The Government has approved in the Council of Ministers the draft Law for the proper use and governance of artificial intelligence, a regulation that aligns the Spanish framework with the European AI Regulation. It now needs to go through the parliamentary process in Congress and the Senate before becoming law definitively. This is not an isolated regulation or a national whim: Spain is developing the components that the AI Act leaves in the hands of Member States, particularly oversight, governance, authorizations, and sanctions regimes.
The text sends a clear message to companies, administrations, and technology providers: using AI will no longer be just a matter of product choice or efficiency. It will also be a compliance issue, involving traceability, human oversight, and responsibility. Penalties range from €6,000 for minor violations up to €35 million or 7% of the global annual turnover for the most serious breaches related to prohibited practices.
A sanctions regime to give teeth to the AI Act in Spain
The European AI Regulation, approved in 2024, is directly applicable across the entire European Union but requires each Member State to establish its own control system. The Spanish draft fulfills this function: it defines authorities, sanctions procedures, coordination among supervisors, and rules for particularly sensitive uses, such as real-time remote biometric identification in public spaces.
The regulation classifies violations into minor, serious, and very serious. The strictest penalties target practices prohibited by the European Regulation, such as certain manipulative uses, social scoring systems, illegal biometric classification, or real-time remote biometric identification outside permitted scenarios.
| Type of violation | Expected sanctions |
|---|---|
| Minor | €6,000 to €500,000 or 0.5% to 1% of global turnover |
| Serious | €500,001 to €7,500,000 or 1% to 2% |
| Very serious in high-risk systems | €7,500,001 to €15,000,000 or 2% to 3% |
| Very serious in prohibited practices | €7,500,001 to €35,000,000 or 2% to 7% |
Additionally, the draft introduces an important rule for corporate groups: when the infringing entity belongs to a group, the turnover considered for the penalty calculation will be that of the entire group, not just the directly responsible subsidiary. This aims to prevent large companies from reducing the deterrent effect of fines by using smaller entities.
For SMEs and startups, the regulation takes a proportionate approach. When applicable, fines may be calculated using the lower of the amount or percentage. Moreover, for less serious violations, authorities may suspend proceedings if the company remedies the situation and compensates for damages caused.
The public sector is treated differently. If a public entity commits a violation, the competent authority can declare the violation, issue warnings, and request corrective measures, but administrative fines are excluded. This exception has generated debate, as some experts and associations believe it could weaken the real impact of the regulation when misuse of AI originates from an administration.
AESIA, AEPD, and sectorial supervisors: who will monitor what
The Spanish Agency for AI Supervision (AESIA) is established as the single contact point and one of the central authorities within the system. It will oversee a significant portion of high-risk systems and violations related to transparency or general AI obligations.
But it will not act alone. The draft distributes responsibilities among various authorities. The Spanish Data Protection Agency (AEPD) and regional data protection authorities will supervise certain biometric uses, law enforcement, migration, asylum, and border control. The Bank of Spain and the CNMV will oversee AI systems related to solvency and credit rating. The Directorate-General of Insurance and Pension Funds will be responsible for risk assessment and pricing in life and health insurance. The General Council of the Judiciary and the Central Electoral Board will oversee justice and democratic processes.
This structure reflects an uncomfortable reality: AI cannot be managed through a single point of contact. A system used for personnel selection presents different risks than one used for credit approval, insurance premium setting, medical image analysis, critical infrastructure monitoring, or synthetic content generation. Therefore, governance will necessarily be sector-specific, albeit coordinated.
To avoid conflicting decisions, the draft creates a joint coordination commission of market overseers, chaired and managed by AESIA. It also includes mechanisms for information exchange, annual reporting, and technical assistance among authorities.
Biometrics, deepfakes, and synthetic content
One of the most sensitive sections concerns the use of real-time remote biometric identification systems in publicly accessible spaces. The draft maintains a general ban but regulates exceptional law-enforcement cases. Such uses must be limited to specific individuals, with defined grounds, geographic area, and timeframe, and require prior judicial authorization from the administrative courts.
Authorization must be granted within a maximum of 48 hours. In urgent cases, the system could be used before authorization, but if denied, it must be immediately discontinued and the data collected deleted. The regulation also mandates that data belonging to individuals outside the authorized scope be discarded and securely deleted without undue delay.
Another key point concerns AI-generated or manipulated content. Providers will be required to inform when a person interacts with an AI system, and mark synthetic audio, image, video, or text content to enable its artificial nature to be detected. Deployers will also have transparency obligations when using systems for emotion recognition, biometric categorization, or generating content that could be classified as deepfakes.
This will have a direct impact on media, advertising, entertainment, social media, political campaigns, HR, banking, insurance, and customer service. The question will no longer be just whether content was created with AI, but whether it is correctly identified, documented, and supervised when it could infringe upon rights or cause deception.
What companies should do now
Although the legislation still needs to pass through parliament, waiting for publication in the BOE (Official State Gazette) would be a mistake for any organization already using AI in relevant processes. Preparation should start with the basics: understanding which AI systems are in use, who contracted them, who supervises, which data they use, what decisions they support, and which providers are involved.
Most companies do not require an overly bureaucratic structure, but a reasonable control system is necessary. An internal inventory, risk classification, minimal documentation, contractual review, and team training can prevent major issues. AI used for drafting internal emails does not carry the same risk as a system that filters candidates, recommends layoffs, calculates insurance premiums, or manages access to essential services.
| Compliance Area | Practical Measure |
|---|---|
| Inventory | Register all used, developed, or integrated AI systems |
| Risk | Classify each system according to the European AI Regulation |
| Transparency | Inform when there is interaction with AI or relevant synthetic content |
| Human oversight | Define responsible parties with training, authority, and intervention capacity |
| Traceability | Maintain records, technical documentation, and evidence |
| Providers | Review contracts, instructions, responsibilities, and guarantees |
| Data | Assess data quality, relevance, representativeness, and protection |
| Impact | Carry out evaluations when fundamental rights are involved |
| Training | Promote AI literacy for technical, legal, managerial, and business teams |
Regulation does not prohibit innovation. Instead, it raises the bar when AI could impact rights, safety, employment, education, essential services, or public information. For many organizations, the risk is not in using AI but in deploying it without a clear understanding of where, how, and with what controls.
The regulation also contemplates strict provisional measures. In cases involving risks to security, health, or fundamental rights, authorities could prevent the commercialization of a system, remove it from the market, issue public warnings, alert users, or even destroy or disable the system. For serious violations or incidents, systems could be removed or disconnected.
The message for boards is straightforward: AI is now on the corporate risk agenda. It is no longer enough for the technical team to test tools or for a department to contract with AI solutions. Management will need to know what systems are in use, what risks they pose, and what evidence supports compliance.
Spain is not creating a parallel framework to the European one but is translating the AI Regulation into the national administrative and enforcement reality. Parliamentary procedures may introduce changes, but the direction is set. AI is leaving the grey zone. From now on, anyone deploying it must be able to explain what it does, why, who supervises it, and what happens if it fails.
Frequently Asked Questions
Is the AI Law already in effect?
No. The Council of Ministers has approved the bill, but it still needs to go through Congress and the Senate, be definitively approved, enacted, and published in the BOE.
What is the maximum fine for AI misuse?
For the most serious violations related to prohibited practices, fines can reach up to €35 million or 7% of the global annual turnover, whichever is higher.
What role will AESIA play?
The Spanish Agency for AI Supervision (AESIA) will serve as the single contact point and a central authority for oversight, coordination, and supervision of AI in Spain.
What should companies do now?
Create an inventory of AI systems, classify risks, review providers, document decisions, train teams, establish human oversight, and coordinate compliance with GDPR, cybersecurity, intellectual property, and sector-specific regulations.
Source: Digital