AI Regulation Hub

Germany

Germany applies the EU AI Act directly. A national implementation bill is in preparation to designate competent authorities, give the Bundesnetzagentur an AI-sandbox role, and set procedures for cooperation, supervision and fines.

Key provisions

EU AI Act obligations

In force

Apply directly in Germany as an EU regulation: provider, deployer, importer and distributor duties under the EU classification model.

German implementation bill

Draft

Government bill before the Bundestag to designate national competent authorities (market surveillance, notification), regulate cooperation, administrative powers and fine procedures.

Bundesnetzagentur AI sandbox

Draft

Implementation bill provides for at least one AI regulatory sandbox and guidance for SMEs, start-ups and public bodies.

Detailed overview

AI in Germany is governed by the EU AI Act, which applies directly as an EU regulation. German AI providers, deployers, importers and distributors must therefore comply with the EU-wide classification, governance, transparency, high-risk AI and general-purpose AI requirements.

Implementation law

Germany is also preparing national implementation legislation for the EU AI Act. The German Bundestag has published a government bill for implementing Regulation (EU) 2024/1689. The purpose of the implementation law is to determine national competent authorities, including market-surveillance and notification authorities, and to regulate cooperation, administrative powers and fine procedures.

Under the German implementation bill, the requirements that businesses must meet and prove are still the requirements of the EU AI Act. In other words, Germany's implementation law is not designed to create a separate German high-risk AI regime. It is mainly about enforcement architecture: which authority supervises AI, how conformity-assessment bodies are notified, how authorities cooperate and how the EU AI Act is enforced nationally.

Sandboxes and innovation

The implementation bill gives the Federal Network Agency, or Bundesnetzagentur, an important role in innovation support and AI regulatory sandboxes. The bill provides for information and guidance on application of the EU AI Act, especially for SMEs, start-ups and public bodies, and for at least one AI regulatory sandbox. A sandbox is a supervised testing environment for developing or testing AI systems with regulatory guidance.

Business obligations

For AI used in Germany, businesses must apply the EU AI Act classification model. AI used in employment, education, credit scoring, biometric identification, critical infrastructure, essential services, law enforcement, migration, border control or justice may be high-risk. High-risk AI providers must implement quality management, risk management, data governance, documentation, conformity assessment, human oversight, accuracy, robustness and cybersecurity controls. Deployers must use the system according to instructions, monitor operation and ensure human oversight.

Penalties

Penalties for substantive AI Act breaches follow the EU AI Act penalty structure. Breaches of prohibited AI rules can reach EUR 35 million or 7% of worldwide annual turnover. Other AI Act breaches can reach EUR 15 million or 3% of worldwide annual turnover, and misleading information to authorities can reach EUR 7.5 million or 1% of worldwide annual turnover. German implementation legislation determines how national authorities exercise enforcement powers.

Practical requirements & details

Sourced from the EU AI Act, the German KI-Marktüberwachungsgesetz (Entwurf) / implementing bill before the Bundestag, Bundesnetzagentur AI guidance, and the German Datenschutz-Aufsichtsbehörden (DSK) data-protection guidance on AI.

EU AI Act in Germany

  • Applies directly — same provider/deployer duties for prohibited, high-risk, transparency-risk and GPAI as elsewhere in the EU.
  • Implementation law in preparation focuses on designating national competent authorities, market-surveillance, notification, cooperation and fine procedures.
  • Federal Network Agency (Bundesnetzagentur) expected as central market-surveillance authority; sector authorities (BaFin, BSI, BfArM, Bundeskartellamt) retain their AI-related powers.

Sandboxes and SME support

  • Implementation bill provides for at least one AI regulatory sandbox (Art. 57 AI Act) — Bundesnetzagentur-led.
  • Information and guidance on AI Act application targeted at SMEs, start-ups and public bodies.

Data protection — DSK guidance on AI

  • DSK "Orientierungshilfe der Aufsichtsbehörden für Anbieter von KI-Systemen" sets expectations for providers of AI systems processing personal data.
  • Identify the lawful basis and carry out the legitimate-interests balancing for AI training and inference.
  • Carry out a Datenschutz-Folgenabschätzung (DSFA) / DPIA for high-risk AI processing.
  • Pay special attention to model memorisation, training data quality, transparency and automated-decision rights under Art. 22 GDPR.

Sector overlays in Germany

  • Finance — BaFin AI-related supervisory expectations on governance, model risk management, third-party risk, fairness, traceability.
  • Healthcare — MDR/IVDR conformity assessment for AI medical devices; BfArM Software as a Medical Device guidance; predictive AI must be CE-marked.
  • Critical infrastructure — KRITIS regulations and the IT Security Act apply where AI affects critical service availability/integrity.
  • Cybersecurity — BSI guidance on the security of AI systems.

Penalties

  • EU AI Act fines apply as elsewhere (EUR 35M/7%, EUR 15M/3%, EUR 7.5M/1%).
  • German data-protection authorities can fine up to EUR 20M or 4% under GDPR.
  • The implementation law will set Germany-specific procedural rules, but fines are aligned with the EU caps.

See also the European Union entry, which covers the EU AI Act (Regulation (EU) 2024/1689) — the substantive framework that this jurisdiction implements and supervises domestically.
