Spain Approves AI Governance Law Aligned With EU Framework
Spain's government approved a draft Organic Law on artificial intelligence on May 26, 2026, bringing national rules into line with the EU AI Act. The legislation establishes oversight mechanisms, penalty structures, and public sector requirements for AI systems operating in Spain.
New Supervisory Structure
The law creates a tiered governance model. AI products already regulated by sector-specific rules (medical devices, automotive systems, and others) remain under existing authorities. For AI systems outside those frameworks, three bodies share responsibility: the Spanish AI Supervisory Agency (AESIA), the Spanish Data Protection Agency (AEPD), and the General Council of the Judiciary (CGPJ).
AESIA serves as the single point of contact for cross-sector AI matters. The law also requires these authorities to coordinate on enforcement.
Fines Scale With Company Size
Violations fall into three categories: very serious, serious, and minor. The most serious breaches carry fines up to €35 million or 7% of global turnover. Minor violations can result in penalties of up to €500,000 or 0.5% of turnover.
Authorities have discretion to adjust penalties based on the violation's gravity, whether it was intentional, and whether it was repeated. The law includes provisions to reduce fines for early payment, adoption of corrective measures, and company size, a protection designed for SMEs and startups.
Public Sector Accountability Requirements
Beyond implementing the EU framework, Spain added measures specific to government use of AI. Agencies must maintain an inventory of all AI systems used in administrative proceedings, not just high-risk ones, to increase transparency.
Each government entity will designate an AI delegate to coordinate compliance and advise on projects and procurement. The law also mandates AI training for public employees.
Regulatory Sandboxes Formalized
Spain has operated AI testing environments for early compliance. The new law formalizes these sandboxes at the national level, with AESIA operating the mandatory national sandbox required under EU rules.
Market surveillance authorities can establish additional sector-specific sandboxes within their areas, with required participation from agencies overseeing public policy and fundamental rights in those sectors.
What Government Officials Need to Know
The law targets prohibited AI practices (those that manipulate behavior, exploit vulnerabilities, or use certain biometric systems) and requires human review when fundamental rights are at stake. It includes protections for minors and mandates algorithmic transparency.
Spain positions this legislation as part of its broader AI infrastructure strategy, which includes two EU AI factories and leading private companies. The emphasis on coordinated supervision and public sector accountability reflects a European trend: building governance models that allow technology development while protecting fundamental rights.
For government employees, the law creates new compliance obligations, oversight roles, and training requirements.