AIRiskAware


Germany · 2026

AI Governance for German Companies: BaFin, BSI, Betriebsrat, and the EU AI Act

German companies navigate AI governance through the EU AI Act, sector regulation from BaFin and BSI, GDPR as enforced by state and federal DPAs, and the unique dimension of Betriebsrat co-determination rights on AI in the workplace. The 2026 complete guide.


Key Takeaways

  • German companies face four distinct AI governance obligations: EU AI Act compliance, BaFin/BSI sector-specific requirements for financial and critical infrastructure companies, German GDPR enforcement (both federal BfDI and state DPAs), and Betriebsrat co-determination rights.

  • The Betriebsrat (works council) has specific co-determination rights under the BetrVG (Works Constitution Act) for the introduction of technical monitoring equipment — AI systems that monitor employee behaviour require Betriebsrat agreement before deployment.

  • BaFin has published specific AI governance expectations for financial institutions — its supervisory priorities align with EBA/ESMA guidance and include model risk, explainability, and third-party AI vendor management.

  • The BSI (Federal Office for Information Security) has published AI security guidance that applies to critical infrastructure operators and is increasingly referenced in public sector AI procurement.

  • Germany's AI liability framework is evolving — the German civil law approach to product liability applies to AI-caused harm, and the EU AI Liability Directive will add additional liability channels when enacted.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific advice, consult a qualified professional."

AI governance for German companies — the 2026 landscape

Germany sits at the centre of European AI regulation: it is both the largest EU member state economy and home to substantial AI development across automotive, industrial, and financial sectors. The EU AI Act applies directly, but Germany's national implementation through the KI-Marktüberwachungs- und Innovationsförderungsgesetz (KI-MIG) — and a layered structure of existing regulators including the BSI, BfDI, BNetzA, and BaFin — creates a specific German governance landscape that companies operating in Germany must understand.

EU AI Act in Germany — applicable timeline and obligations

The EU AI Act applies directly to German companies as an EU Regulation. Key dates:

2 February 2025: AI literacy obligation (Article 4) and prohibited AI practices (Article 5) entered application. The November 2025 EU Digital Omnibus proposal would transfer responsibility for AI literacy from providers/deployers to the Commission and Member States as a policy task, though this has not been formally adopted.

2 August 2025: General-purpose AI model (GPAI) obligations and governance rules entered application.

2 August 2026: Bulk of remaining obligations apply, including transparency rules for limited-risk AI. Germany has officially confirmed this remains the legally binding deadline for high-risk AI under the Act, despite the EU Council voting on 13 March 2026 to postpone Annex III high-risk obligations to 2 December 2027.

2 December 2027: Per the May 2026 political agreement on the Digital Omnibus, high-risk AI obligations for standalone systems (employment, credit, biometrics, education, critical infrastructure under Annex III) are postponed to this date.

2 August 2028: Annex I high-risk obligations for AI embedded in regulated products (lifts, toys, machinery) apply.

German national implementation — KI-MIG and BNetzA

Germany's draft implementation law, the AI Market Surveillance and Innovation Promotion Act (KI-Marktüberwachungs- und Innovationsförderungsgesetz, KI-MIG), was approved by the German Cabinet on 11 February 2026. This implements the EU AI Act in Germany by designating competent authorities, organising innovation measures, establishing the penalty regime, and amending German law.

Bundesnetzagentur (BNetzA), the Federal Network Agency, is designated as Germany's primary market surveillance authority for AI systems not already subject to specialised sectoral supervision. BNetzA operates an AI service desk with a "compliance compass" interactive tool, providing practical guidance on whether companies are within AI Act scope and what obligations apply. BNetzA also has innovation-promoting responsibilities, including operating an AI lab.

Hybrid supervisory model. BNetzA coordinates centrally, supplemented by sectoral authorities depending on system context:

- BfDI (Federal Commissioner for Data Protection and Freedom of Information): data protection-relevant high-risk AI systems

- BaFin (Federal Financial Supervisory Authority): AI used in financial services

- BSI (Federal Office for Information Security): cybersecurity and KRITIS-relevant AI

- Federal/state data protection authorities (Landesdatenschutzbeauftragte): GDPR enforcement against AI systems processing personal data

Market surveillance powers include fines, operating bans, and recall orders. Germany missed the 2 August 2025 deadline for formal designation of national competent authorities under EU AI Act Article 70, which created some uncertainty during 2025-2026.

Key German AI compliance resources

BSI QUAIDAL framework — released by the Federal Office for Information Security, this is a quality framework for AI training data with a catalogue of 143 metrics to help providers meet AI Act data quality, transparency, fairness, and compliance requirements.

BSI AI Cloud Services Compliance Catalogue (AIC4) — security and compliance criteria for AI services offered through cloud computing. Increasingly referenced in procurement.

BSI guidance on generative AI risks — including the risks of AI-enabled cyberattacks, phishing, and malware. BSI emphasises defensive AI solutions and the continued application of existing criminal law to AI-driven cybercrime.

BNetzA AI Service Desk and Compliance Compass — interactive tools at bundesnetzagentur.de for company-specific guidance on AI Act applicability and obligations.

GDPR enforcement against AI in Germany

German DPAs have been active in enforcement of GDPR against AI systems. The DSK (Conference of German Data Protection Authorities) has issued multiple guidance documents on AI under GDPR. Areas of focus include: AI training on personal data without lawful basis; biometric AI; emotion recognition; AI in HR. The Berlin DPA's €300,000 fine on a bank for Article 22 violations in automated credit decisioning (referenced in DLA Piper's 2026 enforcement survey) demonstrated active enforcement and is widely cited.

Sector-specific German AI requirements

BaFin in financial services. Germany's financial regulator integrates AI oversight into existing prudential supervision. BaFin's MaRisk (Mindestanforderungen an das Risikomanagement) addresses AI/ML in risk management. The ECB's July 2025 Supervisory Guide on Internal Models — applying to all significant institutions, including German banks — extended model risk management (MRM) expectations to all models, including AI/ML, not just regulatory internal models.

Automotive AI. Germany's automotive sector is uniquely exposed: ADAS, autonomous driving, AI in design and manufacturing. The Federal Motor Transport Authority (Kraftfahrt-Bundesamt, KBA) regulates type approval; UN-ECE Regulations apply; the EU's General Safety Regulation requires increasing levels of safety AI. The German Autonomous Driving Act (2021) established the regulatory framework for SAE Level 4 autonomous driving in defined operational design domains.

Industrial and manufacturing AI. German manufacturers integrating AI into production must address EU AI Act Annex I (machinery, PPE) provisions effective August 2028, plus the Machinery Regulation (Regulation 2023/1230) effective January 2027.

NIS2 cybersecurity. Germany's Cybersecurity Strengthening Act draft (implementing NIS2 Directive) stalled in 2025 amid political disagreement. Despite delays, existing laws oblige organisations using AI-based systems to implement rigorous cybersecurity and incident reporting.

CSRD reporting on AI

From 2025, around 13,000 German companies fall within the Corporate Sustainability Reporting Directive (CSRD) requirements. CSRD reporting now intersects with AI: companies must disclose material AI-related risks (operational, regulatory, environmental). Environmental disclosure of AI's energy and water footprint is becoming standard. Workforce-related disclosure of AI's employment impact is expected.

Practical compliance priorities for German companies

For German companies preparing for the EU AI Act and German implementation:

AI inventory. Catalogue AI systems with classification under EU AI Act risk tiers. Identify which systems are high-risk under Annex III, which are limited-risk requiring Article 50 transparency, and which are minimal risk.

Provider/deployer role clarification. Many German companies are both provider (when developing AI) and deployer (when using AI from others). Obligations differ; many companies need to comply with both.

AI literacy programme (Article 4). Even if the Digital Omnibus transfers responsibility to Member States, AI literacy remains a regulatory and commercial expectation. Document training, content, and reach.

GDPR/AI alignment. Personal data processing in AI requires lawful basis, transparency, DPIA where high-risk, and data minimisation. German DPAs are active enforcers.

QMS and technical documentation for high-risk AI. The Act's QMS requirements are AI-specific and not equivalent to ISO 9001 or existing quality systems.

Contract review. Supplier and customer contracts need updating for AI Act obligations — provider/deployer role allocation, technical documentation, data governance, monitoring obligations.

Cybersecurity and resilience. Apply BSI guidance, prepare for NIS2, and implement AI-specific security controls covering both AI systems and AI-enabled threats.

Engage with BNetzA service desk. The compliance compass tool provides company-specific guidance and signals areas where authority engagement may be needed.

Primary sources: Bundesnetzagentur (BNetzA) · BSI — Federal Office for Information Security · EU AI Act — European Commission