DE | EN

KI-MIG Adopted: Oversight Clear

On 11 February 2026 the German Federal Cabinet adopted the AI Market Surveillance and Innovation Promotion Act (KI-MIG). This establishes which authorities in Germany are responsible for implementing the EU AI Act. For small and medium-sized enterprises this means above all one thing: at last there is clarity.

What the KI-MIG is about

As an EU regulation, the EU AI Act applies directly in all member states. What it does not regulate, however, is which national authority is responsible for oversight, guidance and sanctions. The KI-MIG closes this gap. It names the responsible authorities, regulates their cooperation and defines the fine provisions for violations.

Germany should actually have established these structures by August 2025. The early federal election delayed the process. With yesterday’s cabinet decision, the path is now clear for the parliamentary procedure in the Bundestag and Bundesrat.

BNetzA becomes the central point of contact

For the private sector, the Federal Network Agency (Bundesnetzagentur) becomes the central market surveillance authority. This applies in particular to companies that use or provide AI systems and are not already subject to sector-specific oversight.

The legislator follows a hybrid approach. Existing oversight structures are retained: BaFin supervises high-risk AI in the financial sector, the established product surveillance authorities remain responsible for their respective areas. For all other cases, the BNetzA applies. Companies thus keep their familiar points of contact, where these already exist.

KoKIVO as a service centre

At the Federal Network Agency, the Coordination and Competence Centre for the AI Regulation, or KoKIVO for short, is being created. It pools AI expertise and makes it available to other authorities. More relevant for companies, however, is another function: the already active AI service desk is aimed specifically at small and medium-sized enterprises and start-ups.

In addition, the KI-MIG provides for AI regulatory sandboxes. These test environments make it possible to try out innovative AI applications under simplified regulatory conditions. SMEs and start-ups based in the EU receive priority access. That is a clear signal: the legislator wants to combine regulation and innovation, not play them off against each other.

No additional national surcharge

An important detail of the draft law: Germany refrains from additional national requirements beyond the EU AI Act. The Digital Ministry explicitly emphasises an innovation-friendly implementation. For companies this means: whoever meets the EU regulation also meets the German requirements. There is no national special path with stricter rules.

That distinguishes the AI field from some other regulatory areas, where German implementing laws built up additional hurdles. The message is clear: the compliance effort should be limited to what is prescribed at the European level.

What this means in practice

With the KI-MIG, a key uncertainty disappears. The question of whom a mid-sized company can turn to with AI compliance questions now has an answer. This changes nothing, however, about the substantive requirements of the EU AI Act itself.

The obligation for AI literacy under Article 4 has applied since February 2025. Prohibited AI practices have also long been banned. The comprehensive obligations for high-risk AI systems apply from 2 August 2026. Whoever by then has no overview of their AI systems, has not carried out a risk classification and has not established corresponding processes, runs into time trouble.

Act now instead of waiting

The oversight structure is in place. The deadlines are running. What is missing, in many companies, is the internal preparation. The first step remains unchanged: build a complete AI register. Without transparency over your own AI systems, neither the risk class can be determined nor a sensible compliance strategy developed.

A systematic recording process identifies not only obvious AI applications, but also embedded AI features in existing software and unapproved shadow AI. Building on that follows the risk classification, which determines the further compliance effort.

The cabinet decision is no all-clear. It is the signal that things are getting serious now. The NADOVO framework offers a structured path from inventory to continuous monitoring. The authority structure is clarified. The responsibility for your own AI compliance still lies with the company itself.


About the author

Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.

© 2026 Jochen Stier / contoro.solutions