What is AI regulation in Spain?

As of June 2026, AI regulation in Spain is mainly the EU AI Act applied through Spanish institutions. The binding rules come from the EU's risk-based regime, while Spain adds domestic supervision through AESIA, a dedicated AI oversight agency, and practical implementation tools such as the national AI sandbox and guidance. Spain is also advancing a national organic law to finalise authority allocation, sanctions and public-sector governance, but that bill is not yet fully enacted.

What this means

Spain does not currently have a separate, fully enacted all-purpose "Spanish AI Act". The core legal rules come from the EU AI Act, which applies directly in Spain. That means the basic questions are European ones: is the use prohibited, is it high-risk, does it trigger transparency duties, and who in the chain is the provider, deployer, importer or distributor.

What makes Spain distinctive is the national governance layer around those EU rules. Spain created AESIA before the AI Act fully applies, used a regulatory sandbox to test how compliance works in practice, and has published non-binding guides to help organisations prepare. It is also moving a national organic law through Parliament to settle the domestic map of authorities, sanctions and some public-sector governance duties.

Why it matters

For organisations operating in Spain, AI regulation is no longer just a policy or ethics topic. It affects product design, hiring tools, biometric systems, public benefits decisions, medical devices, procurement, incident response, staff training and board accountability. The practical challenge is not only knowing the EU AI Act text. It is also knowing which Spanish body may supervise a given use, what evidence you need to keep, and where AI law overlaps with privacy, employment, consumer, product safety or justice duties even when the model or system comes from a third party.

How it works

Spain's legal stack starts with the EU AI Act

In Spain, the core binding framework is Regulation (EU) 2024/1689, the EU AI Act. It applies directly, so Spain does not need a national statute to make the main obligations exist. The Act uses a risk-based model. Some practices are banned outright. Some systems are classed as high-risk and must meet detailed requirements. Some uses trigger transparency duties. General-purpose AI models sit on a partly distinct track, with heavier EU-level attention for the most powerful models.

The Act is phased in. Prohibited practices and AI literacy duties already apply. Governance rules and the obligations for general-purpose AI models have also started to apply. The wider regime for most remaining obligations takes effect from 2 August 2026, with some longer transition periods for certain product-related systems. That date may be deferred for some high-risk uses under the EU simplification (Digital Omnibus) package, which was politically agreed in 2026 but has not yet been finalised in amending legislation. For firms with Spanish operations, that means the compliance window is already open even if a specific use case is not yet at its final deadline.

AESIA is Spain's dedicated AI supervisory body

AESIA, the Agencia Española de Supervisión de Inteligencia Artificial, was created by Royal Decree 729/2023 and is based in A Coruña. Its statute gives it a broad mission: supervision, advice, awareness, training, inspection and, where the law assigns it, sanctioning powers. Its stated purpose is not only market oversight in the abstract. It is also to reduce risks to privacy, equality, non-discrimination and other fundamental rights that can be affected by AI systems.

That does not mean AESIA is the only relevant authority in Spain. Its own statute preserves the role of other bodies in their specialist domains. The point of AESIA is to give Spain a central AI-focused institution and a coordination hub, not to erase sector regulators.

The sandbox is Spain's practical implementation engine

Royal Decree 817/2023 created a controlled testing environment for trying out compliance with AI requirements for systems that may pose risks to safety, health and fundamental rights. The sandbox was open to public bodies and private entities selected through a formal process. Participation did not remove normal legal duties. The decree is explicit that it does not displace data protection law, intellectual property rules or any sector-specific conformity pathway that still applies.

This matters because Spain used the sandbox for regulatory learning, not just experimentation by firms. Information gathered during the pilot could be used to refine public guidance. That guidance is now one of the most useful practical features of the Spanish model. AESIA and the ministry published 16 guides covering topics such as conformity assessment, quality management, risk management, human oversight, data governance, transparency, log records, post-market monitoring, serious incident reporting and technical documentation.

The guides are practical, but they are not the law. AESIA states clearly that they are non-binding and intended to help organisations while harmonised standards and Commission guidance continue to develop. In other words, the Spanish sandbox is best understood as a bridge between the legal text of the AI Act and the day-to-day evidence an organisation must build.

Supervision in Spain is centralised in part and sectoral in part

Under the EU AI Act, Member States must have at least one market surveillance authority and at least one notifying authority. At EU level, the European AI Office oversees the implementation of the AI Act and supervises the most powerful general-purpose AI models. At national level, authorities are expected to supervise AI systems placed on the market or put into service in their jurisdiction.

Spain's direction of travel is clear even if the full domestic allocation is still being finalised. AESIA is the central dedicated AI body and the likely lead for many non-product, high-risk or cross-cutting cases. But sectoral authorities still matter. Finance, data protection, justice, medical devices and other regulated product areas keep their own supervisory logic. Spain's draft organic law, approved by the Council of Ministers on 26 May 2026, would preserve existing authorities for already regulated products and allocate many non-product areas mainly to AESIA, with bodies such as the Spanish Data Protection Agency, Banco de España and the General Council of the Judiciary involved where the subject matter requires it.

That pending bill is important because it supplies domestic procedure, sanctions architecture and a clearer map of who supervises what. Until it completes parliamentary passage, the broad architecture is visible, but some details can still move.

Operationally, the real work is evidence, governance and contracts

For most organisations, compliance in Spain will look less like a licensing exercise and more like disciplined system governance. First, classify the use case. Then identify your role in the value chain. Then build the evidence pack that matches that role. For high-risk systems, that usually means a risk management process, data governance controls, documentation, logs, user information, human oversight arrangements, accuracy and robustness controls, cybersecurity measures, post-market monitoring and a route for reporting serious incidents.

Spanish guidance is especially helpful here because it turns legal concepts into workstreams. It pushes organisations to document intended purpose, scope, model behaviour, operating conditions, residual risks, governance roles and update processes. It also helps procurement teams. A buyer in Spain should be asking not only "does this tool work?" but also "what is its AI Act category, who is the provider, what documentation exists, what logs are generated, how are incidents handled, what human checks are built in, and what support will the vendor provide if a regulator asks questions?"

The AI Act also already makes AI literacy a live requirement. That means staff who select, operate, oversee or procure AI in Spain should not be treated as passive users. Organisations need people who can recognise when a system enters a higher-risk regulatory zone and who know when to escalate to legal, privacy, product or security teams.

Examples

The official Spanish guidance uses biometric attendance at work as a worked example. In practice, a facial or other biometric time-recording system cannot be treated as just another HR tool. It sits in a high-risk category and needs a defensible intended purpose, technical documentation, human oversight, logging, risk controls and a privacy analysis that stands up under Spanish and EU data protection rules.

The same guidance uses an AI system that influences employee promotion decisions and pay. That is a useful reminder that AI regulation in Spain reaches ordinary management processes, not just dramatic frontier systems. If a system materially influences promotion or performance decisions, the organisation needs governance around data quality, oversight, documentation and challenge routes. It is not enough to rely on a vendor's marketing description of the tool.

A third official example is a smart insulin pump that monitors the patient and automatically administers insulin. This shows where Spain's model becomes genuinely layered. The AI Act matters, but so do medical-device and healthcare rules. In this kind of case, the AI analysis cannot be separated from patient-safety, product-conformity and sector supervision. Spain's framework does not replace those regimes. It sits on top of them.

Common misunderstandings

"Spain already has a single, standalone national AI code in force." It does not. The main binding framework is the EU AI Act, while Spain's national bill is still going through the legislative process.

"AESIA regulates every AI use in Spain by itself." It does not. AESIA is the central dedicated AI body, but sector regulators and EU-level bodies still matter.

"The sandbox is a safe harbour from other laws." It is not. Spain's sandbox never switched off data protection, intellectual property, product or sector-specific duties.

"The AESIA guides are legally binding." They are not. They are practical support documents and AESIA says they do not replace or develop the applicable law.

"Only developers need to care." That is wrong. Deployers, buyers, employers and public bodies can all carry duties under the AI Act and under Spanish sector law.

Risks and boundaries

AI regulation in Spain is not a free-standing ethics programme, and it is not a universal permit system for every use of AI. It is a layered compliance framework. The AI Act only bites in specific ways depending on how the system is built, marketed and used. A great deal of confusion comes from talking about "AI" as though every model, chatbot or analytics tool sits in the same legal category. They do not.

There are also clear limits to what the Spanish sandbox and guidance can do. The sandbox was a pilot mechanism, and the guides are expressly non-binding. They are useful evidence of regulator thinking, but they are not a substitute for the Regulation itself, for harmonised standards, or for sector law. In product-regulated fields, ordinary conformity routes still matter. In privacy-heavy uses, GDPR and Spanish data protection law still matter. In employment, labour and anti-discrimination issues still matter. In justice, judicial independence and court-specific rules still matter.

The main near-term uncertainty is institutional rather than conceptual. Spain's broad architecture is now visible, but the domestic allocation of authorities, sanctions procedure and some public-sector governance features are still being finalised through legislation. The draft Organic Law approved by the Council of Ministers on 26 May 2026 is a major step, but Parliament can still amend it. Organisations should treat the direction of travel as clear, while avoiding assumptions that every procedural detail is fixed.

What to do next

Start with a live inventory of AI uses connected to Spain, including bought-in tools, embedded AI components and pilot deployments. For each use, record the intended purpose, affected people, data used, business owner, supplier, role in the value chain and likely AI Act category. Escalate any system that could be prohibited, high-risk, biometric, employment-related, public-service-related or safety-critical.

Then build a governance file for the higher-risk uses. That file should cover contract terms, technical documentation access, human oversight, logging, incident handling, update control, post-market monitoring and staff training. Use AESIA's guides as an interim operating playbook, but do not treat them as a substitute for the law. Finally, track the Spanish organic law and the notices of relevant sector authorities so that your authority map, escalation route and reporting process are current before the wider AI Act regime applies in full.

FAQs

Does Spain have its own AI Act?

Not in the sense of a fully enacted national statute that replaces the EU AI Act. The binding core is the EU AI Act. Spain's national layer is mainly about supervisory bodies, procedure, sanctions and some public-sector rules.

Is AESIA the only AI regulator in Spain?

No. AESIA is the central dedicated AI body, but sectoral authorities still matter. Depending on the use case, data protection, financial, justice, medical-device or other product authorities may also be involved, and the European AI Office has an EU-level role for the most powerful general-purpose AI models.

Is the EU AI Act already in force in Spain?

Yes. It applies directly in Spain and is being phased in. Some duties already apply, including the ban on prohibited practices and AI literacy duties, while the broader regime applies from 2 August 2026 (a date that may shift for some high-risk uses under the pending EU Digital Omnibus simplification package), with some longer transitions for certain product-related systems.

Do the Spanish sandbox guides have legal force?

No. They are official and useful, but non-binding. They help organisations understand how to implement the AI Act in practice while European standards and guidance continue to develop.

If I only buy AI from a vendor, do I still have obligations in Spain?

Potentially, yes. Buyers and deployers can carry duties under the AI Act, especially for high-risk use, transparency, monitoring, human oversight and incident handling. Procurement and contract management are therefore part of AI compliance.

Does AESIA directly supervise general-purpose AI models such as the largest foundation models?

EU-level supervision matters here. The European AI Office is responsible for supervising the most powerful general-purpose AI models. AESIA still matters for many downstream systems and for Spain's national supervisory architecture.

Will Spain add extra rules for public bodies?

Probably yes, but some of that is still pending. The 2026 draft Organic Law proposes additional public-sector governance features, including an inventory of AI systems used in administrative procedures and an AI delegate role, but those measures are not yet final law.
