This document is under active development and has not been finalised.
Skip to content

Market Surveillance

Jurisdiction

Enforcement of the AI Act takes place at two levels:

EU Level

  • AI Office (within the European Commission) — responsible for GPAI models and systemic risks
  • AI Board — coordination body of the Member States

National Level

  • Market surveillance authorities — responsible for high-risk AI and other obligations
  • Notifying authorities — supervision of notified bodies

Each Member State was required to designate its competent authorities by 2 August 2025.

Germany

In Germany, the Bundesnetzagentur (BNetzA) is the central market surveillance authority and single point of contact for the AI Act. The national authority architecture is set out in the KI-MIG (passed by the Bundestag on 11.06.2026, consent of the Bundesrat pending); sector-specific authorities (e.g. BaFin) retain their competencies.

For details see National Implementation – Germany (KI-MIG).

Powers of the Authorities

Market surveillance authorities have the following powers (from 2 August 2026; for high-risk systems as the respective obligations become applicable — Annex III from 02.12.2027):

  • Access to AI systems and their documentation
  • Access to source code (under certain conditions)
  • Access to training data and test data
  • Ordering corrective measures
  • Market withdrawal and recall
  • Imposition of fines

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT