Germany: Data center & Federal Ministry for Digital and State Modernization

It has now been around 100 days since the new German government took office. For the data center industry, this means the first 100 days of the new Federal Ministry for Digital and State Modernization - BMDS, headed by Federal Digital Minister Dr. Karsten Wildberger.

What has happened since then? In May 2025, the Federal Minister for Digital Affairs gave his first speech in the Bundestag and a keynote address at re:publica: The digital future needs an adequate digital infrastructure with data centers, which needs to be promoted.

At the beginning of July, the Federal Minister for Digital Affairs, together with the Hessian Minister for Digital Affairs, Prof. Dr. Kristina Sinemus, exchanged ideas with industry experts at the No. 1 data center location - Frankfurt am Main.

The Federal Minister for Digital Affairs reaffirmed the goal of making Germany a leading location for AI, which requires a data center strategy, among other things, to facilitate investment and speed up approval procedures.

Then, a first hint: the digital infrastructure should become less dependent on non-European providers, which is supposed to represent the desired digital sovereignty. From another speech in the Bundestag: "Only ... data centers located in the EU enable a future-proof AI infrastructure."

It is unclear whether this refers only to promoting European market participants or also to creating obstacles for non-European ones. The main concern is probably IT security. European cloud solutions should not be isolated, but rather "part of fair, open, and innovation-driven competition."

The ministry is developing: the departments have been filled, including those for "Digital Economy and Digital Sovereignty" and "Computing Infrastructure and Applications." The latter is tasked with developing the national data center strategy to promote the operation and establishment of data centers by the end of the year. The strategy is to define measures and an action plan such as:

• Facilitation of planning, approval, waste heat utilization, and power supply.
• Preferred locations for data center projects.
• European measures and initiatives.
• Transparency requirements for sustainability.

There is a consultation process with the data center industry, which will run until 21 September 2025 to gather practical suggestions.

At the same time, news arrived from Paris: At a public hearing before an investigative commission on the awarding of cloud computing contracts in light of "digital sovereignty" on June 10, the director of public affairs and legal affairs for the French representative office of a big tech company from the U.S. testified that he could not guarantee that no data would be disclosed without the consent of French authorities due to an order from the U.S. administration.

In its final report, the commission of inquiry considers the US government's ability to require companies to disclose cloud data (Foreign Intelligence Surveillance Act and Clarifying Lawful Overseas Use of Data (Cloud) Act) to be a significant risk.

What does this mean? It concerns contractual (confidentiality) obligations versus government orders, but also the territorial limits of such orders.

This issue is not entirely new. For example, some parents with school-age children will remember that various federal states instructed schools to close during the COVID-19 pandemic and not to use platforms from US companies for home schooling due to data protection concerns. Another example is the successful investigation and prevention of serious crimes based on information gained from foreign authorities.

What is it like in Germany? If a particularly serious crime is suspected, a German court can order an online search, which may also include remote access. This can initially be done secretly, with the person concerned being informed afterwards, which allows for subsequent legal protection.

If cloud computing data is stored on a server abroad, a transborder search requires the lawful and voluntary consent of the foreign cloud service provider. An informal request to the other country to secure data in advance is also conceivable, as is a formal request for legal assistance. To date, 65 countries, including the US, albeit with reservations, have agreed to this in the Cybercrime Convention.

Back in the here and now, the national data center strategy and action plan remain to be watched with interest. There is still a way to go before the consultation process for the strategy paper leads to draft legislative changes.

• The first thing that comes to mind is adjustments to the challenging requirements and deadlines for the development and operation of data centers under the Energy Efficiency Act introduced just under two years ago, which cover energy consumption efficiency (PUE), waste heat utilization and reporting obligations (which exceed European legal requirements).
• Legislative changes to facilitate and/or accelerate the approval of emergency power generators for data centers do not appear to be straightforward due to the legal interdependencies of the approval requirements and European legal requirements.
• Federal regulations for the designation of preference areas for data center projects, such as the planning requirements of the federal states to designate priority areas for wind energy under the Wind Energy Area Requirements Act or the promotion of open-space PV systems in preferred areas under the Renewable Energies Act, do not appear on the horizon.

We will further report on this.