KI-MIG: Germany's AI Act Implementation Law
The EU AI Act is a regulation, not a directive — it applies directly in all member states without national transposition. However, member states must designate national competent authorities, establish market surveillance structures, and set national penalty procedures. Germany is doing this through the KI-Marktüberwachungs- und Innovationsförderungsgesetz (KI-MIG).
The Federal Cabinet adopted the government draft on 10 February 2026. The draft is now in parliamentary procedure: it must pass through the Bundestag and Bundesrat before becoming enacted law. Germany missed the EU AI Act's August 2, 2025 deadline for designating national authorities, and the KI-MIG is being fast-tracked to close that gap.
National law: KI-MIG (KI-Marktüberwachungs- und Innovationsförderungsgesetz)
Primary authority: BNetzA (Bundesnetzagentur / Federal Network Agency)
Coordination centre: KoKIVO (Koordinierungs- und Kompetenzzentrum) within BNetzA
Responsible ministry: BMDS (Federal Ministry for Digital and State Modernisation)
Status: Government draft adopted 10 Feb 2026. Parliamentary procedure ongoing.
Data verification note: The KI-MIG is still in parliamentary procedure and may be amended. Verify current status at bmds.bund.de and BNetzA publications before relying on specific provisions.
Who Enforces the EU AI Act in Germany?
Germany's approach follows a multi-authority model. BNetzA takes the central role, but sector-specific authorities retain jurisdiction in their domains. If you're operating AI in financial services, healthcare, or employment in Germany, you don't just talk to one regulator.
| Authority | Full Name | AI Act Jurisdiction |
|---|---|---|
| BNetzA | Bundesnetzagentur (Federal Network Agency) | Primary market surveillance for most AI systems. Hosts KoKIVO coordination centre. |
| BaFin | Bundesanstalt für Finanzdienstleistungsaufsicht | High-risk AI in financial services, banking, insurance. |
| BfArM | Bundesinstitut für Arzneimittel und Medizinprodukte | AI as medical devices. |
| BAuA | Bundesanstalt für Arbeitsschutz und Arbeitsmedizin | AI in workplace safety. |
| BfDI | Bundesbeauftragter für den Datenschutz | GDPR enforcement (overlaps where AI processes personal data). |
| KI-Kammer | Independent AI Market Surveillance Chamber (within BNetzA) | Sensitive biometric AI in law enforcement, border management, justice. |
BNetzA isn't starting from zero — it already serves as market surveillance authority for Radio Equipment Directive and Ecodesign, and coordinates Germany's Digital Services Act implementation. The KoKIVO coordination centre within BNetzA will pool AI expertise centrally and make it available to other authorities, so interpretive guidance will largely flow from one hub even where a sector-specific regulator handles enforcement.
AI Regulatory Sandbox
Germany must establish at least one AI regulatory sandbox by August 2, 2026. BNetzA is expected to coordinate. SMEs and startups have priority access under Article 57. Monitor BNetzA publications for application procedures.
Germany's multi-authority enforcement structure for the EU AI Act: BNetzA as central hub with sector-specific authorities.
Germany-Specific Compliance Considerations
Works Councils (Betriebsrat)
This is the uniquely German complication. Works councils have co-determination rights on technology deployment affecting workers under the Betriebsverfassungsgesetz (Works Constitution Act). AI systems for employee monitoring, performance evaluation, or hiring decisions trigger works council consultation obligations before deployment — independent of EU AI Act requirements. German deployers of Annex III Area 4 (employment) AI face dual notification: EU AI Act Article 26(7) workplace notification and works council consultation. Don't treat these as separate processes. Engage your works council early.
German Data Protection Law (BDSG)
The BDSG supplements GDPR in Germany with additional provisions on automated individual decisions (Section 37 BDSG) and employee data processing (Section 26 BDSG). AI systems processing employee data must comply with BDSG requirements on top of GDPR and EU AI Act obligations. That's three layers of regulation for a single HR AI system.
Industry Concentration
Germany has high concentrations of AI deployment in automotive (autonomous driving, manufacturing), financial services (banking, insurance), healthcare (medical devices, diagnostics), and industrial manufacturing (Industry 4.0, predictive maintenance). Companies in these sectors should anticipate sector-specific enforcement attention from BaFin, BfArM, and BAuA respectively.
| If Your AI System Does This | EU AI Act Obligation | Additional German Obligation |
|---|---|---|
| Hiring / employee evaluation | Art. 26(7) workplace notification | Works council consultation (BetrVG) |
| Processes employee data | Art. 10 data governance | BDSG Section 26 employee data rules |
| Automated decisions about individuals | Art. 14 human oversight | BDSG Section 37 + GDPR Art. 22 |
| Credit scoring / insurance | Annex III(5)(b) high-risk | BaFin supervisory expectations (MaRisk) |
Get Started
Related guides: EU AI Act for HR & Recruitment (works council implications). EU AI Act for Financial Services (BaFin context). EU AI Act for Healthcare (BfArM context). EU AI Act vs GDPR (BDSG/GDPR overlap).
FAQ: EU AI Act in Germany
These answers support practical triage. Confirm final classifications, reporting decisions, and legal obligations with qualified counsel or the relevant competent authority.
BNetzA (Bundesnetzagentur) is the primary market surveillance authority under the KI-MIG. BaFin handles AI in financial services. BfArM covers AI medical devices. An independent AI Market Surveillance Chamber within BNetzA oversees sensitive biometric AI in law enforcement and justice. The KoKIVO coordination centre within BNetzA provides cross-authority expertise.
In many cases, yes — independent of the EU AI Act. German works council co-determination rights under the Betriebsverfassungsgesetz apply to technology affecting employees. AI for hiring, monitoring, or performance evaluation triggers consultation obligations before deployment. Start works council engagement early.
Germany must establish at least one by August 2, 2026. BNetzA is expected to coordinate. SMEs and startups have priority access under Article 57. Monitor BNetzA publications for application procedures.
Yes. BaFin retains sector-specific authority for high-risk AI systems directly linked to regulated financial activities. Companies under BaFin supervision should prepare for AI governance expectations aligned with existing supervisory frameworks like MaRisk and BAIT (being replaced by DORA requirements).
The KI-Marktüberwachungs- und Innovationsförderungsgesetz — Germany's national law implementing EU AI Act market surveillance, authority designation, and penalty procedures. The Federal Cabinet adopted the government draft on 10 February 2026. Parliamentary procedure in the Bundestag and Bundesrat is ongoing. It supplements the directly applicable EU AI Act; it doesn't replace it.
Need More Practical Guidance?
Explore the free EU AI Compass tools and guides to classify your use case, understand your obligations, and move to the next compliance step.
Disclaimer & Limitations
This guide is for educational and informational purposes only. It does not constitute legal or regulatory advice. The KI-MIG is in parliamentary procedure and may be amended before enactment. Verify all German national implementation details against official sources. Move78 International Limited is not a law firm. National-law, sector-law, and non-EU comparison statements should be rechecked against official sources before board, audit, enforcement, or client reliance. EU AI Act references are based on eu-ai-rules-engine v2.8.