AI laws and regulation in Germany

High.

Germany is directly subject to the Regulation (EU) 2024/1689 – Artificial Intelligence Act (“EU AI Act”), which establishes harmonised rules for AI across all EU member states, including Germany. The Act introduces a risk-based approach, banning certain harmful AI practices, and imposes strict obligations on high-risk and general-purpose AI systems. In addition, Germany may issue national implementing rules and designate specific authorities for enforcement and oversight, but the core obligations are set by the EU AI Act.

While Germany applies the EU AI Act as its primary AI-specific regulation, a range of other German and EU legal frameworks also govern AI-related activities, depending on the sector and context. Key frameworks include:

• Data protection: The EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) apply to AI systems processing personal data, including rules on automated decision-making and profiling.
• Product safety and liability: The German Product Safety Act (ProdSG), the Medical Devices Act (MPG), and the EU General Product Safety Regulation apply where AI is integrated into products or services.
• Cybersecurity and operational resilience:
  • The EU NIS2 Directive (-implemented by the German national law “Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung” which came into force on 5th December 2025, BGBl. 2025, Nr. 301) and the EU Cyber Resilience Act (CRA) establish cybersecurity requirements for digital products, including AI-powered devices and software.
  • DORA: The EU Digital Operational Resilience Act (DORA) applies to financial entities operating in Germany, setting requirements for managing ICT risks, including risks arising from AI systems in financial services.
• Copyright and IPR: The German Copyright Act (UrhG) and EU copyright rules (including the TDM exception) are relevant for AI training data and outputs.
• Sectoral rules: Specific laws apply to AI in finance (e.g., KWG, ZAG), healthcare, transport, and employment, often supplementing EU-level requirements.
  These frameworks cover sectors such as critical infrastructure, medical and health technologies, education, employment, financial services, biometrics, law enforcement, justice, and online platforms.

Under the EU AI Act, Germany must designate one or more national market surveillance and notifying authorities for AI. The Federal Ministry for Digital Transformation and Government Modernisation (BMDS) coordinates national implementation, while the Federal Network Agency (BNetzA) has been proposed as a likely candidate for AI market surveillance. In addition, sectoral regulators (e.g., BaFin for finance, BfArM for medical devices, Federal Data Protection Commissioner for data protection) will have oversight roles. These authorities will enforce the AI Act, issue guidance, and coordinate with the EU AI Office. Germany is actively preparing its national structures for enforcement and guidance, (see draft legislation by the Federal Ministry for Digital Transformation and Government Modernisation from 11^th September 2025: Entwurf eines Gesetzes zur Durchführung der Verordnung (EU) 2024/1689 des Europäischen Parlaments und des Rates vom 13. Juni 2024 zur Festlegung harmonisierter Vorschriften für künstliche Intelligenz).

Germany has published several high-level and sectoral AI strategies and guidelines, including:

• German AI Strategy (Nationale Strategie für Künstliche Intelligenz) (updated 2020): Sets out Germany’s vision for AI innovation, research, and regulation.
• AI Action Plan (KI-Aktionsplan) of the Federal Ministry of Research, Technology and Space constitutes an update to the German AI Strategy (Nationale Strategie für Künstliche Intelligenz) by identifying eleven priority areas where urgent action is needed and presenting concrete measures.
• Data Strategy (Datenstrategie der Bundesregierung): Addresses data use for AI and digital innovation.
• IPCEI – AI (Important Project of Common European Interest –AI): Several European member states have been preparing a joint project for industry-specific artificial intelligence. This project is being coordinated by the German Federal Ministry for Economy and Energy. The goal of the project is to create a powerful AI ecosystem in Europe that is tailored to the AI needs of industry.
• Sector-specific guidance (e.g., BSI’s guidance on trustworthy AI, BfArM’s requirements for AI in medical devices).
• Germany also participates in EU-level guidance, including the voluntary GPAI Code of Practice and guidance published by the European Commission and the EU AI Office.

The EU AI Act, directly applicable in Germany, references and aligns with international standards and guidelines, including:

• OECD AI Principles
• ISO/IEC standards (e.g., ISO/IEC 42001:2023 for AI management systems)
• UNESCO and Council of Europe recommendations
• Germany also contributes to and references NIST, ITU, and other international frameworks in its national strategy and sectoral guidance.

Germany is not drafting a standalone national AI law, as the EU AI Act is directly applicable. However, Germany is preparing national implementation legislation to designate authorities, lay down penalties, and align sectoral rules. This process is expected to be completed during 2026. Further adjustments may follow if the EU’s Digital Omnibus on AI Regulation Proposal is adopted.

• CMS Artificial Intelligence
  https://cms.law/en/deu/insight/artificial-intelligence
• CMS Blog Series:  Artificial Intelligence (in German)
  Künstliche Intelligenz - CMS Blog
• E-Learning | Artificial Intelligence – AI basics and literacy training (according to Art. 4 AI Act)
  CMS Client Academy | Artificial Intelligence, basic skills| E-Learning
• Webinars: Ready for AI – CMS Legal Expert Series
• Artificial Intelligence Act (AI Act) (EN) - CMS DigitalLaws
• EU AI Act - Questions and Answers