For a long time, Germany lacked a clear answer to a simple question: who actually enforces the EU AI Act here? Since 11 June 2026 there has been one: the Bundestag passed the national implementing act and designated the Bundesnetzagentur as the central AI supervisor. Its core piece carries the abbreviation KI-MIG.
That ends a long standstill — but the law is not yet in force as of 26 June 2026. We explain what the KI-MIG governs, who will supervise what, which deadlines and fines apply, and what it means for regulated companies in construction, healthcare, law and finance.
What is the KI-MIG?
The KI-MIG is the "AI Market-Surveillance and Innovation-Promotion Act" — Article 1 of the "Act implementing Regulation (EU) 2024/1689". It transposes the EU AI Act into German law and mainly governs which authorities supervise AI in Germany. The Bundestag passed it on 11 June 2026; the Bundesrat's approval was still pending on 26 June 2026.
An important framing: the KI-MIG is not a standalone law but the central article of an omnibus act. The EU AI Act, as a regulation, applies directly; but member states must organise national enforcement — designate authorities, set procedures, shape sanctions. That is exactly what the KI-MIG does. It does not create the substantive obligations anew; it creates the infrastructure through which those obligations are enforced in Germany.
This deliberately distinguishes the article from our deployer checklist on the Article 50 transparency duties: that one is about the EU level — which obligations apply from 2 August 2026. This one is about the national level — who supervises and enforces them.
Who supervises artificial intelligence in Germany?
The central body becomes the Bundesnetzagentur — as a market-surveillance and notifying authority and as a coordination and competence centre (KoKIVO). But "central" does not mean "exclusive": actual market surveillance partly stays with sectoral authorities, insofar as tasks are not assigned to other specialist authorities. For certain fundamental-rights-sensitive high-risk systems, an independent AI market-surveillance chamber is added on top.
The Bundestag's text archive puts it soberly: the Bundesnetzagentur will be designated "as the market-surveillance authority for compliance with the AI Regulation, insofar as this task is not assigned to other specialist authorities". The sharpened reading "central market-surveillance authority" that ran through many headlines — for example at heise online — captures the thrust, but obscures the hybrid model: product- and sector-specific supervision stays where the expertise already sits.
The coordination and competence centre (KoKIVO)
Within the BNetzA, the KI-MIG establishes the Coordination and Competence Centre for the AI Regulation (KoKIVO). It bundles cross-authority expertise and coordinates the cooperation of the competent national market-surveillance and notifying authorities — so that horizontal legal questions are answered uniformly rather than each authority taking its own line. Because the law is not yet in force, the BNetzA speaks here of intended structures.
The independent AI market-surveillance chamber
For certain — especially fundamental-rights-sensitive — high-risk AI systems, an independent, non-directable AI market-surveillance chamber is to be created at the BNetzA. It has three members chaired by the BNetzA president and oversees, among others, biometrics in law enforcement, border and migration control, and justice and democracy. This concerns only certain high-risk systems; the bulk stays with the specialist authorities. The obvious rationale — the fundamental-rights sensitivity of these applications — follows the logic of the EU regulation; as a verbatim statement of the Bundestag it is not documented.
AI service desk for companies
In addition, the Bundesnetzagentur runs an AI service desk as a contact point for companies — designed above all for small and medium-sized enterprises and start-ups that have questions about the classification, documentation and conformity of their AI systems. The service desk is a function of the BNetzA as a whole, not of the KoKIVO.
When does what apply? Deadlines and transition periods
Per the Bundesnetzagentur, market surveillance applies from 2 August 2026 for high-risk AI under Annex III and from 2 August 2027 under Annex I. These dates mark when the market-surveillance competence for high-risk systems formally exists, not necessarily when the substantive obligations being supervised themselves apply; the latter are postponed by the Digital Omnibus, explained below, to a likely 2 December 2027 (Annex III) and 2 August 2028 (Annex I). The EU deadline for designating authorities — 2 August 2025 under Art. 70 of the AI Act — had long passed by then. Germany was thus around a year late, due not least to the change of government in 2025; the government draft was only adopted by the cabinet on 11 February 2026.
Concretely, Art. 70(2) of the AI Act requires member states to make public by 2 August 2025 how their competent authorities and single points of contact can be reached electronically. This designation — what the KI-MIG now delivers — is part of the regulation's governance layer.
The Digital Omnibus postpones the high-risk obligations — not the supervision date
A common confusion is worth clearing up: under the preliminary trilogue agreement of 7 May 2026, the EU "Digital Omnibus on AI" postpones the substantive high-risk obligations — for standalone systems (Annex III) to 2 December 2027, and for systems embedded in regulated products (Annex I) to 2 August 2028. The governance date of 2 August 2026 — authority designation, Article 50 transparency duties, sanction powers for general-purpose AI — remains unaffected. It is precisely this authority designation that the KI-MIG must deliver; it is not relieved by the Omnibus.
The Omnibus itself is also not yet finally in force as of 26 June 2026: the EU Parliament adopted the text on 16 June 2026 (423 in favour, 57 against, 174 abstentions); formal adoption by the Council was scheduled for 29 June 2026, followed by publication in the Official Journal. And it postpones deadlines — it abolishes no obligations.
Which fines apply — and who imposes them?
The KI-MIG itself sets only one national fine: up to 50,000 euros for certain breaches governed by the KI-MIG (§ 15) — including cooperation and information duties as well as a high-risk operator's duty to enable the affected person's explanation under Art. 86 of the AI Act. The well-known ceilings — up to 35 million euros or 7% of worldwide annual turnover, 15 million / 3%, 7.5 million / 1% — come directly from the EU AI Act (Art. 99), not from the German law. The confusion is widespread but costly in argument: "Germany imposes fines of up to 35 million euros" would simply be wrong.
| Breach | Legal basis | Maximum fine |
|---|---|---|
| Breach of certain national duties (§ 15 KI-MIG, e.g. cooperation/information duties, the Art. 86 explanation duty) | KI-MIG (Germany) | up to 50,000 euros |
| Prohibited AI practices (Art. 5 AI Act) | EU AI Act Art. 99 | up to 35 million euros or 7% of worldwide annual turnover |
| Breaches of other provider/deployer obligations | EU AI Act Art. 99 | up to 15 million euros or 3% of worldwide annual turnover |
| False, incomplete or misleading information to authorities | EU AI Act Art. 99 | up to 7.5 million euros or 1% of worldwide annual turnover |
Only the first row is set by the German KI-MIG itself; rows two to four are set directly by the EU AI Act (Art. 99). In practice this means: the nationally adjustable lever is small; the real risk sits in the directly applicable EU regulation.
Is the KI-MIG already in force?
As of 26 June 2026: no. The Bundestag passed the law on 11 June 2026 — in the version amended by the Committee on Digital Affairs, with the votes of CDU/CSU and SPD, against the votes of AfD, Bündnis 90/Die Grünen and Die Linke. But the Bundesrat must still approve it. The next regular Bundesrat plenary session is 10 July 2026. Until then, the KI-MIG is a passed but not-yet-in-force bill.
This framing matters because it is often shortened. Anyone who writes today that Germany has an AI supervision law overstates the status. The accurate version is: the Bundestag has passed it; the last hurdle — the Bundesrat — is still pending. We keep this article's dateModified honest and recommend checking the current status before making binding decisions.
What does the KI-MIG mean for regulated companies?
For data-sensitive industries — construction, healthcare, law, finance — the KI-MIG mainly means two things: there will be clearly addressable supervisory and contact bodies (Bundesnetzagentur, KoKIVO, AI service desk), and high-risk obligations demand documentation, traceability and auditability. Anyone running AI locally and traceably can produce exactly this evidence more easily.
That is not a coincidence but architecture. A grounded AI platform on your own hardware logs which data fed into an answer, keeps access permission-aware, and makes every use traceable in the audit trail — the technical evidentiary basis a market-surveillance authority will want to see in case of doubt. Anyone who also keeps data flows in-house (see Security & data sovereignty) reduces the attack surface and the number of places where documentation has to be created in the first place. This holds across industries — from construction to the clinic, where the same logic applies: sensitive data that must not leave the building.
To be clear: Lokalaise is an enabler, not legal or compliance advice. Whether and how your AI systems classify as high-risk and which obligations follow is something to clarify with your legal department and, where applicable, the competent authority.
Your next steps
Three questions help you situate your own position on the KI-MIG:
- Classification: Do you know which of your AI systems might qualify as high-risk (Annex III) under the EU regulation — and thus fall under market surveillance in future?
- Evidence: Can you demonstrate today which data fed into an AI answer, who had access, and how the system is configured?
- Data sovereignty: Does sensitive data leave your premises for AI use — and if so, is that compatible with your documentation and confidentiality duties?
Where you hesitate, a closer look pays off. In a short demo we show you how a local, permission-aware AI delivers traceable answers — and records the evidence a future supervisor will want to see from the outset.
Conclusion
The KI-MIG names the supervisor; the EU AI Act sets the substantive obligations. The Bundesnetzagentur becomes the central — but not the sole — market-surveillance authority, flanked by sectoral authorities, the KoKIVO and an independent market-surveillance chamber. As of 26 June 2026 the law is passed but not yet in force — the Bundesrat's approval is still pending. For regulated companies it means: there will soon be clearly addressable contact and supervisory bodies, and high-risk obligations demand documentation and traceability. Anyone running AI locally and auditably can produce that evidence more easily. This article is a briefing, not legal advice.
Written by
Marius Gill
CTO @ Lokalaise