AI Governance in Germany and the DACH Region: EU AI Act, BaFin, BSI, and German Law
Germany sits at the heart of EU AI Act implementation. BaFin has specific expectations for AI in financial services. The BSI sets cybersecurity standards for AI systems. German market surveillance will set enforcement precedent across the EU.
Key Takeaways
Germany is one of the primary market surveillance jurisdictions for EU AI Act enforcement, making German regulatory practice directly relevant to all organisations deploying AI in the EU.
BaFin, Germany's financial regulator, has specific AI governance expectations for financial institutions — model risk management, algorithmic decision-making transparency, and AI in credit and insurance assessments.
BSI (Federal Office for Information Security) has issued AI cybersecurity guidance that applies to critical infrastructure operators and public sector AI deployments.
German employment law (Betriebsverfassungsgesetz) gives works councils (Betriebsrat) co-determination rights over the introduction of AI-based monitoring and performance assessment systems.
Austria and Switzerland, as DACH neighbours, have adopted approaches broadly aligned with Germany and the EU framework, with some important differences in employment law and sector-specific regulation.
"For information purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."
Germany's role in EU AI Act enforcement
Germany is not just subject to the EU AI Act — it is one of the central enforcement jurisdictions. As a major EU economy with significant AI deployment across automotive, manufacturing, financial services, and healthcare sectors, Germany's market surveillance authority will be among the most active in Europe. German regulatory practice will set precedent for how the EU AI Act is applied in practice.
The EU AI Act requires each member state to designate a national market surveillance authority responsible for supervising compliance within their territory. Germany designated its authority in 2025. The German authority will work alongside the EU AI Office on systemic risks and GPAI models, but will have primary responsibility for supervising AI systems in the German market — including imports from outside the EU that affect German users.
BaFin: AI in German financial services
The Federal Financial Supervisory Authority (BaFin) supervises banks, insurers, payment service providers, and other financial institutions in Germany. BaFin has developed specific expectations for AI governance in financial services that layer on top of the EU AI Act's requirements.
BaFin's model risk management expectations — analogous to the US SR 11-7 framework — apply to AI and ML models used in credit risk, market risk, AML, and customer-facing applications. Institutions must maintain model documentation, validate models independently, and monitor performance on an ongoing basis. BaFin's supervisory focus on AI has increased, and AI governance now features in BaFin examinations of major German financial institutions.
For credit scoring and lending AI, BaFin's expectations align with EU AI Act Annex III classification — these are high-risk AI systems requiring conformity assessment, technical documentation, and human oversight. German financial institutions should treat BaFin compliance and EU AI Act compliance as complementary, not separate, exercises.
Works council co-determination: the German employment AI dimension
One of the most practically significant AI governance considerations for employers in Germany is the Betriebsverfassungsgesetz — the Works Constitution Act — which gives works councils (Betriebsrat) substantial co-determination rights over the introduction of technical monitoring equipment and performance assessment systems. AI-based productivity monitoring, algorithmic performance scoring, and AI-assisted workforce management tools all potentially trigger works council consultation and agreement requirements.
Employers implementing AI systems that monitor employee performance, schedule work, or influence employment decisions must engage their works councils before deployment. Failure to do so can result in injunctions, works council orders, and unfair practices findings. This creates a governance requirement that sits alongside GDPR and EU AI Act compliance but derives entirely from German employment law.
BSI: cybersecurity for AI systems
The Federal Office for Information Security (BSI) is Germany's national cybersecurity agency. BSI has issued AI-specific security guidance addressing adversarial robustness, model protection, and secure AI deployment in critical infrastructure. Critical infrastructure operators in Germany — energy, water, transport, financial infrastructure — must comply with BSI cybersecurity requirements that now explicitly address AI system security.
Austria and Switzerland: DACH neighbours
Austria, as an EU member state, is subject to the EU AI Act on the same timeline as Germany and has designated its own national market surveillance authority. Austria's Financial Market Authority (FMA) has AI governance expectations aligned with BaFin's. Switzerland, outside the EU, is watching EU AI Act implementation closely and is developing its own AI regulatory approach under the National AI Strategy. Swiss financial institutions supervised by FINMA face AI governance expectations broadly aligned with EU approaches, and Swiss companies with EU customers face EU AI Act extraterritorial obligations.