EU AI Act Compliance in Germany
The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.
How does AI Act apply in Germany?
AI Act applies in Germany under EU law with the same obligations as across the bloc — maximum fine €35M or 7% of global turnover. The national supervisory authority is the BfDI (Federal Commissioner for Data Protection), which handles enforcement, complaints, and notifications. Deadline: August 2, 2026 (high-risk systems).
- Supervisory authority: BfDI (Federal Commissioner for Data Protection)
- Maximum fine: €35M or 7% of global turnover
- Key deadline: August 2, 2026 (high-risk systems)
| Supervisory authority | BfDI (Federal Commissioner for Data Protection) |
| Maximum fine | €35M or 7% of global turnover |
| Key deadline | August 2, 2026 (high-risk systems) |
| Sectors affected | Technology, Healthcare |
What AI Act compliance software is available for a German GmbH?
For a German GmbH, EU AI Act compliance requires risk classification of AI systems (Annex III), technical documentation (Article 11), and registration for high-risk systems. EuroComply — Frankfurt-hosted, Portuguese EU entity, using Mistral AI (French SAS) — covers the full workflow from €49/month. The BfDI is the relevant data protection supervisory authority for AI systems processing personal data in Germany.
- Classify all AI systems to Annex III risk tiers
- Generate Article 11 technical documentation
- Register in-scope high-risk systems with BSI/BfDI
- Implement Article 4 AI literacy programme for staff
- Conduct post-market monitoring (Article 72) for deployed high-risk systems
| Jurisdiction | Germany (BfDI + BSI enforcement) |
| Key deadline | 2 August 2026 (high-risk systems) |
| Max fine | €35M or 7% of global turnover |
| EU-sovereign tool | EuroComply — Frankfurt infrastructure, Mistral AI |
August 2, 2026 (high-risk systems)
€35M or 7% of global turnover
Technology, Healthcare, Financial Services
What are my AI Act obligations in Germany?
- Classify AI systems by risk tier
- Implement risk management systems
- Ensure transparency and human oversight
- Register high-risk systems in EU database
- Conduct fundamental rights impact assessments
Who enforces AI Act in Germany?
Bundesnetzagentur (BNetzA)
Official authority websiteAI Act in Germany: what is different here?
The German government's draft implementation act (KI-Marktüberwachungs-/Implementierungsgesetz, adopted in Cabinet February 2026) provides for the Bundesnetzagentur (Federal Network Agency) to be designated as the national market-surveillance authority for the EU AI Act; this designation is not yet formally in force pending parliamentary enactment.
Source: Bundesnetzagentur — KI-Verordnung (AI Act)The Bundesnetzagentur runs a national 'KI-Service-Desk' to help German companies understand their obligations under the AI Act.
Source: Bundesnetzagentur — KI-Service-DeskWhere an AI system processes personal data in Germany, the relevant federal and state data protection authorities (the BfDI and the Landesdatenschutzbehörden) remain competent for the data-protection aspects in addition to AI Act market surveillance.
Source: BfDI — Künstliche IntelligenzWhat are the AI Act penalties for Germany organisations?
The EU AI Act (Regulation (EU) 2024/1689) establishes a three-tier penalty structure. The highest tier — up to €35M or 7% of global turnover — applies to violations of the prohibited AI practices in Article 5. The second tier — €15M or 3% — applies to most high-risk AI system and GPAI model violations. The third tier — €7.5M or 1.5% — covers incorrect or misleading information provided to authorities.
Prohibited AI practices (Art. 5 violations)
€35,000,000 or 7% of global annual turnoverNon-compliance with high-risk AI system obligations (Art. 6–49) and GPAI model obligations (Art. 53–55)
€15,000,000 or 3% of global annual turnoverSupplying incorrect, incomplete, or misleading information to notified bodies or national authorities
€7,500,000 or 1.5% of global annual turnoverWhat is the maximum fine under the EU AI Act?▼
The maximum EU AI Act fine is €35,000,000 or 7% of global annual turnover — whichever is higher — for violations of the prohibited AI practices under Article 5, such as social scoring, subliminal manipulation, or mass biometric surveillance.
Who can be fined under the EU AI Act?▼
Both providers (companies that develop or place AI systems on the market) and deployers (organisations that use AI systems in professional contexts) can be fined under the AI Act. Importers and distributors have separate compliance obligations that can also attract penalties.
When do EU AI Act penalties start applying?▼
Penalties for prohibited AI practices (Art. 5) have applied since 2 February 2025. Penalties for high-risk AI system obligations apply from 2 August 2026.
Common AI Act compliance questions
What is the EU AI Act and what does it require?▼
The EU AI Act (Regulation 2024/1689) classifies AI systems by risk level. Prohibited AI practices apply from February 2025. General Purpose AI model obligations apply from August 2025. High-risk AI system requirements — conformity assessments, documentation, human oversight — apply from August 2026. Providers of high-risk AI in healthcare, employment, critical infrastructure, and law enforcement face the strictest requirements. The AI Office (European Commission) enforces GPAI model rules; national market surveillance authorities enforce rules for other AI systems.
What is an EU AI Act compliance checklist for 2026?▼
An EU AI Act compliance checklist for 2026: (1) Map all AI systems to the risk classification tiers — prohibited, high-risk, limited-risk, minimal-risk; (2) For high-risk systems, implement a risk management system (Article 9), technical documentation (Article 11), quality management (Article 17), and post-market monitoring (Article 72); (3) Register high-risk systems in the EU AI database for in-scope sectors; (4) For GPAI models above 10²⁵ FLOPs training compute, comply with systemic risk obligations (Article 55); (5) Establish AI literacy programmes for staff under Article 4.
When does EU AI Act enforcement start in 2026?▼
EU AI Act enforcement is phased: prohibited AI practices apply from 2 February 2025; GPAI model obligations (Articles 51–56) from 2 August 2025; high-risk AI system rules for Annexes I and III sectors (healthcare, employment, education, critical infrastructure, law enforcement) from 2 August 2026. AI systems used as safety components of products covered by existing EU sectoral legislation face additional deadlines aligned with product safety laws. Member states must designate national competent authorities to enforce the Act.
How do I classify high-risk AI systems under the EU AI Act?▼
Under EU AI Act Annex III, AI systems are classified as high-risk when deployed in: biometric identification and categorisation; critical infrastructure management; education and vocational training; employment and HR management; essential private and public services (including credit scoring); law enforcement; migration and asylum management; and administration of justice. An AI system is also high-risk if it is a safety component of a product covered by existing EU product safety legislation. Article 6(3) allows providers to self-assess that an Annex III system is not high-risk if it poses no significant risk to health, safety, or fundamental rights.
Does AI Act apply to your Germany business?
Find out in 2 minutes with our free regulation checker.
Check now — freeAI Act compliance in other EU countries
AI Act in Germany by Industry
Check Your Compliance Obligations
Find out which AI Act obligations apply to your Germany organisation in under 2 minutes.
Explore AI Act Compliance
For informational purposes only. This is not legal advice — consult qualified legal counsel.