Germany Enacts AI Market Surveillance Law
Germany has rolled out a new AI Market Surveillance and Innovation Promotion Act. The law combines stringent market surveillance, including auditing and intervention powers for non-compliant AI systems, with innovation support through funding and regulatory sandboxes. This dual approach requires companies serving the German market to build auditable, compliance-ready systems from the outset.
- This legislation serves as Germany's national implementation of the EU's broader AI Act, which establishes a tiered, risk-based approach to regulating AI systems across all member states. The German law specifies the domestic authorities responsible for enforcement and market surveillance, rather than creating new, substantive AI requirements. - The Federal Network Agency (Bundesnetzagentur or BNetzA) is designated as the central coordinating body and primary market surveillance authority. However, existing sector-specific regulators, such as the Federal Financial Supervisory Authority (BaFin) for financial services and the Federal Institute for Drugs and Medical Devices, will retain oversight for AI applications within their respective domains. - Supervisory authorities are granted comprehensive inspection powers, including the ability to examine source code and enter business premises to ensure compliance. For high-risk AI systems, this aligns with the EU AI Act's requirements for providers to establish robust risk management, data governance, and documentation processes. - A key component of the law is the promotion of innovation through "regulatory sandboxes," which are controlled environments where companies, particularly SMEs and startups, can test and develop AI systems under the guidance of competent authorities before a full market launch. This initiative is supported by an AI Service Desk to assist businesses with compliance. - The law establishes a Coordination and Competence Centre for Artificial Intelligence (KoKIVO) within the Federal Network Agency to harmonize oversight among the various authorities and serve as a national contact point for European bodies. - For AI systems used in employment contexts—such as recruitment, performance evaluation, or termination—the law classifies them as "high-risk," triggering specific compliance obligations for employers under the EU AI Act. This intersects with existing German labor and data protection laws, including GDPR's regulations on automated decision-making. - The legislation was approved by the German Federal Cabinet on February 11, 2026, and now moves to the Bundestag and Bundesrat for parliamentary approval. This follows a draft bill introduced on September 12, 2025, and a public consultation period. - While the German law provides a national enforcement framework, some industry groups have expressed concerns about the EU AI Act's approaching deadlines, such as the August 2026 effective date for high-risk systems, arguing that key harmonized European standards are not yet available.
