🇩🇪Digital Operational Resilience Act in Germany
A comprehensive guide to Digital Operational Resilience Act compliance for organisations operating in Germany. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About Digital Operational Resilience Act
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
Digital Operational Resilience Act Enforcement in Germany
Germany has a complex data protection landscape due to its federal structure, with 16 state-level data protection authorities (Landesdatenschutzbeauftragte) plus the federal BfDI. The federal authority oversees telecommunications and postal services, while state authorities handle other sectors. Germany enacted the Bundesdatenschutzgesetz (BDSG) to supplement and implement the GDPR nationally, introducing specific provisions on employee data protection (Section 26 BDSG), video surveillance, and DPO appointment thresholds. German DPAs have been particularly active in enforcing cookie consent, employee monitoring, and data transfer requirements. The Hamburg DPA was among the first to act on Schrems II implications, and the Berlin Commissioner has imposed several notable fines on technology companies.
Data Protection Authority
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Key Enforcement Focus Areas in Germany
- Employee data protection and workplace monitoring
- Cookie consent and tracking enforcement
- International data transfers post-Schrems II
- AI and automated decision-making oversight
- DPO appointment and independence
Notable Enforcement Actions in Germany
H&M (Hennes & Mauritz)
Extensive employee surveillance at Nuremberg service centre including health, family, and religious details
Deutsche Wohnen SE
Failure to establish lawful data retention and deletion architecture for tenant data
1&1 Telecom GmbH
Insufficient authentication procedures at call centres enabling unauthorised data access
notebooksbilliger.de
Unlawful video surveillance of employees over two years without legal basis
Check Your Compliance Status
Take our free assessment to evaluate your organisation's compliance posture. Get a personalised report with actionable recommendations in minutes — no sign-up required.
Start Free AssessmentDisclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting Germany
General Data Protection Regulation (GDPR)
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
Network and Information Security Directive (NIS2)
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
EU Artificial Intelligence Act (AI Act)
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.
ePrivacy Directive (2002/58/EC)
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".