
Jens Engelhardt
IT law continues to evolve with remarkable dynamism in 2026. Three regulatory strands shape the year: the Data Act unfolds its practical impact, the AI Act becomes concrete, and cybersecurity law receives a new foundation with the NIS-2 Implementation Act and the Cyber Resilience Act. In addition, there are groundbreaking court decisions – particularly on copyright in AI training. For companies, this means: those who do not adapt their IT contracts, data strategies, and compliance structures in time risk not only fines but also competitive disadvantages.
What does the Data Act mean for handling product data?
The Data Act has been in force since September 2025 and presents companies with tangible challenges. Manufacturers of connected products must grant users and authorized third parties access to the generated data – but what exactly falls under "product data" remains legally controversial. In the legal literature, four key problem areas are identified: the distinction between direct access and indirect provision claims, the question of whether products that are only physically connectable are covered, and the protection of trade secrets in data sharing.
For cloud providers, the regulations on cloud switching in Chapter VI of the Data Act are of particular importance. New obligations facilitate changing providers, with the Federal Network Agency (BNetzA) acting as the supervisory authority, bringing telecommunications enforcement mechanisms into data law. Existing data licenses should be urgently reviewed – particularly with regard to the distinction between "access" and "use," trade secret protection, and the contract clause requirements under Art. 13 and Art. 25 of the Data Act. On a positive note: according to the prevailing opinion, there is no retroactive effect and therefore no immediate need to adjust existing contracts.
What specific obligations does the AI Act bring for 2026?
The AI Act (AI Regulation) is entering into force in stages and will become directly applicable in many parts in 2026. The requirements for AI competence in executive management under Art. 4 of the AI Act have already been in effect since February 2025. From August 2026, the central regulations for high-risk AI systems apply, including conformity assessment and comprehensive documentation obligations. In addition, there are transparency obligations for AI-generated content, whereby an editorial exemption applies if content has undergone human review and a natural or legal person bears editorial responsibility.
At the national level, the Federal Ministry for Digital Affairs has presented a draft bill of the AI Market Surveillance and Innovation Promotion Act (KI-MIG). The BNetzA is to function as the central market surveillance authority, with special responsibilities assigned, for example, to BaFin in the financial sector. Companies that have AI projects implemented by external "integrators" should clearly define their role under the AI Regulation by contract.
What is the situation regarding copyright in AI training?
The judgment of the Munich I District Court (LG München I) of November 11, 2025 (Ref. 42 O 14139/24) caused a significant stir. In the proceedings of GEMA against OpenAI, the court found that the "memorization" of copyrighted song lyrics in language models constitutes a reproduction within the meaning of § 16 UrhG (German Copyright Act). The decisive point: the text and data mining exception under § 44b UrhG does not automatically protect AI training with protected works. If, during training, not only information is extracted but works are reproduced, the exception does not apply.
In parallel, the ECJ received a request for a preliminary ruling on the question of whether the reproduction of press articles in chatbot responses constitutes communication to the public. The right to one's own voice is also affected: The LG Berlin II has decided that the AI imitation of a voice actor encroaches on the general right of personality. And the AG Cologne has emphasized the attorney's responsibility for AI-generated briefs – a violation of § 43a III BRAO (Federal Regulations for Attorneys) occurs if a brief contains non-existent sources.
What is changing in cybersecurity?
With the NIS-2 Implementation Act, which the Bundestag passed on November 13, 2025, the BSI becomes the central cybersecurity authority with expanded powers – both as a supervisory authority for affected companies and as the CISO of the federal administration. The law enters into force the day after its promulgation, without any further transition period. Moreover, executive management faces personal training obligations in the field of IT security.
In addition, the Cyber Resilience Act establishes, for the first time, horizontally applicable cybersecurity requirements for products with digital elements. Connected products – from home cameras to refrigerators to toys – must be developed under the "secure by design" principle in the future. The main obligations apply from December 2027, but manufacturers should already prepare their supply chains for the new SBOM (Software Bill of Materials) requirements. In addition, the KRITIS Umbrella Act is intended to create a uniform federal minimum standard for the physical protection of critical infrastructures.
How do IT contracts need to be adapted?
The density of regulations directly affects contract drafting. In agile software development with AI tools, hybrid models are increasingly prevailing: an MVP is agreed as a fixed-price milestone, followed by subsequent development on a time & material basis with budget caps. Release-based budgets and semi-annual contract reviews ensure planning security while maintaining flexibility. Particularly important here are clear regulations on the use of AI tools and the resulting (or non-resulting) IP rights.
In the area of data licensing contracts, the Data Act requires careful differentiation between raw data, enriched data, and insights, as well as precise definitions of purpose of use. For AI development contracts, new questions of risk allocation in autonomous systems and Agentic AI, liability distribution for AI-generated legal violations, and compliance obligations under the AI Act arise.
The case law on GTC clauses in IT contracts also remains relevant: price adjustment clauses in subscription contracts without an obligation to reduce prices are invalid, and performance restriction clauses in streaming GTCs are subject to content control. It is also noteworthy that WhatsApp text messages can preserve the agreed written form under § 127 II BGB (German Civil Code) – voice messages, however, cannot.
What should companies specifically do now?
The challenge lies less in individual legal acts than in their interplay: Data Act, AI Act, NIS-2, Cyber Resilience Act, and GDPR must be implemented in a coordinated manner. A structured data audit is the first step – what data falls under the Data Act, and who has access rights? In parallel, companies should establish AI governance before the external requirements fully take effect: internal guidelines for the use of AI, documentation of the systems used, and clear responsibilities.
The existing contract portfolio should be systematically checked for compliance – especially IT and data contracts, license models, and development agreements. In cybersecurity, requirements must be detailed down to the subcontractor level. And last but not least, management and operational teams must be sensitized to the new legal duties – the training obligation for executive boards under the NIS-2 Directive is only the beginning.
How are you handling the new data and AI compliance requirements in your company? Which contract models work for you in agile AI-supported software development?