Detailed overview
Spain regulates AI through the EU AI Act and through national implementation infrastructure. Spain has created the Spanish Agency for the Supervision of Artificial Intelligence, known as AESIA, and has adopted rules for an AI regulatory sandbox.
AESIA
AESIA is Spain's national AI supervisory agency. It has legal personality, its own assets and operational autonomy. Its role includes supervision, advice, awareness, training and support for the implementation of national and European AI rules. AESIA is relevant for companies operating in Spain because Spain is one of the first EU countries to create a dedicated AI supervisory authority.
AI regulatory sandbox
Spain's Royal Decree 817/2023 establishes a controlled testing environment for AI, commonly called an AI sandbox. A sandbox is a supervised environment where selected organisations can test AI systems with regulatory guidance. Spain's sandbox is designed to help providers and users validate how legal requirements for high-risk AI systems and general-purpose or foundation-model-related AI may work in practice. Participation in the sandbox does not exempt a company from other legal obligations and does not remove liability for damage caused by breach, negligence or intentional misconduct.
Business obligations
For most businesses, the main substantive AI obligations in Spain come from the EU AI Act. This means that a company must first classify its AI system. If the system is prohibited, it cannot be used. If it is high-risk, the provider must implement risk management, data governance, documentation, conformity assessment, human oversight, accuracy, robustness and cybersecurity controls. Deployers of high-risk AI must use the system properly, supervise it, keep logs where required and inform affected persons where the AI Act requires it.
Spain has also published practical compliance guides based on its sandbox work. These guides address issues such as conformity assessment, CE marking, quality management, risk management, human oversight, data governance, transparency, accuracy, robustness and cybersecurity.
Penalties
Penalties for AI Act breaches in Spain follow the EU AI Act structure: up to EUR 35 million or 7% of worldwide annual turnover for prohibited AI breaches, up to EUR 15 million or 3% for many other AI Act breaches, and up to EUR 7.5 million or 1% for supplying incorrect, incomplete or misleading information to authorities.
Spanish sandbox participation does not operate as a general immunity from liability.
Practical requirements & details
Sourced from the EU AI Act, the Spanish Real Decreto 817/2023 (AI regulatory sandbox), the AESIA (Spanish AI Supervisory Agency) founding regulation, and AEPD guidance on AI and personal data.
EU AI Act in Spain
- Applies directly. AESIA is Spain's designated national authority for most AI Act matters.
- Provider/deployer duties identical to the EU baseline.
AESIA — Spanish AI Supervisory Agency
- First dedicated AI supervisory authority in the EU, with legal personality and operational autonomy.
- Powers: supervision, advice, awareness, training, and implementation support for AI Act compliance.
- Coordinates with AEPD (data protection), Banco de España, CNMV and sectoral regulators.
Regulatory sandbox (RD 817/2023)
- Controlled testing environment for AI systems with regulatory guidance.
- Helps providers and users validate high-risk AI and foundation-model requirements in practice.
- Participation does not exempt companies from other legal obligations or liability for damages.
- Outputs feed AESIA's practical compliance guides.
AEPD — data protection
- AEPD has issued AI-specific guidance: "Adecuación al RGPD de tratamientos que incorporan Inteligencia Artificial" — a step-by-step DPIA template for AI.
- Where AI processes personal data: lawful basis assessment, DPIA, data minimisation, accuracy controls, automated-decision safeguards under Art. 22 GDPR.
- AEPD has fined Spanish companies for facial-recognition deployments without sufficient legal basis or DPIA.
Penalties
- EU AI Act fines apply (EUR 35M/7%, EUR 15M/3%, EUR 7.5M/1%).
- AEPD GDPR fines: up to EUR 20M or 4% of worldwide turnover.
- Sandbox participation is not a shield against liability for damage caused by AI.
Related entries
See also the European Union entry, which covers the EU AI Act (Regulation (EU) 2024/1689) — the substantive framework that this jurisdiction implements and supervises domestically.