The draft bill for the AI Market Surveillance Act: German Implementation of the AI Act

Even though the AI Act is generally directly applicable, the member states must still enact legislation to monitor compliance with the AI Act and to promote innovation. By August 2025, member states must establish the necessary structures for market surveillance (Art. 70 (1) AI Act). Germany has now come one step closer to this goal with the first draft of the AI Market Surveillance Act (KIMÜG draft). The draft provides insights into how Germany could design the supervisory structure and organizational framework to implement the AI Act.

According to the current draft, the Federal Network Agency (Bundesnetzagentur, BNetzA) will, in general, act as the central market surveillance authority and notifying authority. It will oversee market surveillance in areas without existing supervisory structures. Existing market surveillance authorities, such as BaFin for the financial sector, will remain responsible for their respective areas. The BNetzA will establish several independent bodies, including the Independent Market Surveillance Chamber (UKIM) and the Coordination and Competence Center (KoKIVO). These bodies will monitor compliance with the AI Act and provide technical expertise. The German Accreditation Body will be responsible for the evaluation and monitoring of conformity assessment bodies.

The BNetzA will be designated as the central market surveillance authority and notifying authority. Its powers include monitoring compliance with the provisions of Chapters II to IV of the AI Act, including the prohibition of certain practices (Art. 5 AI Act), the control of high-risk AI systems (Art. 6 ff. AI Act), and ensuring transparency requirements (Art. 52 ff. AI Act). Additionally, the BNetzA will be responsible for the designation and monitoring of conformity assessment bodies (Art. 33 AI Act). By utilizing existing structures and pooling expertise under the BNetzA's umbrella, synergies are to be created, and duplicate structures avoided.

The Independent Market Surveillance Chamber (UKIM) is to be established as an independent and non-directive unit within the BNetzA. Its task is to monitor certain high-risk AI systems that are subject to the special requirements for the independence of the supervisory body under Art. 74(8) AI Act. The Coordination and Competence Center (KoKIVO) is also to be established within the BNetzA and will provide technical expertise and knowledge to the market surveillance authority. Furthermore, it will coordinate the actions of authorities in the field of national AI supervision and ensure a uniform response to legal questions.

The AI Act includes measures to promote innovation, such as the operation of AI regulatory sandboxes. Sandboxes are controlled environments where AI systems can be developed, tested, and validated before being released to the market. The BNetzA is to establish and operate such a sandbox to create legal certainty and promote exchange with the involved authorities. The primary goals of these sandboxes are to create legal certainty for the addressees in complying with the AI Act, promote exchange with the involved authorities, and enable evidence-based regulatory learning for the authorities. An AI ecosystem is to be created that reduces market entry barriers for startups and SMEs. In addition to legal certainty, participants in the AI sandboxes benefit from the exemption from the purpose limitation principle of the GDPR for personal data used as training data, as well as tests of high-risk AI systems under real conditions outside the sandboxes.

The draft also provides for sanctions for violations of the AI Act, similar to those in EU competition law and the General Data Protection Regulation (GDPR). The provisions of the Administrative Offenses Act (OWiG) are to be adapted accordingly. According to Art. 99 (1) AI Act, member states must establish rules for sanctions and other enforcement measures, which may include warnings and non-monetary measures. Regarding procedural rules, unless otherwise specified, the provisions of the Administrative Offenses Act and the general laws on criminal procedure, namely the Code of Criminal Procedure and the Courts Constitution Act, apply accordinly.

The draft could raise legal and practical concerns, particularly regarding the independence of the UKIM and the avoidance of duplicate structures. Constitutional and European legal concerns could arise if the BNetzA intervenes in state matters. This could also be conceivable in the higher education sector or with state police authorities. European legal concerns could particularly arise in the sensitive area of Art. 74(8) AI-VO. Market surveillance in the sensitive areas of justice and law enforcement should be carried out by an authority that also has this competence in order to continue to benefit from existing expertise.

The draft will be further discussed in the relevant departments and associations and may be subject to change. In addition to the political change (due to the recent elections), it is particularly questionable how the European and constitutional law issues of the KIMÜG-RefE, especially with regard to the enforcement of sanctions and federal concerns, are addressed in the draft. If these problems are solved, the KIMÜG-RefE could fulfil the requirements for the enforcement of the AI-VO at the national level. In principle, however, the draft offers a solid basis that makes efficient use of existing structures and creates clear responsibilities.​