Illustration mit EU-Buch, Schild, Verzweigung zu Säulengebäude und Fabrik sowie Akten.
Digital Business & Future 29.06.2026

The AI oversight in Germany now has an address

6 min read

On 11 June 2026, the Bundestag passed the AI-MIG. This resolves one question that had been open since spring: who is actually supervising the EU AI Act in Germany? The answer is the Federal Network Agency. For mid-sized companies, this is the first reliable point of contact since the AI Act began assigning obligations.

Key Takeaways

  • Bundestag approval: With the Artificial Intelligence Market Surveillance and Innovation Promotion Act (AI-MIG), Germany regulates national oversight for the EU AI Act. In April, this body was still being set up.
  • One central contact, many familiar faces: The Federal Network Agency will coordinate, while sectoral authorities such as BaFin retain their responsibilities. Companies keep their usual point of contact.
  • Deadline set: From 2 August 2026, obligations for high-risk AI take effect. Anyone using AI should know by then which category their application falls into.

Related:EU AI Act takes effect 6 April 2026: what mid-market tech teams must clarify by August  /  Shadow AI in mid-sized firms: what covert use reveals

What the AI-MIG decides

A law called the Artificial Intelligence Market Surveillance and Innovation Promotion Act sounds like the very bureaucracy it claims it wants to avoid. The reality is more sober-and far more important for day-to-day operations. The AI-MIG determines who in Germany checks whether companies are complying with the EU AI Act. That question had been unanswered for months.

Back in April, the situation looked different. Anyone trying to find out whom to contact received no clear answer. The designated authority had been announced but not yet appointed. That exact scenario is described in the article EU AI Act takes effect 6 April 2026: what mid-market tech teams must clarify by August. With the Bundestag vote on 11 June, what had been an announcement became an enacted law that must still pass the Bundesrat. The obligations themselves remain unchanged; what has changed is the authority enforcing them.

Who is responsible for what now

The Federal Network Agency will serve as the central coordinating body, market-surveillance authority and notifying body. The name suggests a single monolithic institution, yet the structure is deliberately different. The agency will coordinate, but it will not review everything itself. Existing sectoral authorities keep their remits-BaFin, for example, remains in charge of the financial sector.

What is the AI-MIG?

The Artificial Intelligence Market Surveillance and Innovation Promotion Act is Germany’s implementing law for the EU AI Act. It designates the competent supervisory authorities, regulates market surveillance for AI systems and assigns the Federal Network Agency a mandate to foster innovation. In short, it transposes the AI Act into national law and names the responsible bodies.

For businesses, this model is the good news in the story. If you already dealt with BaFin, you continue dealing with BaFin. The Federal Network Agency sits in the background ensuring uniform interpretation so that every authority does not read the AI Act differently. That is the one-stop-shop approach. In practice, it means your familiar contact remains unchanged.

Four things SMEs should clarify now

The real work happens inside your own company. Four points will determine whether 2 August becomes just another routine date or a day of frantic last-minute scramble.

  1. Which AI are we actually using? It’s not the official list that counts, but what teams are really deploying. Tools adopted without approval still fall under the rules. An honest inventory is the first step-otherwise you end up supervising a list instead of reality.
  2. What risk class applies to each use? The AI Act grades applications by risk level. Most SME deployments aren’t high-risk, but you need to know for sure rather than guess. The classification decides how much effort you’ll need.
  3. Who owns compliance internally? If nobody is explicitly responsible for AI compliance, the buck stops with the executive team. Designating one person with a clear mandate is cheaper than waiting for a liability case.
  4. Is the documentation up to date? If you’re buying AI systems, you need the vendor’s conformity certificates. Requesting them now is easier than scrambling just before an audit.

None of these steps requires a major project. They simply demand one hour of honest reflection on what is actually happening in your business.

What the regulator is offering SMEs

The AI-MIG doesn’t just set supervisory rules-it also gives Germany’s Federal Network Agency an explicit innovation mandate. A dedicated AI-Service-Desk is planned as a low-threshold contact point, aimed primarily at smaller firms and start-ups. A real-world test lab is also envisaged, allowing companies to trial AI applications in a legally safe sandbox before launch.

2 August
High-risk AI obligations kick in on 2 August 2026. By then every business should know which risk class applies to its applications.
Source: EU AI Act, application start for high-risk systems

“We’re not building another top-heavy bureaucracy.”

Karsten Wildberger, Federal Minister for Digital Affairs and State Modernisation

Yet the law still means business. The AI Act foresees fines of up to €35 million or 7 percent of global annual turnover for banned practices, with lower but still significant penalties for other breaches. For most SMEs these figures remain theoretical-and will probably stay that way in practice. More worrying is reputational damage if an AI system is shown to violate the rules. That’s exactly what the quiet groundwork in the previous section is designed to prevent.

Whether the promised advisory service lives up to expectations will only become clear once companies start using it. Whether the Service-Desk becomes more than an FAQ page depends on whether someone actually picks up the phone when an SME calls. The idea is sound: a regulator that also advises gives companies a reason to reach out early. For SMEs, this contact point may turn out to be the most valuable part of the entire regulation.

Frequently Asked Questions

What exactly is the AI-MIG?

The AI-Marktüberwachungs- und Innovationsförderungsgesetz (AI Market Surveillance and Innovation Promotion Act) is Germany’s implementing law for the EU AI Act. It designates the competent supervisory authorities and regulates market surveillance for AI systems in Germany.

Who should a mid-sized company contact with AI-related questions?

The Federal Network Agency (Bundesnetzagentur) serves as the central point of contact and operates an AI service desk for smaller businesses. In regulated sectors, the existing specialist supervisory authorities remain responsible-such as BaFin in the financial industry.

When do the obligations take effect?

The EU AI Act will become generally applicable for high-risk AI on 2 August 2026. Prohibited practices have already been in force since February 2025, and rules for general-purpose AI models have applied since August 2025.

Is my use of AI automatically considered high-risk?

In most mid-sized companies, no. High-risk classification applies to clearly defined areas such as personnel selection or critical infrastructure. The assessment should still be documented, not merely assumed.

What does the Federal Network Agency’s real-world lab offer?

The real-world lab allows companies to test AI applications in a legally secure framework before going live. This reduces the risk of building a solution that later fails to meet compliance requirements.

Editor’s Reading Tips

More from the MBF Media Network

Image source: AI-generated (June 2026)

Also available in

A magazine by evernine media GmbH
The decision-maker magazine for the DACH mid-market DEENFRES
Newsletter