumstances. Authorisation is particularly required for the export of goods specifically designed or modified for military purposes. Also, for items with dual civilian and military applications (known as &#8220;dual-use goods&#8221;, cf. Regulation (EU) 2021\/821), certain licenses can be necessary. Additionally, license requirements may arise in particular from the Foreign Trade Act (AWG), the Foreign Trade Regulation (AWV), Regulation (EU) No. 258\/2012 (Firearms Regulation), Regulation (EU) 2019\/125 (Anti-Torture Regulation) and various embargo regulations (such as Iran or Russia).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">IT Outsourcing \u2013 Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>IT outsourcing is typically governed in sector-specific laws, in particular regarding the financial sector. These regulations are delineated in various provisions such as Section 25b of the Banking Act (KWG), Section 26 of the Payment Services Supervision Act (ZAG), Section 80 (6) of the Securities Trading Act (WpHG) or Section 32 of the Insurance Supervision Act (VAG).<\/p>\n<p>Regulators such as the Federal Financial Supervisory Authority (BaFin) and the Federal Office for Information Security (BSI) have issued detailed guidelines on how they interpret statutory requirements regarding IT outsourcing, IT security and cloud services.<\/p>\n<p>The provisions of the recently adopted EU Digital Operational Resilience Act (DORA), which governs IT security in the financial sector and will be applicable from 17 January 2025, will also likely become relevant soon.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">IT Outsourcing \u2013 Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>German labour law imposes strict regulations on terminating employment contracts, which might occur in cases of outsourcing. If the Protection Against Dismissal Act (KSchG) applies, the employer may only terminate an employment contract if it is \u201csocially justified\u201d. This means the termination must be based on reasons related to the employee\u2019s conduct, personal circumstances, or compelling operational requirements that prevent the continued employment of the employee in the business. If the termination is due to operational reasons, such as business reorganisation, the employer typically must apply correct \u201csocial\u201d criteria to determine which employees to let go. Certain categories of employees, such as pregnant employees or members of the works council, enjoy enhanced protection against dismissal.<\/p>\n<p>Individual staff members may also be protected by rights of a work council under the Works Constitution Act (BetrVG). For instance, the employer may have to inform the works council in full and in good time of any proposed \u201calterations\u201d which may entail substantial disadvantages for the staff and consult the works council on the proposed alterations (Section 111 BetrVG).<\/p>\n<p>Furthermore, outsourcing IT services might be considered a &#8220;transfer of operations &#8221; under Section 613a of the German Civil Code (BGB). In the event of a transfer of operations, the acquirer of the business enters into all existing employment relationships of the seller as a mandatory legal consequence. The termination of the employment relationship of an employee by the previous employer or by the new owner due to transfer of a business or a part of a business is ineffective (Section 613a (4) BGB).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and\/or services, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Telecommunications networks and services are mainly regulated in the Telecommunications Act (TKG). The purpose of the TKG is to promote competition in the telecommunications sector and efficient telecommunications infrastructures through technology-neutral regulation and to ensure adequate and sufficient services nationwide (Section 1 (1) TKG). The TKG contains regulations on market regulation, access regulation, fee regulation, abuse prevention, customer protection, information on infrastructure and network expansion, frequency regulation as well as public safety and emergency preparedness.<\/p>\n<p>The Telecommunications Digital Services Data Protection Act (TDDDG) contains, i.a., special provisions on the protection of personal data and privacy when using telecommunications services, in particular regarding confidentiality of telecommunications and the use of traffic or location data.<\/p>\n<p>Supplementary to the aforementioned laws, a multitude of regulations exist that cover distinct elements of telecommunications. The overarching purpose of these regulatory instruments is to facilitate the efficient functioning of telecommunications services, safeguard the rights of consumers and guarantee the security of information technology systems.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise any licensing or authorisation requirements applicable to the provision or receipt of telecommunications services in your country. Please include a brief overview of the relevant licensing or authorisation regime in your response.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The provision of telecommunications services in Germany is subject to a general authorisation regime under the TKG. Since the liberalisation of the telecommunications sector, the operation of public telecommunications networks and the provision of publicly available telecommunications services does not require an individual licence but instead requires a prior notification to the Federal Network Agency (Bundesnetzagentur) in accordance with Section 5 (1) TKG.<\/p>\n<p>This notification must include, i.a., the name and address of the undertaking, a description of the intended activity, and the planned date of commencement. Upon successful notification, the undertaking is entered into a public register and becomes subject to the general regulatory framework, including transparency obligations, customer protection measures, and network integrity requirements (cf. Section 5 (4) TKG).<\/p>\n<p>Number-independent interpersonal telecommunications services (such as email services or messenger services) are expressly exempted from the notification requirement under Section 5 TKG.<\/p>\n<p>In contrast, the use of scarce public resources, such as radio frequencies and numbering resources, remains subject to individual rights of use. Such rights must be formally granted by the Bundesnetzagentur in accordance with Sections 91 et seq. TKG (frequency usage rights) and Sections 108 et seq. TKG (number allocation). Depending on the spectrum, allocation may take place via administrative procedures or competitive processes, such as public tenders or auctions (cf. Section 100 TKG).<\/p>\n<p>Cross-border service provision within the European Economic Area (EEA) generally does not require additional authorisation due to the harmonised regulatory framework under the European Electronic Communications Code. However, non-EEA providers that target the German market may be required to appoint a legal representative in the EU and comply with the notification obligations under Section 5 TKG, depending on the specific nature of the service.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise the principal laws (present or impending) that govern access to communications data by law enforcement agencies, government bodies, and related organisations. In your response, please outline the scope of these laws, including the types of data that can typically be requested, how these laws are applied in practice (e.g., whether requests are confidential, subject to challenge, etc.), and any legal or procedural safeguards that apply.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Access to communications data by public authorities in Germany is governed by various national laws, particularly the TKG, the TDDDG, and the German Code of Criminal Procedure (Strafprozessordnung \u2013 StPO). These laws distinguish between different categories of data, such as customer data, traffic data, location data and content data, each subject to specific access and safeguard requirements.<\/p>\n<p>Pursuant to Section 3 TDDDG, telecommunications secrecy is protected as a fundamental principle. However, access may be granted under specific legal authorisations. Under Section 173 TKG, law enforcement agencies and certain regulatory bodies may obtain customer data via an automated information system. Access to extended subscriber data and traffic data requires a formal request under Section 174 TKG, which must be legally justified and proportionate, and is subject to judicial and administrative oversight. For example, access in criminal investigations may be based on Section 161 StPO, while preventive access by federal authorities may be based on Section 10 of the Federal Criminal Police Office Act (BKAG).<\/p>\n<p>The interception of communications and the retrieval of content data are governed by Section 170 TKG and typically require a judicial order pursuant to Section 100a StPO. Such measures are reserved for serious criminal offences and are subject to strict necessity and proportionality tests.<\/p>\n<p>General data retention obligations (Vorratsdatenspeicherung) are currently not enforceable in Germany. The Federal Constitutional Court and the Court of Justice of the European Union have declared previous legislative attempts incompatible with constitutional and EU fundamental rights. Instead, German law currently relies on targeted preservation requests under Section 100g StPO (the so-called \u201cquick freeze\u201d approach), which allows authorities to require telecommunications providers to secure specific data in individual investigations.<\/p>\n<p>Access requests are typically confidential and not disclosed to the data subjects during ongoing investigations. However, affected individuals must in principle be informed ex post unless an exemption applies. Legal remedies are available, including court proceedings and constitutional complaints. In addition, oversight is ensured through data protection authorities, judicial review and, in the case of intelligence-related access, through dedicated parliamentary control bodies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Mobile communications and connected technologies \u2013 What are the principle standard setting organisations (SSOs) governing the development of technical standards in relation to mobile communications and newer connected technologies such as digital health or connected and autonomous vehicles?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Federal Network Agency (Bundesnetzagentur), Germany&#8217;s main authority for infrastructure, promotes interoperability and standardisation with respect to information and communication technology by collaborating with various SSOs at national, European and international level. The following key SSOs are currently mentioned by the Bundesnetzagentur for mobile communications and connected technologies:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Mobile communications:<\/li>\n<\/ul>\n<p>The 3rd Generation Partnership Project (3GPP) is a global cooperation between standardisation bodies which includes the ETSI (European Telecommunications Standards Institute, a leading SSO in Europe). In 2019, 3GPP for instance published an initial package of 5G specifications.<\/p>\n<p>Recently, global research activities on 6G have gained significant momentum. In the radio sector of the International Telecommunication Union (ITU-R), initial work on 6G was launched in March 2021, the results of which will be incorporated into 3GPP in the future.<\/p>\n<ul style=\"padding-left: 0\">\n<li>Connected technologies:<\/li>\n<\/ul>\n<p>Machine-to-machine (M2M) communication refers to technologies that for instance enable automated exchange of data between devices. It encompasses various application areas such as e-health or automotive technology communication and plays a significant role in the Internet of Things (IoT). The standardisation of M2M is handled by different committees that focus on specific fields of application. OneM2M, a global partnership for standardisation of M2M, includes, i.a., the European SSO ETSI.<\/p>\n<p>Dedicated Short Range Communication (DSRC) is one of the technologies that can be used in vehicles for collision avoidance, congestion reporting or toll collection. Current standardisation activities on this topic are taking place at ETSI and 3GPP, among others.<\/p>\n<p>Intensive standardisation work has been going on at ETSI for several years in the area of Reconfigurable Radio Systems (RRS), which are expected to offer the possibility to support the needs of our networked world \u2013 including the Internet of Things (IoT) \u2013 e.g. by sharing frequencies between different services.<\/p>\n<p>For a comprehensive overview of other relevant SSOs in Germany, see the website of the Federal Network Agency (Bundesnetzagentur).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Mobile communications and connected technologies \u2013 How do technical standards facilitating interoperability between connected devices impact the development of connected technologies?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Technical standards facilitating interoperability between connected devices are crucial for the development of connected technologies. They play a vital role in ensuring seamless communication, fostering innovation, and driving market growth.<\/p>\n<p>Key legal frameworks in Germany include the Telecommunications Act (TKG), the Act on Electromagnetic Compatibility of Equipment (EMVG), and the Radio Equipment Act (FuAG). These laws transpose EU directives into national legislation and provide the legal basis for technical standards and interoperability requirements.<\/p>\n<p>For a comprehensive overview of relevant technical standards, the Federal Network Agency (Bundesnetzagentur) website serves as a valuable resource, offering information on standards, regulatory requirements, and developments in connected technologies and telecommunications.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data protection in Germany is primarily governed by the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). The Telecommunications Digital Services Data Protection Act (TDDDG) additionally regulates telecommunications secrecy and data protection for telecommunications and digital services.<\/p>\n<p>The GDPR ensures that personal data is processed lawfully (see Article 6 GDPR), fairly and in a transparent manner for specified purposes and imposes various obligations on companies. They must maintain records of processing activities (Article 30 GDPR), providing a comprehensive overview of their data processing operations. In case of data breaches, controllers are required to notify the supervisory authority and, in certain cases, the affected individuals (Article 33, 34 GDPR). Companies must implement appropriate technical and organisational measures to ensure data security (Article 32 GDPR), which may include encryption, regular testing, and measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems. In many cases, organisations are required to appoint a data protection officer (Article 37 GDPR) to oversee compliance and act as a point of contact for data subjects and supervisory authorities. Transfers of personal data to third countries outside the EU\/EEA are subject to strict requirements (Chapter V GDPR), often necessitating appropriate safeguards such as standard contractual clauses or binding corporate rules.<\/p>\n<p>The GDPR also grants data subjects extensive rights, including the right to information, access, rectification, erasure, and data portability.<\/p>\n<p>The BDSG complements the GDPR, providing specific local rules for data processing by public bodies and addressing particular processing situations. The TDDDG focuses on the protection of privacy in telecommunications and digital services, such as restrictions on storing information on user devices (Section 25 TDDDG).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The maximum sanctions for data protection breaches are primarily set by the GDPR. For the most serious infringements, fines can reach up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (5) GDPR). Less severe breaches may incur fines up to EUR 10 million or 2% of annual turnover (Article 83 (4) GDPR). The German Federal Data Protection Act (BDSG) also provides for criminal penalties in certain cases, including imprisonment up to three years (Section 42 BDSG). Additionally, the TDDDG allows for fines up to EUR 300,000 for specific telecommunications and digital services-related infringements (Section 28 (2) TDDDG).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Usually, technology contracts in Germany include clauses that mandate compliance with applicable data privacy laws as cardinal obligations. Beyond such general clauses, these contracts typically do not and should not include references to external data protection regimes, as the GDPR is directly applicable. It is uncommon for purely domestic contracts to reference external regimes like the CCPA. However, data processing agreements (as per Article 28 GDPR) commonly contain more detailed references to specific data protection requirements, which may include mentions of other relevant data protection regimes when international aspects are involved.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cybersecurity \u2013 Please summarise the principal laws (present or impending), if any, that govern cybersecurity (to the extent they differ from those governing data protection), including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cybersecurity regulation in Germany is governed by a distinct legal framework that complements data protection laws such as the GDPR and the Telecommunications and Telemedia Data Protection Act (TDDDG). The core legislation is the Act on the Federal Office for Information Security (Gesetz \u00fcber das Bundesamt f\u00fcr Sicherheit in der Informationstechnik \u2013 BSIG), which establishes key obligations for operators of critical infrastructure (KRITIS) regarding IT security. Pursuant to Section 8a BSIG, such operators \u2013 including, for example, providers in the energy, water, healthcare, telecommunications or transport sectors \u2013 are required to implement appropriate organisational and technical precautions to protect their IT systems and must regularly demonstrate compliance to the Federal Office for Information Security (BSI).<\/p>\n<p>In addition, the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), which amended the BSIG in 2021, significantly broadened the scope of cybersecurity regulations. It introduced the category of &#8216;companies of special public interest&#8217; (Unternehmen im besonderen \u00f6ffentlichen Interesse \u2013 UBI), as defined in Section 2 (14) BSIG. This category encompasses, for example, certain defence industry companies, large economically significant enterprises, specific financial market players, and operators of defined digital services. These entities are subject to enhanced obligations, including mandatory reporting of significant IT security incidents to the Federal Office for Information Security (BSI) as per Section 8b (4) BSIG, and requirements concerning the reliability of critical IT components and their suppliers, referenced in Section 9c BSIG.<\/p>\n<p>On the European level, the implementation of the EU Directive (EU) 2022\/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) is underway. Once transposed, it will significantly expand the scope of cybersecurity obligations. In addition to traditional critical infrastructure, it will also apply to a broader set of entities in sectors such as digital infrastructure (e.g. DNS service providers, cloud computing services), public administration, and manufacturing of critical products (e.g. medical devices, chemicals, electronics). The directive sets out harmonised rules on risk management, mandatory security incident notification and supervisory powers. Although the directive was originally to be implemented by October 2024, the legislative process in Germany has been delayed. Following early federal elections in February 2025, the parliamentary process for the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) could not be completed. A new timeline for implementation is expected to be determined by the new government.<\/p>\n<p>Other relevant cybersecurity provisions can be found in sector-specific regulations. The Telecommunications Act (TKG), for instance, imposes security obligations on telecommunications network and service providers, including requirements on availability, integrity and reporting of disruptions (cf. Section 165 TKG). In the financial sector, the Digital Operational Resilience Act (DORA) has been in effect since 17 January 2025 and imposes detailed ICT risk management and incident reporting obligations on financial institutions and designated ICT third-party providers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cybersecurity \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The maximum sanctions for breaches of cybersecurity obligations in Germany depend on the specific regulatory framework and the category of the affected entity. Under the Act on the Federal Office for Information Security (BSIG), the Federal Office for Information Security (BSI) may impose administrative fines of up to EUR 2 million for certain infringements, such as failure to notify security incidents or inadequate technical and organisational measures (cf. Section 14 BSIG).<\/p>\n<p>The IT Security Act 2.0 further expanded the fining powers of the BSI, particularly in relation to violations by companies of special public interest (UBI). For instance, breaches of obligations regarding critical component certification or supplier reliability under Section 9c BSIG may lead to significant fines, though exact ceilings depend on the specific conduct and enforcement provisions.<\/p>\n<p>In addition, once implemented, the NIS 2 Directive (Directive (EU) 2022\/2555) will introduce harmonised sanction regimes across the EU, requiring Member States to ensure that competent authorities have the power to impose administrative fines of up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (cf. Article 34 NIS 2 Directive). This aligns with the sanction levels familiar from the GDPR and represents a considerable increase in potential exposure for affected entities. The German NIS2 implementation act (NIS2UmsuCG) is expected to transpose these requirements, with updated enforcement provisions.<\/p>\n<p>Sector-specific legislation may provide for additional or parallel sanctions. For example, under the Telecommunications Act (TKG), the Federal Network Agency (Bundesnetzagentur) may impose fines of up to EUR 100,000 for breaches of IT security-related obligations by network and service providers, such as failure to implement required protection measures or to report security incidents (cf. Section 228 TKG).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Which body(ies), if any, is\/are responsible for the regulation of artificial intelligence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Germany has not yet formally designated a single market surveillance authority for AI under the EU AI Act, which entered into force on 1 August 2024, and will become applicable in a phased manner. Key provisions, such as those on prohibited AI systems, already apply since February 2025. Rules for General-Purpose AI models will apply from August 2025, and most provisions, particularly for high-risk AI systems, will apply from August 2026.<\/p>\n<p>The Federal Network Agency (Bundesnetzagentur) is a key authority being considered for the role of market surveillance authority for AI, while the Data Protection Conference (Datenschutzkonferenz \u2013 DSK) has advocated for a co-regulatory approach. Sector-specific oversight is expected to remain with authorities such as BaFin (financial services), the Federal Cartel Office (competition), and the Federal Office for Information Security (BSI), depending on the risk category and use case.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The primary law governing AI in the EU, including Germany, is the new EU AI Act. This comprehensive framework addresses risks associated with AI applications while promoting innovation. It adopts a risk-based approach, categorizing AI systems into four risk levels: unacceptable (banned), high (strictly regulated), limited (transparency requirements), and minimal (freely usable). Key aspects include prohibiting unacceptable risk AI practices, setting stringent requirements for high-risk AI systems, establishing obligations for deployers and providers, requiring conformity assessments before market introduction, and enforcing compliance through European and national governance structures. High-risk AI systems must undergo risk assessments, use quality data sets, ensure traceability, provide documentation, implement human oversight, and maintain robust security. The AI Act forms part of a broader EU policy initiative, including the Coordinated Plan on AI and the AI Innovation Package, aiming to balance safety, fundamental rights protection, and AI innovation. While already adopted, its full implementation in Germany is still in progress, with national authorities working on aligning their regulatory frameworks with the Act&#8217;s requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and\/or generative AI (including agentic AI)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The EU AI Act introduces specific legal provisions for Large Language Models and generative AI, particularly under the category of general-purpose AI models (Articles 51-55). It establishes distinct regulations for these models, especially those with systemic risk (Article 51). Providers of general-purpose AI models must maintain technical documentation, provide information to AI system providers integrating their models, comply with copyright laws, and publish summaries of training data content (Article 53). For models with systemic risk, additional obligations apply, including performing model evaluations, assessing and mitigating systemic risks, reporting serious incidents, and ensuring cybersecurity protection (Article 55).<\/p>\n<p>In addition to the AI Act, the deployment of generative AI solutions must comply with other relevant legal frameworks, such as works council co-determination rights and data protection regulations when processing personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Do technology contracts in your jurisdiction typically contain either mandatory (e.g. mandated by statute) or recommended provisions dealing with AI risk? If so, what issues or risks need to be addressed or considered in such provisions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The European Commission has published standard contractual clauses for public procurement of AI systems, with two versions available: one for high-risk AI and one for non-high-risk AI. These standard contractual clauses are designed for public bodies procuring AI systems developed by external suppliers. The clauses are not mandatory but provide a structured template that may influence future contracting standards, including in the private sector.<\/p>\n<p>For the private sector, there is no established standard for addressing AI risks in B2B contracts, as European and national legal frameworks on AI liability are still under development. However, to adequately address risks in private contracts, parties may consider including provisions that address:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Data quality and management, including data protection and privacy compliance<\/li>\n<li>Transparency and explainability of AI decision-making processes<\/li>\n<li>Performance metrics and quality assurance measures<\/li>\n<li>Liability and indemnification for AI-related errors or harm<\/li>\n<li>Ethical AI use and compliance with relevant guidelines or standards<\/li>\n<li>Intellectual property rights related to AI systems and training data<\/li>\n<li>Cybersecurity measures and incident response protocols<\/li>\n<li>Regular auditing and monitoring of AI system performance<\/li>\n<li>Human oversight and intervention mechanisms<\/li>\n<li>Provisions for system updates, maintenance, and decommissioning<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Do software or technology contracts in your jurisdiction typically contain provisions regarding the application or treatment of copyright or other intellectual property rights, or the ownership of outputs in the context of the use of AI systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Software and technology contracts involving AI systems typically contain provisions regarding intellectual property rights and ownership of outputs. This is especially relevant for solutions in the field of generative AI, such as text or image generators. Contracts usually specify that users obtain extensive usage rights to the AI-generated content. This is often the default position in standard terms of use, but the scope of these rights can vary. Many contracts also allow for commercial use of AI-generated content, particularly in paid versions of the service. However, some providers may restrict commercial use in free versions.<\/p>\n<p>When procuring AI solutions, companies should ensure that contracts clearly differentiate between the training phase, specifying which content can be used for training the AI model, and the application phase, defining ownership and usage rights of the AI-generated outputs.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Blockchain \u2013 What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The European Union has taken a leading global role in establishing regulations for the application of distributed ledger and blockchain technology in the financial market. Key initiatives include the Regulation on Markets in Crypto-Assets (MiCAR), the Transfer of Funds Regulation (TFR), and the Regulation on the establishment of a DLT Pilot Regime. These legislative measures aim to establish a consistent, standardised legal framework across Europe for the lawful handling and further experimentation with DLT in the financial sector. Through this unified regulatory approach, the EU acknowledges the potential of distributed ledger technology and seeks to address various challenges it presents, including those related to financial stability, market integrity, and consumer protection. Ultimately, these efforts are expected to foster greater trust among market participants.<\/p>\n<p>In Germany, the regulation of blockchain technology and digital assets is further governed by several key laws. The German Banking Act (Kreditwesengesetz \u2013 KWG) includes crypto-assets and crypto custody business as financial services, requiring authorisation from BaFin. The German Electronic Securities Act (Gesetz \u00fcber elektronische Wertpapiere \u2013 eWpG) allows for the issuance of electronic securities, including those based on blockchain. The Fund Jurisdiction Act (Fondsstandortgesetz \u2013 FoStoG) regulates investment funds that incorporate crypto-assets. Lastly, the German Crypto Asset Transfer Regulation (KryptoWTransferV) implements the FATF\u2019s &#8220;travel rule&#8221; to prevent money laundering through enhanced due diligence for crypto-asset transfers. These regulations aim to create a stable and trustworthy legal environment for the adoption and use of blockchain technologies and digital assets in Germany.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Search Engines and Marketplaces \u2013 Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Search engines and marketplaces are primarily regulated by two key EU legislations: the Digital Services Act (DSA) and the Digital Markets Act (DMA).<\/p>\n<p>The DSA provides a unified set of rules to protect users and combat illegal online content. It regulates obligations and liability of intermediary services, including hosting providers, online platforms, marketplaces, and search engines (Article 2 DSA). Key provisions include:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Content moderation obligations (Article 16 DSA)<\/li>\n<li>Internal complaint-handling and dispute-settlement mechanisms (Articles 20, 21 DSA)<\/li>\n<li>Transparency reporting requirements (Article 24 DSA)<\/li>\n<li>Ban on deceptive practices like dark patterns (Article 25 DSA)<\/li>\n<li>Restrictions on ads targeting minors based on profiling (Article 28 DSA)<\/li>\n<li>Traceability requirements for traders on online marketplaces (Article 30 DSA)<\/li>\n<\/ul>\n<p>Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) face additional obligations, including systemic risk assessments (Article 34 DSA), annual risk assessments (Article 35 DSA), and maintaining public repositories of displayed advertisements (Article 39 DSA).<\/p>\n<p>The DMA targets &#8220;gatekeepers&#8221; (Article 3 DMA) \u2013 large digital platforms providing &#8220;core platform services&#8221; in at least three Member States. It aims to ensure fair and open digital markets by:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Requiring interoperability with third-party services (Article 7 DMA)<\/li>\n<li>Allowing access to data generated on their platforms (Article 6 (10) DMA)<\/li>\n<li>Prohibiting self-preferencing in rankings (Article 6 (5) DMA)<\/li>\n<li>Ensuring users can connect with businesses outside the platform (Article 5 (5) DMA)<\/li>\n<\/ul>\n<p>In addition to these specific regulations, search engines and marketplaces must also comply with general data protection laws, particularly the General Data Protection Regulation (GDPR). Of particular importance in this context is the &#8220;right to be forgotten&#8221; (Article 17 GDPR), which allows individuals to request the deletion of personal data, including the removal of search results linking to such information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Social Media \u2013 Please summarise the principal laws (present or impending), if any, that govern social media and online platforms, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Germany, social media platforms operate within a complex regulatory framework that combines EU-wide regulations with national laws. The European Digital Services Act (DSA), forms a cornerstone of this framework, introducing comprehensive obligations for online platforms, with particularly stringent rules for very large platforms. It mandates content moderation procedures, transparency measures, and user protection mechanisms.<\/p>\n<p>Complementing this at the national level is the German Digital Services Act (DDG), which contains, i.a., provisions on dealing with violations of the law by users of digital services. The DDG replaced the Telemedia Act (TMG) and large parts of the Network Enforcement Act (NetzDG), which prior to the DSA required social media platforms to implement effective complaint management systems and promptly remove illegal content.<\/p>\n<p>The Interstate Treaty on Media (Medienstaatsvertrag) further regulates media diversity and user protection across various online platforms, including social media. Additionally, child protection regulations such as the Youth Protection Act aim to safeguard minors from harmful content on social media and other online platforms. The regulatory landscape remains dynamic, with ongoing adjustments to address emerging challenges in the digital sphere, requiring social media companies operating in Germany to continuously adapt to ensure compliance while maintaining their services.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Social Media \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable online safety laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the EU Digital Services Act (DSA), regulators may impose fines of up to 6% of a platform\u2019s total worldwide annual turnover for serious breaches, particularly by Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) (cf. Article 52 DSA). Violations may include failures in content moderation, transparency obligations, or systemic risk mitigation.<\/p>\n<p>In Germany, the Digital Services Act (Digitale-Dienste-Gesetz \u2013 DDG) governs national enforcement and empowers authorities to impose fines aligned with the DSA, for example for failure to report illegal content or to appoint a legal representative (cf. Section 33 DDG).<\/p>\n<p>The DSA and its national implementation through the DDG have largely replaced the former Network Enforcement Act (NetzDG), which had provided for fines of up to EUR 50 million for persistent failures to remove illegal content. These core enforcement functions now fall under the harmonised EU regime, where significantly higher penalties may apply.<\/p>\n<p>Additional sanctions may arise under sector-specific laws such as the Youth Protection Act and the Interstate Treaty on Media, particularly in cases involving child protection or audiovisual regulation. Relevant enforcement bodies include the Federal Office for the Protection of Minors in the Media (BPjM) and the State Media Authorities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Spatial Computing \u2013 Please summarise the principal laws (present or impending), if any, that govern spatial computing, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Spatial computing technologies such as augmented, virtual, or mixed reality are not yet subject to a dedicated legal framework in Germany. Instead, they are regulated through a range of existing cross-sectoral laws, depending on the specific use case.<\/p>\n<p>Where spatial computing involves the processing of personal data \u2013 for example, through motion tracking, facial recognition, or geolocation \u2013 the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) apply. The Telecommunications and Telemedia Data Protection Act (TDDDG) may also be relevant for device-based interactions.<\/p>\n<p>For hardware and immersive devices, product safety rules under the Product Safety Act (ProdSG) and the new EU General Product Safety Regulation (2023\/988) ensure that AR\/VR equipment meets applicable health and safety standards. If used in educational or media contexts, the Youth Protection Act and the Interstate Treaty on Media may also apply, particularly where minors are involved.<\/p>\n<p>Looking ahead, spatial computing may increasingly fall within the scope of upcoming horizontal digital legislation, including the AI Act, Data Act, and Cyber Resilience Act, depending on its integration with connected systems and AI functionalities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Quantum Computing \u2013 Please summarise the principal laws (present or impending), if any, that govern quantum computing and\/or issues around quantum cryptography, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Quantum computing is not yet governed by a dedicated regulatory framework in Germany or at the EU level. However, existing laws in the areas of cybersecurity, export control, and research funding provide a general legal structure relevant to the development and deployment of quantum technologies.<\/p>\n<p>At the EU level, the Chips Act and the Strategic Technologies for Europe Platform (STEP) promote quantum innovation through targeted investment and infrastructure support. The European Quantum Communication Infrastructure (EuroQCI) initiative further aims to establish a secure quantum communication network across the EU, with a focus on quantum key distribution (QKD).<\/p>\n<p>Quantum cryptography and quantum-resilient systems are also increasingly relevant under cybersecurity legislation. In Germany, the Federal Office for Information Security Act (BSIG) and the upcoming EU Cyber Resilience Act form the basis for evaluating encryption standards and future-proofing critical infrastructure against potential quantum threats.<\/p>\n<p>In addition, quantum technologies with potential military or surveillance applications may fall within the scope of the EU Dual-Use Regulation (Regulation (EU) 2021\/821), which imposes export restrictions on certain high-risk technologies.<\/p>\n<p>While the legal framework for quantum computing remains general and fragmented, further regulation is expected as practical applications and security concerns evolve.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Datacentres \u2013 Does your jurisdiction have any specific regulations that apply to data centres?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Germany does not have a single, dedicated legal framework governing data centres. However, operators and developers must comply with a complex mix of cross-sectoral and project-specific regulations, depending on the function, size, and classification of the facility.<\/p>\n<p>From a real estate and planning perspective, data centres must meet local zoning, construction and environmental permitting requirements. These are governed by federal and state-level building codes and, where applicable, the Federal Immission Control Act (BImSchG). If extensive cooling or backup power infrastructure is involved, energy and environmental permits may be required.<\/p>\n<p>Data centres that support essential services, such as those in the health, finance or telecom sectors, may qualify as critical infrastructure and are subject to additional cybersecurity obligations under the BSI Act (BSIG), including minimum technical standards and mandatory incident reporting.<\/p>\n<p>In terms of sustainability, the Energy Efficiency Act (EnEfG) imposes obligations for large data centres, including mandatory efficiency targets, reporting duties and energy re-use requirements. The act aims to align data centre operations with Germany\u2019s broader climate and digitalisation goals.<\/p>\n<p>The reliable energy supply and waste heat utilisation have also become central regulatory concerns, particularly in urban areas with high energy demand and limited grid capacity. Operators increasingly require negotiated solutions on grid access, power purchase agreements (PPAs), and district heating integration, particularly for hyperscale and co-location data centres.<\/p>\n<p>While no central licence is required to operate a data centre, the regulatory burden is high, and successful project delivery typically requires multidisciplinary legal advice across real estate, energy, planning, IT, and regulatory law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">General \u2013 What are your top 3 predictions for significant developments in technology law in the next 3 years?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ul style=\"padding-left: 0\">\n<li>Operational Enforcement of the EU AI Act and Evolution of AI Liability Frameworks<\/li>\n<\/ul>\n<p>The EU AI Act is rapidly moving into its operational phase, with national authorities focusing on implementation, risk classification, and market surveillance. We anticipate a sharp increase in regulatory guidance, standard-setting, and initial enforcement actions, particularly as key provisions for General-Purpose AI models became applicable in August 2025 and most obligations for high-risk AI systems will apply from August 2026. In parallel, the discussion around civil liability for AI-related harm will intensify. While the proposed AI Liability Directive was withdrawn, the need for clarity on how existing frameworks (like the revised Product Liability Directive) or new targeted initiatives will address damages, especially in high-risk applications such as healthcare, mobility, and employment, remains a key focus.<\/p>\n<ul style=\"padding-left: 0\">\n<li>Deepening Convergence of Cybersecurity, Digital Resilience, and Supply Chain Regulation<\/li>\n<\/ul>\n<p>The integration of cybersecurity and operational resilience frameworks will intensify significantly. This is primarily driven by the imminent full national application of the NIS 2 Directive (the German transposition, NIS2UmsuCG, is expected soon after delays), the Digital Operational Resilience Act (DORA), which has been fully applicable since January 2025, and the phased application of the Cyber Resilience Act (CRA), with first provisions applying from June 2026 and full application by December 2027. Technology service providers\u2014including cloud, software, and hardware vendors\u2014will face increasingly strict reporting, compliance, and third-party risk obligations. Regulatory scrutiny will broaden to cover entire digital service ecosystems and their supply chains, extending beyond traditional critical infrastructures.<\/p>\n<ul style=\"padding-left: 0\">\n<li>Broadening Reach of Data Governance and Platform Regulation into Traditional Sectors<\/li>\n<\/ul>\n<p>The practical application of the Data Act (fully applicable from September 2025), along with the already operational Digital Services Act (DSA) and Digital Markets Act (DMA), will continue to fundamentally reshape platform regulation, access to non-personal data, and B2B\/B2G data sharing. These horizontal regimes are set to increasingly impact sectors such as energy, health, mobility, and manufacturing, which historically operated under distinct regulatory schemes. We anticipate new regulatory disputes over interoperability, access obligations, and the evolving role of gatekeeper platforms in emerging technology contexts, including IoT, edge computing, and industrial AI applications.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">General \u2013 Do technology contracts in your country commonly include provisions to address sustainability \/ net-zero obligations or similar environmental commitments?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Sustainability-related provisions are not yet standard in most private-sector technology contracts in Germany, but their inclusion is increasing \u2013 particularly in large-scale procurement, public tenders, and long-term outsourcing or cloud service agreements.<\/p>\n<p>In the public sector, contracting authorities often include environmental criteria in award procedures, based on the Federal Climate Protection Act (KSG) and sustainability procurement guidelines. In the private sector, ESG-conscious companies may include contractual clauses addressing data centre energy use, green software practices, waste heat reuse, or renewable power procurement (e.g. PPAs) \u2013 especially in IT infrastructure and cloud service deals.<\/p>\n<p>Broader regulatory drivers such as the Corporate Sustainability Reporting Directive (CSRD), the Supply Chain Due Diligence Act (LkSG) and anticipated ESRS standards are beginning to influence tech contracts indirectly, as corporate clients increasingly require environmental transparency and lifecycle data from technology suppliers.<\/p>\n<p>While sustainability clauses are not yet market standard, they are becoming more common in response to compliance needs, reputational risks, and climate-related performance targets \u2013 particularly among listed companies and multinationals operating in Germany.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">8341<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/110046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=110046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}