Spain’s Implementation Status
Spain has positioned itself at the forefront of EU AI Act implementation, moving faster than any other member state to establish governance infrastructure. While most EU countries are still designating competent authorities, Spain’s regulatory framework has been operational for over a year.
Legislative Framework
Spain’s AI governance rests on three foundational legal instruments:
- Royal Decree 729/2023: Establishes AESIA’s statute, designating it as Spain’s national competent authority for AI supervision. Approved November 2023.[1]
- Royal Decree 817/2023: Creates Europe’s first AI regulatory sandbox, providing a controlled environment for testing high-risk AI systems. In force since November 10, 2023.[4]
- Draft AI Law (March 2025): Ley para el Buen Uso y la Gobernanza de la Inteligencia Artificial—implements and supplements the EU AI Act with domestic provisions on content labeling and a national penalty regime.[2]
Spain’s draft national AI law underwent public consultation until March 26, 2025. The legislation is expected to be enacted before the August 2025 GPAI deadline, giving Spanish organizations early clarity on national requirements beyond the baseline EU AI Act.[3]
Implementation Progress Compared to Other Member States
As of December 2025, Spain leads EU member states in implementation readiness:
EU AI Act Implementation by Member State
| Member State | Competent Authority | Regulatory Sandbox | National AI Law |
|---|---|---|---|
| Spain | OPERATIONAL | ACTIVE | DRAFT |
| Germany | DESIGNATED | PLANNED | PENDING |
| France | DESIGNATED | DEVELOPING | PENDING |
| Italy | DESIGNATED | PLANNED | PENDING |
AESIA: Spain’s National Competent Authority
The Agencia Española de Supervisión de la Inteligencia Artificial (AESIA) is Spain’s dedicated AI supervisory agency—the first of its kind appointed in the EU in compliance with the AI Act. Headquartered in A Coruña, Galicia, AESIA has been operational since June 2024 under Director General Ignasi Belda.[1]
AESIA’s Mandate and Powers
Market Surveillance Authority
AESIA serves as Spain’s market surveillance authority of reference and Single Point of Contact with the EU. It monitors AI systems placed on the Spanish market, including prohibited AI practices that became banned February 2, 2025. AESIA has extensive inspection and verification powers covering training data, algorithms, and AI system documentation.[6]
Sandbox Management
AESIA manages Spain’s AI regulatory sandbox (RD Sandbox), selecting participants, supervising testing activities, and synthesizing findings into best practice guidance. The sandbox provides practical insights that inform national AI regulations and AESIA’s enforcement approach.[4]
AI Literacy and Guidance
Beyond enforcement, AESIA promotes AI literacy and publishes compliance guidance. In December 2025, it released 16 practical guides supporting EU AI Act implementation, covering high-risk system requirements, conformity assessment procedures, and technical documentation templates.[5]
Sanctioning Powers
AESIA gains full sanctioning powers from August 2025. Director Belda has indicated the agency will prioritize warnings and corrective guidance before resorting to fines—a proportionate enforcement approach that benefits organizations demonstrating good-faith compliance efforts.[3]
Decentralized Enforcement Model
Spain adopts a decentralized approach to AI Act enforcement. While AESIA serves as the primary supervisor for most high-risk AI systems, sector-specific authorities retain oversight within their domains:
- CNMC (Comisión Nacional de los Mercados y la Competencia) — Competition and market aspects of AI systems
- AEPD (Agencia Española de Protección de Datos) — AI systems processing personal data, GDPR/LOPDGDD intersection
- Central Electoral Commission — AI systems affecting democratic processes
- AEMPS (Agencia Española de Medicamentos y Productos Sanitarios) — AI medical devices
Implementation Timeline
Spanish organizations must track both EU-level deadlines and Spain-specific milestones. The Spanish government’s proactive approach means certain obligations—particularly around AI content labeling—may apply earlier than in other member states.
Spain AI Act Implementation Timeline
| Date | Milestone | Spain-Specific Notes | Status |
|---|---|---|---|
| June 2024 | AESIA Operational | First EU AI supervisory agency active | COMPLETE |
| Feb 2, 2025 | Prohibited AI Ban | AESIA actively monitoring Spanish market | ACTIVE |
| Aug 2, 2025 | GPAI + AESIA Powers | AESIA full sanctioning authority; GPAI obligations | 7 MONTHS |
| Late 2025 | National AI Law | Spanish-specific content labeling requirements | EXPECTED |
| Aug 2, 2026 | High-Risk Compliance | Full Annex III requirements; sandbox insights apply | 19 MONTHS |
| Aug 2, 2027 | Medical AI Devices | AEMPS coordination with AESIA | 31 MONTHS |
Spain-Specific Deadline Alert
Spain’s national AI law introduces immediate content labeling requirements upon enactment. Organizations using AI to generate or manipulate content must implement clear disclosure mechanisms. Given AESIA’s active monitoring and upcoming sanctioning powers, Spanish operations should prioritize transparency compliance ahead of other EU jurisdictions.
Spain’s AI Regulatory Sandbox
Spain launched Europe’s first AI regulatory sandbox in June 2022, predating the EU AI Act’s final adoption. This pioneering initiative provides organizations a controlled environment to test high-risk AI systems with regulatory supervision before full market deployment.
Sandbox Structure and Benefits
Established under Royal Decree 817/2023, the sandbox creates a collaborative space between regulators and innovators:
For Participants
- Direct AESIA guidance during development
- Early compliance validation before market launch
- Reduced regulatory uncertainty for high-risk systems
- Input into best practice guidance development
For the Ecosystem
- Public best practice reports from sandbox findings
- Practical implementation templates
- Informed regulatory policy development
- EU-wide learnings (sandbox open to other states)
Current Sandbox Cohort
In April 2025, twelve AI projects were selected for sandbox participation. These span high-risk categories including healthcare diagnostics, financial services risk assessment, and employment-related AI. Results will be synthesized into public guidance informing future national regulations.[4]
The sandbox runs for 36 months from November 2023 or until the EU AI Act becomes fully applicable in Spain—whichever comes first. Organizations interested in future sandbox participation should monitor AESIA announcements for subsequent cohort calls.
High-Risk AI Categories for the Spanish Market
While the EU AI Act’s Annex III defines high-risk categories uniformly across member states, certain categories have particular relevance to Spain’s economic structure and regulatory priorities.
Tourism and Hospitality
Spain’s tourism sector—one of Europe’s largest—increasingly deploys AI for dynamic pricing, personalized recommendations, and customer service automation. High-risk considerations include:
- Biometric identification at hotels: Facial recognition for check-in or access control falls under Annex III Category 1
- Dynamic pricing algorithms: May trigger essential services scrutiny if affecting accommodation access
- AI chatbots and virtual concierges: Limited-risk transparency obligations under Article 50
Financial Services
Spain’s banking sector (Santander, BBVA, CaixaBank) and fintech ecosystem face significant high-risk exposure:
- Creditworthiness assessment: Annex III Category 5(a)—any AI evaluating natural persons’ credit eligibility
- Insurance pricing and underwriting: Annex III Category 5(b)—risk assessment and premium calculation
- Fraud detection systems: May require conformity assessment if used for access decisions
Healthcare
Spain’s public health system (SNS) and private healthcare providers deploying AI face dual regulatory oversight from AESIA and AEMPS:
- Clinical decision support systems: AI assisting diagnosis or treatment recommendations
- Medical imaging AI: Radiology, pathology, dermatology analysis systems
- Patient triage and prioritization: Emergency dispatch falls under Annex III Category 5(c)
Public Administration
Spanish public sector AI deployment requires particular attention given government scale and citizen impact:
- Benefits eligibility determination: Social security, unemployment, housing assistance
- Permit and license processing: AI-assisted decisions on applications
- Public service resource allocation: Scheduling, queue management, service prioritization
Employment
Spain’s significant gig economy and traditional employment sectors face extensive high-risk obligations:
- Recruitment and CV screening: Annex III Category 4(a)—any AI influencing hiring decisions
- Performance monitoring: Particularly relevant for platform/gig workers
- Biometric attendance systems: Spain’s draft AI law specifically penalizes use without proper human oversight[2]
Article 12 Logging Requirements
Article 12 of the EU AI Act mandates that high-risk AI systems maintain automatic logging capabilities ensuring traceability throughout the system lifecycle. AESIA’s December 2025 guidance provides Spain-specific implementation templates.[5]
Core Logging Requirements
Traceability
Logs must enable reconstruction of AI system operation from input to output:
- Input data received by the system (timestamped)
- Reference database versions consulted
- Processing steps and decision logic applied
- Output generated and any confidence scores
Human Oversight Documentation
Logs must record human involvement in AI-assisted decisions:
- Identity of persons involved in verification/validation
- Human override decisions and rationale
- Escalation events and resolution
Security and Retention
Logs must be protected and retained appropriately:
- Tamper-evident storage (cryptographic integrity)
- Access controls limiting modification
- Retention period appropriate to system purpose and sector requirements
- Accessibility to AESIA and market surveillance authorities upon request
Spain-Specific Considerations
Spanish organizations must align Article 12 logging with domestic data protection requirements under LOPDGDD (Spain’s GDPR implementation). Key considerations:
- Data minimization: Log only what’s necessary for traceability—avoid excessive personal data capture
- AEPD coordination: Where logging involves personal data, ensure GDPR-compliant processing basis
- Cross-border transfers: If logs are stored outside Spain/EU, apply appropriate transfer mechanisms
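The traceability, human oversight, tamper-evidence and data minimization points above can be combined in one record format. The sketch below is an added illustration, not taken from AESIA guidance or any vendor's product; the field names, the HMAC-SHA-256 chain, and keeping the key and the latest MAC outside the log store are assumptions of this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor used as prev_mac of the first entry


def _canonical(record: dict) -> bytes:
    # Stable serialization so the same record always yields the same MAC.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log; each entry's MAC covers its body and the previous MAC."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: stored apart from the log (e.g. KMS/HSM)
        self.entries = []

    def append(self, raw_input: bytes, db_version: str, steps: list,
               output: str, confidence: float, reviewer=None,
               override=None, rationale=None) -> dict:
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            # Data minimization: log a digest that can be matched against the
            # retained input, not the (possibly personal) input itself.
            "input_sha256": hashlib.sha256(raw_input).hexdigest(),
            "reference_db_version": db_version,
            "processing_steps": steps,
            "output": output,
            "confidence": confidence,
            "human_oversight": {"reviewer": reviewer, "override": override,
                                "rationale": rationale},
            "prev_mac": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, mac=mac)
        self.entries.append(entry)
        return entry


def verify(entries: list, key: bytes, expected_head=None):
    """Return None if the chain is intact, else the index of the first fault.

    expected_head is the latest MAC as recorded in a separate system; without
    it, removal of the newest entries cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        good = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (entry.get("seq") != i or entry.get("prev_mac") != prev
                or not hmac.compare_digest(good, entry.get("mac", ""))):
            return i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # chain is valid but shorter than the anchor says
    return None
```

A digest of low-entropy personal data can still be guessed by brute force, so the digest field remains subject to the same LOPDGDD/GDPR analysis as the rest of the record.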
Sector-Specific Considerations
Healthcare AI in Spain
Healthcare AI operates at the intersection of AESIA oversight and existing medical device regulation under AEMPS. Organizations should:
- Determine whether AI constitutes a medical device under MDR (Regulation 2017/745)
- Coordinate conformity assessment between AEMPS notified bodies and AI Act requirements
- Implement clinical validation protocols aligned with both frameworks
- Note extended August 2027 deadline for AI as medical device safety components
Financial Services AI
Spanish financial institutions face overlapping requirements from AESIA, Bank of Spain, and CNMV. Key alignment areas:
- AI Act high-risk requirements for credit and insurance decisions
- EBA guidelines on machine learning in credit institutions
- Consumer protection requirements under Spanish banking law
- Algorithmic transparency obligations for automated decisions affecting consumers
Public Sector AI
Spanish public administration AI requires coordination with general administrative law and digital government frameworks:
- Law 40/2015 requirements for automated administrative decisions
- Transparency obligations under Spain’s access to information law
- Fundamental rights impact assessments for AI affecting citizens
- Public procurement considerations for AI system acquisition
Conformity Assessment Pathway
Spanish organizations with high-risk AI systems must complete conformity assessment before the August 2026 deadline. AESIA’s guidance documents provide implementation templates aligned with Articles 43-44.[5]
Assessment Pathways
Internal Control (Most High-Risk Systems)
Provider self-assessment based on:
1. Technical documentation per Annex IV
2. Quality management system (Article 17)
3. Post-market monitoring plan
4. EU declaration of conformity
5. CE marking affixation
Notified Body Assessment
Third-party assessment required for:
- Biometric identification systems (Annex III Category 1)
- Medical AI devices (most Class IIa and above)
- AI under other EU regulations requiring third-party conformity
Timeline: 3-12 months | Cost: 10,000-100,000 EUR
Spanish Notified Bodies
Spain is designating notified bodies for AI Act conformity assessments. Organizations requiring third-party assessment should:
- Monitor AESIA announcements for designated notified body lists
- Consider EU-wide notified bodies if Spanish capacity is constrained
- Initiate engagement 6-9 months before the August 2026 deadline
Enforcement & Penalties
Spain’s draft AI law establishes a domestic penalty regime aligned with—and in some areas exceeding—EU AI Act requirements. AESIA gains full sanctioning authority from August 2025.[2][3]
Penalty Structure
Spain AI Act Penalty Tiers
| Violation Type | Maximum Fine | Examples |
|---|---|---|
| Prohibited AI practices | 35M EUR or 7% turnover | Social scoring, manipulative AI, untargeted biometric scraping |
| Serious offences | 7.5M-35M EUR or 2-7% turnover | Failure to label AI-generated content, high-risk non-compliance |
| Biometric system violations | 500K-7.5M EUR or 1-2% turnover | Employee attendance monitoring without human oversight |
| Other violations | 7.5M EUR or 1% turnover | Providing incorrect information to authorities |
Additional Enforcement Measures
Beyond fines, Spain’s draft AI law authorizes:[2]
- System adaptation orders: Mandatory modifications to achieve compliance
- Commercialization prohibition: Barring market placement of non-compliant systems
- Public warnings: Reputational impact through official announcements
- System destruction: In extreme cases involving serious harm
- Temporary operation prohibition: Government authority to halt any AI system causing death or serious harm
AESIA’s Enforcement Approach
Director Belda has indicated AESIA will prioritize warnings and guidance before imposing fines. This creates opportunity for organizations demonstrating good-faith compliance efforts:[3]
- Document compliance efforts thoroughly to evidence good faith
- Engage proactively with AESIA guidance and sandbox learnings
- Implement corrective actions promptly when issues are identified
Compliance Roadmap for Spanish Organizations
Given Spain’s advanced implementation status, organizations should accelerate compliance timelines compared to other EU markets. The following roadmap accounts for Spain-specific requirements and AESIA’s active enforcement posture.
EU AI Act Spain Implementation
AI System Inventory & AESIA Alignment (Month 1)
Catalog all AI systems operating in Spain or serving Spanish customers. Classify per Annex III high-risk categories. Review AESIA’s 16 guidance documents for Spain-specific interpretation. Identify any systems potentially triggering prohibited AI provisions (already enforceable since February 2025). Prioritize content-generating AI for Spain’s labeling requirements.
Content Labeling Implementation (Month 1-2)
Spain’s national AI law prioritizes transparency for AI-generated content. Implement clear disclosure mechanisms for synthetic media, chatbots, and AI-assisted communications. Ensure labeling meets Spain’s specific requirements—penalties reach 35M EUR for serious non-compliance. Review deepfake and manipulated content detection capabilities.
Article 12 Logging Infrastructure (Month 2-4)
Implement automated logging per Article 12 requirements and AESIA guidance. Ensure traceability of inputs, outputs, and decisions. Document human oversight interventions. Align with LOPDGDD/GDPR data protection requirements. Establish tamper-evident storage and appropriate retention periods. Prepare for AESIA information requests upon enforcement authority activation in August 2025.
Risk Management & Technical Documentation (Month 3-6)
Establish continuous risk management per Article 9. Prepare Annex IV technical documentation using AESIA’s templates. Conduct bias assessments for Spanish market context (demographic, linguistic, cultural considerations). Document data governance practices per Article 10. Generate evidence of control execution—not just policy documentation.
Quality Management & Conformity Assessment (Month 4-9)
Establish Article 17 quality management system. For systems requiring notified body assessment, initiate engagement by Q1 2026 to ensure completion before August 2026 deadline. Prepare EU declaration of conformity and CE marking documentation. Coordinate with sector-specific regulators (AEMPS for healthcare, Bank of Spain for financial services) on overlapping requirements.
AESIA Readiness & Post-Market Monitoring (Ongoing)
Prepare for AESIA information requests and inspections. Establish Article 73 serious incident reporting procedures. Implement post-market monitoring tracking performance and user feedback. Maintain living documentation updated with system changes. Consider sandbox participation for future high-risk system development. Engage with AESIA guidance updates and emerging best practices.
Spain-specific insight: AESIA’s proactive enforcement stance means compliance delays carry higher risk than in other member states. However, the agency’s guidance-first approach rewards organizations that demonstrate good-faith efforts. Document everything—evidence of compliance intent can influence enforcement outcomes.
How GLACIS Supports Article 12 Compliance
Article 12’s logging requirements present a significant technical challenge: organizations must prove their AI controls actually execute—not just document that policies exist. GLACIS addresses this gap with cryptographic evidence generation.
The Article 12 Evidence Challenge
Traditional compliance approaches rely on policy documentation and periodic audits. But AESIA, like other market surveillance authorities, can request evidence that controls are actively functioning. This requires:
- Continuous monitoring: Real-time verification that controls execute as designed
- Tamper-evident records: Cryptographic proof that logs haven’t been modified
- Audit-ready documentation: Evidence packages formatted for regulatory review
GLACIS Continuous Attestation
GLACIS generates cryptographic evidence that AI governance controls execute correctly. This addresses Article 12 requirements by providing:
Automated Control Verification
GLACIS continuously monitors AI system controls—input validation, output filtering, human oversight triggers—and generates timestamped evidence of execution. This transforms Article 12 compliance from periodic documentation to continuous proof.
Cryptographic Evidence Packs
Evidence is cryptographically signed and immutable, meeting Article 12’s tamper-evident requirements. When AESIA requests documentation, you provide verifiable proof—not assertions that require trust.
Framework Mapping
GLACIS maps evidence to EU AI Act articles, ISO 42001 controls, and NIST AI RMF functions. This alignment with AESIA’s guidance documents simplifies regulatory review and demonstrates comprehensive compliance.
Frequently Asked Questions
How does Spain’s enforcement differ from other EU member states?
Spain has the EU’s first operational AI supervisory agency (AESIA), active since June 2024. While most member states are still designating competent authorities, AESIA is already monitoring prohibited AI practices and will have full sanctioning powers from August 2025. Director Belda has indicated a warnings-first approach, but organizations should expect more active enforcement than in slower-moving member states. Spain’s draft national AI law also introduces specific content labeling requirements with penalties reaching 35M EUR.
Should I participate in Spain’s regulatory sandbox?
If you’re developing high-risk AI systems for the Spanish or EU market, sandbox participation offers significant advantages: direct AESIA guidance during development, early compliance validation, reduced regulatory uncertainty, and input into emerging best practices. The current cohort of twelve projects runs through 2026, but monitor AESIA announcements for future intake calls. Even non-participants benefit from public best practice reports synthesized from sandbox findings.
How do I coordinate between AESIA and sector-specific regulators?
Spain uses a decentralized enforcement model. AESIA is the primary authority for most high-risk AI, but sector-specific regulators retain domain oversight: AEMPS for medical AI, Bank of Spain/CNMV for financial services AI, AEPD for data protection aspects. Start with AESIA’s guidance documents for baseline requirements, then layer sector-specific obligations. For medical devices, coordinate conformity assessment between AEMPS notified bodies and AI Act requirements—the August 2027 extended deadline for medical AI provides additional time.
What makes Spain’s content labeling requirements different?
Spain’s draft AI law places particular emphasis on AI-generated content transparency, reflecting concerns about deepfakes and synthetic media. The legislation classifies failure to label AI content as a "serious offense" with penalties of 7.5M-35M EUR or 2-7% of global turnover. This exceeds the EU AI Act’s baseline Article 50 transparency requirements. Organizations generating or manipulating content with AI should implement clear, unambiguous disclosure mechanisms before Spain’s national law takes effect.
How do I access AESIA’s guidance documents?
AESIA published 16 practical guides in December 2025 covering high-risk system requirements, conformity assessment procedures, technical documentation templates, and implementation recommendations. These are available on AESIA’s official website (aesia.digital.gob.es) in Spanish, with some materials translated to English. The guidance provides Spain-specific interpretation of EU AI Act requirements and should be your primary reference for national implementation.
What are SME-specific provisions in Spain’s AI law?
Spain’s draft AI law includes reduced penalty provisions for small and medium enterprises. While the maximum fines remain substantial (up to 35M EUR for serious offenses), SMEs may receive the lesser of the percentage-of-turnover calculation or the fixed amount. Additionally, AESIA’s guidance-first enforcement approach benefits smaller organizations demonstrating good-faith compliance efforts. Consider engaging proactively with AESIA resources to document your compliance journey.
References
- [1] AESIA. "AESIA Consolidates Its Role in Europe in Promoting Ethical, Sustainable and Reliable AI." August 2025. aesia.digital.gob.es
- [2] White & Case LLP. "AI Watch: Global Regulatory Tracker - Spain." December 2025. whitecase.com
- [3] Covington & Burling LLP. "Spain Issues Guidance Under the EU AI Act." Inside Privacy, December 2025. insideprivacy.com
- [4] European Commission. "First Regulatory Sandbox on Artificial Intelligence Presented." June 2022. ec.europa.eu
- [5] AESIA. "Guidelines Published to Support Compliance with the AI Act." December 2025. aesia.digital.gob.es
- [6] Holistic AI. "Spain Becomes First EU Member to Establish AI Regulatory Body." August 2024. holisticai.com
- [7] Linklaters. "Spain Proposes a New AI Bill, Including Significant Fines." March 2025. linklaters.com
- [8] Euronews. "Spain Could Fine AI Companies Up to 35 Million in Fines for Mislabelling Content." March 2025. euronews.com
- [9] OECD. "Progress in Implementing the European Union Coordinated Plan on Artificial Intelligence - Spain." October 2025. oecd.org
- [10] Pinsent Masons. "Spain Legislates for First EU AI Act Regulatory Sandbox." November 2023. pinsentmasons.com
- [11] European Union. "Regulation (EU) 2024/1689 of the European Parliament and of the Council." Official Journal of the European Union, July 12, 2024. EUR-Lex
- [12] EU Artificial Intelligence Act. "Overview of All AI Act National Implementation Plans." 2025. artificialintelligenceact.eu