The German data protection market in the public sector will remain characterized in 2026 by the tension between established GDPR compliance and new requirements from eIDAS 2.0 and NIS2. Authorities and public institutions face the task of integrating existing data protection infrastructures with the requirements of digital identity.
Regulatory Dynamics: eIDAS 2.0 Meets GDPR
The implementation of the eIDAS 2.0 regulation forces German administrations to revise their data protection concepts. The European Digital Identity Wallet (EUDIW) requires new privacy-by-design approaches that go beyond classic GDPR compliance. Providers such as Governikus and the Bundesdruckerei are expanding their product portfolio with EUDIW-compliant solutions that combine data protection and user autonomy.
The NIS2 directive simultaneously tightens requirements for cybersecurity and data protection for critical infrastructure. Public IT service providers such as Dataport AöR and AKDB must adapt their security architectures by October 2024 – with direct implications for data protection management systems.
Market Development: Consolidation and Cloud Migration
The market for data protection software in the public sector shows consolidation trends. Large IT service providers such as Materna (Website) and msg systems (Website) are integrating data protection modules directly into their administrative cloud offerings. This bundling reduces integration effort for authorities.
At the same time, demand for sovereign cloud solutions is growing. The discussion about digital sovereignty is tightening requirements: data protection tools must not only be GDPR-compliant, but also guarantee that personal data is processed exclusively in EU data centers. Providers such as T-Systems Public (Website) are positioning themselves with sovereign cloud offerings.
Automation and AI-Driven Compliance
A growing trend is the automation of data protection processes. AI-driven tools automatically scan processing records, identify data protection risks, and suggest remedial measures. Capgemini Public Sector (Website) and Atos Public Sector DE (Website) already offer such compliance assistants as a module of their administration suites.
Administrative automation reinforces the need: when authorities automate processes, data protection impact assessments (DPIA) must become standardized and scalable. Providers are developing workflow-based DPIA tools that can be integrated into digital file systems.
OZG 2.0 and Data Protection: Conflict or Opportunity?
OZG 2.0 requires fully digital administrative services by the end of 2026. This digitalization pressure sometimes conflicts with data protection requirements: data minimization and user-friendliness often contradict each other. Proactive administration, which automatically offers services to citizens, requires extensive data linkages – tricky terrain for data protection officers.
Digital identity in Germany becomes the key: only if citizens themselves control which data they share can the conflict be resolved. The portal network must therefore integrate privacy dashboard functions that create transparency about data flows.
Outlook: Data Protection as a Differentiator
For providers, data protection is increasingly becoming a competitive advantage. Authorities demand detailed evidence of privacy-by-design architecture in tenders. Certifications according to ISO 27701 or the BSI C5 seal are becoming standard. NIS2 compliance reinforces this trend.
By 2027, the market is likely to differentiate more between generalists offering data protection as part of their compliance suite and specialists in privacy tech. The latter focus on zero-knowledge architectures and privacy-enhancing technologies (PET), which become particularly relevant for sensitive administrative processes.
The challenge remains: data protection must not block digitalization, but must protect citizen rights. Products that master this balancing act will shape the market.