The new German AI Market Surveillance and Innovation Promotion Act (hereafter, the Act) clarifies which authority is responsible for AI systems in Germany. For companies, it is increasingly important to determine precisely which authority oversees each AI application, as this can differ depending on the area of use. For example, within a bank, the German Federal Financial Supervisory Authority is typically responsible for AI-driven lending, whereas the Federal Network Agency (Germany's designated AI oversight authority) oversees AI used in human resources. Below, we outline the key considerations for businesses.
Understanding the German AI Market Surveillance and Innovation Promotion Act
This Act establishes how the European Union's AI Regulation (the "AI Act") is implemented in Germany. While the EU AI Act regulates what is permissible in AI systems, the German implementing Act further clarifies these requirements, specifically delineating which authorities are responsible for monitoring AI and which serve as points of contact for regulatory matters.
Which authorities retain responsibility?
Administrative responsibilities – Continuation of existing frameworks:
The established supervisory authorities overseeing product safety, medical devices, data protection, and other relevant sectors will continue to exercise responsibility for their respective domains. The AI Act and the Act do not replace these authorities, but instead introduce an additional, AI-specific supervisory layer. Companies should be prepared to engage with both their existing regulatory bodies and new AI-focused authorities when introducing AI systems to the market or implementing them internally.
What changes does the Act bring?
It is not solely the technology itself that matters: in the future, businesses will be required to demonstrate that all processes associated with AI—including documentation, data protection, and occupational health and safety—are fully compliant. In the medical sector, existing obligations under the EU Medical Devices Regulation (MDR), data protection law, risk management, and traceability will remain in effect. The Act clarifies which authority businesses should approach for each specific application.
Regarding medical devices, the German Federal Institute for Drugs and Medical Devices generally retains primary responsibility in Germany; however, depending on the application, the Federal Network Agency (Germany's designated AI oversight authority) may also be involved. The Act provides clarity regarding which authority is responsible for oversight and acts as the primary point of contact for AI matters within your organisation.
- More authorities, more responsibility: Depending on the industry and the application, various supervisory authorities are responsible. For general artificial intelligence matters, it is typically the Federal Network Agency (Germany's designated AI oversight authority); in the financial sector, responsibility lies with the German Federal Financial Supervisory Authority; for medical devices, it is the German Federal Institute for Drugs and Medical Devices; and in the media sector, Germany's regional media authorities are in charge. As before, the relevant data protection authority remains responsible for data protection matters.
- Product oversight and AI compliance are intertwined: For each AI product or application, it is essential to determine which regulations apply concurrently, including those relating to product safety, the EU Medical Devices Regulation (MDR), data protection, and AI legislation, as well as identifying the responsible authority for each area. Ensure you are aware of when notifications or documentation are required.
- Authorities have comprehensive powers of inspection: Supervisory bodies may examine source code and enter business premises. In the medical sector, inspections are particularly likely to be unannounced and thorough.
- Mapping is mandatory: It is crucial to document from an early stage which authority is responsible for each system. This ensures you can provide evidence promptly and avoid disputes during emergencies.
- Compliance and organisation are just as important as technology: The deliberate allocation of responsibilities within the German AI Market Surveillance and Innovation Promotion Act enables multiple authorities—such as those responsible for data protection, market surveillance, or sector-specific supervision—to review the same AI system simultaneously and independently. The Coordination and Competence Centre for AI oversight, situated within the Federal Network Agency (Germany's designated AI oversight authority), facilitates cooperation but cannot entirely eliminate overlaps during inspections. Consequently, companies should ensure that internal use of AI systems, allocation of responsibilities, and information flows are clearly regulated to be prepared for, or ideally prevent, concurrent inspections.
Key considerations going forward
- It is important to review not only the AI system itself but also its specific area of application: the same system may fall under the jurisdiction of different authorities depending on how it is used—for example, the German Federal Financial Supervisory Authority for lending activities, or the Federal Network Agency (Germany's designated AI oversight authority) for human resources applications. Determine in each case which authority is responsible for the relevant area of use:
  - General AI supervision: Federal Network Agency (Germany's designated AI oversight authority)
  - Sector-specific supervision: for example, the German Federal Financial Supervisory Authority (finance), the German Federal Institute for Drugs and Medical Devices (medical devices), and Germany's regional media authorities (media)
  - Data protection supervision: the competent data protection authority at the federal level or, where applicable, the Public Procurement Tribunal.
  - Product safety supervision: the existing market surveillance authorities remain responsible.
- Ensure that the designated contact person is clearly documented, and maintain accurate records of where supporting evidence is stored.
- Organise internal processes to ensure readiness for official inspections and potential product recalls.
- If you are uncertain, consult with the relevant authorities at an early stage or seek external expert advice.
Conclusion
While the German AI Market Surveillance and Innovation Promotion Act does not represent a radical change, it does provide greater clarity—particularly for companies operating in or with Germany. Systematic mapping of your products to the appropriate regulatory authorities is increasingly important. It is essential to consider products, compliance, and organisational processes together: the Act redefines the regulatory landscape, yet the established framework for product safety and medical devices, such as the EU Medical Devices Regulation, remains in force. A solid understanding of both sets of requirements will help ensure your business is well positioned for compliance.
We have summarised the most important points in a one-page overview, which you can access here.