Personal Liability and a New Regulator: Germany Girds for AI Act's First Compliance Wave
19.06.2026 - 04:12:18 | boerse-global.de
The European Union’s landmark AI regulation is edging closer to enforcement, and Germany’s top telecoms watchdog has stepped into the role of national enforcer. The Federal Network Agency, better known as the Bundesnetzagentur, will run an “AI Service Desk” to field questions and conduct oversight.
Company executives now carry personal responsibility for lawful AI governance, regulators made clear. Penalties for violations are severe: banned practices such as social scoring systems or workplace emotion detection can trigger fines of up to €35 million or 7% of global annual turnover. Failures on the transparency front, by contrast, cost up to €15 million or 3% of turnover.
The clock does not start ticking all at once. On June 16 the European Parliament voted 423 in favour, 57 against, with 174 abstentions, to approve a package of deadline revisions bundled as the “Digital Omnibus”. The changes give developers and operators of complex systems more breathing room, but also create a staggered timeline that companies must map carefully.
Transparency rules arrive first
The earliest hard date remains August 2, 2026. On that day, Article 50 of the AI Act becomes directly applicable. Chatbots, deepfakes and AI-generated text fall under its scope. Businesses must make sure that AI-produced content – particularly realistic images, audio or video – is clearly labelled as such. Minor technical edits and purely artistic works are exempt.
By December 2, 2026, an additional requirement kicks in: existing systems that generate AI content must carry technical watermarks.
High-risk systems get extra time
For high-risk AI applications listed in Annex III – such as those used in candidate selection or critical infrastructure – full compliance was originally due in August 2026. The new deadline is December 2, 2027.
Manufacturers of “embedded” systems covered by Annex I receive an even longer runway. Their compliance date shifts to August 2, 2028. The reason, the Parliament noted, is that by early 2026 no “notified bodies” were yet available to conduct conformity assessments.
A special accommodation applies to AI-powered medical devices. They must satisfy both the AI Act and the existing Medical Device Regulation (MDR). Their transitional period runs until August 2027.
Data protection remains a parallel track
The General Data Protection Regulation (GDPR) continues to apply in full. On June 10 the Baden-Württemberg state data protection authority (LfDI) published guidance on using AI to transcribe video conferences. The authority said such use can rest on a legitimate-interest basis, but requires a data protection impact assessment and a clearly defined deletion policy. Using the transcribed data for AI training is forbidden without an explicit legal basis.
Since early 2025, companies have also been obliged to ensure their workforce has sufficient AI literacy. Training on tools like ChatGPT or Microsoft Copilot is now a regulatory requirement.
The European Commission, meanwhile, is drafting further guidelines on how to distinguish high-risk from low-risk systems. A joint text with the European Data Protection Board, clarifying how the AI regulation and data protection rules interact, is expected by the end of 2026.
