Germany's Implementation Act for the EU AI Act

The German Federal Ministry for Digital Affairs has officially initiated the consultation process with the German Federal States and associations regarding the German EU AI Act implementing law. It has done so by publishing its ministerial draft bill (dated 11 September 2025).

In the following, we summarize the content of the ministerial draft bill and highlight particularly the upcoming legislative procedure, the planned supervisory and enforcement architecture, including powers, procedures and fines.

Summary

• The purpose of the draft bill is to establish the German supervisory/notification set‑up and procedures required by Regulation (EU) 2024/1689 (the AI Act) – notably designation of competent authorities, market surveillance, notification regime, and administrative fines procedure.
• The Federal Network Agency (Bundesnetzagentur or BNetzA) becomes the primary market surveillance authority and the national single point of contact in Germany; an independent AI Market Surveillance Chamber within BNetzA is created.
• Existing sectoral authorities remain in charge where EU product legislation already assigns market surveillance/notification roles (Annex I, Section A AI Act). In financial services, BaFin will supervise high‑risk AI used directly in regulated financial activities.
• Innovation instruments are further set out: at least one national AI “regulatory sandbox/lab” will be established by 2 Aug 2026 with prioritised access for SMEs/start‑ups; an authorisation regime for “testing in real‑world conditions” (including a 30‑day tacit approval rule).
• The draft bill does not change the AI Act’s substantive obligations. It establishes the framework for German enforcement.

What is the status in the legislative procedure – and what happens next?

The draft bill is still in the status of a ministerial draft bill (Referentenentwurf). A ministerial draft bill is initially circulated for inter‑ministerial coordination and consultation with federal states and relevant stakeholders (associations). The Federal Ministry for Digital Transformation and Government Modernisation (Bundesministerium für Digitales und Staatsmodernisierung) as responsible ministry has opened a consultation on the draft which is open until 10 October 2025.

After consultation, the ministerial bill will be put before the Federal Government of Germany (Bundesregierung – in the following also “Cabinet”). Upon receiving Cabinet approval, the ministerial draft bill becomes a government bill, and will be introduced to parliamentary proceedings. The proposal undergoes three parliamentary readings, which include committee examination and a public expert hearing; subsequently, the second chamber, the Bundesrat, participates in the legislative process as well.

Once the draft bill is adopted and published in the Federal Law Gazette, the act enters into force on the date specified. The current draft still contains placeholders that may change during the process. As this draft bill is unchanged for the most part in comparison to the draft bill discussed early this year – still under the former government – and a consultation already took place, we do not expect substantial changes to the draft or for the consultation to take very long.

Planned supervisory and enforcement architecture

BNetzA as market surveillance and notifying authority

The BNetzA is designated as the competent market surveillance authority unless a specific sectoral regime applies. It also acts as notifying authority in non‑sectoral areas. Where EU product legislation already assigns authorities (Annex I, Section A AI Act), those structures are retained.

Notably this applies to financial services. For high‑risk AI directly connected to regulated financial activities, BaFin (the Federal Financial Supervisory Authority - Bafin) will act as the market surveillance authority. The remit of BaFin is thereby extended beyond the EU minimum to ensure coherence with existing supervision. This is an important deviation from the otherwise central role of the BNetzA.

The draft implementing law does not foresee an active role of the data protection supervisory authorities in connection with market surveillance although this would have been possible under the AI Act. The Ministry communicated unofficially as reason for bundling competences with the BNetzA to have an innovation-friendly and bureaucracy-light implementation of the AI Act. The German data protection supervisory authorities criticised that they are not even named to monitor compliance of high risk AI systems in cases of Art. 74 para. 8 AI Act (high risk AI systems listed in point 1 of Annex III of the EU AI Act, as far as used for law enforcement etc.) but that this rather shall be done by BNetzA, too. The data protection supervisory authorities rather argue that the AI Act already assigns this task to the states data protection supervisory authorities, which should be reflected in the German draft implementation bill.

Within BNetzA, the AI Market Surveillance Chamber is established as a fully independent decision‑making body for particularly sensitive areas (such as High risk systems that are used for law enforcement purposes, border management and justice and democracy). This implements Art. 74 para 8 AI Act. An annual activity report of the AI Market Surveillance Chamber to the Parliament shall commence in the year 2026.

BNetzA will serve as the national single contact point (interface to the European Commission/AI Office and Member States) and will operate a central, accessible complaint office that forwards submissions to the competent specialist authority, Art. 70 AI Act.

Also a Coordination and Competence Centre (KoKIVO) will be established at BNetzA. The Centre shall pool AI expertise, support market surveillance / notifying / accreditation bodies, coordinate cooperation, and facilitate the development of codes of conduct under Art. 95 AI Act.

Powers, procedures and fines

The supervisory powers granted to the BNetzA and other market surveillance authorities mirror the powers set out in Regulation (EU) 2019/1020 on market surveillance (including on‑site measures and, where appropriate, remote/API access). Challenging measures imposed by a market surveillance authority will follow in general the national procedural rules for administrative matters including the review by the Administrative courts. In defined cases namely those stated in the harmonised legislation in Annex I of the AI Act, objections/appeals against measures imposed by a market surveillance authority will not have suspensive effect.

With regard to the imposition of fines, the German procedural law for regulatory offences will apply and the procedural framework laid down in the German Act on Regulatory Offences (Ordnungswidrigkeitengesetz – OwiG) as well as the German Criminal Procedural Code (Strafprozessordnung – StPO) will govern these proceedings. Court challenges of fines will be heard by the criminal divisions of the ordinary courts.

The draft bill foresees that sections 17 and 30 of the German Act on Regulatory Offences shall not apply. Both provisions govern the framework of setting a fine in terms of amount and fine range as well as the criteria when setting the fine (e.g. seriousness of the offence, financial circumstances of the perpetrator) or when a fine may be imposed on a company. Rather the draft bill foresees that these considerations are determined by the AI Act conclusively, with the level of fines being laid down in Art. 99 AI Act; the assessment of fines shall also follow the principles set out in the AI Act. Based on the exclusion of sections 17 and 30 of the German Act on Regulatory Offences, it remains to be seen how past decisions of the courts will be applied in connection with potential regulatory offences pursuant to the AI Act.

In the past, the German Federal Court of Justice (BGH) has ruled that the existence of an effective and well-functioning Compliance Management System (CMS) aimed at preventing regulatory offences can have a positive effect on the level of fines issued when applying sections 17 and 30 of the German Act on Regulatory Offences (which are declared not applicable here). Therefore it remains to be seen how a CMS influences the fine setting and can lead to a reduction of a fine under the AI Act. In any case having a robust CMS and amending it with a view to the obligations under the AI Act is of tantamount importance for companies to avoid breaches and potential fines.

Innovation instruments: AI labs and testing in real‑world conditions

By 2 Aug 2026, at least one national AI lab to test high-risk AI systems under real-world conditions must be operational, SMEs/start‑ups shall receive prioritised access subject to the criteria laid down in the EU AI Act. Testing of high-risk AI systems under real‑world conditions in outside labs (Art. 60 AI Act) requires prior approval. A 30‑day tacit approval to such plans applies if the authority does not respond in time.

Next steps and how we can support you

The German draft implementation law provides important clarity on how the EU AI Act will be enforced in practice, but also raises open questions, particularly regarding the role of German’s data protection authorities under the EU AI Act and the treatment of compliance management systems in fine proceedings. Companies and organisations providing or deploying AI should closely monitor the legislative process and start preparing their governance and compliance structures accordingly.

If you would like to better understand the implications for your business or have questions on how to adapt your compliance framework to the upcoming supervisory and enforcement architecture, please do not hesitate to reach out to us.