Chapter 1: Germany and the EU AI Act
1.1 Direct Applicability
The EU AI Act (Regulation (EU) 2024/1689) applies directly in Germany without the need for transposition into national law. As an EU Regulation, it takes precedence over conflicting provisions of German federal and state law. German organisations developing, deploying, or using AI systems must comply with the Act on the same timeline as all other EU Member States.
Germany has historically been one of the most active EU Member States in AI governance. The federal government published its national AI strategy (KI-Strategie) in 2018, updated it in 2020, and has since integrated EU AI Act implementation into its broader digital policy agenda. German enforcement bodies have been preparing for their supervisory roles since 2024.
1.2 German Institutional Landscape for AI Oversight
Germany's federal structure creates a multi-layered enforcement environment. The following institutions play defined roles in AI Act implementation:
| Institution | Role in AI Act Enforcement |
|---|---|
| Bundesnetzagentur (BNetzA) | Designated national market surveillance authority for AI systems |
| BfDI (Federal Data Protection Commissioner) | Data protection oversight for AI systems processing personal data; GDPR coordination |
| BaFin (Federal Financial Supervisory Authority) | Sector-specific oversight of AI in financial services |
| BSI (Federal Office for Information Security) | Cybersecurity requirements for AI systems; technical standards |
| BAuA (Federal Institute for Occupational Safety and Health) | AI in workplace safety contexts |
| State Data Protection Authorities (16 Landesdatenschutzbehoerden) | Regional data protection enforcement; GDPR compliance for AI |
1.3 The Bundesnetzagentur as Market Surveillance Authority
In January 2025, the German government designated the Bundesnetzagentur (Federal Network Agency) as the primary market surveillance authority for AI systems under the EU AI Act. This decision consolidated AI oversight in an agency that already supervised telecommunications, postal services, energy markets, and rail infrastructure.
The Bundesnetzagentur is responsible for:
- Monitoring compliance of AI systems placed on the German market
- Conducting inspections of AI providers and deployers
- Ordering corrective actions for non-compliant AI systems
- Imposing penalties for violations of the AI Act
- Coordinating with other national authorities and the European AI Office
- Participating in the European Artificial Intelligence Board
The agency established a dedicated AI supervision division in mid-2025 and has been building technical capacity, including hiring AI engineers and data scientists, to support its enforcement mandate.
1.4 Enforcement Timeline for Germany
| Date | Milestone |
|---|---|
| January 2025 | Bundesnetzagentur designated as market surveillance authority |
| 2 February 2025 | Prohibited AI practices and AI literacy obligations in force |
| 2 August 2025 | GPAI model obligations apply |
| 2 August 2026 | Transparency obligations; AI Office enforcement powers operational |
| 2 December 2027 | Annex III high-risk AI system obligations (Omnibus deferral) |
| 2 August 2028 | Annex I product-embedded AI obligations |
Quick Decision Matrix
Use this matrix to determine your AI compliance obligations.
| Your Situation | Risk Level | Priority Action | Go To |
|---|---|---|---|
| Deploying AI that affects employment decisions | High | Impact assessment required | Chapter 3 |
| Using AI for customer-facing services | Medium-High | Transparency obligations apply | Chapter 4 |
| Internal AI tools (analytics, automation) | Medium | Document and monitor | Chapter 5 |
| AI in regulated sector (finance, health) | High | Sector-specific rules apply | Chapter 3 |
| Procuring AI from third-party vendor | Medium | Vendor due diligence needed | Chapter 5 |
| Just exploring AI for the first time | Low | Start with governance framework | Chapter 2 |
5-second answer: If your AI system makes decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.