The 2nd edition of the Commentary on IT Law, to which our partners Dr. Truiken Heydn, Dr. Michael Karger, and Dr. Thomas Stögmüller contributed as authors, will soon be published by Otto Schmidt Verlag. The commentary can be accessed online via juris.
On October 30, 2025, our partner Dr. Truiken Heydn will speak at the European Conference of the International Technology Law Association (ITechLaw) in London, together with Eugene Weitz and John Beardwood, on important contract clauses that may not be on everyone’s radar.
This will not be about the clauses on warranty and liability. If you would like to know more, you can still register here, but the number of participants is limited.
As of today (September 12, 2025), Regulation (EU) 2023/2854 (Data Act) applies.
What does the Data Act govern?
The Data Act governs data rights. This includes, among other things, data generated by connected devices in the context of Industry 4.0 applications and the Internet of Things (IoT).
Connected devices placed on the EU market must be designed in such a way that they enable the sharing of data. In addition, consumers must have the option of choosing less expensive repair and maintenance service providers or performing these tasks themselves, i.e., they must not be forced to commission the manufacturer to carry out repairs and maintenance by being denied access to data required for repair and maintenance.
Commercial users of equipment must have access to the data generated by that equipment in order to improve its efficiency and operation.
In particular: Cloud Computing
The Data Act is of particular importance for all providers and users of cloud computing. Cloud users must be able to switch to another cloud provider and migrate their data from their previous cloud provider to another cloud provider.
In particular, cloud providers are prohibited from making the switch dependent on payments, thereby effectively preventing the switch. However, until January 12, 2027, providers of data processing services may still charge reduced switching fees, but not after that date.
Model contractual terms and standard contractual clauses missing
Article 41 of the Data Act states that the Commission shall “before September 12, 2025” develop and recommend non-binding model contractual terms for data access and data use, as well as non-binding standard contractual clauses for cloud computing contracts.
However, these are not yet available. In the Commission’s press release of September 12, 2025, it states under “Next Steps” that the Commission will publish model terms for data sharing and standard clauses for cloud contracts – but it is unclear when.
What is available so far is the final report of the Commission’s expert group dated April 2, 2025, which contains proposals for model contractual terms and standard contractual clauses. However, this is not available in German, and it is also unclear whether the clauses proposed therein will ultimately remain unchanged.
A novelty outside Germany: B2B general terms and conditions law
Finally, special attention should be paid to the fact that the Data Regulation introduces, for the first time at EU level, a law on general terms and conditions that also applies to relationships between businesses (B2B). According to Article 13 of the Data Act, contractual terms concerning access to and the use of data or liability and remedies for the breach or the termination of data-related obligations, which have been unilaterally imposed by an enterprise on another enterprise, shall not be binding on the latter enterprise if they are unfair.
Until now, EU-level law on standard terms and conditions has only applied to relationships between businesses and consumers (B2C), such as Directive 93/13/EEC on unfair terms in consumer contracts.
However, the law on standard terms and conditions applicable in Germany is also largely applied by the Federal Court of Justice (BGH) in relations between companies, which is met with great incomprehension internationally in most cases. In Germany, EU directives such as Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services, have been implemented in Germany in an “excessive” manner in that the regress provisions in the supply chain upstream of consumer transactions in Section 327u of the German Civil Code (BGB) have been made mandatory between companies, whereas according to the directive, only the provisions relating to consumers need to be mandatory.
Update: List of currently responsible state authorities added
The Accessibility Enhancement Act (BFSG) will come into force on June 28, 2025. From this date onwards, various products and websites must be made accessible. There is currently a great deal of misunderstanding regarding the content of the “accessibility statement” that companies are required to provide. We explain the details.
Accessibility Enhancement Act – New obligations for companies
In our detailed article on the Accessibility Enhancement Act (BFSG), you can learn the basics, in particular who the law applies to.
We have also created a guide entitled “FAQ – Accessible Websites”, in which we explain the implementation of the BFSG from a technical perspective.
Accessibility statement in accordance with the BFSG
In addition to technical implementation, the BFSG also requires the provision of information in accordance with Annex 3 to the law. In recent weeks, the term “accessibility statement” has become established for this purpose.
This is somewhat unfortunate, as this term is actually already “reserved” for another statement, which leads to many misunderstandings in connection with the BFSG.
The BFSG requires service providers to
“have prepared the information in accordance with Annex 3, Number 1, and have made this information accessible to the general public in an accessible form; the provisions of the statutory order to be issued in accordance with Section 3, Paragraph 2, are decisive for making the information accessible.”
Annex to the BFSG: The accessibility statement
The law therefore refers exclusively to Annex 3, No. 1, which reads as follows:
The service provider shall indicate in its general terms and conditions or in another clearly perceptible manner how its service within the meaning of Section 1 (3) meets the accessibility requirements of the statutory order to be issued pursuant to Section 3 (2). The relevant information shall include a description of the applicable requirements and, insofar as relevant for the assessment, cover the design and implementation of the service.
In addition to the consumer information requirements under Article 246 of the Introductory Act to the Civil Code, the information shall, where applicable, include at least the following elements:
(a) a general description of the service in an accessible format;
(b) descriptions and explanations necessary for understanding the implementation of the service;
c) a description of how the service meets the relevant accessibility requirements listed in the statutory order to be issued pursuant to Section 3 (2);
d) the name of the competent market surveillance authority.
This requirement, which is relevant for the private sector, must be distinguished from the accessibility statement pursuant to Section 12b of the Disability Equality Act (BGG).
Accessibility statement in accordance with the Disability Equality Act
The BGG is a somewhat older law from 2002 that regulates the accessibility requirements that must be met by public authorities. These include, for example, federal administration offices.
The BGG does not apply to private companies.
Section 12b (1) BGG requires federal public authorities to publish an accessibility statement on their website.
The content of this statement is specified in Section 12b (2) BGG:
1. In the event that, in exceptional cases, the design is not completely accessible,
- the designation of the parts of the content that are not completely accessible,
- the reasons for the non-accessible design, and
- if applicable, a reference to accessible alternatives,
2. an immediately accessible, barrier-free option for contacting the agency electronically to report any remaining barriers and to request information on the implementation of accessibility,
3. a reference to the conciliation procedure pursuant to Section 16, which
- explains the possibility of conducting such a conciliation procedure and
- contains a link to the conciliation body.
Federal public authorities are therefore expressly obliged to identify non-accessible parts of the website content.
No listing of non-accessible parts according to BFSG
The information obligation under the BFSG does not include any obligation to list the non-accessible parts of the services (e.g., the website).
The explanatory memorandum to the BFSG expressly states:
This information to be provided by the service provider largely corresponds to the accessibility statement as provided for in Section 12b BGG. However, Directive (EU) 2019/882 does not require the service provider to also indicate in its information which parts of its service are not accessible and how the non-conformity is justified. This is not necessary because the service provider is fundamentally obliged to ensure complete accessibility.
Anyone who lists the non-accessible parts of their website in the declaration provides competitors, consumer centers, and qualified trade associations with a basis for warnings.
In addition, this publicly documents that one is violating the law and thus acting intentionally. This is likely to play a decisive role in the imposition of a possible fine.
Consequences of a non-accessible website
The law provides for several (simultaneous) obligations if the service does not comply with the requirements of the BFSG and the associated BFSGV:
- Prohibition of offering and providing the service (Section 14 (1) No. 1 BFSG)
- Taking the necessary corrective measures to ensure the conformity of the service (Section 14 (4) sentence 1 BFSG)
- Informing the market surveillance authority(ies) that the service does not meet the requirements of the BFSGV (Section 14 (4) sentence 2 BFSG)
The authority can then initiate a multi-stage procedure which, in the worst case, can lead to a ban on the provision of the service. In the case of websites, this means that the non-accessible parts of the website must be shut down.
In addition, fines may be imposed.
Who can help with the creation of the accessibility statement?
If you have your website managed by an agency, their support is essential for creating the accessibility statement in accordance with the BFSG. This does not mean that the agency provides legal advice, but rather that it clearly states the technical means by which accessibility has been achieved.
In addition, legal advice should always be sought when creating the statement. This is because, in addition to the technical requirements, the legal requirements for the information must also be met.
Since the statement must be created on a very individual basis, particularly with regard to the description of the service offered, the description that aids understanding of the service, and the specific technical implementation of the accessibility requirements, there are unlikely to be any suitable standard templates that can be used.
Ultimately, Appendix 3 to the BFSG is the “template” that must be completed by the company.
Where should the accessibility statement be placed?
Annex 3 to the BFSG stipulates that the information must be provided either in the general terms and conditions or “in another clearly noticeable manner.”
In our opinion, the specific information relating to the BFSG does not belong in the general terms and conditions. Instead, a separate page should be provided for this purpose and linked in the footer of the website.
Update: Competent market surveillance authorities under the BFSG
The federal states have concluded a state treaty to create a central market surveillance authority in Saxony-Anhalt. However, this state treaty has not yet been ratified by all federal states, so this authority has not yet been established.
Nevertheless, some federal states have appointed their own market surveillance authorities, which are responsible for the transitional period until the central authority for surveillance under the BFSG is established.
The following overview lists the market surveillance authorities of the federal states that we were able to identify based on publications in the respective law gazettes.
Overview
| State | Competent authority | Legal basis |
| Baden-Württemberg | No competent authority found | |
| Bavaria | For the administrative districts of Lower Franconia, Upper Franconia, Middle Franconia, and Upper Palatinate, the Trade Supervisory Office at the Government of Upper Franconia in Coburg is responsible. Authority name: Government of Upper Franconia – Trade Supervisory Office For the administrative districts of Swabia, Upper Bavaria, and Lower Bavaria, the Trade Supervisory Office at the Government of Lower Bavaria in Landshut is responsible. Authority name: Government of Lower Bavaria – Trade Supervisory Office | https://www.gewerbeaufsicht.bayern.de/marktueberwachung/bfsg.htm |
| Berlin | No competent authority found | |
| Brandenburg | No competent authority found | |
| Bremen | No competent authority found | |
| Hamburg | No competent authority found | |
| Hessen | Giessen Regional Council | Regulation on responsibilities under the Barrier-Free Accessibility Act (BFSGZV) |
| Mecklenburg-Western Pomerania | No responsible authority found | |
| Lower Saxony | No responsible authority found | |
| North Rhine-Westphalia | No responsible authority found | |
| Rhineland-Palatinate | Ministry responsible for social affairs | State ordinance on responsibilities under the Accessibility Enhancement Act |
| Saarland | Ministry of Labor, Social Affairs, Women, and Health | Ordinance on responsibilities for reviewing conformity of products and services under the Accessibility Enhancement Act |
| Saxony | Saxony State Directorate | Accessibility Enhancement Competence Regulation |
| Saxony-Anhalt | Saxony-Anhalt State Office for Consumer Protection | Regulation on competences under the Accessibility Enhancement Act |
| Schleswig-Holstein | Ministry responsible for social affairs | State regulation on the determination of the market surveillance authority under the Accessibility Enhancement Act (MübBFSGVO) |
| Thuringia | No competent authority found |
Name of the competent authority
Until the state treaty on the joint market surveillance authority enters into force, the market surveillance authority responsible for the respective federal state must be named in the accessibility statement.
Conclusion
From June 28, 2025, companies must not only comply with the basic accessibility requirements. They also provide the information specified in Annex 3 – for which already the term “accessibility statement” has become established.
It is important to ensure that this declaration does not put you in the “pillory” and publicly declare that you are not complying with the law.
We are happy to assist you in preparing your accessibility statement.
In a detailed article in the trade journal WRP, we have dealt in detail with the requirements for accessible websites. You can read the full text of the article here:
Accessible websites – An overview of the effects of the BFSG (in German)
On June 28, 2025, the Accessibility Enhancement Act (BFSG) will come into force, bringing with it numerous changes, particularly for website operators. The aim of the BFSG is to improve participation for people with disabilities and to implement EU Directive 2019/882.
Who does the law affect?
The BFSG is primarily aimed at companies in the B2C sector, in particular service providers in electronic commerce – which includes not only traditional online shops but also numerous other offerings on websites.
However, such service providers are exempt if they are micro-enterprises. This means that they have fewer than ten employees and an annual turnover or balance sheet total of no more than € 2 million.
Important: Even companies that are not directly covered by the BFSG – such as agencies or IT service providers that develop websites and other digital solutions for providers of B2C services – should be aware of the requirements of the BFSG and implement them in their services.
Their customers are obliged to offer accessible solutions. In order for these “suppliers” to remain competitive and meet the requirements of their clients, they too must design their products and services to be accessible.
Why accessibility is important
Accessible websites and services enable companies to tap into new target groups. It is not exclusively about people with disabilities, but also about older people or people with temporary limitations.
In addition, accessibility increases user-friendliness (UX) and strengthens a company’s image in the long term.
What are the requirements?
Websites must be clearly structured and should be compatible with screen readers and fully operable via keyboard. High contrast, alternative text for images, and accessible forms are also essential.
In addition, an accessibility statement must be published on the website—in an accessible format, of course.
Consequences of non-compliance
Companies that do not implement the requirements face fines of up to 100,000 Euro. The new market surveillance authority of the federal states for the accessibility of products and services, will be based in Magdeburg. It will be responsible for monitoring compliance.
In addition, warnings under competition law may be issued.
Our guide
We created in collaboration with Ria Weyprecht, owner and founder of the agency stolperfrei.digital, a guide. There you can finde advices how to make your website accessible.
The European Commission published the draft Data Act on February 23, 2022. The Data Act draft regulates the provision of data by the data owner to the user, to third parties and to public bodies and includes legal frameworks for data access and data use. The background to the regulation is that there is currently no legal regulation on data sovereignty and all parties involved rely on voluntary exchange.
With the Data Act draft, the European Commission now wants to clarify who may commercially exploit data and under what conditions this takes place. In addition, special provisions are made for micro, small and medium-sized enterprises as well as so-called “gatekeepers”.
Basic content of the draft Data Act
The draft regulates the exchange of user-generated data between companies and between consumers and companies. Large parts of the data collected by companies and by consumers in connection with networked devices and digital services must in future be made technically and legally accessible to users, who can then pass the data on to third parties.
The regulations in the draft include, for example, product requirements for easy and secure data access (“access by design and by default”), pre-contractual information obligations and the need for a usage agreement between data owner and user, data access claims and provision obligations, as well as regulations on data transfer by the data owner to third parties at the instigation of the user. However, it also regulates requirements for corresponding consideration (e.g., fairness, appropriateness) and criteria for abusive contractual clauses in order to protect smaller companies.
In addition, there are to be regulations for the transfer of data to public bodies and EU institutions, bodies and other bodies in emergency situations.
The draft also stipulates that the European Commission should provide non-binding model contractual conditions for data access and use. The member states are then to issue corresponding regulations on sanctions in the event of violations.
Addressees of the draft Data Act
The Data Act draft applies to
- All manufacturers of products and providers of related services placed on the market in the EU and users of such products or services;
- data controllers who provide data to recipients in the EU;
- Data recipients in the EU to whom data is provided;
- public bodies and EU institutions, bodies and agencies;
Similar to the GDPR, the regulations are also intended to apply to companies based outside the EU if they provide relevant services to customers in the EU.
Outlook
The European Parliament and the Council have adopted their positions on the draft and, like the member states, are calling for various amendments. Further negotiations will focus in particular on the scope of application of the Data Act, ensuring the protection of trade secrets, remuneration issues and regulations on provider switching and protection against unfair contract terms. On March 29, 2023, the first trilogue took place. However, as the positions of the Council and Parliament are not too far apart, an agreement is generally expected before the summer break or shortly thereafter.
Companies face an increasing push to use of open source software, both in their own software development and in the procurement of software from third parties.
The use of open source software or “free and open source software” has become standard in software development. Open source software is freely available on the internet, saves time and allows typical standard functions to be integrated without any development effort.
The term Free and Open Source Software suggests when the software is “free” in every respect. However, the use of the software requires acceptance of and compliance with the underlying licence conditions. Frequently, however, these are observed little or not at all, which can lead to considerable economic risks (including injunctive relief, claims for damages).
Therefore, it is essential, especially for software development companies, to fully comply with the obligations associated with the use of open source software. In order not to be surprised by the negative consequences of non-compliance, it is advisable to introduce internal processes for monitoring compliance within the framework of an open source compliance management.
What is Open Source Software?
Open source software is freely available, but can only be used under restrictions that are intended to enable further free use. For example, the Open Source Initiative (https://opensource.org/) published requirements to classification as open source software. Among other things, the source code must be available or be made available. Changes to the software must be permitted. The licence conditions used must not restrict distribution, no licence fee may be charged for the open source software and it must be permitted to market changes under the same conditions.
The various open source developers have gone different ways. Some use licences that allow use in conjunction with commercial products. Some oblige the user to combine the open source software only in conjunction with compatible licences or stipulate that their own licence conditions must apply to further developments or derivative works. This is also called “copyleft” or viral effect.
What impact does this have on commercial use?
For companies that only use open source software internally for their own purposes, there are hardly any restrictions preventing use. Occasionally, however, certain types of use are exempted.
However, if the open source software is made available to third parties or if it is incorporated into commercial software, it must be checked whether use and distribution in the intended way is covered by the underlying licence.
On the one hand, there are many licences that make this possible and even allow the use of commercial licence terms for the larger work. In contrast to commercial third-party products, the possibilities for use are usually more flexible here.
On the other hand, depending on the licence, the use of open source software can lead to restrictions. For example, if an open source software licenced under GNU General Public License (GNU GPL), is integrated the larger work cannot be distributed commercially or without disclosing the source code.
However, the type of use also plays a role here. Some licences (e.g. Affero General Public License) restrict commercial use to such an extent that use in connection with commercial SaaS services is restricted.
Other commitments
In addition to the fundamental question of the permissibility of use, some licences also provide for further obligations, e.g. passing on the licence conditions, disclosure of use, making available the source code of the open source software, naming the author.
Often, the developers know the concept of open source software, but not the associated restrictions and obligations. The consequences are usually a violation of the licence conditions and a resulting ban on using the open source software.
How do I reduce my risks?
First of all, an inventory should be made. Open source audits are a good way to do this, in which the source code of the own software and all open source components used are scanned. This allows you to find both obviously used open source software and so-called snipits that have been copied into the own code. The open source software should also be scanned completely in order to find third-party components it may contain.
There are various tools on the market that support the scan. Some of these can also be integrated into the development process. In this way, problematic developments can be discovered and eliminated at an early stage. In addition, the tools facilitate the creation of a Bill of Materials (BoM), a list of all matches with pieces of code, the version of the open source software, the respective download source and the applicable licence conditions.
It makes sense to whitelist unproblematic licences and blacklist problematic ones. All licences not listed would then have to be checked as necessary.
Awareness should be raised to the responsible employees and appropriate contractual regulations should be concluded with external developers.
In addition, the documentation measures should be summarised in a compliance programme.
Conclusion
The use of open source software brings both advantages and challenges. However, when the right components are selected and used in accordance with the conditions, it is often more interesting than commercial third-party products or in-house developments.
TCI partner Stephan Schmidt (Mainz), together with the Düsseldorf law firm MUTTER & KRUCHEN (M&A, corporate law), advised the shareholder of it relations GmbH on the sale to ALVARA | Digital Solutions.
ALVARA | Digital Solutions (a brand of ALVARA Holding GmbH) continues to grow. It relations GmbH is new to the corporate group of specialists for track & trace software solutions for the cash cycle and logistics. ALVARA | Digital Solutions adds an IT specialist that has been carrying out innovative IT projects for 25 years and, among other things, stands for the successful development of innovative and intuitively operated cash register systems. The intelligent branch checkout systems used by large bakery chain stores, restaurants, bars and retailers can be individually adapted and, in addition to central data maintenance and POS synchronisation, are also GDPD/GOBD-compliant and fiscally secure. The Coffeeboard system enables current discounts, promotions or image advertising to be effectively staged as an image or video via separate monitors in the checkout area so advertising can be centrally planned and managed.
Shortly before its 10th anniversary, the Mainz team of the law firm TCI has been strengthened with the experienced in-house lawyer and former general counsel Sabine Brumme as a full-time partner as of May. As a founding member of the firm, she was previously of counsel at TCI and will join the firm in full in the future. Previously, Sabine Brumme was General Counsel at the innovative AI provider arago GmbH and Deputy General Counsel at an international consulting firm.
Brumme started her legal career in 1997 at a savings bank association and was already active in IT and Internet law at that time. This continued at Bayerische Landesbank. She then spent more than 15 years at the consulting firm BearingPoint in various positions and held the position of Deputy General Counsel with legal responsibility for the software division there together with her team. In 2019, she moved to arago a provider of AI-powered cloud applications.
In addition to legal operations, her focus was on IT law, which she has been involved in since the beginning of her professional career. Brumme is experienced especially in complex, international negotiations of software, outsourcing and cloud contracts. In addition, she has been intensively involved with LegalTech in recent years.
Brumme has been associated with TCI for a long time: She is a founding partner of TCI and also previously worked with parts of the Mainz and Munich teams as of counsel at teclegal from 2009.
She has been a guest lecturer for the Institute of Information Law at the h_da University of Applied Sciences in Darmstadt and has supervised Bachelor and Master students there as well as at the Frankfurt University of Applied Sciences in the course of their final theses. She continues to be associated with the h_da through her work on the advisory board of the Institute for Information Law. She also sits on the advisory board of the “Intellectual Property Magazin”.
Brumme will support the team in the areas of IT law, data protection, international contract law and competition law. She will also expand the LegalTech, Legal Operations and Legal Outsourcing practice areas. She will build on existing international mandates.
Stephan Schmidt, TCI founding partner comments on the change: “We are very pleased that our long-time companion Sabine Brumme has decided to support us in the future as a partner with all her strength in the exciting subject area of IT law and to contribute to the fact that we can continue to advise our clients at the highest level, especially in the area of licensing and outsourcing.”
TCI is represented as a group of law firms with 14 partners and 3 associates at the offices in Berlin, Mainz and Munich since 2011. TCI’s industry focus is on “Technology”, “Communication”, “Information”, on which the short name and brand “TCI” is based. The legal focus is on technology-related contract law and litigation including arbitration, IT law, telecommunications law, public procurement and antitrust law, franchise and distribution law, employment law, copyright law and intellectual property law.
