EU AI Act enforcement in Germany for SaaS founders

Germany is the largest EU economy and the most procedurally complex AI Act enforcement environment. Federalism gives Germany 16 state-level data protection authorities alongside federal regulators, meaning a single AI Act violation can be pursued by multiple supervisors in parallel. If your SaaS has German enterprise customers, expect the most thorough vendor risk assessments in Europe.

German competent authorities for the AI Act

Germany has assigned AI Act enforcement to a federal-state mix. At the federal level: BSI (Bundesamt für Sicherheit in der Informationstechnik) for cybersecurity-classified AI, BfDI (Bundesbeauftragter für den Datenschutz) for AI overlapping with GDPR, and BNetzA (Bundesnetzagentur) for AI in telecoms and platform regulation. At the state level: 16 Landesbeauftragte für Datenschutz, each with independent enforcement authority over AI systems used by entities headquartered in their state. The Konferenz der Datenschutzaufsichtsbehörden (DSK) coordinates between federal and state authorities.

German enforcement philosophy

Germany's approach is rule-based, thorough, and procedurally rigorous. Enforcement decisions are slower than in France or Italy but more uniformly applied once made. The Hamburg DPA's 2024 decision against Microsoft and the Lower Saxony DPA's 2023 decision on automated employment screening signal early enforcement priorities. For SaaS shipping to Germany, expect 6 to 12 month vendor reviews from large enterprises (DAX-listed companies in particular) and detailed documentation requests.

German national law implementing the AI Act

Germany has not yet enacted a national AI implementation law, but the Bundestag is debating a Digitalgesetz package that will include AI Act specifics. Expected elements: clearer allocation of enforcement authority between federal and state levels, additional protections for employees against AI-driven workplace decisions (Betriebsverfassungsgesetz overlap), and stricter Article 50 disclosure requirements for AI used in healthcare. Expected enactment in 2027.

Aleph Alpha and Germany's domestic AI policy

Germany backs Aleph Alpha (Heidelberg) as a European GPAI provider through the Federal Ministry of Education and Research. As in France with Mistral, this creates a domestic AI provider whose interests influence enforcement framing. For SaaS founders, the practical impact: training-data documentation requirements will be applied uniformly, but extra scrutiny will fall on US-headquartered foundation model providers operating in Germany.

Public procurement requirements

German federal procurement through BAFA (Bundesamt für Wirtschaft und Ausfuhrkontrolle) and the e-Vergabe platform now requires AI Act compliance attestations for any AI-touching tender. State-level procurement (Bundesländer) follows similar patterns but with state-specific variations. Large municipal procurement (Stadt München, Berlin Senate, Hamburg Senate) also requires the attestation. Missing it auto-disqualifies the bid.

Frequently asked questions

Who enforces the EU AI Act in Germany?

BSI for cybersecurity, BfDI for GDPR overlap, BNetzA for telecoms, plus 16 state-level data protection authorities. The DSK coordinates between federal and state levels.

Does German federalism mean parallel enforcement?

Yes - a single AI Act violation can be investigated by multiple state-level supervisors simultaneously, depending on which Bundesländer host affected users or the company itself.

How does the German Works Council Act affect AI in HR?

The Betriebsverfassungsgesetz requires Works Council co-determination for many workplace AI introductions. AI Act compliance is necessary but not sufficient: a separate Works Council agreement is required for AI use in HR.

What does e-Vergabe attestation require?

A signed compliance statement plus supporting documentation: Article 43 conformity file if high-risk, Article 50 implementation evidence, Article 10 data governance documentation, and Article 73 incident reporting workflow.

Are there sectoral AI rules in Germany?

Yes - the Medizinprodukterecht-Durchführungsgesetz (MPDG) overlay for medical AI, the Allgemeines Gleichbehandlungsgesetz (AGG) overlay for HR AI, and sector-specific rules for AI in financial services (BaFin) and energy (Bundesnetzagentur).

Last updated: 2026-05-28