Spain submits its AI Governance Law to Congress: sanctions, AESIA, and public inventory

The Organic Bill on the responsible use and governance of artificial intelligence is already on the table in Spain's Parliament. The text, published in the Official Gazette of the General Courts, does not replace the European AI Regulation (AI Act), but it does translate a key part of its implementation into Spanish law: competent authorities, institutional coordination, sanctioning regime, controlled testing spaces, and specific obligations for the national public sector.

The Steering Committee of Congress agreed to refer the bill to the Committee on Economy, Commerce, and Digital Transformation and opened a fifteen-working-day amendment period, which ends on June 30, 2026. From that point, the bill will continue its parliamentary process, meaning it could still undergo changes before final approval.

A Spanish law to implement the AI Act

The project is based on a clear idea: the European AI Regulation is directly applicable, but it leaves member states the task of designating national authorities, organizing oversight, and developing the sanctioning framework. Spain takes advantage of this law to build that national architecture.

The regulation covers four main areas: market governance and supervision, controlled testing environments, responsible AI use in the public sector, and sanctions for violations of the European AI Regulation.

| Area | What the bill regulates |
|---|---|
| Governance | Designation of competent national authorities |
| Supervision | Market surveillance, inspections, and coordination |
| Sandbox | Controlled testing spaces for AI |
| Public sector | Inventory of systems and AI delegate |
| Sanctions | Minor, serious, and very serious infringements |
| Complaints | One-stop shop via AESIA |
| Provisional measures | Restrictions, removal, disconnection, or prohibition of systems |

The bill emphasizes that it does not create regulation parallel to the AI Act but adapts Spanish rules to its requirements. Its rationale recalls that the European Regulation governs the placing on the market, putting into service, and use of AI systems within the EU, and that obligations apply to providers, deployers, importers, distributors, and other operators.

AESIA will be the central body, but not the only authority

The Spanish Agency for AI Oversight, AESIA, appears as the backbone of the national system. The draft designates it as the market surveillance authority for most AI systems and as the single contact point with the European Commission, the AI Office, the AI Council, and authorities from other Member States.

However, the model isn’t entirely centralized. The law opts for distributed oversight depending on the sector and system type. The AEPD and autonomous data protection authorities will handle competencies in particularly sensitive areas such as biometrics, identification, biometric categorization, migration, asylum, and border control. The General Council of the Judiciary will have competencies over specific AI systems used in justice and the enforcement of legal compliance.

| Authority | Main competencies |
|---|---|
| AESIA | General market surveillance, single contact point, and coordination |
| Directorate General of Artificial Intelligence | Notifying authority for AI systems in Annex III |
| ENAC | Technical support in compliance evaluation and oversight of conformity assessment bodies |
| AEPD and autonomous authorities | Biometrics, migration, asylum, and border control in specific cases |
| CGPJ | AI in justice and legal compliance enforcement |
| Bank of Spain | AI systems for solvency and credit scoring in supervised entities |
| CNMV | Solvency AI in entities under its scope |
| General Directorate of Insurance | AI for risk assessment and pricing in life and health insurance |

The Directorate General of AI, dependent on the Secretary of State for Digitalization and AI, will act as the notifying authority for Annex III systems under the European AI Regulation. Its work will be supported by ENAC, the national accreditation body, for the evaluation and oversight of conformity assessment bodies.

The design aims to balance specialization and coordination. AESIA can provide technical assistance to other authorities, but the text underscores that such support should not compromise each authority’s independence or sectoral expertise.

Inventory of AI systems and mandatory AI delegate in the public sector

A notable novelty concerns the public sector. State public entities will be required to provide updated information about AI systems used in their functions. An interoperable inventory of AI systems will be created, aligned with the European registry of high-risk systems.

This inventory does not replace the registration obligations for high-risk systems under the AI Act but adds a national transparency layer concerning AI use in electronic administrative procedures. It will include minimum information such as the provider, the deployer, other operators involved, and the system's categorization.

| Obligation for the public sector | Scope |
|---|---|
| Report AI systems | Relevant and updated information |
| Create inventory | Interoperable with the European registry |
| Identify provider and deployer | Minimum required information per system |
| Classify systems | Based on the applicable framework |
| Promote training | Responsible, sustainable, and trustworthy use |
| Nominate AI delegate | Internal coordination and regulatory compliance |

The bill also introduces the figure of the AI delegate in each public sector entity. This person will coordinate internal policies, ensure compliance with applicable standards, and promote proper AI use. They may also advise on impact assessments concerning discriminatory bias and fundamental rights when relevant.

Not everything will be public. Exemptions are foreseen for systems related to the military, defense, national security, critical infrastructure, pre-deployment research, public cybersecurity, tax fraud, or system integrity, where publicity could compromise the system's efficacy or increase the risk of evasion or attack.

Sanctions of up to 35 million euros or 7% of worldwide turnover

The sanctioning regime is a core part of the bill. It classifies violations into minor, serious, and very serious categories, mirroring the thresholds set in the European AI Regulation. The most severe infringements relate to prohibited AI practices.

| Type of violation | Maximum sanction |
|---|---|
| Very serious, for prohibited practices | 35 million euros or 7% of global annual turnover |
| Other very serious | 15 million euros or 3% of global annual turnover |
| Serious | 7.5 million euros or 1% of global annual turnover |
| Minor | 500,000 euros or 0.5% of global annual turnover |

For SMEs and startups, fines may be based on the lower of a percentage of turnover or a fixed amount, per the European regulations. The law also contemplates additional measures such as product removal, system disconnection, or prohibition when there is a significant or unacceptable risk.

Serious violations include non-compliance with transparency obligations, failure to register high-risk systems, resistance to inspections, provision of misleading information to authorities, and breaches by providers, importers, distributors, deployers, or notified bodies.

The law sets limitation periods for infringements: one year for minor, three years for serious, and five years for very serious offenses. Sanctioning procedures will aim for resolution within eighteen months for serious and very serious violations, and within nine months for minor ones.

Complaints, whistleblowers, and interim measures

The project establishes a complaint process allowing individuals or entities to report possible violations of the European AI Regulation. AESIA will set up a one-stop shop and transmit complaints to the competent authority within a maximum of ten working days.

Filing a complaint does not automatically make the complainant a party to a potential sanctioning procedure, but it can trigger analysis, requests for information, inspections, corrective measures, a reasoned dismissal, or the opening of a formal sanctioning procedure.

The bill also provides protections for whistleblowers reporting known violations within a professional or employment relationship, aligning with European and Spanish whistleblower protections.

| Tool | Function |
|---|---|
| One-stop shop | Channel for complaints through AESIA |
| Preliminary actions | Investigate facts before starting procedures |
| Inspection | Verify systems and request information |
| Provisional measures | Avoid damages or escalation of risks |
| Whistleblower protection | Guarantee confidentiality and protection against retaliation |
| Publication of sanctions | Coordination and publication by AESIA |

Authorities may take provisional measures to prevent harm, including requiring system modifications, banning sales, returning products to providers, disabling, disconnecting, or alerting users about risks.

Sandboxes to foster innovation with higher legal certainty

The bill also regulates controlled testing environments for AI. AESIA will be responsible for establishing the mandatory sandbox specified by the European Regulation, though other competent authorities may create additional spaces within their scope.

These environments aim to facilitate the development, testing, and validation of innovative AI systems before commercialization or deployment. They must have sector-specific governance, sufficient resources, and communicate with the AI Office and the AI Council through the single contact point.

The text explicitly mentions healthcare and social health sectors, where AI deployment should preserve human dignity, autonomy, privacy, patient safety, care quality, and professionals’ technical and scientific independence.

What organizations should do now

Although the bill is still under parliamentary processing, companies and public administrations in Spain using AI can draw a clear conclusion: AI governance ceases to be an abstract recommendation and becomes an operational obligation.

Organizations should start by identifying which AI systems they use, who provides them, who deploys them, their purpose, the data involved, and whether they fall into high-risk or transparency categories. Compliance will depend not only on the technology provider but also on the deployer, especially when high-risk systems are used in employment, education, critical services, credit, insurance, biometrics, or the public sector.

| Priority | Recommended action |
|---|---|
| Inventory | Map all AI systems used within the organization |
| Classification | Determine whether each is prohibited, high-risk, subject to transparency obligations, or other |
| Documentation | Record provider, purpose, data, model, and responsible parties |
| Impact assessment | Review fundamental rights, biases, and data protection |
| Human oversight | Assign competent, trained, and authorized personnel |
| Transparency | Inform users when they interact with AI or when synthetic content is involved |
| Incidents | Prepare protocols for notification and response |
| Audit | Maintain logs, traceability, and technical documentation |
| Training | Promote AI literacy among affected teams |
| Internal governance | Assign clear compliance and review responsibilities |

The biggest change will not only be in fines but also in demonstrating control. Organizations will need to know which AI they use, the risks involved, who is responsible, and how oversight is conducted. This traceability will be crucial not only for compliance but also to mitigate reputational and operational risks.

A regulation still in process but with immediate impact on planning

The Organic Bill for the responsible use and governance of AI is not yet an approved law. However, its publication allows us to anticipate the regulatory direction in Spain. The country aims to position AESIA as the central coordination body, distribute responsibilities across sensitive sectors, enable sandboxes, and embed an internal sanctioning regime aligned with the AI Act.

For the tech sector, the message is clear: selling or deploying AI in Spain will now require more than just technical proficiency. Documentation, controls, risk assessments, transparency, incident response capacity, and a clear relationship with authorities will be essential.

For public administrations, the bar also rises. The AI systems inventory and the AI delegate figure could change how algorithms are purchased, deployed, and explained in the public sector. Public AI systems will need to be more traceable, although exceptions may be made for security, fraud, or cybersecurity reasons.

Spain is not creating its own AI Act but building the national machinery to implement it. This machinery will directly impact companies, administrations, tech providers, compliance officers, legal departments, and product teams. AI will continue to advance, but deploying it without internal governance, traceability, and responsible oversight will become increasingly difficult.

Frequently Asked Questions

What is the Organic Bill on the responsible use and governance of AI?

It is a legislative proposal under processing that adapts the Spanish framework to the European AI Regulation, designates competent authorities, regulates sandboxes, introduces obligations for the public sector, and defines sanctions.

Does it replace the European AI Act?

No. The AI Act is a European regulation with direct applicability. The Spanish law develops national aspects such as authorities, coordination, procedures, and sanctions.

What role will AESIA play?

AESIA will be the market surveillance authority for most AI systems, the single contact point, and responsible for the obligatory controlled testing environment.

What are the maximum fines envisioned?

Very serious violations related to prohibited practices can be fined up to 35 million euros or 7% of global annual turnover, whichever is higher.
