AI Regulation Tracker / Legislation pending
Germany's Bundestag Passes KI-MIG, Naming the Bundesnetzagentur as Lead AI Enforcer
The lower house of Germany's parliament approved a bill making the Bundesnetzagentur the country's central AI market-surveillance authority. It still needs the Bundesrat and formal promulgation before it takes effect.
Germany has taken a decisive step toward answering a question that has hung over the EU AI Act since it entered the statute books: who, inside each member state, actually enforces it. On June 11, 2026, according to secondary coverage of the vote, the Bundestag passed the KI-Marktueberwachungs- und Innovationsfoerderungsgesetz, known as the KI-MIG. The bill would install the Bundesnetzagentur, Germany's federal network agency, as the lead market-surveillance authority for artificial intelligence and as the single national point of contact and complaints office.
The measure is not yet in force. It began as a Federal Cabinet draft on February 10, 2026, and the Bundestag vote is only one stage of the German legislative process. The bill still needs to pass through the Bundesrat, the chamber representing the federal states, and then be formally promulgated before it becomes binding law. Until those steps are complete, the KI-MIG sets a direction rather than an obligation.
What the bill would establish
The core of the KI-MIG is an enforcement map. The Bundesnetzagentur, already the regulator for electricity, gas, telecommunications, post, and railways, would become the central authority for AI market surveillance in Germany. That makes it the body companies contact, the office that receives complaints, and the point of contact other EU authorities coordinate with on German matters. In practical terms, it concentrates responsibility in an established, well-resourced federal regulator rather than standing up an untested new agency, which is the choice several other member states have debated.
The title of the bill signals a second purpose beyond enforcement. The word Innovationsfoerderung, or innovation promotion, sits in the statute's name alongside market surveillance. That framing suggests German lawmakers want the same authority that polices AI to also support its development, a balance the country has emphasized as it implements the EU rules. How that dual mandate plays out in practice will depend on the resources and guidance that follow promulgation.
The bill does not hand the Bundesnetzagentur everything. Financial-sector AI would fall to BaFin, Germany's financial supervisory authority, reflecting the reality that AI used in banking, insurance, and securities sits inside an existing supervisory system. Data-protection oversight would remain with the Federal Commissioner for Data Protection and Freedom of Information, the BfDI. The result is a lead regulator with two important neighbors, rather than a single all-purpose AI agency.
What it does not do
The KI-MIG does not create new substantive AI obligations. The duties themselves, on high-risk systems, transparency, and prohibited practices, come from the EU AI Act (Regulation (EU) 2024/1689), which applies across the bloc. What the German bill supplies is the institutional plumbing: which national authority polices those EU duties, where a complaint goes, and who speaks for Germany in the EU coordination structure. It is a governance and enforcement statute, not a new rulebook of prohibitions.
A note of caution on the record. The exact Bundestag document number (BT-Drucksache) for the KI-MIG could not be independently confirmed for this report, and the June 11 vote is drawn from secondary coverage rather than a primary parliamentary record verified here. Readers who need the citation for a compliance file should pull the BT-Drucksache and the Bundesrat schedule directly before relying on them.
The cross-border angle
For a US firm with German AI operations, the KI-MIG matters because it tells you who will knock on the door. Once promulgated, it fixes the German enforcement structure a US company must map: the Bundesnetzagentur for most AI systems, BaFin if the system is financial, and the BfDI for data-protection questions. Germany is the EU's largest economy, so the choices it makes about AI enforcement carry weight for how the bloc's rules are applied in practice. A firm that already knows which of the three authorities owns each of its German AI use cases will be ready when the law takes effect, rather than scrambling to find its regulator after the fact.
The prudent posture now is preparation, not compliance panic. Nothing in the KI-MIG binds a company today, and the Bundesrat could still shape the final text. But the direction is clear enough that mapping systems to authorities, and watching for the Bundesrat's consideration and the promulgation date, is time well spent.
Frequently Asked Questions
What did the German Bundestag actually pass on June 11, 2026?
According to secondary coverage, it passed the KI-MIG, a bill that would make the Bundesnetzagentur Germany's lead AI market-surveillance authority and single point of contact. It is not yet law; the Bundesrat and promulgation still follow.
Who does the KI-MIG affect?
Any provider or deployer of AI systems operating in Germany, including US firms with German operations. Financial-sector AI would be supervised by BaFin, and data-protection matters would stay with the BfDI.
Is the Bundesnetzagentur now enforcing AI rules in Germany?
Not yet. The bill has passed the Bundestag but still needs the Bundesrat and formal promulgation before it enters into force. Until then, the designation is proposed rather than active.
Does the KI-MIG create new AI obligations for my company?
No. The substantive duties come from the EU AI Act. The KI-MIG assigns which German authority enforces those duties and where complaints and the single point of contact sit.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.