Written by: Hannah KirnerLucas BlumSylvia Ebersberger 

Co-Authors for Malta: Andrea Grima and Paul Micallef Grimaud 

The implementation of the Data Act (Regulation (EU) 2023/2854) has entered a decisive phase across EU Member States, with national measures now in force to ensure compliance and effective enforcement. Malta has emerged as one of the first jurisdictions to establish clear competences and sanctioning powers under the Data Act – enforcement is now a reality. Germany has also taken a significant step forward in the implementation by publishing a new draft implementation act on 29 October 2025.

Designated Competent Authorities and Enforcement Regime in Malta

In Malta, the competent authorities tasked with monitoring and enforcing the Data Act have been designated.

The Malta Digital Innovation Authority (MDIA) is the data coordinator and competent authority for the application and enforcement of all provisions of the Data Act, except for Articles 23–31 and 34–35. This designation is established by Legal Notice 222 of 2025.

For infringements under the MDIA’s purview, Article 8(1) of Legal Notice 222 applies Articles 42, 43, 44, and Part IX of the MDIA Act (Chapter 591 of the Laws of Malta), establishing:

  • A maximum administrative penalty of up to 5% of the undertaking’s turnover in the calendar year preceding the infringement, for significant infringement.
  • Liability for administrators of a body corporate or persons purporting to act in such capacity.
  • A two-year prescription period for the initiation of proceedings to impose administrative penalty penalties, running from the date of the alleged infringement.
  • The appeals procedure for MDIA decisions.

The Malta Communications Authority (MCA) is the competent authority for the application and enforcement of Articles 23-31 and 34-35 of the Data Act. This is established by Legal Notice 222 of 2025 and confirmed by Legal Notice 224 of 2025, which adds these specific articles to the list of laws enforced by the MCA.

For infringements falling under the MCA’s remit, Article 8(2) of Legal Notice 222 applies Part VI of the MCA Act (Chapter 418 of the Laws of Malta). Part VI of the MCA Act establishes the MCA’s enforcement powers and, in Article 33(1), also includes a maximum administrative penalty of up to 5% of the undertaking’s turnover in the calendar year preceding the infringement, for significant infringement.

A third body, the Information and Data Protection Commissioner (IDPC), is designated by Legal Notice 223 of 2025 as the competent authority for monitoring the Data Act’s application, specifically in relation to the protection of personal data.

This national legal framework, including Legal Notices 222, 223, and 224 of 2025, designates the competent authorities and outlines the penalties and enforcement procedures for non-compliance with the Data Act. With the main provisions of the Data Act applicable since 12 September 2025, non-compliant entities now face a real risk of enforcement.

Draft Implementation Act Published in Germany

On 29 October 2025, the German Federal Cabinet (Bundeskabinett) published the draft Data Act Implementation and Enforcement Act (Gesetz zur Durchführung der Verordnung (EU) 2023/2854 – DADG). In particular, the DADG-draft establishes the Federal Network Agency (Bundesnetzagentur – BNetzA) as the competent authority for the application and enforcement of the Data Act. The BNetzA is designated as the central contact point for matters relating to the Data Act, including complaint handling for general or specific complaints, supervision, and inter-sectoral and inter-institutional coordination, such as with the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit – BfDI). The BfDI itself is designated to oversee data protection-related issues in connection with the Data Act. This diverges from the allocation of responsibilities for data protection oversight set out in the Federal Data Protection Act and constitutes a significant special mandate of the BfDI.

According to the draft-DADG-draft, the BNetzA shall be empowered to:

  • Oversee compliance, process complaints, and initiate investigations ex officio.
  • Issue orders and take necessary measures to ensure compliance with the Data Act requirements.
  • Impose penalties for incompliance with the Data Act.

Details on applicable penalties, as provided for by Article 40 of the Data Act, are set out in §15 of the draft-DADG-draft:

  • Administrative fines up to EUR5 million, or up to 2% of global annual turnover for gatekeepers (as defined in Regulation (EU) 2022/1925) for serious infringements.
  • Fines up to EUR500,000 for significant breaches, such as non-compliance with data access obligations.
  • Fines up to EUR100,000 for mid-level infringements, including improper use of data.
  • Fines up to EUR50,000 for minor violations.
  • Warnings may be issued for less severe cases.

The next steps in the adoption of the DADG-draft are readings in parliament (Bundestag), before adoption and entering into force of the law. Only then will sanctions and other supervisory measures provided for by the German authorities take effect.

Act Now to Ensure Compliance with the Data Act Now

With the Data Act now in force and national enforcement regimes established or on the way, companies active in Germany, Malta, and across the EU must urgently assess their compliance posture. The risk of administrative penalties has become real, with competent authorities empowered to investigate, issue orders, and impose substantial fines for non-compliance.

Disclaimer: This article was first published on ‘DLA Piper’ on 30/10/2025.