Status of the AI Regulations

The EU AI Act is addressed separately here.

As noted above, Spain is in the process of adopting a dedicated national AI statute to implement and supplement the EU AI Act domestically. The bill was approved by the Council of Ministers on May 26, 2026, and subsequently published in the Official Journal of the Parliament on June 12, 2026, formally initiating parliamentary processing.

Other legislative and institutional milestones include:

• The Draft Spanish AI Bill, approved by the Council of Ministers on March 11, 2025.
• The AESIA Statute which was approved on August 22, 2023 and has been in force since September 2, 2023. AESIA has been operational since June 2024.⁹ In this regard, the Spanish AI Bill also mandates the Government to adapt AESIA's legal status within six months of entry into force.
• The RD Sandbox which was approved on November 8, 2023 and has been in force since November 10, 2023, with a maximum duration of 36 months from its entry into force or until the EU AI Act is applicable in Spain. The first set of projects subject to the sandbox were selected in April 2025.

Furthermore, Spain has successfully promoted an amendment to the EU AI Act to introduce an explicit prohibition on AI systems that generate sexual deepfakes, which is pending formal adoption by the Council and is expected to apply from December 2, 2026.

Other laws affecting AI

There are a number of laws that do not directly seek to regulate AI but may affect the development or use of AI in Spain. Three areas have become particularly relevant in Spain: minors and digital environments; deepfakes and personality rights; and democratic governance of digital services and media.

First, the Organic Bill for the protection of minors in digital environments is the most advanced of these related initiatives.¹⁰ It was presented to the Spanish Congress on March 27, 2025 and admitted for processing on April 8, 2025, subject to urgent procedure and at the time of this publication appears at the Justice Committee report stage. The bill is relevant to AI because it addresses concerns linked to sexual deepfakes, grooming, age safeguards, harmful online content and child protection in digital services.

Second, in January 2026, the Council of Ministers approved a preliminary draft Organic Law on civil protection of the right to honor, personal and family privacy, and one's own image.¹¹ At the time of this publication it remains at the pre-legislative stage, rather than parliamentary processing subject to certain reports and contributions before returning to the Council of Ministers. The reform is relevant to AI because it is intended to adapt the civil protection framework for honor, privacy and image rights to the digital environment, including unauthorized usage of a person's image, voice or likeness through AI or deepfake techniques.

Third, the bill on democratic governance in digital services and media regulation is also before the Spanish Congress.¹² It was presented on July 30, 2025 and admitted for processing in August 2025. At the time of this publication, it is at the amendments stage in the Economy, Trade and Digital Transformation Committee. It is not an AI law, but it affects the broader ecosystem in which algorithmic systems operate, including platforms, media, transparency and digital supervision.

Additionally, a non-exhaustive list of other Spanish legal frameworks that may affect the development of deployment of AI systems includes:

• Data protection and digital rights, including Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights
• Personality and image rights, including Organic Law 1/1982 on the civil protection of the right to honor, personal and family privacy and self-image¹³
• Competition and unfair competition, including Law 15/2007 on the Defence of Competition Law 3/1991 on Unfair Competition
• Equality and non-discrimination, including Law 15/2022 on equal treatment and non-discrimination
• Rectification, information society services, digital platforms and media, including Organic Law 2/1984 on the right of rectification, Law 34/2002 on information society services and electronic commerce, Law 11/2022 General Telecommunications Law, and Law 13/2022 General Audiovisual Communication Law
• Employment and workplace regulation, including Royal Legislative Decree 2/2015, which approved the revised text of the Workers' Statute Law and Law 10/2021 on remote work
• Intellectual property, including Royal Legislative Decree 1/1996 approving the revised text of the Intellectual Property Law
• Law 2/2023 on whistleblower protection, which establishes internal and external reporting channels and protects informants against retaliation, and to which the Spanish AI Bill expressly links its enforcement framework for the reporting of AI-related infringements

A further Spanish development worth mentioning is the BOSCO litigation. The Spanish Supreme Court ordered the Public Administration to provide access to the source code of the software used to determine eligibility for the electricity social bonus. Although not an AI statute, the case is relevant background for public-sector algorithmic transparency and access to algorithmic source code.

Definition of “AI”

Spain's National AI Strategy explicitly mentions that there is still no formal and universally accepted definition of AI and merely refers to the one used by the European Commission. Notwithstanding the above, Spain's RD Sandbox contains some useful AI-related definitions. In particular:

• "AI system" is defined as: "system designed to operate with a certain level of autonomy and which, based on input data provided by machines or by people, infers how to achieve a set of objectives set using machine-learning strategies or based on logic and knowledge, and it generates output information, such as content (generative artificial intelligence systems), predictions, recommendations or decisions, that influence the environments with which it interacts".¹⁴
• "High-Risk AI System" is defined as: "an artificial intelligence system that meets any of the following:
  • An artificial intelligence system constituting a product governed by the Union harmonization legislation shall be considered high risk if it is to be subject to a conformity assessment by a third party with a view to the introduction into the market or commissioning of such a product in accordance with the aforementioned legislation
  • An artificial intelligence system to be used as a component that performs a safety function and whose failure or malfunction endangers the health and safety of persons or property in a product regulated by a harmonized standard of the European Union, whether it is to be subjected to a conformity assessment by a third party with a view to the placing on the market or putting that product into service in accordance with the applicable harmonization legislation. This assumption will be applicable, even if the artificial intelligence system is marketed or put into service independently of the product
  • An artificial intelligence system, from the list of specific areas in which certain artificial intelligence systems are considered high risk, provided that the response of the system is relevant to the action or decision to be taken and may therefore cause a significant risk to health, the rights of workers in the workplace or safety or fundamental rights"¹⁵
• Spain's RD Sandbox defines "general-purpose AI system" as: "an artificial intelligence system that, regardless of the mode in which it is marketed or put into service, including as open source software, is intended by the system provider to perform general application functions, such as text, image and speech recognition; the generation of texts, audios, images and/or videos; pattern detection; answering questions; translation and others"¹⁶

Spain's most recent contribution in this field is the practical translation and guidance offered to interpret these categories by AESIA and the AEPD. AESIA's guides provide useful guidelines to interpret concepts such as high-risk AI systems, provider obligations, deployer obligations, documentation, risk management or human oversight. The AEPD has also begun to address concrete AI categories such as agentic AI from a data protection perspective.

Territorial scope

It is expected that the Spanish AI Bill will apply throughout Spain once enacted and will govern any AI system that: (i) is placed on the Spanish market; (ii) is put into service or used in Spain; or (iii) produces effects in Spain, irrespective of where its provider is established.

Likewise, the Spanish Guidelines act as a valid reference in every Spanish autonomous community, and have the objective of achieving consistency, ensuring organization and cohesion, territorial governance and coordination between different administrative spheres, from the national to the local level. They also address coordination with regulation and policies at the European level.

Spain's National AI Strategy also reflects an international cooperation agenda, including on promoting participation in international forums such as the Council of Europe or the OECD, as well as through Spain's adherence to European initiatives such as the Digital Agenda for Europe adopted in 2018, the Coordinated Plan on AI 2019-2027, and the White Paper on Artificial Intelligence published in February 2020.

Sectoral scope

Spain's AI regime is cross-sectoral in its foundations: the EU AI Act and the Spanish AI Bill are intended to apply horizontally across all economic sectors and public-sector bodies.

However, certain exclusions apply to AI for: (i) defense and national security; (ii) purely personal or household use; and (iii) R&D activities carried out in closed environments.

While the horizontal framework sets the baseline, Spain's AI governance is increasingly complemented by sector-specific layers that apply and specify the general rules in particular fields. Significant developments have already emerged, or are actively underway, across a growing number of sectors, including justice, data protection, public administration, minors' rights, employment, financial supervision, competition, and regional public-sector AI.

The justice sector has also seen a particularly important development. General Council of the Judiciary (CGPJ) Instruction 2/2026, of January 28, 2026,¹⁷ sets criteria for the use of AI systems in judicial activity. The Instruction frames AI use as auxiliary and subject to effective human control and judicial responsibility, including non-substitution of judges, respect for fundamental rights, confidentiality, security, prevention of algorithmic bias, proportionality, limited use and training.¹⁸

On February 18, 2026, the AEPD published guidance on agentic AI from a data-protection perspective.¹⁹ The guidance defines an AI agent as an AI system using language models to achieve a goal and analyses the data protection issues that may arise when controllers and processors use agentic AI systems in personal data processing. It focuses on the additional considerations arising from autonomy, tool use, chained decision-making and the difficulty of attributing responsibility for agent behavior.

This development is important as an early regulatory reference for agentic AI in Europe, because it addresses a recent technological trend from an established GDPR analytical framework considering concepts such as accountability, purpose limitation, minimization, security, data protection by design or human control. The AEPD has further addressed AI-based voice transcription, including responsibility, transparency, data subject rights, errors in transcription and the possibility that emotion detection or inference of special-category data may trigger strict data protection requirements or even intersect with prohibited AI practices.²⁰

Compliance roles

In line with the EU AI Act, Spain's forthcoming AI regime assigns clear legal duties to all the different actors who have a role in the AI space value chain. Therefore, in line with European regulations, there are specific obligations for providers (developers or manufacturers), distributors, importers or deployers or authorized representatives.

Further to AESIA's practical guides, the compliance conversation in Spain has become more evidence-based and documentation-driven. These guides are especially important for companies, because they provide a first Spanish operational map for implementing high-risk AI obligations before the full national enforcement framework is in place.

Additionally, Chapter IV of the Spanish AI Bill introduces a dedicated compliance layer exclusively for Spain's central public sector. The bill promotes the responsible use of AI within Spain's central public sector, and includes obligations relating to transparency in AI-assisted decision-making, the creation of a central inventory of AI systems in use, and the appointment of an AI delegate within each public body responsible for coordinating compliance.

Core issues that the AI Regulations seek to address

The EU AI Act adopts a risk-based model. The published Spanish AI Bill does not aim to create a separate domestic risk classification but incorporates the EU AI Act categories by direct reference and builds a national governance, supervision and enforcement framework around them. Its core objectives are to designate and coordinate the competent market surveillance authorities, establish a sanctions regime, regulate the use of AI within Spain's central public sector, and provide procedural safeguards such as complaints channels and whistleblower protection.

Additionally, other core issues that future AI regulations may seek to address may be inferred from AESIA's main objectives, which are the following:

• The awareness, dissemination and promotion of training, development, and responsible, sustainable and reliable use of artificial intelligence
• The definition of mechanisms for advising and assisting society and other actors related to the development and use of artificial intelligence
• Collaboration and coordination with other national and supranational authorities for the supervision of artificial intelligence
• The promotion of real test environments for artificial intelligence systems, in order to reinforce the protection of users and avoid discriminatory biases
• The supervision of the implementation, use or commercialization of systems that include artificial intelligence and, especially, those that may pose significant risks to health, safety, equal treatment and non-discrimination, particularly between women and men, and to other fundamental rights

Therefore, the Spanish framework should be understood against the EU AI Act's risk-based model, which distinguishes between prohibited practices, high-risk AI systems, transparency obligations for certain AI systems and lower-risk uses.

Risk categorization

Spain now follows the four-tier model laid down in the EU AI Act which divides between: (i) unacceptable risk, which is prohibited (e.g., social scoring); (ii) high risk, subject to the most detailed compliance obligations (e.g., affecting safety components of a product); (iii) limited risk, with mainly transparency duties (e.g., disclosure of chatbots, labelling of deep-fakes, notice of emotion-recognition); and (iv) low or minimal risk, not included in previous categories, and not subject to new obligations beyond existing law.

Additionally, the RD Sandbox also uses this hierarchy, because it only allows high-risk or general-purpose AI systems to be tested under its safe environment.

Key compliance requirements

The main substantive compliance duties for AI operators derive from the EU AI Act. The Spanish AI Bill is expected to establish the domestic supervision and enforcement framework, including sanctions.

Regulators

As mentioned above, AESIA is already operational and acts as Spain's central market-surveillance authority for AI. It conducts inspections and—once the enforcement powers derived from the EU AI Act and the current Spanish AI Bill enter into force—it is expected to act with full sanctioning authority. Moreover, the Spanish AI Bill designates AESIA as Spain's single point of contact, with coordination functions vis-à-vis the European Commission, the AI Office and the AI Board and the authorities of other Member States.

Additionally, the AEPD and sectoral regulators in areas such as competition, finance, employment, health and justice, constitute key regulatory actors in the Spanish AI field. For instance, the AEPD has publicly clarified that it can already act against certain prohibited AI systems or AI uses where they involve personal data processing and infringe data protection law, even before Spain formally implements the national law designating market surveillance authorities under the AI Act. Another important actor is the Artificial Intelligence Advisory Council, which advises the government on the design and dissemination of AI policies. This body will contribute to the development of the National Artificial Intelligence Strategy and the analysis of its implications.

Enforcement powers and penalties

The Spanish AI Bill establishes a four-tier sanctions regime, with maximum fines ranging from €500,000 or 0.5% of global annual turnover (whichever is higher) for minor infringements, to €35 million or 7% for the most serious prohibited-practice violations, with reduced caps for SMEs and start-ups. In the case of prohibited-practice infringements or where an AI system has caused a serious incident, authorities may additionally order the withdrawal, disconnection or prohibition of the AI system where it poses an unacceptable or serious risk. Persistent failure to comply with remediation obligations may result in restrictions on or prohibition of the marketing of the high-risk AI system, and competent authorities may impose periodic penalty payments of up to 10% of the original fine for continued non-compliance. Market surveillance authorities may also adopt interim measures — including restricting an AI system's marketing or ordering its withdrawal — before opening formal sanction proceedings, where there is an urgent need to protect health, safety or fundamental rights.

The enforcement framework also includes (i) a single-entry complaints channel through AESIA, which forwards complaints to the competent market surveillance authorities; (ii) whistleblower protection under dedicated Spanish Law 2/2023; and (iii) a correction-before-penalty mechanism for minor infringements under which the authority may close the case with a formal warning but without further sanctioning effects or publication, where the infringer adopts the required corrective measures and acknowledges responsibility.

The Spanish AI Bill grants sanctioning powers to all designated market surveillance authorities, including AESIA.

Regional regulation

In addition to Spain's aforementioned national regulatory and strategic frameworks on artificial intelligence, several autonomous communities have adopted their own set of initiatives to address the specific socioeconomic, institutional, and technological needs of its region. These include approved or developing AI strategies (such as those in Catalonia, Andalusia, Galicia, or the Basque Country, amongst others), broader digital transformation plans with significant AI components, and in some cases, binding legal instruments—most notably Galicia's pioneering Law 2/2025 on the Development and Promotion of Artificial Intelligence in Galicia, the first regional legislation on AI in Spain.²¹

The Community of Madrid began processing its first Law on Digital Administration and Artificial Intelligence in November 2025, focused on ethical and secure use of AI by the regional administration and safeguards for citizens interacting with AI-enabled public services.²²

Whilst the legal force, institutional architecture, and policy focus vary across regions, these instruments share a commitment to promoting a trustworthy, human-centric, and ethically grounded approach to AI in the different autonomous communities. Nevertheless, common elements include safeguards for algorithmic transparency and oversight, support for research and innovation ecosystems, integration of AI into public services, and mechanisms to prevent bias and ensure accountability in automated decision-making. Altogether, these regional frameworks complement and reinforce national efforts, adding territorial specificity to Spain's multilevel regulation of AI.

_{1 Spanish Council of Ministers, Reference of the Council of Ministers meeting of 11 March 2025, approving the preliminary draft law on the good use and governance of artificial intelligence is available here. 
2 Spanish Council of Ministers, Reference of the Council of Ministers meeting of May 26, 2026, approving the Proyecto de Ley Orgánica para el buen uso y la gobernanza de la inteligencia artificial for submission to Parliament is available here. Spanish Ministry for Digital Transformation and Public Administration, press release of May 26, 2026 is available here. The full text of the Spanish AI Bill as submitted to Congress was published in the Boletín Oficial de las Corte Generales, nº 97-1, 12 June 2026, and is available here.
3 Royal Decree 817/2023, of 8 November, establishing a controlled testing environment for artificial intelligence systems is available here.
4 AESIA's publication of support guides for compliance with the EU AI Act, 16 December 2025 is available here.
5 The Order ETD/670/2020 is available here.
6 The Charter of Digital Rights is available here.
7 The National AI Strategy is available here.
8 The OECD Legal Instrument 0449 – Recommendation of the Council on Artificial Intelligence is available in English here.
9 The Royal Decree 729/2023, approving the Statute of AESIA is available here.
10 The Organic Bill for the protection of minors in digital environments is available here.
11 Spanish Ministry of Justice, press release of January 13, 2026 on the preliminary draft Organic Law on civil protection of the right to honor, personal and family privacy and one's own image is available here.
12 Bill on democratic governance in digital services and media regulation is available here.
13 This law currently remains the applicable framework, subject to the January 2026 preliminary draft reform (as detailed above) intended to replace this law and adapt the civil protection regime to the digital environment, including artificial intelligence, social media and deepfake techniques.
14 The Royal Decree 817/2023 is available here, Article 3(3).
15 The Royal Decree 817/2023 is available here, Article 4.
16 The Royal Decree 817/2023 is available here, Article 3(5).
17 General Council of the Judiciary, Instruction 2/2026, of 28 January, on the use of artificial-intelligence systems in judicial activity is available here.
18 A recent example of these rules applied in practice in the justice sector involves a EUR 1,000 disciplinary fine imposed by the CGPJ on a judge for using an AI tool in the drafting of a judgment and disclosing personal and confidential data through an unauthorized AI tool. The CGPJ reportedly treated the matter as a serious disciplinary issue, while distinguishing auxiliary use of AI from full substitution of judicial decision-making.
19 AEPD, guidance on agentic artificial intelligence, February 18, 2026, is available here.
20 AEPD, blog posts on AI-based voice transcription, January 14, 2026 and April 20, 2026, are available here and here.
21 Galicia Law 2/2025, of 2 April, on the development and promotion of artificial intelligence in Galicia is available here.
22 Community of Madrid, preliminary draft Law on Digital Administration and Artificial Intelligence is available here.}

Carmen Imaz (Associate, White & Case, Madrid) contributed to this publication.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2026 White & Case LLP}