From algorithmic CV screening and automated shift scheduling to AI-driven analyses of turnover risks, pay structures and employee feedback – artificial intelligence is no longer a future prospect but an everyday reality in businesses. Yet as the technology grows more powerful, so does the regulatory framework around it: What many companies have not yet realised is that from 2 August 2026, significantly tightened obligations will apply throughout the EU. Businesses that fail to comply risk fines of up to EUR 35 million or 7% of their worldwide annual revenue – whichever is higher. And with Germany’s new Act on Market Surveillance and Innovation Promotion of Artificial Intelligence (KI-MIG), German legislators are adding a robust national enforcement layer. What does this mean in practice – and where are the biggest pitfalls?
The AI Act – A Risk-Based Regulatory Framework
The European AI Regulation (AI Act), which entered into force in August 2024 and will become fully applicable from August 2026, follows a clear principle: the higher the risk, the stricter the requirements. The AI Act creates a harmonised European legal framework for AI-based products and services, while simultaneously safeguarding fundamental rights, democracy and the rule of law.
What Does This Mean in Practice?
If a company uses AI software that automatically evaluates and ranks incoming job applications, this constitutes a high-risk AI system. The same applies to AI-driven performance and behavioural monitoring of employees – for example, tools that track home-office productivity or automatically analyse attendance data. Such systems are subject to particularly strict requirements, including comprehensive risk mitigation and information obligations.
Some AI applications go too far in the eyes of the legislator and are outright prohibited: Employers who deploy software designed to detect employee emotions at the workplace – whether through facial analysis in video calls or sentiment analysis of emails – are in breach of the AI Act. The same applies to the use of such systems in the recruitment process.
National Implementation of the AI Act: The KI-MIG – and Who Will Be in Charge
To implement the AI Act at national level, the German Bundestag adopted the Act on Market Surveillance and Innovation Promotion of Artificial Intelligence (KI-MIG) on 11 June 2026. The Act primarily regulates government oversight: The Federal Network Agency (Bundesnetzagentur) will become the central market surveillance authority, empowered to monitor and enforce compliance with the AI Act.
However, the substantive compliance obligations for businesses (e.g. training, documentation and oversight requirements) – i.e. what truly matters in day-to-day operations – continue to flow directly from the AI Act itself.
What Do Businesses Need to Consider Going Forward?
The AI Act does not replace existing law but adds a further regulatory layer on top. For example, an employer deploying an AI-based recruitment tool must already comply with the GDPR today (legal basis for data processing, information obligations, potentially a data protection impact assessment) and with anti-discrimination legislation such as the German General Equal Treatment Act (no discrimination based on gender, age, ethnic origin, etc.). Going forward, the specific requirements of the AI Act will be added – including transparency, information, documentation and registration obligations (see details below) that go beyond existing rules. In short: these regulatory frameworks complement each other; none renders the other dispensable.
Importantly, the AI Act does not only capture AI systems developed in-house – purchased off-the-shelf software solutions are equally covered. A company that uses an AI-based HR tool from an external provider qualifies as a “deployer” under the AI Act and must fulfil its own compliance obligations. Businesses that develop AI systems themselves or substantially modify existing ones may even become “providers”, which triggers even more extensive duties.
Depending on the risk level, obligations include in particular:
- Transparency and information obligations – affected individuals (e.g. employees and job applicants) must know that an AI system is preparing or making decisions about them;
- Documentation obligations – the purpose, functioning and data basis of the AI system must be documented without gaps;
- Registration obligations – high-risk AI systems must be registered in an EU database;
- (Human) oversight obligations – there must always be a “human in the loop” who can review and override AI decisions;
- Reporting obligations for serious incidents – e.g. when an AI system produces discriminatory decisions;
- Training obligations – all employees working with AI systems must develop an adequate level of AI competence;
- Fundamental rights impact assessments – particularly for high-risk AI systems in HR, a systematic assessment of the impact on the fundamental rights of affected individuals is required before deployment;
- Risk management systems for high-risk AI – for the ongoing identification, minimisation and control of risks to health, safety and fundamental rights throughout the entire life cycle of the AI system.
Takeaways for Employers
“Our software provider takes care of all that” – this widespread assumption is a dangerous fallacy. It is not possible to pass these obligations on to the software provider. Businesses remain responsible as deployers. And the consequences for non-compliance are severe as already mentioned above: fines of up to EUR 35 million or 7% of worldwide annual revenue – whichever amount is higher.
Businesses should therefore act now: identify all AI systems in use, classify them by risk category and implement the corresponding obligations under the AI Act. Particularly in HR, where nearly every AI system is likely to be classified as high-risk, businesses should expect rigorous scrutiny from the authorities.
Don’t Forget the Works Council!
There is another point that is frequently overlooked in practice: Wherever the deployment of AI systems is planned, employers in Germany must observe the statutory co-determination rights of the works council. The introduction and use of AI-based systems for monitoring employee behaviour or performance is subject to co-determination. Employers who fail to involve the works council in a timely manner risk the introduction of the AI system being blocked altogether.
High-risk AI systems, transparency obligations, fines in the millions – what do the AI Act and the KI-MIG mean specifically for your business? If you have any questions on the topics discussed, please contact Nadine Birke at nadine.birke@gowlingwlg.com.
This blog post was written by Nadine Birke in collaboration with Katharina Schapfeld, a labor law trainee.

