2025 coalition agreement – AI, data protection, cyber security and digitalisation
The coalition agreement published by the German political parties CDU, CSU, and SPD places significant emphasis on advancing digitalisation, with a strong focus on artificial intelligence (AI) and data use. The coalition has ambitious goals for the 21st legislative period: transforming Germany into a leader in AI, deregulating data protection law, enhancing cyber resilience, and – a perennial topic in previous coalition agreements – comprehensive digitalisation. Supporting these objectives is the creation of the first-ever dedicated Federal Ministry for Digitalisation and State Modernisation.
Artificial intelligence
The coalition agreement sets a notable precedent by addressing AI with greater specificity and ambition than before. The future governing parties are planning clear initiatives to strengthen Germany's competitiveness and digital sovereignty in the long term. The coalition agreement signals a clear shift towards deregulation and a more business-friendly regulatory environment.
Germany as an AI nation
The coalition partners have declared their goal of establishing Germany as an AI nation (lines 107 et seq.) and promise a “high-tech agenda” for Germany (lines 2503 et seq.). Proposed measures include significant investments in cloud and AI infrastructure (lines 108 et seq.), the use of AI real-world laboratories (line 2266), and the connection of AI and robotics (lines 107 et seq.).
The plan aligns with the EU's InvestAI initiative, aiming to bring one of the "AI gigafactories" funded under the initiative to Germany (lines 2192 et seq.). Additionally, the coalition partners want to prioritise AI within the federal research and innovation funding and, in particular, provide access to high-performance and supercomputing centres for research and universities (lines 2509 et seq.).
Innovation-friendly implementation of the AI Act
In the course of the technical and legal specifications of the AI Act (Regulation (EU) 2024/1689), burdens on businesses shall be reduced. The coalition aims for an innovation-friendly, low-bureaucracy approach when implementing the AI Act into German law (lines 2270 et seq.). Given the dynamic developments in this area, the coalition would like to adapt the European digital legal framework accordingly (lines 2271 et seq.).
It is still unclear how the future federal government will implement these measures, as it cannot directly influence European law but can, at most, initiate reforms. In this respect, it is more of a political declaration of intent.
Outlook
The coalition rightly highlights AI as a priority in the coming legislative period. The parties reject over-regulation of artificial intelligence and agree on a low-bureaucracy and innovation-open implementation and further development. However, many objectives remain vague, and significant questions around their practical feasibility remain unanswered. As expected, the coalition agreement also contains no concrete details on the financing of the planned AI investments and places all measures under a general budgetary financing reservation (line 1627).
Data use and data protection
In the area of data protection, the coalition agreement contains various deregulation approaches and measures to reduce bureaucracy.
Centralisation and reduction of bureaucracy in data protection
The coalition plans a comprehensive reform of the data protection supervision by consolidating competencies and responsibilities with the Federal Data Protection Commissioner (lines 2095 et seq.). In the interests of the economy, the new government plans to significantly expand the role and importance of the Federal Data Protection Commissioner, in particular, by adding the responsibility for data use and freedom of information.
This would mean that data protection authorities in the individual federal states would no longer be the primary point of contact for data protection matters, but rather a central body, which would represent a massive relief for businesses. Unsurprisingly, the future federal government is facing headwinds from the data protection authorities of various federal states and the Data Protection Conference (Datenschutzkonferenz, DSK). In particular, critics argue that the coalition's plans will neither reduce bureaucracy nor save costs.
The plans to enshrine the DSK in the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) (lines 2100 et seq.) to develop common standards adopt an unimplemented project of the former government.
Culture of data use and data sharing
The term “data law” is explicitly understood for the first time as an area of law in need of regulation. The future federal government plans to draft a national Data Code for this purpose. The coalition partners are striving for a culture of data use and data sharing that establishes a data economy, focuses on innovation and supports fundamental rights and freedoms. To this end, the coalition wants to remove legal uncertainties, unlock data troves, promote data ecosystems and focus on data sovereignty (lines 2238 et seq.).
In line with the Data Governance Act, the coalition also intends to introduce a right to open data from government agencies (lines 2244 et seq.). The coalition agreement does not discuss which measures are explicitly planned to achieve this. The relevant Directive (EU) 2019/1024 on open data and the re-use of public sector information, which already entered into force in July 2019 and which is supplemented by the Data Governance Act, remains unmentioned.
The general approach is consistent with efforts at the European level, such as those found in the draft Industrial Action Plan for the European automotive sector. The possibility of data use and data sharing is increasingly recognised as a factor relevant to competition.
Simplification of and sectoral exemptions from the GDPR
According to the coalition agreement, the use of existing leeway should ensure consistency, uniform interpretation and simplification for small and medium-sized enterprises (SMEs). In addition, the coalition partners want to ensure at European level that SMEs, non-commercial activities (e.g. in associations) and low-risk data processing (e.g. customer lists of craftsmen) are excluded from the scope of the General Data Protection Regulation (GDPR) (lines 2101 et seq.).
This initiative is welcome and aligns with recent statements by Irish EU Commissioner Michael McGrath on the planned simplification of the GDPR, particularly for SMEs.
Opt-out solution instead of active consent
The coalition parties want to develop solutions to replace data protection consent requirements with opt-out solutions (lines 2096 et seq.). This would be a welcome relief for businesses, as obtaining consent in compliance with data protection regulations is currently subject to high requirements. However, it is questionable whether the future federal government will be able to offer pragmatic solutions in this regard that are compatible with applicable European law.
What aspects are missing?
While the former government suggested to reform employee data protection requirements in its coalition agreement, there is no mention of such a plan in the 2025 coalition agreement. It remains to be seen what this will mean for the planned reform.
Cyber security
After the 2017 coalition agreement between the CDU/CSU and the SPD called for a European cyber security strategy, the 2025 coalition now emphasises to further develop the national cyber security strategy with the aim of clearly defining roles and responsibilities (lines 2676 et seq.). The strategy aims to strengthen digital infrastructures and optimise information security practices to protect against cyber threats and enhance national resilience.
Strengthening the BSI and cyber resilience
The Federal Office for Information Security (BSI) is to be strengthened and expanded into a central office for information and cyber security issues. Furthermore, the future government plans to strengthen communication networks for crisis and classified communication and further develop the national cyber defence centre (lines 2676 et seq.).
The future governing parties also envisage a stronger focus of intelligence services on the cyber and information domain, including through the creation of a new specialised technical central office involving the Central Office for Information Technology in the Security Sector (ZITiS) (lines 2682 et seq.).
The national cyber security approach of the new government aims not only to counter current cyber threats, but also to build sustainable capacities that should serve Germany in global cyber competition. The focus on network security and cyber defence represents a pragmatic approach to strengthening national resilience. It remains to be seen to what extent the – mostly only hinted at – plans will actually be implemented.
The coalition agreement also mentions the urgent and overdue implementation of the NIS 2 Directive into national law (lines 2681 et seq.) but without providing concrete amendment approaches. In particular, no conclusions can be drawn about the fate of the government draft presented by the former government in this regard. However, the coalition agreement clearly states that bureaucratic “gold-plating” when transposing EU law into national law should be avoided (line 2014).
NIS 2 implementation
The coalition agreement also stipulates that components for critical infrastructure must be subject to high security standards. It is noteworthy that a previous version of the coalition agreement contained the statement that ‘in future, only components from trustworthy countries’ may be used. This wording is no longer included in the current version. The text now refers only to ‘trustworthy components’ – the geographical aspect has been omitted (lines 282 et seq.).
Digitalisation
In their coalition agreement, the future governing parties have placed a strong focus on digitalisation. The planned creation of a new Ministry for Digitalisation and State Modernisation is clear evidence of this. Some projects are already known from previous coalition agreements.
Direction of Digital Policy: Digital networking and sovereignty
The coalition parties are striving for a digitally sovereign Germany. To achieve this, digital dependencies should be reduced by developing key technologies, securing standards, and protecting and expanding digital infrastructures. In addition, the new government plans to create -integrated and resilient European value chains for key industries (lines 2140 et seq.). This applies particularly to the defence sector (lines 4179 et seq.).
Digitalisation of administration and justice
Massive digitisation processes are planned, particularly in the area of administration. A “Digital-Only” approach aims to ensure administrative services are conveniently available online via a central platform. Along with the implementation of a digital citizen account and a digital identity, an EUDI Wallet is planned to be made available to both citizens and companies (lines 1802 et seq.). This approach is not new: the last CDU, CSU and SPD government already presented the “Digital Germany 2020” programme in its 2017 coalition agreement.
In the area of justice, the new government plans to implement the Federal Justice Cloud and to introduce a justice portal with a communication platform, enforcement register and other citizen services (lines 2024 et seq.).
