On 10 February 2026, the Federal Government adopted its official government draft (Regierungsentwurf) for the AI Market Surveillance and Innovation Promotion Act (KI-Marktüberwachungs- und Innovationsförderungs-Gesetz – KI-MIG), setting out Germany’s supervisory architecture, enforcement powers, and penalty regime for AI systems under the EU AI Act (Regulation (EU) 2024/1689).

In our earlier overview of EU AI Act implementation across key Member States, we noted that Germany’s national implementation remained underway, with a ministerial draft (Referentenentwurf) dated 11 September 2025. The new government draft is an update of the earlier ministerial draft – especially in relation to competent authorities and administrative fines – and marks the official start of the legislative process.

Supervisory Architecture

Germany has opted for a hybrid supervisory model: no new agency, but a strong central authority supplemented by sector-specific regulators.

BNetzA as central authority: The German Federal Network Agency (Bundesnetzagentur – BNetzA) will be the default market surveillance authority (Sec. 2 (1) KI-MIG), the single point of contact for the EU AI Office (Sec. 6 KI-MIG) and the central complaints office (Sec. 8 KI-MIG). BNetzA will also operate at least one AI regulatory sandbox with priority access for SMEs, start-ups, and research institutions (Sec. 13 KI-MIG).

Coordination and Competence Centre (KoKIVO): Established within the BNetzA (Sec. 5 KI-MIG), KoKIVO pools AI expertise centrally and makes it available to other competent authorities. For companies, this means interpretive guidance will largely flow from one hub, even where a sector-specific regulator is appointed.

Sector-specific authorities: Existing regulators responsible for harmonised EU product legislation (such as medical devices, machinery, radio equipment) will retain competence for AI systems related to those products (Sec. 2 (2) KI-MIG).

Media service providers: There is a notable exception for the media sector. AI systems used by media service providers (as defined in the European Media Freedom Act, Regulation (EU) 2024/1083 – EMFA) for journalistic or advertising purposes fall under the “responsibility of the competent authorities under state law”; these are the state media authorities (Landesmedienanstalten) rather than BNetzA (Sec. 2 (8) KI-MIG). This division of responsibilities ensures compliance with the constitutional requirement of state neutrality in media supervision. The German federal states intend to lay down the relevant supervisory and competence rules for the state media authorities in the planned State Treaty on Digital Media (Digitale-Medien-Staatsvertrag).

BaFin for financial services: The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) will receive a broad mandate to supervise AI systems connected to regulated financial activities (Sec. 2 (3) KI-MIG). Supervised entities include credit institutions and insurers, as well as crypto-asset service providers and pension funds (among others). BaFin will develop its own cybersecurity testing guidelines for high-risk AI systems, in agreement with BNetzA and the market surveillance authority under the Cyber Resilience Act (Regulation (EU) 2024/2847) (Sec. 10 (2) KI-MIG). This ensures the EU DORA Regulation (Regulation (EU) 2022/2554) remains the lex specialis, exempting these entities from the standard joint cybersecurity guidelines developed by BNetzA and the federal cybersecurity authority, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI). BSI will exercise this role on a transitional basis until a dedicated market surveillance authority is formally designated under the Cyber Resilience Act (Sec. 10 (4) KI-MIG).

Independent AI Market Surveillance Chamber: For certain sensitive high-risk AI systems an independent three-member chamber (KI-Marktüberwachungskammer) is created within BNetzA (Sec. 2 (5) and 4 KI-MIG), namely

  • biometric AI systems (Annex III No. 1) when used for law enforcement, border management, or justice/democratic processes,
  • as well as all high-risk AI systems in the areas of
    • law enforcement (Annex III No. 6),
    • migration, asylum and border control (Annex III No. 7),
    • and justice and democratic processes (Annex III No. 8).

The KI-Marktüberwachungskammer operates with complete independence and reports annually to the Bundestag. The draft explains why DPAs were not chosen: divergent interpretations, jurisdictional fragmentation, and competition for scarce AI specialists. The chamber’s mandate does not extend to reviewing individual deployment orders (e.g., judicial authorisations for real-time biometric identification) – only to market surveillance of the systems themselves (Sec. 4 (5) KI-MIG).

Federal states carve-out: Where public bodies of the Federal states place AI systems on the market, put them into service or use them, market surveillance will fall to the authorities designated under the respective state law, not to BNetzA (Sec. 2 (6) KI-MIG). This constitutionally required allocation (Eigenstaatlichkeit der Länder) means that companies supplying AI systems to state-level government clients – such as state police forces, courts, or social welfare offices – might need to also engage with the relevant state authority rather than BNetzA.

Investigative and Enforcement Powers

International companies should be aware of the robust enforcement toolkit granted to authorities under the draft law.

Extensive Inter-Agency Information Sharing: German market surveillance authorities are explicitly permitted to exchange information with each other, including personal data and business and trade secrets, if strictly necessary to fulfill their tasks (Sec. 9 KI-MIG). While bound by confidentiality, this creates a highly networked environment where findings can be seamlessly shared between authorities like the BNetzA, the Data Protection Authorities (DPAs) or the Federal Cartel Office (Bundeskartellamt).

Remote Access and External Experts: Authorities can exercise their investigative powers remotely via Application Programming Interfaces (APIs) or other technical means. They are also permitted to hire external third-party experts (Verwaltungshelfer) to assist with technical processes and investigations (Sec. 11 (2) KI-MIG).

Unannounced Inspections: Inspections of premises and vehicles can be conducted unannounced during regular business hours, and even outside these hours to prevent urgent threats to public safety and order (Sec. 11 (3) KI-MIG).

Immediate Enforcement: Legal challenges (objections and lawsuits) against decisions made by BaFin, or decisions regarding specific products like medical devices and radio equipment, have no suspensive effect (keine aufschiebende Wirkung) (Sec. 11 (7) KI-MIG). This means companies must comply with the regulatory order immediately, even while appealing it.

Enforcement Tactics: The explanatory memorandum highlights that authorities will proactively police the market through anonymous test purchases (mystery shopping) in e-commerce and physical stores, and by cooperating closely with customs authorities and online platforms.

Administrative Fines

EU AI Act fines apply directly. But German administrative offence procedures will apply (Sec. 16 KI-MIG), displacing Sec. 17 and Sec. 30 (1) and (2) of the German Administrative Offences Act (Ordnungswidrigkeitengesetz).

The KI-MIG will also add supplementary national fines of up to EUR 50,000 for violations not covered by Art. 99 of the AI Act, including failures related to information transmission (Art. 21), fundamental rights impact assessments (Art. 27), duties of notified bodies (Art. 45) and explanations to affected persons (Art. 86 (1)) (Sec. 15 KI-MIG).

Strict Obligations Upon Ceasing Business (Liquidation)

For international companies setting up German subsidiaries or appointing a German authorised representative (Bevollmächtigter), the draft contains requirements regarding the end of a business lifecycle. If the provider or the authorised representative ceases its business activities, the legal obligation to retain all AI Act-related documentation automatically transfers to the person responsible for the liquidation or the insolvency administrator (Sec. 18 KI-MIG).

Whistleblower Protection

The government draft will also amend Germany’s Whistleblower Protection Act (Hinweisgeberschutzgesetz) to explicitly cover violations of the EU AI Act (Art. 2 of the draft). This means that persons who report AI Act violations will benefit from the full protections against retaliation available under German whistleblower law, implementing Art. 87 of the EU AI Act.

Innovation Promotion

BNetzA will operate an AI Service Desk (which it has already started to establish), deliver awareness and training programmes (especially for SMEs), and advise public-sector bodies on AI system classification (Sec. 12 KI-MIG). The AI regulatory sandbox extends priority access to research institutions and universities (Sec. 13 KI-MIG). For real-world testing of high-risk AI outside sandboxes, a tacit approval mechanism applies: if the authority does not respond within 30 days, the test is deemed approved (Sec. 14 (2) KI-MIG).

Next steps

The adoption of this government draft marks the official start of the legislative process. Although this is not yet the final law, the government has signaled a clear intent to fast-track proceedings given that the EU AI Act’s implementation deadline of 2 August 2025 has already been missed.

We expect the Bundestag to debate the draft in the coming weeks. Stakeholders should pay close attention to potential amendments, particularly regarding the exact delineation of powers between the BNetzA and other authorities as well as the entry-into-force date after enactment.