DATEV eG

As an IT service provider, the DATEV cooperative paves the way for the digital business models of its members from the professions and for the commercial processes of small and medium-sized businesses.

Lobbying Activity

Response to EU quantum Act

18 Nov 2025

As the European Commission prepares its next steps towards a Quantum Act, we would like to highlight that Quantum Key Distribution (QKD) should not be neglected. While Post-Quantum Cryptography (PQC) is rightly receiving significant attention, QKD offers a unique level of protection, particularly in domains where the highest levels of confidentiality are required. At present, the lack of standards and interoperability hampers broader adoption across the EU. Without a coordinated approach, QKD risks remaining fragmented, with isolated pilots instead of scalable, market-ready solutions. We believe the EU should take a leadership role by driving forward a European standardization strategy for QKD. Such a strategy would not only safeguard Europe's technological sovereignty in this security-critical domain, but also foster innovation and competitiveness, ensuring that European companies are at the forefront of shaping and deploying this key technology.

Response to Digital package – digital omnibus

30 Sept 2025

We support the Commission's agenda to simplify the digital policy regulatory framework through the first Digital Omnibus. However, we would also like to emphasize that further simplification steps remain necessary, as this package will not resolve the most pressing issues. The most influential digital laws, such as the GDPR, the CRA or the Data Act, and their interplay are notably left unaddressed. On the upcoming Digital Omnibus, we would like to emphasize the following points.

On Cybersecurity: Within the EU Cybersecurity Certification Framework (ECCF), duplicate certification structures at national level (e.g. C5 and EUCS) should be avoided. Certification brings added value to companies, in particular when it enables them to demonstrate their compliance in a legally binding manner. Harmonisation of the structure of the various certification schemes in line with the ISO system is essential to ensure comparability and consistency. The downstream initiatives required to implement the Cyber Resilience Act (CRA) are still pending and continue to be delayed. This means that the time remaining for proper implementation is too short. Implementation in companies must follow the guidelines and secondary legislation, not pre-empt them. To enable realistic implementation, we recommend a "stop the clock" approach: the CRA's application period should be postponed by two years. Instead of developing new security frameworks (as was done in the context of NIS2 implementation), existing standards such as ISO 27001/27002 should be used. New security frameworks place a significant and unnecessary burden on companies, as different similar but not identical security frameworks must be reconciled and integrated.

On the AI Act: One of the core elements of the AI Act, the definition of an artificial intelligence system, is vague, resulting in significant interpretative uncertainty (e.g., "varying levels of autonomy" or "may exhibit adaptiveness"). If there is no clear demarcation in the definition of AI systems, then, in the end, national courts will interpret the criteria. This will once again lead to a national patchwork, just as with the definition of personal data under the GDPR. The guidelines could have served as an opportunity to refine this definition and provide clarity, which would have greatly supported companies in their implementation efforts. Unfortunately, this opportunity was largely missed. The most helpful aspect of the current guidelines is the negative list, which delineates what is not considered an AI system. However, the negative examples are not very detailed. The guidelines should be urgently revised to include more detailed examples and practical scenarios.

On a European Business Wallet: The European Business Wallet has enormous potential to significantly simplify everyday life for SMEs. A medium-sized company has around 200 administrative contacts per year in Germany, which are often cumbersome and paper-based. All economically active persons, especially the self-employed, should be entitled to a European business wallet and also receive an organisational identity for this purpose without any unnecessary bureaucracy. The business wallet must be sufficient as the sole means of identification and must be able to reflect existing powers of representation. In addition, existing European and national initiatives should be integrated at an early stage in order to avoid parallel structures.

Response to Apply AI Strategy

2 Jun 2025

See attached position paper

Meeting with Angelika Niebler (Member of the European Parliament)

12 Feb 2025 · EU Data Policy

Meeting with Philippe Duponteil (Director Taxation and Customs Union) and

11 Feb 2025 · They want to discuss: - COM Roadmap on FISCALIS and future developments - Any specific info on Germany - eID – some basic info, plus any info related to Germany

Meeting with Marie-Hélène Pradines (Head of Unit Internal Market, Industry, Entrepreneurship and SMEs)

10 Feb 2025 · SME POLICY

Meeting with Luc Tholoniat (Director Economic and Financial Affairs)

10 Feb 2025 · Presentation of DATEV’s databases and analytical work on German firms

Meeting with Gabriele Bischoff (Member of the European Parliament, Shadow rapporteur) and Bayer AG and

24 Jan 2025 · Exchange with the Wirtschaftsforum der SPD e.V. on the revision of European Works Councils

Meeting with Stefan Berger (Member of the European Parliament)

15 Jan 2025 · Data processing

Meeting with Markus Ferber (Member of the European Parliament)

13 Nov 2024 · SME Policy

Response to Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive

8 Jul 2024

DATEV welcomes the opportunity to provide feedback on the Commission's draft implementing act specifying the technical and methodological requirements of cybersecurity risk management measures and specifying when an incident shall be considered significant under the NIS2 directive.

Significant incident

We consider the general specification of when an incident shall be considered as significant as far too detailed. This assessment also applies to the specific provisions for cloud computing service providers. In addition, the indicated thresholds are too low and seem to be arbitrary. Consequently, the problem arises that the specification no longer does justice to the individual case. Moreover, this will lead to a disproportionate number of notifications, overloading the supervisory authorities and overburdening companies. A more abstract decision tree, as can be found at BSI, would be more target-oriented. According to the implementing act, a significant incident is defined as a cloud computing service being unavailable for more than 10 minutes. In some cases, this is without doubt a significant incident. However, there are cases in which such a technological failure is at least harmless, if not unimportant. For example, certain kinds of business software are in most of the cases used during certain hours of working days. If those are not available for 10 minutes on a weekend, this cannot be considered a significant incident. Article 7 (d) provides that an incident shall be considered significant when the integrity, confidentiality or authenticity of stored, transmitted or processed data related to the provision of the cloud computing service is compromised with an impact on more than 5 % of the cloud computing service users. However, it is not clearly defined what an impact, in that context, actually is. We propose an impact to be defined in a more risk-based approach by referring instead to significant impact.

Cybersecurity risk management

The annex of the implementing act outlines the technical and methodological requirements of cybersecurity risk management procedures according to the NIS2. The annex is a state of the art and high-quality security framework. However, well established standards for security frameworks already exist, such as the ISO27001/ISO27002. For companies this would imply a considerable burden because the various similar but different security frameworks would have to be mapped and integrated in order to be compliant. Instead of aiming to draft a new framework, the Commission should rely on existing, practically tested and, thus, already established standards. We would like to point out that the proposed framework is drafted in such detail that it will be difficult, if not impossible, to implement it accordingly. Due to the very dynamic technological developments of our time, the framework is also at risk of becoming technologically outdated in a short time. More abstract formulations, again, could create remedies for those risks.

Response to Report on the application of the General Data Protection Regulation

30 Jan 2024

DATEV welcomes the opportunity to provide feedback on the application of the GDPR. DATEV sees a need for improvement in the following four areas in particular.

Clarifying Definitions and Terminology

Further clarification is needed regarding the definition of personal data under Art. 4 GDPR. It needs to be specified under which conditions datasets containing personal data are considered as anonymous. Moreover, it remains unclear to what extent anonymous data, which can potentially be supplemented with information when passed on to third parties and thereby allowing clear personal references to be made, can be considered anonymous. Therefore, we endorse the German proposal to reduce uncertainties regarding the pseudonymisation and anonymisation of data, which was put forward in the preparation of the Council position on the evaluation and review of the General Data Protection Regulation (GDPR).

Information Fatigue

The information obligations under Art. 13 and 14 GDPR have led to an overload of information, which is neither requested nor acknowledged by the data subject. Particularly the very long and mostly confusing information in the form of data protection declarations does not lead to transparency for the data subject, as intended by the GDPR, but at best serves to fulfil a legal obligation on the part of the controller. Apart from additional guidance on the interpretation of the information obligations, it is necessary to clarify what information should be made available immediately to the data subject and whether additional information could be made available elsewhere. Consideration should also be given to clustering information relevant to data protection in order to prevent information fatigue. This can be achieved with the implementation of standardised symbols as proposed in Art. 12 (8), which the EU-Commission has yet to put forward.

Making the GDPR more SME-friendly

Furthermore, SMEs in particular have difficulties to fulfil the far-reaching documentation requirements under the GDPR. We therefore support a differentiation of the documentation obligations in order to reduce the burden for SMEs. Concerning the documentation requirements, we recommend focusing more on the risk that the processing might cause to data subjects. This would be in line with the risk-based approach of the GDPR.

Data Breaches

As emphasized by Germany in the preparation of the Council position on the evaluation and review of the GDPR, companies face great uncertainties with regard to reporting personal data breaches. In particular, it remains unclear whether any further misconduct uncovered as part of the data breach notification can be used in the course of a subsequent investigation by the supervisory authority. While the German legislator recognized the conflict between the reporting obligation under the GDPR and the freedom of self-incrimination and therefore adopted a comprehensive prohibition of use, this point remains unclear on European level. It is therefore necessary to state clearly that such information must not be used for subsequent investigations.

Response to Rationalisation of reporting requirements

28 Nov 2023

DATEV welcomes this initiative. We observe with concern the increasing governmental interventions and the resulting mounting administrative burden on businesses. The increasing red tape significantly impacts entrepreneurship, the competitiveness, and the innovative capacity of the EU. We see room for improvement in the context of IT security, handling of data, DAC 6, sustainability reporting standards for SMEs and posting of workers / business trips (A1 document). Please find attached our position paper.

Meeting with Markus Ferber (Member of the European Parliament)

28 Nov 2023 · European statistics/PSR/FIDA

Response to European Sustainability Reporting Standards

7 Jul 2023

We appreciate the opportunity to comment on the draft ESRS Delegated Act. DATEV, as a leading provider of standard software for businesses, supports the development of reporting standards and taxonomies. We prioritize proportionality and consider the information needs of recipients based on the reporting entity's size. Sustainability is a guiding principle for DATEV as a cooperative. We welcome the concessions made in the latest version of the ESRS drafts, although they may not be extensive enough for the expanded scope of entities. While the reporting standards have been reduced, the draft ESRS Delegated Act still contains numerous textual data points. Large enterprises, previously unaffected by the NFRD, will now need to establish sustainability due diligence assessments and adapt internal processes and data collection procedures to handle this significant volume of textual data. Non-financial data has been challenging to access due to the lack of standardization and automation compared to financial data. Developing new systems and integrating them with existing ones is necessary for effective integrated reporting. We believe that the concessions in the ESRS transition periods are essential but may require further substantive adjustments based on evaluations conducted after the initial implementation for newly obligated entities. We have reservations about the materiality principle applied to all reporting requirements within the thematic ESRS. Conducting resource-intensive materiality analyses is necessary to determine which disclosures are material. Large companies, newly obligated under CSRD, must apply the principle of double materiality and integrate inside-out risks into their risk management systems, adding to the cost-benefit ratio challenges. Regarding the ESRS taxonomy, harmonization with EU standards alone is insufficient. 
National taxonomies for financial reporting, particularly for CSRD entities following local GAAP, must be considered and interconnected with the future ESRS taxonomy. For SMEs not subject to CSRD obligations, the draft ESRS Delegated Act is unsuitable for voluntary ESG reporting. The systemic, technical, and organizational disparities between SMEs and larger companies are not adequately addressed. Voluntary non-financial reporting by SMEs should account for these differences, which the ESRS currently overlook. The absence of drafts for ESRS for SMEs prevents a comprehensive assessment at present.

Response to Evaluation of EU Directive on electronic invoicing in public procurement & Communication for EP and Council

5 Apr 2023

Regarding the current status quo, EN 16931 basically represents a solid framework for the creation of electronic invoices in the B2G environment, which needs to be further specified, concretized, and expanded regarding the planned application scenario in the context of "VAT in the digital age - digital reporting system based on e-invoicing in the B2B context". To be able to ensure automated further processing of electronic invoices both in the invoice exchange between traders and between traders and the tax authorities, it is necessary to precisely define and standardize the information which is relevant for further processing in the invoice core data set (mandatory fields). Any room for interpretation in the data extract of the invoice information contained in the invoice data set leads to additional work for the parties involved and stands in opposition to automation. For example, further standardization should be carried out in the core data set regarding the use of the type codes for the invoice categories (380, 381, 384 and 386) in connection with the signs for invoice items and item totals to eliminate the scope for interpretation that currently exists in the status quo of EN 16931 when processing information. In addition, some information relevant for further processing is currently not structured but can only be mapped via free text fields (e.g., partial final invoices and their VAT assessment, the referencing of several previous partial invoices and the mapping of cash discounts). These exemplary problem points could be minimized and optimized using additional fields in combination with supplementary business rules. The framework of EN 16931 should basically be designed to be able to map all information contained in the invoice core data set that is required for further processing in a structured manner. 
For this purpose, it is necessary, among other things, to add fields to the core data set that were previously only used as options or, if necessary, to outsource them to extensions. These points, which are essential for the standardization of electronic invoices, should be analyzed, discussed, and implemented by DG GROW and the responsible standardization committees with regard to the desired automated invoicing process.

Response to VAT in the Digital Age

28 Mar 2023

DATEV welcomes the EU Commission's initiative to combat VAT fraud and to exploit the opportunities offered by digital technologies. In view of the different digital reporting systems for combating VAT fraud in the Member States, the European initiative is to be welcomed, especially the focus on combating fraud in cross-border cases and the interoperability of the different existing approaches. The aim must be to strike a balance between the state's interest in securing state revenue on the one hand and the business's interest in efficient, unbureaucratic processes on the other.

We particularly welcome:
• Strengthening of e-invoicing ("default system" 2028)
• Basis CEN standard EN 16931 / interoperability
• Separation of the invoice transmission process from the reporting process
• Interoperability of national systems

Concerns exist with regard to:
• 2-day deadlines for invoicing and reporting
• Scope of reporting not necessary for VAT purposes.
• Convergence and consequences for the clearance system (Italy) too far-reaching.

Meeting with Pilar Del Castillo Vera (Member of the European Parliament, Rapporteur)

8 Feb 2023 · Data Act

Response to Cyber Resilience Act

2 Jan 2023

On September 15th, 2022, the EU Commission presented a proposal on a Cyber Resilience Act (CRA). DATEV fully shares the Commission's objective to increase the level of cybersecurity of both hardware and software products in the European Union. In order to unfold their full potential, the foreseen legal requirement should be feasible in practice and serve the intended purpose. The objective should be to establish the requirements needed to increase the cyber security of digital products. On the other hand, new unnecessary bureaucratic hurdles should be avoided wherever possible. The Commission's proposal does not yet strike the right balance. For the further legislative process, we would like to point out the need for improvement in the following areas: scope, definitions, security requirements, vulnerability handling requirements, critical products, and reporting obligations. Only then will the CRA be fit for purpose.

Response to Instant Payments

6 Apr 2021

DATEV eG welcomes the opportunity to provide feedback on the European Commission’s Inception Impact Assessment on an initiative on instant payments in the EU. DATEV approves the EU Commission’s intention to foster SEPA Instant Payments in order to strengthen the Single Market of financial services and thereby to enhance Europe’s digital sovereignty. Today, only 64 % of market participants adhere to the SEPA Instant Credit Transfer Scheme. Thus, it seems to be reasonable that the EU Commission aims to increase the uptake of this scheme. When examining the proposed options that are presented in the impact assessment, we invite the EU Commission to consider the following aspects:

1. SEPA Instant Payment should support SMEs

For SMEs, initiating instant payments may be part of complex processes, e.g. in the case of cash pooling. SMEs usually have different accounts at different credit institutions. Before paying salaries, they carry out cash pooling by transferring the missing amount to a specific account. Subsequently, they prefer to initiate only one SEPA Credit Transfer as a bulk transaction. In times of a pandemic, many SMEs may pay even more attention to liquidity than before to prevent possible liquidity stress. SEPA Instant Payments could support SMEs in this by enabling instant cash pooling. SMEs can only benefit from instant payments if credit institutions strictly adhere to the defined scheme. Some rules should be defined more precisely:
• The availability of the credit must be guaranteed in approximately 10 seconds, the further processing of the money should then be possible immediately (e.g. in the case of cash pooling for a salary bulk transfer).
• The time of visibility on the account statement must be defined identically between credit institutes (e.g. valuta date should be identical to the date of the transaction initiation).

2. SEPA Instant Payments should be customer friendly.

Retailers usually need to focus on end-user needs, especially in e-commerce. End-users would, however, be disadvantaged by using SEPA Instant Payments in comparison to other payment methods, such as credit card schemes, online payments based on three-corner models or SEPA Direct Debit. In all these cases, transaction fees are normally paid by the retailer and not by the customer. With regards to Instant Payments, the situation is different: In many cases, customers must pay for the SEPA Instant Payment transaction. End-users might therefore tend to choose cheaper or free payment methods. Given that the EU Commission sees SEPA Instant Payments as "the new normal", the pricing of SEPA Instant Payments should be discussed. The fees for instant payments should be in a similar range as the fees for standard SEPA payments. In addition, the above-mentioned payment methods offer a certain level of buyers’ protection, which is greatly appreciated by end-consumers. If market payment solutions based on SEPA Instant Payment are lacking effective buyers’ protection mechanisms, customers will most likely opt for other market solutions that provide better buyers’ protection. The EU Commission should monitor whether buyer protection solutions are offered by market participants. If there are few or none, further measures may be needed in this regard to make SEPA Instant Payment a success.

Meeting with Werner Stengg (Cabinet of Executive Vice-President Margrethe Vestager)

15 Jan 2021 · Gaia-X/ Data economy

Response to Legislative framework for the governance of common European data spaces

17 Dec 2020

DATEV eG welcomes the opportunity to provide feedback on the European Commission’s proposal for a Data Governance Act COM (2020) 767. Data access is essential for any successful European data-driven business model. Therefore, DATEV shares the European Commission’s overall objective to foster the availability of data by both increasing trust and by strengthening data-sharing mechanisms across the EU. The proposal introduces a number of promising measures, such as the introduction of single information points and secure processing environments for public sector data. However, we believe that the notification system and the requirements to be applied to specific data sharing services, as introduced in Chapter III, undermine the overall objectives of the proposal.

Data Sharing Services: A balanced, limited and clear scope is necessary

The objective of Chapter III of the Data Governance Act is to provide more trust to genuine independent intermediaries. They shall enable data holders to have greater control over their data. Although we support the aim of enhancing trust in data sharing services, the scope is too extensive and, moreover, causes uncertainty:

1. Art. 2 provides a definition for “data sharing” but does not include a definition of “data sharing intermediaries”. In its current wording, Art. 2 in conjunction with Art. 9.1 captures most data sharing activities. The clarification in Recital 22 is insufficient. We propose to include a definition of “data sharing service” in Art. 2.
Article 2 - paragraph 16: A “data sharing service” means an information society service provided for the sole purpose of intermediating unaltered data between an indefinite number of data holders and data users, excluding services that aggregate, enrich or transform the data and licence the use of the resulting data.

2. The notification intends to ensure the quality and trust in independent data intermediaries. However, already existing businesses of data intermediation should not be required to adhere to the notification requirements. To date, we are not aware of any significant market failure that would justify regulating existing data intermediation services or increased red tape. Therefore, the notification for data sharing service providers should be voluntary.
Article 9 – paragraph 1: The provision of the following data sharing services can be notified to the competent authority:

3. The term “data cooperative” (article 9 - paragraph 1 c) is introduced for intermediaries to empower SMEs or data subjects to make informed choices regarding their data. However, there is no need to specify the legal form for those data intermediation providers. This causes legal uncertainty and confusion, as there are already data cooperatives with a different business model and there are no justified reasons why other legal persons could not provide such services. We propose the following formulation:
Article 9 – paragraph 1 c: data sharing service providers, that support data subjects or one-person companies or micro, small and medium-sized enterprises, who confer the power to the data sharing service provider to negotiate terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal person.

Response to Legislative framework for the governance of common European data spaces

15 Jul 2020

DATEV welcomes the objectives the EU Commission is pursuing with the roadmap on a legislative framework for the governance of common European data spaces.
• In order to provide the public sector as well as the European economy and the civil society with data of sufficient quality and quantity, the public sector should take a front-runner position. Despite all efforts made so far, there still is an enormous potential for the European data economy and for the public sector itself, which can use its existing data much more effectively.
• The EU Commission rightly pursues the objective of supporting the use of data that companies voluntarily contribute to the general public good. Voluntary cooperative data exchanges between the private and public sector should be preferred and encouraged. Access or transfer of private sector data should only be mandatory in certain situations, such as pandemics. However, voluntary, cooperative solutions are also preferable even in these situations, since they are easier to implement and lead to faster results.
• The quality of data is the sine qua non for any data driven applications. Therefore, we welcome the EU Commission’s ambition to put standardisation in the core of its initiative.
• The EU Commission rightly pursues the objective to lower transaction costs in data sharing by supporting an emerging offer of data intermediaries. However, we would like to comment that the discussion around the novel data intermediaries is just at the beginning. A great deal of groundwork is still needed in order to find suitable models for business to business (B2B) and customer to business (C2B) relations and before we should think about certification schemes or labels. First steps that can be built upon are the papers published by Stiftung Neue Verantwortung: https://www.stiftung-nv.de/sites/default/files/designing_data_trusts_e.pdf & https://www.stiftung-nv.de/sites/default/files/20200428-datentreuhandmodelle.pdf. Furthermore, we welcome that the EU Commission suggests data trusts only in C2B relations, as their implementation for B2B relations remains questionable. In the B2B sector, the data trust model appears too weak to prevail against currently successful business models. The neutrality of the data trusts, which can be an advantage when it comes to B2C models, might turn out to be less appealing for companies.