Detailed overview
Spain regulates AI through the EU AI Act and through national implementation infrastructure. Spain has created the Spanish Agency for the Supervision of Artificial Intelligence, known as AESIA, and has adopted rules for an AI regulatory sandbox.
AESIA
AESIA is Spain's national AI supervisory agency. It has legal personality, its own assets and operational autonomy. Its role includes supervision, advice, awareness, training and support for the implementation of national and European AI rules. AESIA is relevant for companies operating in Spain because Spain is one of the first EU countries to create a dedicated AI supervisory authority.
AI regulatory sandbox
Spain's Royal Decree 817/2023 establishes a controlled testing environment for AI, commonly called an AI sandbox. A sandbox is a supervised environment where selected organisations can test AI systems with regulatory guidance. Spain's sandbox is designed to help providers and users validate how legal requirements for high-risk AI systems and general-purpose or foundation-model-related AI may work in practice. Participation in the sandbox does not exempt a company from other legal obligations and does not remove liability for damage caused by breach, negligence or intentional misconduct.
Business obligations
For most businesses, the main substantive AI obligations in Spain come from the EU AI Act. This means that a company must first classify its AI system. If the system is prohibited, it cannot be used. If it is high-risk, the provider must implement risk management, data governance, documentation, conformity assessment, human oversight, accuracy, robustness and cybersecurity controls. Deployers of high-risk AI must use the system properly, supervise it, keep logs where required and inform affected persons where the AI Act requires it.
Spain has also published practical compliance guides based on its sandbox work. These guides address issues such as conformity assessment, CE marking, quality management, risk management, human oversight, data governance, transparency, accuracy, robustness and cybersecurity.
Penalties
Penalties for AI Act breaches in Spain follow the EU AI Act structure: up to EUR 35 million or 7% of worldwide annual turnover for breaches involving prohibited AI, up to EUR 15 million or 3% for many other AI Act breaches, and up to EUR 7.5 million or 1% for supplying incorrect, incomplete or misleading information to authorities.
Spanish sandbox participation does not operate as a general immunity from liability.