Spain’s implementation status
Spain moved earlier than any other member state. While most EU countries spent 2024 and 2025 designating competent authorities, Spain’s framework was operational from June 2024. AESIA — operating from A Coruña under Director General Ignasi Belda — has been monitoring prohibited practices since 2 February 2025 and has held full sanctioning powers since 2 August 2025.[1][6]
Legislative framework
Three legal instruments anchor AI governance in Spain:
| Instrument | What it does |
|---|---|
| Royal Decree 729/2023 | Establishes AESIA’s statute as Spain’s national competent authority for AI supervision. Approved November 2023.[1] |
| Royal Decree 817/2023 | Creates the EU’s first AI regulatory sandbox; in force since 10 November 2023.[4][10] |
| Draft AI law | Ley para el Buen Uso y la Gobernanza de la Inteligencia Artificial. Public consultation closed 26 March 2025; in Parliament as of April 2026. Adds deepfake-labelling rules and SME proportionality to the EU baseline.[2][7][8] |
The draft national law is in Parliament, not yet enacted. The deepfake-labelling regime — which would categorise mislabelling AI-generated content as a "serious offence" with €7.5M–€35M ceilings — survives in the latest text but is not in force as of April 2026.
Implementation progress compared to other member states
As of April 2026, Spain remains the most operational implementation in the EU. The picture below is the working baseline; the Digital Omnibus on AI may move several status indicators once adopted.[12]
| Member state | Competent authority | Regulatory sandbox | National AI law |
|---|---|---|---|
| Spain | AESIA — operational since Jun 2024; full powers Aug 2025 | Active under Royal Decree 817/2023; cohort of 12 projects | Draft in Parliament; consultation closed Mar 2025 |
| Germany | BNetzA designated in KI-MIG draft; KoKIVO planned | BNetzA-led; not yet operational | KI-MIG draft, not yet enacted |
| France | Decentralised: CNIL, ANSSI, PEReN; multi-authority bill pending | In development | Pending |
| Italy | AgID (notifying), ACN (market surveillance), Garante (GDPR) | Planned | Law 132/2025 in force from 10 Oct 2025 |
AESIA — the national competent authority
The Agencia Española de Supervisión de la Inteligencia Artificial (AESIA) is Spain’s dedicated AI supervisory agency, the first of its kind in the EU. Headquartered in A Coruña under Director General Ignasi Belda, AESIA has been operational since June 2024.[1][6]
AESIA’s mandate and powers
| Role | Detail |
|---|---|
| Market surveillance authority | Spain’s market surveillance authority of reference and EU single point of contact under Article 70. Powers cover training data, algorithms and system documentation. Actively monitoring prohibited practices since 2 February 2025.[6] |
| Sandbox management | Operates the regulatory sandbox under Royal Decree 817/2023. Selects participants, supervises tests, publishes synthesised guidance.[4] |
| Guidance publisher | Released 16 detailed compliance guides on 16 December 2025 covering risk management, technical documentation, conformity assessment and sandbox operation. AESIA flags these as living documents.[5] |
| Sanctioning authority | Full sanctioning powers since 2 August 2025. Director Belda has indicated a guidance-first approach: warnings and corrective orders before fines.[3] |
Decentralised enforcement model
AESIA is the primary supervisor for most high-risk AI systems. Sector authorities retain oversight in their own domains:
| Authority | Domain |
|---|---|
| AESIA | Lead market surveillance authority and EU single point of contact |
| AEPD | AI systems processing personal data; GDPR / LOPDGDD intersection |
| CNMC | Competition and market aspects of AI systems |
| Central Electoral Commission | AI systems affecting democratic processes |
| AEMPS | AI medical devices and in-vitro diagnostics |
Implementation timeline and Omnibus framing
Spanish organisations must track EU-level deadlines and Spain-specific milestones together. In April 2026 the picture is dual-framed: the original Act dates remain the working baseline, while the Digital Omnibus on AI proposes new dates that the Council and Parliament are negotiating.[12]
| Date | Milestone | Notes for Spain |
|---|---|---|
| Jun 2024 | AESIA operational | First EU AI supervisory agency active. |
| Feb 2025 | Prohibited practices in force | AESIA actively monitoring; no public enforcement actions confirmed in April 2026. |
| Aug 2025 | GPAI obligations live; AESIA full powers | AESIA gains sanctioning authority; GPAI Code of Practice signed by ~24 providers (Meta absent, xAI partial). |
| Dec 2025 | 16 AESIA guides published | Living documents covering risk management, technical documentation and conformity assessment.[5] |
| Aug 2026 | High-risk obligations — original date | Working baseline. Continue conformity preparation against this date. |
| Dec 2027 | High-risk obligations — proposed under Omnibus | Stand-alone systems if the Digital Omnibus on AI is adopted. |
| Aug 2028 | High-risk obligations — proposed under Omnibus | Systems embedded in products under Annex I sectoral law. |
The Digital Omnibus on AI is in trilogue. Until it is adopted, 2 August 2026 is the operative deadline AESIA continues to communicate. Build conformity, technical documentation and Article 12 logs against the original date; if the Omnibus shifts to 2 December 2027 / 2 August 2028, the work translates directly to the new dates.
The AI regulatory sandbox
Spain ran the EU’s first AI regulatory sandbox under Royal Decree 817/2023, in force since 10 November 2023. It is a controlled environment where high-risk AI systems can be tested under AESIA supervision before full market deployment.[4][10]
What the sandbox provides
| For participants | For the wider ecosystem |
|---|---|
| Direct AESIA guidance during development | Public best-practice reports synthesised from sandbox findings |
| Early compliance validation before market launch | Practical implementation templates that feed AESIA’s guidance pack |
| Reduced regulatory uncertainty for high-risk systems | Inputs into national policy and other member states’ approaches |
| Input into emerging best-practice guidance | EU-wide learnings (the sandbox is open to participants from other member states) |
Current cohort
Twelve projects were selected in April 2025 across healthcare diagnostics, financial-services risk assessment and employment-related AI. The sandbox runs for 36 months from November 2023 or until the EU AI Act becomes fully applicable in Spain — whichever is first. Future cohort calls will be announced by AESIA.[4]
Article 12 logging on demand. AESIA’s December 2025 guidance treats logging templates as living documents — the Glacis Agent Runtime Security & Evidence Sprint produces signed evidence receipts mapped to those templates from your AI’s actual runtime behaviour, with runtime controls running inside your infrastructure and zero sensitive-data egress.
High-risk categories for the Spanish market
Annex III applies uniformly across member states, but Spanish economic structure shifts which categories matter most in practice. AESIA’s December 2025 guides walk through each category with Spain-specific examples drawn from sandbox cohort findings.[5]
| Sector | Typical high-risk applications |
|---|---|
| Tourism and hospitality | Biometric identification at hotels (Annex III §1); dynamic pricing affecting accommodation access (essential-services scrutiny); chatbots and virtual concierges (Article 50 transparency). |
| Financial services | Creditworthiness assessment (Annex III §5(a)); insurance pricing and underwriting (§5(b)); fraud-detection systems where they gate consumer access. Major Spanish institutions in scope include Santander, BBVA and CaixaBank. |
| Healthcare | Clinical decision support; medical imaging in radiology, pathology and dermatology; emergency triage and dispatch (§5(c)). AESIA and AEMPS share oversight; medical-device AI carries the longer August 2027 deadline. |
| Public administration | Benefits eligibility (social security, unemployment, housing); permit and licence processing; service-allocation systems. Spain’s Law 40/2015 requirements layer onto Annex III. |
| Employment | Recruitment and CV screening (§4(a)); performance monitoring for platform and gig workers; biometric attendance — the draft national AI law adds specific penalties when biometric attendance lacks proper human oversight.[2] |
Article 12 logging requirements
Article 12 of the EU AI Act mandates automatic logging that ensures traceability across the lifecycle of a high-risk AI system. AESIA’s December 2025 guidance pack includes Spain-specific implementation templates with retention defaults and AEPD coordination notes.[5]
Core logging requirements
| Layer | What must be captured |
|---|---|
| Traceability | Timestamped inputs; reference-database versions consulted; processing steps and decision logic; outputs generated and any confidence scores. |
| Human oversight | Identity of personnel involved in verification or validation; human override decisions and rationale; escalation events and their resolution. |
| Security and retention | Tamper-evident storage (cryptographic integrity); modification access controls; retention period appropriate to the system’s purpose and sector rules; accessibility to AESIA on request. |
Spain-specific considerations
Article 12 logging in Spain must align with the LOPDGDD (Spain’s GDPR implementation):
- Data minimisation — log only what is necessary for traceability; AESIA’s templates recommend hash-only storage for fields that exceed minimisation requirements.
- AEPD coordination — where logs include personal data, ensure a lawful basis under GDPR Article 6 and document the joint AESIA / AEPD position.
- Cross-border transfers — if logs are stored outside Spain or the EU, apply Standard Contractual Clauses or an adequacy mechanism. AESIA’s December 2025 template explicitly references this.
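The sketch below is an added example, not code from AESIA's templates or from GLACIS. It shows one way to combine the tamper-evident storage and hash-only minimisation described above: each record is bound to its predecessor with an HMAC chain, and identity fields are stored only as keyed digests. The field names, keys and sample events are constructed assumptions, and HMAC stands in for whatever signature scheme an operator actually uses.

```python
import hashlib
import hmac
import json

# Constructed keys for this example; real deployments load them from a KMS or HSM.
CHAIN_KEY = b"example-chain-key"
PSEUDONYM_KEY = b"example-pseudonym-key"
GENESIS = "0" * 64
# Assumed names of fields that exceed minimisation needs and are stored hash-only.
HASH_ONLY_FIELDS = {"applicant_id", "reviewer_id"}

def minimise(event):
    """Swap hash-only fields for a keyed digest so raw values never reach the log."""
    out = {}
    for key, value in event.items():
        if key in HASH_ONLY_FIELDS:
            mac = hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256)
            out[key + "_hmac"] = mac.hexdigest()
        else:
            out[key] = value
    return out

def record_mac(seq, prev, body):
    """MAC over canonical JSON of the record, bound to its position and predecessor."""
    payload = json.dumps({"seq": seq, "prev": prev, "body": body},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()

def append(log, event):
    """Append a minimised record chained to the previous record's MAC."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    body = minimise(event)
    log.append({"seq": seq, "prev": prev, "body": body,
                "mac": record_mac(seq, prev, body)})
    return log[-1]

def verify(log):
    """Return the index of the first record that fails verification, else None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = record_mac(i, prev, rec["body"])
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(rec["mac"], expected)):
            return i
        prev = rec["mac"]
    return None

def build_sample_log():
    """Constructed events: one automated decision, then a human override."""
    log = []
    append(log, {"ts": "2026-04-01T09:00:00Z", "event": "decision",
                 "applicant_id": "ES-0001", "model_version": "credit-v3",
                 "reference_db_version": "2026-03", "output": "decline",
                 "confidence": 0.62})
    append(log, {"ts": "2026-04-01T09:12:00Z", "event": "human_override",
                 "reviewer_id": "analyst-17", "decision": "approve",
                 "rationale": "income document verified manually"})
    return log

if __name__ == "__main__":
    print(verify(build_sample_log()))
```

A chain like this detects edits, deletions and reordering inside the log, but not removal of the most recent records; to catch that, store the latest MAC somewhere the log writer cannot modify.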
Sector-specific considerations
| Sector | What Spanish operators need to align |
|---|---|
| Healthcare | Determine whether the AI is a medical device under MDR (Regulation 2017/745) or IVDR. Coordinate conformity assessment between AEMPS notified bodies and AI Act requirements. Implement clinical-validation protocols aligned with both frameworks. Use the longer August 2027 deadline for AI as a medical-device safety component. |
| Financial services | Layer AI Act high-risk obligations onto Bank of Spain and CNMV supervision. Track EBA guidelines on machine learning in credit institutions. Apply consumer-protection rules under Spanish banking law and the algorithmic-transparency obligations for automated decisions affecting consumers. |
| Public sector | Layer Law 40/2015 requirements for automated administrative decisions; access-to-information transparency obligations; fundamental-rights impact assessments where AI affects citizens; and public-procurement considerations for AI acquisition. |
Conformity assessment pathway
Spanish organisations with high-risk AI systems must complete conformity assessment before the August 2026 working baseline (or whatever the Omnibus settles on). AESIA’s December 2025 guidance pack contains implementation templates aligned with Articles 43–44.[5]
Assessment pathways
| Pathway | Detail |
|---|---|
| Internal control (most high-risk systems) | Provider self-assessment supported by: technical documentation per Annex IV; quality management system (Article 17); post-market monitoring plan; EU declaration of conformity; CE marking affixation. Cost is internal resourcing. |
| Notified body assessment | Required for biometric identification (Annex III §1); medical AI devices (Class IIa and above); AI under other EU regulations requiring third-party conformity. Typical timeline 3–12 months; cost €10,000–€100,000. |
Spanish notified bodies
Spain is designating notified bodies for AI Act conformity assessments. Operators that need a third-party assessment should monitor AESIA announcements for the designated list, consider EU-wide notified bodies if Spanish capacity is constrained, and start engagement 6–9 months before the working baseline deadline.
Enforcement and penalties
The draft national AI law sets out a domestic penalty regime aligned with the EU AI Act ceilings. AESIA has held full sanctioning authority since 2 August 2025. No public enforcement actions for prohibited practices have been confirmed as of April 2026 — the agency is in guidance-and-warning mode while authorities across the EU complete institutional set-up.[2][3]
Penalty structure
| Violation | Maximum fine | Examples |
|---|---|---|
| Prohibited AI practices | €35,000,000 or 7% turnover | Social scoring, manipulative AI, untargeted biometric scraping |
| Serious offences | €7.5M–€35M or 2–7% turnover | Failure to label AI-generated content; high-risk non-compliance |
| Biometric system violations | €500K–€7.5M or 1–2% turnover | Employee attendance monitoring without proper human oversight |
| Other violations | €7.5M or 1% turnover | Providing incorrect information to authorities |
Additional enforcement measures
Beyond fines, the draft national law authorises:
- System-adaptation orders requiring mandatory modifications to achieve compliance.
- Commercialisation prohibition barring market placement of non-compliant systems.
- Public warnings with reputational impact through official announcements.
- System destruction in extreme cases involving serious harm.
- Temporary operation prohibition — government authority to halt any AI system causing death or serious harm.
AESIA’s enforcement approach
Director Belda has signalled a guidance-first approach: warnings and corrective orders before fines. Organisations demonstrating good-faith compliance efforts benefit. Document compliance work thoroughly, engage proactively with AESIA guidance and sandbox learnings, and implement corrective actions promptly when issues are flagged.[3]
Compliance roadmap for Spanish organisations
The roadmap below builds against 2 August 2026 as the working baseline. If the Digital Omnibus on AI is adopted, the same artefacts move to 2 December 2027 (stand-alone) or 2 August 2028 (embedded) with no rework — only the milestone dates shift.
| Phase | Detail |
|---|---|
| 01. AI system inventory and AESIA alignment (Month 1) | Catalogue all AI systems operating in Spain or serving Spanish customers. Classify per Annex III. Review AESIA’s 16 December 2025 guides for Spain-specific interpretation. Flag any systems potentially triggering prohibited-practice provisions. |
| 02. Content-labelling implementation (Month 1–2) | Implement disclosure mechanisms for synthetic media, chatbots and AI-assisted communications. Track the draft national AI law’s progress in Parliament; the deepfake-labelling regime carries €7.5M–€35M ceilings if enacted. |
| 03. Article 12 logging infrastructure (Month 2–4) | Implement automated logging per Article 12 and AESIA’s December 2025 templates. Align with LOPDGDD / GDPR. Establish tamper-evident storage with documented retention. Prepare for AESIA information requests. |
| 04. Risk management and technical documentation (Month 3–6) | Stand up Article 9 risk management. Prepare Annex IV technical documentation using AESIA’s templates. Run bias assessments in the Spanish market context. Generate evidence of control execution, not just policy text. |
| 05. Quality management and conformity (Month 4–9) | Stand up Article 17 QMS. For notified-body pathways, engage by Q1 2026 to complete before the working baseline. Prepare EU declaration of conformity and CE marking. Coordinate with AEMPS, Bank of Spain or CNMV where applicable. |
| 06. AESIA readiness and post-market monitoring (Ongoing) | Prepare for AESIA information requests and inspections. Stand up Article 73 serious-incident reporting. Maintain living documentation; consider sandbox participation for future high-risk systems. |
AESIA rewards demonstrated good-faith effort. Document everything; evidence of compliance intent influences enforcement outcomes. The agency has been explicit that mature, technical evidence of control execution is what differentiates organisations during a review.
How GLACIS supports Article 12
Article 12’s logging requirement is a technical problem, not a documentation problem. Compliance teams must show that controls actually execute — input validation, output filtering, human-oversight triggers — not that policies exist on paper. GLACIS addresses this with a tamper-evident log generated from runtime behaviour.
| Need | What GLACIS produces |
|---|---|
| Continuous monitoring | Real-time verification that input validation, output filtering and human-oversight triggers execute as designed; timestamped evidence of every control firing. |
| Tamper-evident records | Cryptographically signed log entries that meet Article 12’s tamper-evidence bar — AESIA receives verifiable proof, not assertions. |
| Framework mapping | Evidence mapped to EU AI Act Articles 9–15 and 17, ISO 42001 controls, and NIST AI RMF functions, alongside AESIA’s December 2025 templates. |
FAQ
How does enforcement in Spain differ from other member states?
AESIA is the EU’s first operational AI supervisory agency (June 2024) and has held full sanctioning powers since August 2025. Director Belda has signalled a warnings-first approach. No public enforcement actions for prohibited practices have been confirmed in April 2026 — the agency is in guidance-and-warning mode while authorities across the EU complete institutional set-up. The draft national AI law adds specific deepfake-labelling penalties on top of the EU baseline.
Should I participate in the regulatory sandbox?
For high-risk system development serving the Spanish or EU market, the sandbox offers direct AESIA guidance, early compliance validation, reduced regulatory uncertainty, and input into emerging best practice. The current cohort of twelve projects runs through 2026; future intake calls will be announced by AESIA. Non-participants still benefit from the published best-practice reports.
How do I coordinate AESIA with sector regulators?
AESIA is the primary authority for most high-risk AI; sector regulators retain domain oversight. Start with AESIA’s December 2025 guidance, then layer sector-specific obligations: AEMPS for medical AI; Bank of Spain or CNMV for financial services; AEPD for personal-data aspects. For medical devices, coordinate conformity assessment between AEMPS notified bodies and AI Act requirements — the August 2027 extended deadline for medical AI provides additional time.
What makes Spain’s content-labelling rules different?
The draft national law treats unlabelled AI-generated content as a "serious offence" with €7.5M–€35M ceilings — beyond the EU AI Act’s Article 50 baseline. Operators generating or manipulating content with AI should implement unambiguous disclosure mechanisms now; the deepfake-labelling regime survives in the latest draft text but isn’t yet in force.
How do I access AESIA’s guidance pack?
AESIA published the 16-document compliance pack on 16 December 2025 — risk-management templates, technical-documentation skeletons, sandbox guidance and conformity-assessment notes. Available on the official AESIA site at aesia.digital.gob.es in Spanish, with portions in English. AESIA flags these as living documents that may be amended once the Digital Omnibus on AI is adopted.
Are there SME-specific provisions in the draft AI law?
Yes. The draft includes proportionality language: SMEs may face the lesser of the percentage-of-turnover calculation or the fixed-amount ceiling. AESIA’s guidance-first approach benefits smaller organisations that demonstrate good-faith effort.
References
1. AESIA. "AESIA Consolidates Its Role in Europe in Promoting Ethical, Sustainable and Reliable AI." August 2025. aesia.digital.gob.es
2. White & Case LLP. "AI Watch: Global Regulatory Tracker — Spain." Updated 2025–2026. whitecase.com
3. Covington & Burling LLP. "Spain Issues Guidance Under the EU AI Act." Inside Privacy, December 2025. insideprivacy.com
4. European Commission. "First Regulatory Sandbox on Artificial Intelligence Presented." June 2022. ec.europa.eu
5. AESIA. "Guidelines Published to Support Compliance with the AI Act." 16 December 2025. aesia.digital.gob.es
6. Holistic AI. "Spain Becomes First EU Member to Establish AI Regulatory Body." August 2024. holisticai.com
7. Linklaters. "Spain Proposes a New AI Bill, Including Significant Fines." March 2025. linklaters.com
8. Euronews. "Spain Could Fine AI Companies Up to 35 Million for Mislabelling Content." March 2025. euronews.com
9. OECD. "Progress in Implementing the EU Coordinated Plan on AI — Spain." October 2025. oecd.org
10. Pinsent Masons. "Spain Legislates for First EU AI Act Regulatory Sandbox." November 2023. pinsentmasons.com
11. European Union. "Regulation (EU) 2024/1689 of the European Parliament and of the Council." OJEU, 12 July 2024. EUR-Lex
12. European Parliament. "Artificial Intelligence Act: delayed application, ban on nudifier apps." 23 March 2026. europarl.europa.eu
13. EU Artificial Intelligence Act. "Overview of All AI Act National Implementation Plans." Updated 2026. artificialintelligenceact.eu