On 26 May 2026, Spain’s Council of Ministers approved a draft Organic Law on the proper use and governance of artificial intelligence, aligning Spain’s national law with Regulation (EU) 2024/1689 (the “EU AI Act”). The legislation aims to create a framework for trustworthy, human‑centric AI, combining regulatory oversight while supporting innovation.
Governance and designated authorities
A central feature of the legislation is the establishment of a structured governance framework, built around designated notifying authorities and market surveillance authorities responsible for overseeing compliance. In line with the EU AI Act, AI-enabled products already subject to sector-specific regulation will remain under their existing supervisory authorities. For AI systems not covered by sector-specific product frameworks —such as those relating to employment, biometrics, or education— supervisory responsibility will primarily fall within the remit of the Spanish AI Supervisory Agency (AESIA), the Spanish Data Protection Agency (AEPD), and the General Council of the Judiciary (CGPJ), depending on the relevant area. The law also promotes cooperation between authorities, with AESIA designated as the single point of contact for supervisory matters.
Sanctions regime
The law establishes a graduated sanctions regime, categorising infringements as very serious, serious, and minor. Penalties are aligned with the EU AI Act framework, with fines reaching up to €35 million or 7% of total worldwide turnover for the preceding financial year in the most serious cases, and up to €500,000 or 0.5% of turnover in the least serious cases. The law grants authorities flexibility in applying sanctions, adapting them to the gravity, intentionality, or recurrence of the infringement, and incorporates mechanisms that prioritise correction over penalisation, such as early-payment reductions, adoption of corrective measures, and specific consideration of company size to protect SMEs and start-ups.
Proper use of AI in the state public sector
Beyond implementing the EU AI Act, the law incorporates its own additional measures to promote the proper use of AI in the state public sector, in response to numerous proposals received during the public consultation. Although some of these measures will be further developed by Royal Decree, these include:
- Creation of an inventory of AI systems used in administrative proceedings, covering not only high-risk systems but all systems, thereby strengthening transparency.
- Establishment of the role of AI delegate, responsible for coordinating the application of the legislation and advising on projects and public procurement.
- Promotion of training and awareness among public employees in the field of artificial intelligence.
Testing environments at the national level
Building on Spain’s early experience with AI regulatory sandboxes, the law formalises the governance of these controlled testing environments and facilitating measures at the national level, with the aim of helping AI providers comply with the legislation. A national-level sandbox, the creation of which is mandatory under the EU AI Act, will be operated by AESIA.
Additional sector-specific sandboxes may be established by market surveillance or notifying authorities within , their respective supervisory sectors, with mandatory participation of authorities responsible for sectoral public policy and fundamental rights.
Key takeaways
The law seeks to enhance the safety of digital environments by imposing accountability on those responsible for AI systems that use prohibited practices— following the EU’s recent decision on 7 May to add two prohibited systems to those already covered under this category—mandating human oversight where fundamental rights may be impacted, promoting algorithmic transparency, and including specific measures for the protection of minors.
The legislation represents a comprehensive effort to embed the EU AI Act within Spain’s legal framework, combining safeguards with the promotion of safe innovation.. Spain frames this legislation within its digital leadership, noting that it has two EU AI factories, a gigafactory project, as well as leading companies in the field. The emphasis on coordinated supervision, public sector accountability and regulatory sandboxes highlights a broader trend across Europe: the development of governance models that seek to reconcile technological advancement with the protection of fundamental rights.