10 July 2026
Germany doesn't have an AI law. It has the KI-MIG, a year behind schedule.
There is no standalone German AI law. The EU AI Act applies directly. Germany's KI-MIG only settles who supervises it, with the Bundesnetzagentur coordinating.
Anyone searching for a standalone German AI law is looking for something that does not exist in that form. The EU AI Act is a Regulation, not a Directive. It applies directly in every member state without a national parliament transposing it. What Germany had to deliver instead was narrower: naming the authorities Article 70 of the Act requires each member state to designate. The deadline for that was 2 August 2025.
What the Regulation already governs directly
Part of the Act was never waiting on German implementation. Prohibited AI practices and the AI literacy obligation for providers and deployers have applied since 2 February 2025. Obligations for general-purpose AI models took effect on 2 August 2025. Most of the remaining Act, including the high-risk obligations under Annex III, applies from 2 August 2026. None of these dates depend on a German law. They are already binding, whether or not the national supervisory structure is finished.
The deadline Germany missed
Article 70 requires each member state to establish or designate at least one notifying authority and at least one market surveillance authority by 2 August 2025. Germany did not meet that deadline on its own legislative timeline. The federal cabinet only approved the implementing draft on 11 February 2026. The Bundestag passed the law, the KI-Marktüberwachungs- und Innovationsförderungsgesetz (KI-MIG), on 11 June 2026, with minor amendments. Bundesrat approval was still pending at the time of writing. Close to a year separates the EU deadline from the German implementation, a year in which the Act's substantive obligations already applied while the question of which German authority to call remained unsettled.
Where the oversight actually sits
The KI-MIG centres coordination at the Bundesnetzagentur, which is building a coordination and competence centre for the AI Act, known as KoKIVO. KoKIVO's job is not to supervise every AI application in Germany directly. Its job is to support the existing sector authorities in their own obligations under the Act and to keep interpretation consistent on horizontal legal questions, meaning questions that don't belong to one specific sector. A financial institution still has BaFin as the natural sector authority for sector-specific questions. A company without an obvious sector regulator has the Bundesnetzagentur, through KoKIVO, as the first point of contact.
What this means for your own classification work
The delayed German implementation changes nothing about your own obligation to classify AI systems correctly. A company running a system for candidate screening, credit scoring, or another purpose listed in Annex III has to meet the high-risk obligations regardless of whether the responsible German authority has a fixed address yet. If you haven't done that classification systematically, start with Annex III, not with the question of who to call in a dispute. Our governance page covers how we set up that classification inside an engagement, and the EU AI Act Readiness assessment checks your actual estate against Annex III and Annex IV.