Germany Now Has a Named AI Regulator

The law and who passed it

On 11 June 2026 the German Bundestag adopted the Gesetz zur Durchfuehrung der KI-Verordnung, known as the KI-Marktueberwachungs- und Innovationsfoerderungsgesetz or KI-MIG. The Federal Cabinet had approved the draft on 11 February 2026. The law was carried by the governing coalition of CDU, CSU, and SPD, while the AfD, the Greens, and the Left voted against it. As an objection law it does not require the consent of the Bundesrat, so its passage through the Bundestag effectively settles the national framework.

The KI-MIG is the national implementation of the EU AI Act, Regulation (EU) 2024/1689, which has been in force since 2 August 2024. The EU regulation sets the substantive rules. The German law decides who enforces them on German soil and how the oversight is organized. With this step Germany moves from an open question to a named authority, which is the practical fact that matters for any owner planning ahead.

What the Bundesnetzagentur will do

The KI-MIG designates the Bundesnetzagentur as the central market surveillance authority for artificial intelligence in Germany. The agency will build a coordination and competence center that bundles AI expertise and shares it with other responsible authorities, and it will operate an independent market surveillance chamber for high-risk systems. It also becomes the point of contact toward European institutions, which keeps Germany's position consistent with cross-border enforcement.

Alongside enforcement, the agency carries an advisory and innovation role. It will run a complaint office where citizens can report suspected AI violations, a service desk for small and mid-sized companies and startups, and at least one AI sandbox, a Reallabor, where new systems can be tested under supervision. For owners this means one named address that both checks compliance and offers a route to ask questions before a product reaches the market.

What owners should prepare now

The first task is an inventory. An owner should know which AI systems the business builds, buys, or embeds, and into which risk category each one falls under the EU AI Act. From there the duties follow: documentation, transparency where required, human oversight for higher-risk uses, and the cooperation and information obligations that the national law now backs with fines of up to 50,000 euros. None of this is exotic. It is record keeping and clear accountability, applied to a domain that previously had no named referee.

The second task is to assign ownership inside the company. Someone should hold the AI inventory, track the EU AI Act deadlines as they phase in, and keep a single contact line to the Bundesnetzagentur when a question arises. A short written policy on how AI is approved and used carries more weight with a regulator than a large but undocumented effort. The point is not to slow the business. It is to make the work legible to the authority that now exists.

Read next: Your AI Must Now Identify Itself  ·  The Data Act Opens Your Products