この記事は現在英語でのみご利用いただけます。
AI Governance for German Companies: BaFin, BSI, Betriebsrat, and the EU AI Act
German companies navigate AI governance through the EU AI Act, sector regulation from BaFin and BSI, GDPR as enforced by state and federal DPAs, and the unique dimension of Betriebsrat co-determination rights on AI in the workplace. The 2026 complete guide.
Key Takeaways
German companies face four distinct AI governance obligations: EU AI Act compliance, BaFin/BSI sector-specific requirements for financial and critical infrastructure companies, German GDPR enforcement (both federal BfDI and state DPAs), and Betriebsrat co-determination rights.
The Betriebsrat (works council) has specific co-determination rights under the BetrVG (Works Constitution Act) for the introduction of technical monitoring equipment — AI systems that monitor employee behaviour require Betriebsrat agreement before deployment.
BaFin has published specific AI governance expectations for financial institutions — its supervisory priorities align with EBA/ESMA guidance and include model risk, explainability, and third-party AI vendor management.
The BSI (Federal Office for Information Security) has published AI security guidance that applies to critical infrastructure operators and is increasingly referenced in public sector AI procurement.
Germany's AI liability framework is evolving — the German civil law approach to product liability applies to AI-caused harm, and the EU AI Liability Directive will add additional liability channels when enacted.
"情報提供のみを目的としています。この記事は法律、規制、財務または専門的なアドバイスを構成するものではありません。具体的なアドバイスについては、資格を持つ専門家にご相談ください。"
The Betriebsrat dimension: Germany's unique AI governance challenge
The most distinctive element of AI governance for German companies is the Betriebsrat — the statutory works council that represents employees in German workplaces with five or more employees. Under Section 87(1) No. 6 of the Works Constitution Act (BetrVG), the Betriebsrat has co-determination rights over the introduction and use of technical equipment that can monitor the behaviour or performance of employees. AI systems that generate performance scores, monitor work activity, or influence employment decisions are squarely within this co-determination right.
Co-determination means the employer cannot introduce these systems without reaching agreement with the Betriebsrat — or, if agreement cannot be reached, going to the conciliation committee. This is a legally binding right, not a consultation right. German employers who deploy AI monitoring or performance management systems without Betriebsrat agreement are acting unlawfully, and the Betriebsrat can seek an injunction to prevent or reverse the deployment.
The practical implication: AI governance planning in German companies must include the Betriebsrat engagement process from the outset, not as an afterthought. The Betriebsrat will often require: disclosure of how the AI system works, what data it collects, how it will be used in employment decisions, and what safeguards protect employees. Engaging the Betriebsrat early, with transparent information, typically results in faster and less contentious agreement than attempting to negotiate under time pressure.
BaFin AI governance expectations
BaFin — Germany's financial regulator — has developed AI governance expectations that apply to banks, insurers, asset managers, and other financial institutions under its supervision. BaFin's approach aligns with the EBA (European Banking Authority) and ESMA (European Securities and Markets Authority) guidelines on AI, and requires: model risk management frameworks that apply to ML and AI models; explainability capabilities for AI used in credit and underwriting decisions; bias testing and fairness assessment for customer-facing AI; and vendor management requirements for third-party AI systems. BaFin has signalled that AI governance will be an increasingly prominent examination topic in supervisory reviews.