Preview 2026: What's changing in European and German IT law?
In 2026, central innovations in European and German IT law will take effect – from NIS2 and AI and platform regulation to the new EU procurement strategy.
- Tobias Haar
The year 2026 will not be a year of major new headlines in European and German IT law, but a year of consolidation and correction. The building blocks of EU digital law enacted in recent years are beginning to have a widespread effect. At the same time, politicians are trying to use the Digital Omnibus Package to correct errors in timing and overlaps. As a result, and beyond that, further practical changes in IT law are to be expected for companies and public bodies in 2026.
The focus will initially be on AI regulation. As things stand, the vast majority of the provisions of the AI Act are to apply from August 2, 2026, in particular the requirements for high-risk systems according to Annex III, the transparency obligations, and the governance framework with national supervisory authorities and a European AI Board. In parallel, the EU Commission's proposal for the Digital Omnibus Package is now available. This provides for stretching certain high-risk obligations over time and making their full applicability dependent on the availability of practical compliance support tools.
In practice, part of the burden from 2026 will likely shift towards 2027 and 2028, without questioning the basic concept of the risk-based approach. For IT practice, this means that in 2026, the focus will be less on the immediate threat of sanctions and more on how existing AI architectures can be assigned to the upcoming categories and what governance structures will be necessary to be auditable later.
Providing and transferring data
The Data Act, which has been in effect since September 2025 and will have a concrete impact on product life cycles for the first time from September 2026, is directly linked to the AI Act. The central obligation to provide data to users applies to connected products and associated services that are placed on the market after September 12, 2026. Manufacturers and providers of IoT platforms must design their contracts, API strategies, and export functions in such a way that they can technically and organizationally map these access and portability rights.
The Digital Omnibus discussion also aims here to cushion duplications in reporting obligations and overlaps with other cyber regulations, for example, when capturing and reporting incidents (Incident Reporting) and the right to switch cloud providers. In 2026, therefore, further major regulation is less likely than adjustments to the existing data architecture and a first wave of disputes surrounding the scope of Data Act rights in B2B contracts.
AI: the copyright problem
The most visible legal conflict at the intersection of AI and copyright is likely the case between GEMA and OpenAI. The Regional Court of Munich I ruled on November 11, 2025, that OpenAI infringes copyright on song lyrics from the GEMA repertoire by training and operating its language models. The model memorizes these texts and can reproduce them largely true to the original. The decision obliges OpenAI to cease and desist and pay damages and is considered the first landmark ruling in Europe on AI training on copyrighted content.
It is already foreseeable that this will not be the only instance. OpenAI has publicly stated that it is considering an appeal. Observers expect an appeal to the Higher Regional Court of Munich to be filed in 2026. This will address not only the dogmatic classification of training copies and model weights but also the standard for "memorization" and the boundary between permissible statistical use and impermissible reproduction.
This appeal procedure is central to the IT and content industry in two respects. Firstly, the Higher Regional Court will have to clarify whether and to what extent AI providers owe detailed proof of training data and technical measures against memorization. Secondly, the question arises whether certain core copyright terms such as "reproduction," "temporary reproduction," or "public performance" require interpretation under EU law in an AI context.
Decisions expected at European level
Observers expect that the appellate court or the Federal Court of Justice as a possible later revision instance will submit preliminary questions to the European Court of Justice, thus developing a German individual case into a European reference case for AI training. In 2026, procedural groundwork is likely to be laid for this, and interim measures will be discussed, while the actual substantive clarification could slip into the late 2020s. In parallel, the public discussion about financial compensation for copyright holders for the adverse effects of generative AI on their work continues.
Parallel to AI and data law, security requirements are tightening. With the NIS2 Implementation Act, the Bundestag fundamentally reorganized German IT security law in mid-November 2025. The Bundesrat has already approved this law. Thus, the EU directive is being transposed into national law at short notice. The law comprehensively amends the BSI Act and significantly expands the circle of affected companies beyond the previous KRITIS world.
For Germany, 2026 will thus be the start year for the new reporting, risk management, and supervisory obligations. Companies that were not previously subject to the classic KRITIS regime now face the question of whether they fall under important or particularly important facilities within the meaning of the law. In terms of content, the regime introduces minimum standards for technical and organizational measures, tiered reporting obligations with tight deadlines, and significantly expanded intervention powers for the BSI.
This tightening is flanked by the Cyber Resilience Act (CRA), whose reporting requirements for security incidents are planned to apply from autumn 2026, and its further product requirements from the end of 2027. Manufacturers of connected products must organize their development and patching processes by 2026 at the latest so that they can demonstrate future CE conformity, including cybersecurity aspects. Together with DORA in the financial sector and sector-specific security regimes, a more densely woven regulatory network is emerging, which no longer treats IT security incidents merely as operational risks but as regulatory events with reporting, documentation, and governance consequences.
Identity at the center
Another pillar of the digital single market that will become visible in practice in 2026 is the reform of the eIDAS framework. With eIDAS 2.0, the foundation for the European Digital Identity Wallet was laid in 2024, which, according to the new regulation, is to be offered by all member states by 2026. Citizens will be able to digitally hold sovereign documents such as identity cards and driver's licenses, as well as insurance certificates or university degrees, and sign them with qualified signatures.
For companies, this means a new identity infrastructure that can be integrated into registration and login processes. It also raises new compliance questions – for example, when dealing with attribute certificates that contain additional information, and regarding liability in the event of compromised wallets. In Germany, the introduction of the wallet coincides with another reform of electronic legal transactions. A legislative procedure currently underway shifts the deadlines for the complete electronic case file in the judiciary, previously set for January 2026, thus showing that the public sector continues to lag behind its digitalization ambitions.
The horizontal regulation of the platform economy through the Digital Services Act (DSA) and the Digital Markets Act (DMA) is entering a new phase in 2026. Under the DSA, very large platforms and search engines have been in a direct supervisory relationship with the Commission since 2024, which has initiated initial investigations into recommendation algorithms, advertising formats, and the handling of illegal content. At the end of 2025, the delegated regulation on research data access also entered into force, granting researchers extended data usage rights from very large platforms.
DSA: first sanctions expected
In 2026, it is to be expected that the first sanction decisions for systemic DSA violations will find their way to the Union courts, and courts will concretize the still relatively abstract due diligence and transparency obligations. The DMA has already demonstrated its impact in 2025 with high fines against Apple and Meta, which are also heeded far beyond the affected companies due to their steering effect on platform design. The lawsuits announced by the affected hyperscalers against these will likely occupy the General Court of the European Union (GCEU) in the first instance and the Court of Justice of the European Union (CJEU) in the last instance from 2026 onwards and shape the interpretation of key DMA terms such as "self-preferencing" or "anti-steering."
Data protection law also remains a dynamic field in 2026. The list of pending CJEU proceedings on GDPR issues is already extensive, ranging from the qualification of pseudonymized data to the requirements for damages and the attribution of joint responsibility. In parallel, a trend towards mass proceedings and collective enforcement models is emerging, which are directed particularly against large platforms and data-driven business models.
The Federal Court of Justice already clarified in 2025 that certain violations of the GDPR can also be pursued under competition law, i.e., possible violations of the rules of fair and honest competition. In 2026, it is to be expected that cease and desist claims and claims for damages arising from data protection violations will increasingly be linked in competition and civil proceedings. In combination with the Digital Omnibus proposal, which provides for more flexible use of personal data for AI training and fewer cookie banners in some areas, it is foreseeable that the CJEU and national courts will play a stronger corrective role when the legislator adjusts the level of protection.
A debate with immediate IT relevance that is also likely to gain momentum in 2026 concerns public procurement. Under the heading of strategic industrial policy and digital sovereignty, the awarding of IT services, cloud infrastructures, and security products is coming to the fore. The EU Commission wants to reform public procurement: it should become simpler and more innovation-friendly. A possible preference for European companies will likely lead to some discussions. This is linked to demands from politics and industry to anchor Buy-European models at least selectively and, for example, to codify cloud switching capability as a procurement criterion. For IT providers, this means that in 2026, tender documents will consider issues of digital sovereignty, data localization, and open-source strategies more than before. Disputes over the compatibility of national Buy-European concepts with the fundamental freedoms are foreseeable and will eventually concern the CJEU.
Conclusion
2026 will again be a year in which many aspects of IT law will be decided. What is particularly noteworthy, however, is that this will not happen through new paradigms, but through implementation, careful reduction of bureaucracy, and adaptation of existing legal acts to changed realities, as in data protection. For practice, this means fewer new legal texts and more focus on individual aspects. AI regulation, for example, shifts the focus from "whether" to "how." Proceedings such as the expected appeal in the GEMA v. OpenAI case make it clear how deeply courts will have to look into model architectures and training processes in the future.
Cybersecurity, with NIS2, CRA, and sector-specific regulations, is becoming a central governance factor, the disregard of which can have significant legal and economic consequences. At the same time, the Data Act, eIDAS Wallet, and DSA/DMA are interlinking data flows, identity management, and platform structures more closely than before. And finally, while the EU Commission's simplification agenda may streamline processes, it will also noticeably shift the level of protection in data protection and AI. Those who want to act proactively in IT law in 2026 must recognize these trends early and consistently embed them in their strategy.
(ur)