EU AI Act in Germany: KI-MIG & Enforcement

Q: Who enforces the EU AI Act in Germany?

BNetzA (Bundesnetzagentur) is designated as the primary market surveillance authority under the KI-MIG. BaFin retains jurisdiction for AI in financial services. BfArM covers AI medical devices. An independent AI Market Surveillance Chamber within BNetzA handles sensitive biometric AI systems used in law enforcement and justice.

Q: Do I need to notify my works council about AI deployment?

In many cases, yes, independent of the EU AI Act. German works council co-determination rights under the Betriebsverfassungsgesetz apply to technology affecting employees. AI for hiring, monitoring, or performance evaluation triggers consultation obligations. Start works council engagement early.

Q: Is there an AI regulatory sandbox in Germany?

Germany must establish at least one by August 2, 2026 under the EU AI Act. BNetzA is expected to coordinate. SMEs and startups have priority access under Article 57.

Q: What is the KI-MIG?

The KI-Marktüberwachungs- und Innovationsförderungsgesetz is Germany national law implementing EU AI Act requirements for market surveillance, authority designation, and penalty procedures. The Federal Cabinet adopted the government draft on 10 February 2026. It supplements the directly applicable EU AI Act; it does not replace it. Parliamentary procedure in the Bundestag and Bundesrat is ongoing.

KI-MIG: Germany's AI Act Implementation Law

The EU AI Act is a regulation, not a directive — it applies directly in all member states without national transposition. However, member states must designate national competent authorities, establish market surveillance structures, and set national penalty procedures. Germany is doing this through the KI-Marktüberwachungs- und Innovationsförderungsgesetz (KI-MIG).

The Federal Cabinet adopted the government draft on 10 February 2026. The draft is now in parliamentary procedure: it must pass through the Bundestag and Bundesrat before becoming enacted law. Germany missed the EU AI Act's August 2, 2025 deadline for designating national authorities, and the KI-MIG is being fast-tracked to close that gap.

National law: KI-MIG (KI-Marktüberwachungs- und Innovationsförderungsgesetz)

Primary authority: BNetzA (Bundesnetzagentur / Federal Network Agency)

Coordination centre: KoKIVO (Koordinierungs- und Kompetenzzentrum) within BNetzA

Responsible ministry: BMDS (Federal Ministry for Digital and State Modernisation)

Status: Government draft adopted 10 Feb 2026. Parliamentary procedure ongoing.

Data verification note: The KI-MIG is still in parliamentary procedure and may be amended. Verify current status at bmds.bund.de and BNetzA publications before relying on specific provisions.

Who Enforces the EU AI Act in Germany?

Germany's approach follows a multi-authority model. BNetzA takes the central role, but sector-specific authorities retain jurisdiction in their domains. If you're operating AI in financial services, healthcare, or employment in Germany, you don't just talk to one regulator.

Authority	Full Name	AI Act Jurisdiction
BNetzA	Bundesnetzagentur (Federal Network Agency)	Primary market surveillance for most AI systems. Hosts KoKIVO coordination centre.
BaFin	Bundesanstalt für Finanzdienstleistungsaufsicht	High-risk AI in financial services, banking, insurance.
BfArM	Bundesinstitut für Arzneimittel und Medizinprodukte	AI as medical devices.
BAuA	Bundesanstalt für Arbeitsschutz und Arbeitsmedizin	AI in workplace safety.
BfDI	Bundesbeauftragter für den Datenschutz	GDPR enforcement (overlaps where AI processes personal data).
KI-Kammer	Independent AI Market Surveillance Chamber (within BNetzA)	Sensitive biometric AI in law enforcement, border management, justice.

BNetzA isn't starting from zero — it already serves as market surveillance authority for Radio Equipment Directive and Ecodesign, and coordinates Germany's Digital Services Act implementation. The KoKIVO coordination centre within BNetzA will pool AI expertise centrally and make it available to other authorities, so interpretive guidance will largely flow from one hub even where a sector-specific regulator handles enforcement.

AI Regulatory Sandbox

Germany must establish at least one AI regulatory sandbox by August 2, 2026. BNetzA is expected to coordinate. SMEs and startups have priority access under Article 57. Monitor BNetzA publications for application procedures.

German enforcement authority structure showing BNetzA, BaFin, BfArM, BAuA and the independent AI Market Surveillance Chamber

Germany's multi-authority enforcement structure for the EU AI Act: BNetzA as central hub with sector-specific authorities.

Germany-Specific Compliance Considerations

Works Councils (Betriebsrat)

This is the uniquely German complication. Works councils have co-determination rights on technology deployment affecting workers under the Betriebsverfassungsgesetz (Works Constitution Act). AI systems for employee monitoring, performance evaluation, or hiring decisions trigger works council consultation obligations before deployment — independent of EU AI Act requirements. German deployers of Annex III Area 4 (employment) AI face dual notification: EU AI Act Article 26(7) workplace notification and works council consultation. Don't treat these as separate processes. Engage your works council early.

German Data Protection Law (BDSG)

The BDSG supplements GDPR in Germany with additional provisions on automated individual decisions (Section 37 BDSG) and employee data processing (Section 26 BDSG). AI systems processing employee data must comply with BDSG requirements on top of GDPR and EU AI Act obligations. That's three layers of regulation for a single HR AI system.

Industry Concentration

Germany has high concentrations of AI deployment in automotive (autonomous driving, manufacturing), financial services (banking, insurance), healthcare (medical devices, diagnostics), and industrial manufacturing (Industry 4.0, predictive maintenance). Companies in these sectors should anticipate sector-specific enforcement attention from BaFin, BfArM, and BAuA respectively.

If Your AI System Does This	EU AI Act Obligation	Additional German Obligation
Hiring / employee evaluation	Art. 26(7) workplace notification	Works council consultation (BetrVG)
Processes employee data	Art. 10 data governance	BDSG Section 26 employee data rules
Automated decisions about individuals	Art. 14 human oversight	BDSG Section 37 + GDPR Art. 22
Credit scoring / insurance	Annex III(5)(b) high-risk	BaFin supervisory expectations (MaRisk)

Get Started

EU AI Act Compliance Checker
Classify your AI systems Deployer Self-Assessment
Check your deployer obligations

Related guides: EU AI Act for HR & Recruitment (works council implications). EU AI Act for Financial Services (BaFin context). EU AI Act for Healthcare (BfArM context). EU AI Act vs GDPR (BDSG/GDPR overlap).

FAQ: EU AI Act in Germany

Who enforces the EU AI Act in Germany?

BNetzA (Bundesnetzagentur) is the primary market surveillance authority under the KI-MIG. BaFin handles AI in financial services. BfArM covers AI medical devices. An independent AI Market Surveillance Chamber within BNetzA oversees sensitive biometric AI in law enforcement and justice. The KoKIVO coordination centre within BNetzA provides cross-authority expertise.

Do I need to notify my works council about AI deployment?

In many cases, yes — independent of the EU AI Act. German works council co-determination rights under the Betriebsverfassungsgesetz apply to technology affecting employees. AI for hiring, monitoring, or performance evaluation triggers consultation obligations before deployment. Start works council engagement early.

Is there an AI regulatory sandbox in Germany?

Germany must establish at least one by August 2, 2026. BNetzA is expected to coordinate. SMEs and startups have priority access under Article 57. Monitor BNetzA publications for application procedures.

Does BaFin enforce AI Act compliance for banks and insurers?

Yes. BaFin retains sector-specific authority for high-risk AI systems directly linked to regulated financial activities. Companies under BaFin supervision should prepare for AI governance expectations aligned with existing supervisory frameworks like MaRisk and BAIT (being replaced by DORA requirements).

What is the KI-MIG?

The KI-Marktüberwachungs- und Innovationsförderungsgesetz — Germany's national law implementing EU AI Act market surveillance, authority designation, and penalty procedures. The Federal Cabinet adopted the government draft on 10 February 2026. Parliamentary procedure in the Bundestag and Bundesrat is ongoing. It supplements the directly applicable EU AI Act; it doesn't replace it.

Abhishek G Sharma

Founder & CEO, Move78 International Limited. 20+ years in cybersecurity and risk management. ISO 42001 LA, ISO 27001 LA, CISA, CISM, CRISC, CEH, CCSK, CAIGO, CAIRO.

About LinkedIn Move78

Operating in Germany? Start Your Compliance Check.

E1 Toolkit ($299): deployer evidence templates. E2 Workshop ($999): structured implementation for German operations. Advisory ($4,999) for multi-entity governance.

View Toolkits →

Disclaimer & Limitations

This guide is for educational and informational purposes only. It does not constitute legal or regulatory advice. The KI-MIG is in parliamentary procedure and may be amended before enactment. Verify all German national implementation details against official sources. Move78 International Limited is not a law firm. EU AI Act references are based on eu-ai-rules-engine v2.4.

EU AI Act in Germany: National Implementation, Enforcement, and Compliance Requirements