
AI Audit Readiness in 90 Days: what Mittelstand prepares for BfDI and BNetzA

From 02 August 2026, BNetzA audits with KoKIVO. Big4 firms sell 6-month programs at 250,000 EUR. The Mittelstand needs a lean path. Here is the 90-day plan.

Sebastian Lang · May 6, 2026 · 10 min read

Key numbers at a glance

  • 02 August 2026: EU AI Act milestone. National supervisory powers go live, fine framework becomes enforceable, innovation labs open.
  • KI-MIG (KI-Marktüberwachungs- und Innovationsförderungsgesetz): approved by the German Federal Cabinet on 11 February 2026. It anchors the national supervisory architecture (BMDS).
  • BNetzA plus KoKIVO: the Federal Network Agency is the central market surveillance authority. The Coordination and Competence Centre for the AI Regulation (KoKIVO) coordinates sectoral authorities, runs the AI Service Desk and manages the AI sandbox (Bundestag committee).
  • BSI C5:2026: published 07 April 2026, 168 criteria. Mandatory from 01 June 2027 for all C5 audits, including running Type-2 attestations that end after that date (BSI).
  • ISO/IEC 42001:2023 (AI Management System): international AIMS standard. SME consulting plus audit starts at 6,900 EUR. DAkkS-accredited initial certification requires at least 4 audit days. Typical ROI 12 to 18 months (ISO).
  • AI Act Article 26: deployer obligations apply directly. Operational controls become testable from August.

Why this post matters now

Big4 firms have opened the market with 6-month AI audit-readiness programs starting at 250,000 EUR, staffed by 12-person project teams and built on frameworks designed for groups with their own compliance offices. For a Mittelstand company with 100 to 1,000 employees, three productive AI use-cases and a 4-person platform team, that is the wrong fit, both in depth and in budget.

At the same time, the regulator side offers no 1:1 counterpart. There is no official BfDI audit guideline for AI in the Mittelstand in 2026, and no binding BNetzA inspection scheme. What does exist: three combinable anchors, AI Act Article 26 (operational), BSI C5:2026 (cloud-compliance lens), ISO/IEC 42001 (voluntary AIMS standard). This post shows how Mittelstand CTOs build a lean 90-day plan from those anchors, one that holds up in a real audit without spending 250,000 EUR.

The logic: when somebody knocks on 02 August 2026, whether BfDI, BNetzA or a sectoral authority, you want to demonstrate three things. First, a complete AI inventory with risk classification. Second, documented controls per use-case above minimal risk. Third, a working incident-response path. Everything else is bonus.

Who asks: the regulator map for 2026

BNetzA and KoKIVO. The Federal Network Agency is the central market surveillance authority for the AI Regulation. It supervises wherever no sectoral authority is competent. KoKIVO coordinates interpretation across all bodies, runs the AI Service Desk for industry and manages the AI sandbox. If you are a Mittelstand company in a non-regulated sector running AI in HR, sales or operational reporting, BNetzA is your primary counterpart.

BfDI. The Federal Data Protection Commissioner and the state data protection authorities remain competent for data-protection interfaces, especially biometric systems, profiling and potential fundamental-rights breaches. The BfDI opinion on the AI Regulation from 23 March 2026 is clear: high-risk AI involving personal data means dual oversight, BNetzA for the AI Regulation, BfDI or state authority for GDPR (BfDI opinion).

BaFin. High-risk AI in financial services (credit scoring, anti-money-laundering, automated insurance decisions) is supervised by BaFin. If your business touches banking, insurance or securities, the audit path runs through BaFin, not BNetzA.

BSI. The Federal Office for Information Security is not an AI Regulation supervisor, but it shapes the audit market through C5:2026 and KRITIS. If your AI workloads run in certified cloud environments, C5:2026 flows indirectly into every AI audit.

Sectoral supervisors. Medical devices (BfArM), transport (KBA), product safety (BAuA) and others may inspect domain-specific AI in addition. Coordination across them sits with KoKIVO, not with you.

Three frameworks in the audit stack

(a) AI Act Article 26: deployer obligations (operational, testable from 02 Aug 2026).

Article 26 lists what you, as deployer of a high-risk AI system, must do directly. Follow the provider's instructions, ensure human oversight, control input data, retain logs (at least 6 months), report incidents, inform staff before deployment, run impact assessments where fundamental rights are concerned. This is the operational layer. The regulator checks whether your processes are alive, not whether you have a 200-page compliance binder.

(b) BSI C5:2026: cloud-compliance lens (mandatory from 01 June 2027).

C5:2026 has 168 criteria and introduces, for the first time, AI-transparency requirements, container management (OPS-34/35), confidential computing (OPS-32/33), post-quantum-crypto preparation and supply-chain security with SBOM. Relevant for AI workloads: AI transparency, container hardening, cryptographic protection of training and inference data. If your cloud provider delivers a C5:2026 Type-2 attestation from June 2027, a large part of the infrastructure-layer compliance is covered.

(c) ISO/IEC 42001: AIMS certification (voluntary anchor).

ISO 42001 is the international standard for an AI Management System, comparable to ISO 27001 for information security. The first German certification was Noxtua, audited by SGS in 2024. SME consulting plus audit starts around 6,900 to 8,000 EUR; DAkkS-accredited initial certification covers at least 4 audit days. For Mittelstand companies, 42001 is often the pragmatic path: a documented management system that immediately serves as evidence vehicle in audit conversations. Certification bodies include SGS, TÜV SÜD, DNV, BSI Group, A-LIGN, KPMG.

The combination: Article 26 supplies the obligation list, BSI C5:2026 the infrastructure lens, ISO 42001 the system scaffolding. Three anchors, one audit stack.

90-day plan with weekly deliverables

90-day roadmap: inventory, controls, dry run

The plan assumes a C-level sponsor (CTO or CFO), a 3- to 4-person core team and access to the AI use-case inventory. Three phases of 4 weeks each, 3 to 4 deliverables per phase with a clear output artifact.

Phase 1 (weeks 1 to 4): inventory plus gap analysis

Week 1, inventory sprint. Complete list of all production and pilot AI applications, including shadow AI (what employees use without IT approval, see Shadow AI Mittelstand). Output artifact: AI Inventory Sheet with columns for system name, vendor, use-case, data categories, personal-data flag, model type (classical ML, GenAI, agent), hosting region, business owner. Goal: completeness, not depth.

Week 2, risk classification. Each entry from week 1 mapped to AI Act risk tier: prohibited (Art. 5), high-risk (Annex III), general purpose (GPAI), minimal. Plus GDPR Art. 35 trigger. Output artifact: risk matrix with rationale per entry. This is where many fail: high-risk does not mean "critical", it means falling under a specific Annex III category (HR, education, law enforcement, critical infrastructure and others).

Week 3, regulator mapping. For each entry, identify the supervisory body that would be competent in a real case: BNetzA (default), BaFin (financial services), BfDI or state authority (personal data), sectoral. Output artifact: regulator map as a 1-page overview for the executive board. This map doubles as your emergency diagram on audit day.

Week 4, gap analysis against Article 26 plus C5:2026 plus ISO 42001. Per high-risk system: what you have, what you lack. Logging, human oversight, impact assessment, vendor instructions, employee information, all documented. Output artifact: gap heatmap with traffic-light status per criterion. Phase 1 closes with a clear picture of what phase 2 must close.

Phase 2 (weeks 5 to 8): control implementation

Week 5, logging and audit trail. For each high-risk system: logs for at least 6 months, with input hash, model version, output hash, human override, timestamp. Where the vendor does not provide logs, install your own wrapper layer. Output artifact: logging architecture diagram plus sample log entry per system.
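A wrapper layer of the kind week 5 describes, as an added example that is not code from this post or from any vendor: each inference call is recorded with the listed fields (input hash, model version, output hash, human override, timestamp) and chained to the previous entry so that later edits, deletions or reordering of the log are detectable, which also serves the tamper-resistant repository of week 11. The system name, model version and the two sample calls are constructed, and hashing rather than storing the raw prompt keeps personal data out of the audit log.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry in a system's log


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def log_inference(log: List[dict], system: str, model_version: str, prompt: str,
                  output: str, human_override: bool, reviewer: Optional[str] = None,
                  timestamp: Optional[str] = None) -> dict:
    """Append one week-5 style entry: hashes instead of raw content, chained to the previous entry."""
    entry = {
        "system": system,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "model_version": model_version,
        "input_hash": _sha256(prompt),     # raw prompt/output stay in the application, not in the audit log
        "output_hash": _sha256(output),
        "human_override": human_override,  # True when a named reviewer replaced the model output
        "reviewer": reviewer,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _sha256(json.dumps(entry, sort_keys=True))
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> bool:
    """Recompute every entry hash; any edited, reordered or deleted entry breaks the chain."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev or _sha256(json.dumps(body, sort_keys=True)) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def sample_log() -> List[dict]:
    """Constructed sample: two calls to a hypothetical HR screening assistant (an Annex III style use-case)."""
    log: List[dict] = []
    log_inference(log, "hr-screening-assistant", "vendor-model-2026.03", "CV text (constructed)",
                  "shortlist: yes", human_override=False, timestamp="2026-05-06T09:00:00+00:00")
    log_inference(log, "hr-screening-assistant", "vendor-model-2026.03", "CV text 2 (constructed)",
                  "shortlist: no", human_override=True, reviewer="hr-lead",
                  timestamp="2026-05-06T09:05:00+00:00")
    return log
```

Writing each entry as one line to an append-only store and enforcing the 6-month retention are left to the deployment; the `sample_log()` output is the kind of sample log entry the week-5 artifact asks for.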

Week 6, human oversight. Concrete escalation and override paths per use-case. Who reviews, when, with what tool. For agentic systems: stop-button mechanism and read-only mode. Output artifact: oversight playbook per high-risk system, with named roles.

Week 7, impact assessment and employee information. AI Act Article 27 impact assessment for Annex III systems, GDPR Article 35 in parallel where personal data is involved (see GDPR and Agentic AI). Employee information before deployment, documented via works-council agreement or information email with read-receipt. Output artifact: impact-assessment dossier plus auditable information track.

Week 8, incident-reporting path. Who reports what, when, to whom. Threshold for a reportable incident (serious incident under the AI Act, plus data breach under GDPR Art. 33). Internal 24-hour triage team named. Output artifact: incident-response playbook with escalation matrix and regulator contacts (BNetzA, BfDI or state authority, sectoral if applicable).

Phase 3 (weeks 9 to 12): audit dry run plus documentation freeze

Week 9, internal mock audit. An external advisor or an independent internal resource (e.g. internal audit) runs a 1-day mock audit on one of the three most critical high-risk systems, using a pre-defined question list (see the six regulator questions below). Output artifact: mock-audit report with concrete findings.

Week 10, findings closure. Top 5 findings from week 9 are closed or formally accepted (risk acceptance signed by sponsor). Output artifact: findings tracker with status, owner, closure date.

Week 11, documentation freeze. All artifacts from phases 1 and 2 consolidated in a tamper-resistant repository: inventory, risk matrix, regulator map, gap heatmap, logging architecture, oversight playbooks, impact-assessment dossier, incident-response playbook, mock-audit report. Versioned with date and owner. Output artifact: audit dossier (digital, 1 master index, 1 click to each document).

Week 12, executive sign-off plus AI steering routine. CTO and management board sign off the audit dossier. In parallel, the ongoing AI steering routine is established (at least monthly, with inventory review and findings status). Output artifact: sign-off protocol plus first agenda of the running routine.

Audit-day playbook

When somebody knocks on audit day (announced or unannounced), the playbook runs in five steps.

Step 1, intake triage (hour 0 to 1). Who is at the door or on the phone? Which authority, which inspection mandate, written copy of the mandate. Verify against the regulator map prepared in week 3. Inform management and compliance/legal.

Step 2, hand over the audit dossier (hour 1 to 4). Master index from week 11 is handed to the auditor, plus a named single point of contact (ideally CTO or compliance lead). No improvisation, no on-the-fly documents. What is not in the dossier is delivered later, not built spontaneously.

Step 3, structured interview (day 1 to 2). Auditor asks questions about use-cases, controls, logs. Answers come from dossier artifacts, not from memory. Rule: every answer ships with its evidence.

Step 4, sampling (day 2 to 3). Auditor picks 1 to 3 use-cases and tests depth: review logs, walk through the oversight path live, inspect impact-assessment documentation. This is where the phase-2 work pays off.

Step 5, findings and closing (day 3+). Auditor collects findings, oral closing. Written report follows. Within the set deadline (typically 14 to 30 days) submit a written response or remediation plan.

Six typical regulator questions with answer patterns

Regulator question | Answer pattern | Required evidence artifact
--- | --- | ---
Which AI systems do you operate? | Refer to the complete inventory with risk classification. | AI Inventory Sheet plus risk matrix (weeks 1+2)
Which of these fall under Annex III (high-risk)? | List of high-risk systems with classification rationale. | Risk matrix with Annex III mapping
How do you ensure human oversight? | Documented oversight path per high-risk system with named role. | Oversight playbook (week 6)
Where are your logs for the last 6 months? | Logging architecture and live example per system. | Logging architecture diagram plus sample log (week 5)
Have you conducted an impact assessment? | Per Annex III system, Article 27 plus GDPR Article 35 assessment. | Impact-assessment dossier (week 7)
How did you inform employees? | Information before deployment with proof (works council or read-receipt). | Information track (week 7)

Bottom line: what you do this month

Step 1, this week. Start the inventory sprint. One person, one sheet, one deadline (5 days). Completeness over depth. Shadow AI counts.

Step 2, in the next 14 days. Lock in a C-level sponsor, name a 4-person core team, secure phase 1 to 4 budget and time. Without a sponsor the plan runs on sand.

Step 3, in May. Close phase 1 (weeks 1 to 4 in May), so phase 2 can start in June and the dry run runs in July before 02 August 2026. If you have not started by May, the milestone window cannot be hit without panic.

A team that runs the 90-day plan with discipline ends the milestone with three things: an audit dossier that holds up to a regulator request, a running AI steering routine that does not fall asleep after 30 days, and a path to ISO 42001 certification as the next escalation tier. This is not Big4 depth. It is the right depth for a Mittelstand company with 100 to 1,000 employees.

Companion post: Who is liable when the AI agent hallucinates?, the legal side to the operational roadmap here.

About the author

Sebastian Lang

Co-Founder · Business & Content Lead

Co-Founder of Sentient Dynamics. 15+ years of business strategy (including SAP), MBA. Writes about AI Act compliance, ROI measurement and how Mittelstand CTOs actually adopt agentic AI.
