Coalition agreement 2025: The start of a new digital policy

Contents

On April 9, 2025, the future coalition partners CDU, CSU and SPD presented their coalition agreement for the 2025 to 2029 term of the German Bundestag in Berlin. A coalition agreement is not a law, nor is it merely an election program. Rather, it is a political commitment that is intended to serve the future federal government as a common basis for legislation, administration and political strategy work.

Tobias Haar

Tobias Haar is a lawyer specialising in IT law at Vogel & Partner in Karlsruhe. He also studied legal informatics and holds an MBA.

The agreement is not legally enforceable, but politically it is highly binding: it serves as a guideline for the ministries, the legislature and the administration. The new coalition agreement comprises 126 pages and is still subject to approval by the party committees. However, it is already the most precise and comprehensive digital reform manifesto of any federal government in history.

The central projects concern the fundamental realignment of administrative law, data protection, data policy and the regulatory framework for artificial intelligence and cybersecurity. For the first time, an independent Federal Ministry for Digital Affairs is also to be created – with a coordinating function for cross-departmental digital projects. This restructuring is of considerable practical importance for companies, public authorities and IT service providers. It requires a rethink not only in technical terms, but above all in legal terms.

Digital Ministry sets the pace for the new legal architecture

With the Federal Ministry for Digital Affairs, the federal government is for the first time drawing a clear structural consequence of the previous fragmentation of digital policy responsibilities. The ministry is to coordinate across departments, bundle strategic digital projects and, above all, manage the cross-departmental implementation of projects such as administrative digitization, digital identities, data policy and AI strategy.

In practice, this means that all digital laws and regulations – from administrative procedural law and IT security legislation to digitization funding programs – are to be developed under a single strategic leadership in the future. It is hoped that this will lead to increased consistency, accelerated procedures and coherent legislation.

In practice, this will create a new steering body that companies working with the public sector in particular will have to deal with. The Ministry of Digital Affairs will become a key player in the approval, standardization, and legalization of digital processes –, such as interoperability standards, interface guidelines and certification procedures.

Data and AI governance: the path to new legal foundations

In terms of content, the treaty covers a broad field that can only be described in legal terms as a separate legal matter: Data and AI governance. For the first time, the term "data law" is explicitly understood as an area of law in need of regulation. The German government is planning to draft a data code that will systematize existing regulations and create new instruments for data availability, processing, and use. The focus here is on the legitimization of data sharing: who is allowed to use data, in what way and with what rights for those affected?

The establishment of data trust models envisaged by the coalition agreement aims to create a legally secure intermediary structure. The aim is to create a legally secure intermediary between data owners, users and third parties. The political goals identified in a brief evaluation by the industry association Bitkom, including a binding interoperable ecosystem for data exchange –, can only be achieved through new, clearly defined civil and public law instruments. This also includes sector-specific data access obligations, for example in the healthcare, mobility and Industry 4.0 sectors.

At the same time, the implementation of the EU AI Act has been declared a priority task. The plan to create sector-specific real-world laboratories with legal freedom of experimentation will be flanked by a planned federal experimentation law. The use of AI systems is to be under human supervision, with clear regulations on liability, auditing and technical traceability. In addition, Germany should play a leading role in the development of secure AI – not only in terms of standards, but also in terms of infrastructure through funding programs for language models and dedicated data centers.

Data protection policy between de-bureaucratization and supervisory coherence

In the area of data protection, the current structure of supervision is being questioned. The coalition is planning an institutional reform in which the Federal Commissioner for Data Protection will be developed into a commissioner for "data use, data protection and freedom of information". This is not just a semantic re-designation, but reflects a clear shift in focus towards enabling data processing. The Data Protection Conference (DSK), previously an informal body, is also to be institutionalized by law and given coordination powers.

In legal terms, this is an attempt to achieve greater uniformity in the application of the GDPR, particularly for small and medium-sized enterprises and non-profit organizations. According to Bitkom's evaluation of data policy, the plan is to replace the previous diversity of data protection interpretations with "legal clarity and practicality". This is particularly relevant for data-intensive digital processes such as smart city infrastructures or AI-supported administrative decisions.

In the European context, Germany should also advocate for the compatibility of the GDPR with data use in the public interest, for example in public research or public services of general interest. This could lead to adjustments to the GDPR itself in the medium to long term, provided sufficient political support is achieved at EU level.

Surveillance measures straight out of the textbook

While the coalition agreement is ambitious in terms of digital policy and often surprisingly concrete, it is met with considerable skepticism in parts of civil society –, particularly where fundamental rights and informational self-determination are affected. Critical voices such as the editors of netzpolitik.org or the CCC speak of a "scary program for fundamental rights and freedoms" and criticize a digital strategy dominated by security policy in which civil liberties come under structural pressure.

For example, the planned expansion of state surveillance capacities in the digital space, including active cyber defence and the centralization of security authorities, is interpreted as a threat to the principle of separation between the police and intelligence services. The newly formulated plans for the monitoring of sources, data retention through the back door and automated video surveillance also give rise to fears that surveillance instruments will be further normalized, while counterweights to the rule of law such as judicial control or transparency mechanisms are not considered to the same extent.

The planned state-orchestrated release of data as part of open data and public welfare strategies is not fundamentally rejected, but is viewed under the suspicion that technocratic exploitation interests could be placed above individual rights. From this perspective, the frequently invoked digital sovereignty turns into state control sovereignty – with an open outcome for civil rights. Critics call for data protection to be addressed not only as a brake on innovation, but also as a "constitutive component of a democratically legitimized digital policy". The announced promotion of transparency and participation in digital legislative processes is considered "a touchstone for its credibility". Overall, it is foreseeable that the legislative period that is now beginning will also see some heated discussions about the restriction of fundamental rights in the context of IT security policy legislation.

Cybersecurity and digital resilience as a legislative imperative

The topic of cybersecurity is also being legally reorganized. The planned amendment to the BSI Act aims to transform the authority from an advisory body to a central body with the power to issue directives. This also involves new rights of intervention vis-à-vis operators of critical infrastructures, for example in the event of failure to implement security standards. The draft implementation of the NIS2 Directive – which must be transposed into German law – introduces new classifications and reporting obligations.

At the same time, the government is planning to put cloud infrastructures on a new legal footing. The aim is to implement a "sovereign administrative cloud" whose operation and security architecture must meet defined national and European requirements. The Bitkom evaluation explicitly emphasizes the intention to exclude untrustworthy providers of central infrastructure services. From a regulatory perspective, this will primarily affect procurement and security law – with potential conflicts with the principles of equal treatment under European law.

Another important topic is the legal control of data centers: the focus here is on energy efficiency, waste heat utilization and building law. The desired anchoring of digital infrastructure in climate policy leads to new regulatory requirements, for example in immission control, construction planning and energy law. In the future, companies that provide data center services will not only have to be certifiable from a technical perspective, but also from a regulatory perspective.

Conclusion

If the new coalition agreement is implemented, it will mark the beginning of a phase of intensive legal restructuring of the digital order in Germany. The introduction of a digital ministry, a planned data code, the national implementation of the AI Act, a reformed data protection supervisory authority, and a strategically secured cybersecurity architecture are all building blocks of a new governance structure. This structure will interlink technology, law, and political control more closely than ever before.

(ur)