When the EU AI Act entered into force on 1 August 2024, a question echoed across compliance departments throughout Europe: which authority will actually enforce this regulation, and when?
For 18 of the EU's 27 Member States, that question still had no definitive answer well into 2025. Not for Spain. Spain had been ready since June 2024.
The Agencia Española de Supervisión de la Inteligencia Artificial — AESIA — is the first dedicated AI regulatory authority in the European Union. It was operational before the EU AI Act itself entered into force. It published 16 compliance guides within months of the regulation's entry into force. It selected 12 companies for its AI regulatory sandbox in April 2025. And by mid-2026, it had already opened preliminary investigations into AI systems deployed by Spanish organisations.
For any business that develops, deploys, or uses AI systems in Spain, AESIA is not an abstraction. It is an active regulator with investigatory powers, a growing enforcement programme, and a clear mandate to ensure that AI in Spain operates ethically, safely, and within the law.
This guide explains what AESIA is, what it can do, how it enforces the EU AI Act, what its 16 compliance guides mean for your organisation, and exactly how to engage with it constructively as a compliance professional or business leader.
Build the compliance knowledge AESIA expects. The Compliance with the EU AI Act and Ethics in AI certification from the Spanish Compliance Institute covers AESIA's regulatory framework, enforcement approach, and the practical compliance obligations that sit behind it. Taught by professionals holding globally recognised credentials. Currently €79.99 €49.99. Join 89+ professionals already certified.
What Is AESIA?
AESIA — Agencia Española de Supervisión de la Inteligencia Artificial — is Spain's national authority responsible for supervising, enforcing, and providing guidance on artificial intelligence regulation. It is an autonomous public agency attached to the Ministry of Economic Affairs and Digital Transformation, operating under the Secretary of State for Digitalisation and Artificial Intelligence.
AESIA was created by Royal Decree 729/2023, approved on 22 August 2023 and in force from 3 September 2023. The agency officially launched operations on 19 June 2024 — six weeks before the EU AI Act entered into force on 1 August 2024.
AESIA's headquarters are in A Coruña, in the Galicia region of northwestern Spain — making it the only major European AI regulatory authority operating outside a national capital.
Its official mission, as stated in its founding statute and on its website, is to guarantee the ethical and safe use of artificial intelligence in Spain, ensuring that both public and private entities comply with applicable regulations while protecting privacy, equal treatment, and fundamental rights.
Critically, AESIA is not designed to be a purely sanctioning body. Its statute describes it as an intelligence "Think & Do" organisation — one that investigates problems, develops solutions, advises on compliance, and publishes guidance, alongside its enforcement function. This dual role — regulator and guidance provider — makes it a practical resource for compliant organisations as well as a source of enforcement risk for non-compliant ones.
Why Spain Became Europe's AI Regulatory Leader
Spain's decision to create AESIA before the EU AI Act even entered into force was a deliberate strategic choice, and it has positioned the country as the most advanced national AI governance environment in the EU.
While 18 of the EU's 27 Member States had not designated their national AI authorities by the August 2025 deadline, Spain had already been operating AESIA for over a year. While the European Commission was still drafting high-level guidance on Article 6 high-risk classification, AESIA had published 16 detailed, practical compliance guides developed through real-world sandbox testing.
The IAPP — the world's leading privacy and data protection professional association — described AESIA's guidance work in March 2026 as "genuinely pioneering regulatory work," noting that its guides constitute "one of the first structured sets of interpretative criteria issued by a public authority in Europe."

This matters for businesses operating in Spain for two reasons:
First, Spanish organisations are operating under a more developed and active regulatory environment than their counterparts in most other EU countries. AESIA's investigations are already underway. The enforcement calendar is ahead of the EU average.
Second, AESIA's guidance is the most practically useful official interpretation of EU AI Act obligations currently available anywhere in the EU. Compliance professionals across Europe — not just in Spain — are using AESIA's guides as reference material precisely because the European Commission's own guidance is still being developed.
AESIA's Legal Basis and Structure
AESIA operates within a clear legal framework:
Royal Decree 729/2023 establishes AESIA's statute — its institutional structure, mandate, governance rules, and the scope of its powers. It designates AESIA as Spain's central market surveillance authority for AI under the EU AI Act, as Spain's single point of contact with the European Commission on AI regulatory matters, and as Spain's representative in EU AI governance structures.
The EU AI Act (Regulation (EU) 2024/1689) provides the primary legal basis for AESIA's supervisory and enforcement powers, as well as the obligations it is charged with enforcing.
The Draft Spanish National AI Law (Anteproyecto de Ley para el Buen Uso y la Gobernanza de la IA), approved by the Council of Ministers on 11 March 2025, is the national legislative instrument that will fully transpose the EU AI Act into Spanish law, establish the domestic sanctioning regime, and define the procedural rules for how AESIA and sectoral regulators exercise their powers. This law is currently in the parliamentary process.
Organisational structure: AESIA is led by a president whose position is held by the head of the Secretariat of State for Digitalisation and Artificial Intelligence. The agency includes specialised units covering supervision and inspection, compliance guidance and sandbox management, international coordination, and annual reporting obligations. Its statute requires AESIA to produce a public annual report covering its supervisory activities, findings, and enforcement actions.
AESIA's Powers: What the Agency Can Actually Do
Understanding AESIA's actual powers is essential for any organisation operating AI systems in Spain. Those powers are substantial and already active.
Inspection and Investigation
AESIA has the authority to conduct inspections of AI systems and the organisations that develop, deploy, or distribute them. This includes requesting and accessing documentation required for compliance under the EU AI Act — technical documentation, risk management records, data governance policies, human oversight procedures, incident logs, and more.
Inspections can be triggered by:
- Complaints from individuals, employees, or competitors about a potentially non-compliant AI system
- AESIA's own market surveillance — the agency actively monitors AI systems in the Spanish market for indications of prohibited practices or high-risk non-compliance
- Referrals from other authorities — the AEPD, the Bank of Spain, or other sectoral regulators may refer AI-related issues to AESIA where their mandate intersects with AI compliance
Corrective Measures and Sanctions
AESIA can impose corrective measures including orders to modify non-compliant AI systems, suspend their deployment, or withdraw them from the Spanish market entirely. For organisations whose operations depend on AI tools, withdrawal is often a more commercially severe consequence than a fine.
Once the Draft Spanish National AI Law passes, AESIA will have full sanctioning powers aligned with the EU AI Act's penalty framework:
- Up to €35 million or 7% of global annual turnover for prohibited AI practice violations
- Up to €15 million or 3% of global annual turnover for high-risk system non-compliance
- Up to €7.5 million or 1% of global annual turnover for supplying incorrect information to authorities
Sanctions are categorised into very serious, serious, and minor infringements. A public register of sanctioned entities and corrective orders will be maintained.
International Coordination
AESIA acts as Spain's single point of contact with the European AI Office and national AI authorities across the other 26 EU Member States. For cross-border AI investigations — where an AI system deployed in Spain is developed by a company in another Member State — AESIA coordinates with the relevant authority in that country.
Guidance and Awareness
In addition to its enforcement role, AESIA is statutorily required to provide guidance, publish recommendations, and conduct awareness-raising activities. This includes the 16 compliance guides (covered in Section 6), sandbox management, annual reports, and participation in EU-level standards development.
Spain's Multi-Authority AI Regulatory Architecture
responsibilities in Spain. The EU AI Act's multi-stakeholder governance approach means that several sectoral regulators also have a role — each within their established domain.
| Authority | Domain | AI Oversight Role |
|---|---|---|
| AESIA | All sectors (default) | Primary market surveillance; EU AI Act enforcement; sandbox management |
| AEPD (Data Protection) | Personal data processing | GDPR enforcement intersecting with AI; agentic AI guidance; coordinates with AESIA |
| Banco de España | Banking and credit | AI oversight in banking, credit risk models, automated lending |
| CNMV | Securities markets | AI in financial market operations and investment systems |
| DGSFP | Insurance and pensions | AI in insurance underwriting, claims processing, risk assessment |
| CGPJ | Justice system | AI applications in judicial processes |
| JEC | Electoral processes | AI in electoral communications and voter targeting |
| Labour authorities | Employment | AI in employment decisions, workplace monitoring |
Why this multi-authority architecture matters for your compliance strategy:
Your organisation's AI compliance exposure may span multiple authorities simultaneously. A Spanish bank deploying an AI credit scoring system faces oversight from AESIA (EU AI Act compliance), the Banco de España (sectoral financial regulation), and the AEPD (GDPR, since the system processes personal data). Compliance strategies must account for all relevant authorities, not only AESIA.
AESIA facilitates coordination between these authorities through shared guidance documents, public registers, and inter-agency cooperation agreements. The Draft National AI Law formalises this coordination architecture and specifies which authority takes the lead in cases of overlapping jurisdiction.
For a detailed analysis of how AESIA and the AEPD work together on cases where AI compliance and data protection overlap, see our guide on EU AI Act vs GDPR in Spain: What Your Business Must Do to Comply With Both.

AESIA's 16 Compliance Guides: What Each One Covers
In December 2025, Spain's Minister for Digital Transformation officially announced the publication of AESIA's 16 compliance guides — the product of Spain's AI regulatory sandbox programme and the most comprehensive set of official EU AI Act compliance guidance published by any national authority in the EU.
These guides are non-binding — they do not replace the legal text of the EU AI Act and do not constitute authoritative legal interpretations in the formal sense. However, they represent AESIA's reading of what compliance requires, developed through hands-on testing with real AI systems. In practice, they are the closest thing to an official compliance blueprint that most Spanish organisations will encounter.
AESIA has confirmed that the guides are living documents, subject to regular updates as the European Commission publishes additional guidance and as the Digital Omnibus amending the Act is formally adopted.
The guides are structured in three groups:
Group A — Introductory Guides (01–02)
Guide 01 — Introduction to the AI Act (26 pages)
Covers the main principles of the EU AI Act, its risk-based approach, the roles of economic operators (providers, deployers, importers), key obligations including AI literacy and transparency requirements, and a timeline of the regulation's entry into force dates. Essential reading for any organisation starting its compliance journey.
Guide 02 — Practical Examples (21 pages)
Provides detailed worked examples of AI systems to illustrate how obligations apply in practice. Examples include biometric identification in the workplace, AI tools for HR management, and AI systems for diabetes detection. Also explains key definitions through concrete scenarios — a valuable tool for risk classification exercises.
Group B — Technical Guides (03–15)
Guide 03 — Conformity Assessment (47 pages)
Explains the conformity assessment process for high-risk systems — what it requires, the recommended format, practical steps, and the standards AESIA recommends for demonstrating compliance. The most technically demanding guide in the series.
Guide 04 — Quality Management System
Covers the organisational and technical measures required to comply with Article 17 — the quality management requirements that must be incorporated into any high-risk AI system.
Guide 05 — Risk Management System
Explains the steps needed to implement an Article 9-compliant risk management system — identifying, analysing, evaluating, and mitigating AI system risks. Includes an Excel tool with worked-through use cases.
Guide 06 — Data Governance
Covers Article 10's requirements for training, validation, and testing datasets — relevance, representativeness, bias detection, and documentation requirements.
Guide 07 — Human Oversight
Explains Article 14's human oversight requirements — what it means for a human to be able to understand outputs, override decisions, and stop a system. Includes design requirements for human-in-the-loop and human-on-the-loop implementations.
Guide 08 — Transparency and Labelling
Covers Article 13 (transparency to deployers) and Article 50 (transparency to users and the public) — what must be disclosed, in what format, and to whom. Particularly relevant for AI-generated content obligations.
Guide 09 — General Purpose AI (GPAI) Models
Explains obligations for providers of general-purpose AI models — the documentation, transparency, and copyright obligations that have been in force since August 2025.
Guide 10 — Fundamental Rights Impact Assessment (FRIA)
Covers Article 27's FRIA requirements for deployers of high-risk systems — the assessment's scope, required content, and completion process.
Guide 11 — Accuracy, Robustness and Cybersecurity
Covers Article 15's technical performance requirements for high-risk systems.
Guide 12 — Record Keeping (34 pages)
Helps providers and deployers meet their record-keeping and logging obligations under Article 12 — what must be logged, for how long (minimum six months), and in what format.
Guide 13 — Post-Market Monitoring (38 pages)
Explains the post-market monitoring plan requirements for systems already deployed — what to monitor, how to document it, and when to escalate.
Guide 14 — Incident Reporting (25 pages)
Covers the steps required to report serious incidents involving high-risk AI systems, including timelines, content requirements, and reporting channels to AESIA.
Guide 15 — Technical Documentation (62 pages)
The most detailed guide. Covers the full requirements for Annex IV technical documentation — the ten-category structure every provider of a high-risk AI system must produce and maintain.
Group C — Checklist and Assessment Tools (16)
Guide 16 — Checklist Manual + 13 Excel Compliance Checklists
A compliance self-assessment toolkit. The 13 Excel checklists cover key EU AI Act obligation areas, allowing organisations to document their compliance measures, assess their compliance level against each requirement, and identify gaps requiring remediation. AESIA designed these to serve as a shared reference tool for technical, legal, and management teams — providing a common language for cross-functional compliance discussions.
Where to access the guides: All 16 guides are available free of charge at aesia.digital.gob.es — primarily in Spanish, with some materials available in English.

Spain's AI Regulatory Sandbox
AESIA manages Spain's AI regulatory sandbox — established under Royal Decree 817/2023 — which is one of the most advanced AI testing environments in the EU and the direct origin of the 16 compliance guides.
The sandbox provides a controlled environment in which organisations can develop, test, and validate AI systems under regulatory supervision before placing them on the market. In April 2025, AESIA selected 12 AI projects from Spanish companies to participate — systems operating across six sectors:
- Essential services
- Biometrics
- Employment
- Critical infrastructure
- Machinery
- Healthcare products
Participating companies received direct access to regulatory guidance, hands-on compliance testing against EU AI Act requirements, and a formal assessment of their system's suitability for market deployment. In exchange, AESIA used the learning from these 12 real-world projects to develop the 16 compliance guides published in December 2025.

Why the sandbox matters for your business:
The EU AI Act requires every EU Member State to establish at least one AI regulatory sandbox by 2 August 2026. Spain's is already operational and well-established. SMEs and startups in Spain have access to sandbox participation as a pathway to:
- Direct regulatory guidance on their specific AI system
- Formal compliance assessment before market launch
- Protection from enforcement action for good-faith compliance efforts during the sandbox period
- A structured compliance roadmap from prototype to market-ready product
The sandbox is also open to companies from other EU Member States — participation is not restricted to Spanish-headquartered organisations.
The Draft Spanish National AI Law
The EU AI Act is a directly applicable EU Regulation — it does not require national transposition. However, it leaves certain implementation details to Member States, and Spain's Council of Ministers approved the Anteproyecto de Ley para el Buen Uso y la Gobernanza de la IA on 11 March 2025 to fill these gaps and create a complete domestic AI governance framework.
This draft national law, currently progressing through the parliamentary process, will, when enacted:
- Establish the domestic sanctioning regime — defining Spain's enforcement procedures, the categories of infringements (very serious, serious, minor), and the specific penalty calculation rules within the EU AI Act's maximum thresholds.
- Formalise AESIA's full sanctioning powers — confirming its authority to impose fines up to €35 million or 7% of global annual turnover for the most serious violations.
- Define prohibited practices in Spanish law — implementing Article 5 of the EU AI Act at national level and aligning them with Spain's existing legal framework for fundamental rights protection.
- Establish a multi-authority supervisory architecture — formally assigning roles and coordination mechanisms between AESIA and the AEPD, Bank of Spain, CNMV, DGSFP, and other sectoral regulators.
- Create a public register of sanctioned entities — organisations found to have violated the EU AI Act will be publicly identified.
- Mandate AESIA annual public reporting — covering enforcement activity, incident statistics, sandbox outcomes, and guidance publications.
- Require AI impact evaluations — periodic assessments of enforcement effectiveness and stakeholder consultations.
What this means for your compliance timeline:
The national law's passage will be the point at which AESIA's full sanctioning powers activate for most infringements under the EU AI Act. The EU AI Act itself already provides the legal basis for prohibited practice enforcement (in force since February 2025) and GPAI obligations (in force since August 2025). But the national law will complete the enforcement architecture for the full range of violations — particularly those relating to high-risk system requirements.
Organisations should not interpret the pending national law as a reason to delay compliance. AESIA's investigatory powers are already active. Market surveillance is already underway. When full sanctioning powers activate, the organisations that will be most exposed are those that have not yet begun their compliance programmes.
How AESIA Investigates: What an Inquiry Looks Like
Understanding how AESIA conducts investigations allows compliance professionals to build governance programmes that hold up under scrutiny — not just on paper.
Based on AESIA's published mandate, its statute, and established patterns from comparable EU regulators (particularly the AEPD, whose enforcement approach AESIA is expected to mirror), a typical AESIA inquiry follows this structure:
Stage 1 — Trigger and Initial Assessment
An investigation is triggered by a complaint, a referral from another authority, or AESIA's own market surveillance activity. The initial assessment determines whether the matter falls within AESIA's jurisdiction, whether there is a prima facie indication of a violation, and which specific obligations may have been breached.
Stage 2 — Information Request
AESIA issues a formal information request to the organisation under investigation. This typically requests specific documentation — technical documentation for the AI system in question, risk management records, data governance policies, human oversight procedures, incident logs, and any FRIA completed for the deployment.
This is the moment your documentation either protects you or exposes you. Organisations with complete, current, well-structured compliance documentation can respond efficiently and demonstrate good-faith compliance. Organisations without documentation face a significantly more difficult investigation process.
Stage 3 — Investigation and Assessment
AESIA reviews the submitted documentation, potentially conducts on-site inspections, interviews relevant personnel, and assesses the organisation's AI system and governance practices against the applicable EU AI Act requirements. This stage may include technical assessment of the AI system itself.
Stage 4 — Provisional Findings and Response
AESIA issues provisional findings to the organisation, which has the right to submit a response and provide additional documentation or evidence. This is the organisation's primary opportunity to address any compliance gaps identified.
Stage 5 — Decision and Action
AESIA issues its final decision. Outcomes range from a recommendation to address specific gaps, through corrective orders requiring system modification, to referral to sanctioning procedures once full powers are active. Organisations have the right to appeal decisions through administrative and judicial review mechanisms.
Key takeaway: AESIA's pattern of enforcement — based on AEPD's model — tends to be high volume, proportionate, and systematic. It pursues organisations across all sizes and sectors, not only large enterprises. The AEPD opened 147 AI-related investigations in 2025 alone. Expect AESIA to build toward comparable activity levels as its capacity grows.
For a detailed guide on how to prepare your documentation for an AESIA investigation and what the full audit process involves, see: What to Expect From an EU AI Act Audit: A Step-by-Step Walkthrough for Spanish Organisations.

What AESIA Expects to See From Compliant Organisations
AESIA's 16 guides, sandbox programme, and published communications make its expectations for compliant organisations clear. Based on these sources, organisations that want to operate confidently in Spain's AI regulatory environment should be able to demonstrate:
- A complete AI system inventory — every AI system in use, classified by risk level, with documented rationale for the classification.
- Article 4 compliance evidence — documented AI literacy training delivered to all relevant staff, proportionate to their role and the AI systems they work with. This obligation has been in force since February 2025. See our guide on building an Article 4 AI literacy programme.
- For prohibited AI categories, confirmed non-use: documentation showing that your organisation has assessed whether any systems in use fall into the prohibited categories and has decommissioned or never deployed those that do. See our guide on prohibited AI practices already illegal in Spain.
- For high-risk system deployers, a completed FRIA: documentation of the Fundamental Rights Impact Assessment required from deployers under Article 27, completed before deployment.
- For high-risk system providers, Annex IV technical documentation: the full ten-category technical documentation file required before market placement.
- Governance records — minutes, policies, and decisions demonstrating that AI governance is being actively managed, not just documented in templates.
- Incident management procedures — a documented process for identifying, escalating, and reporting serious incidents to AESIA under Article 73.
- AESIA's own checklist tool — Guide 16's 13 Excel checklists are the clearest statement of what AESIA considers a complete compliance picture. Working through them systematically provides both a compliance roadmap and the documentation evidence to demonstrate it.
How AESIA's Guidance Compares to the Rest of the EU
To understand how significant Spain's regulatory leadership is, it helps to place AESIA in the broader EU context.
Of the 27 EU Member States, only a handful had designated their national AI market surveillance authorities by the August 2025 deadline. Finland became the first Member State to activate full AI enforcement powers in January 2026. Most others were still finalising their institutional arrangements.
Meanwhile, AESIA had been operational for over 18 months, had conducted a fully operational regulatory sandbox, had published 16 detailed compliance guides, and had opened preliminary investigations into Spanish AI deployments.
The practical consequence for compliance professionals is significant: AESIA's guides are the most detailed official EU AI Act guidance currently available from any national authority in Europe. The European Commission's high-risk classification guidance was still being finalised in early 2026. AESIA had already published Guide 02 with worked examples across six sectors and Guide 03 with a 47-page conformity assessment framework.
Compliance professionals in Belgium, Germany, Italy, and other EU Member States are actively using AESIA's guides as interim reference material precisely because their own national authorities have not yet produced equivalent documentation. AESIA is not just Spain's regulator — it is currently serving as a de facto reference point for EU AI Act compliance across the bloc.
Practical Steps for Spanish Businesses Right Now
Given AESIA's active posture, these are the priority actions for any Spanish organisation operating AI systems.
Step 1: Access AESIA's guides immediately
All 16 guides are free at aesia.digital.gob.es. Guide 01 is the starting point for any organisation. Guide 16 (the checklist tool) is the fastest way to assess your current compliance gaps. Do not wait for the national law to pass before using these resources.
Step 2: Conduct your AI inventory using Guide 02's examples
Guide 02's worked examples across six sectors make it significantly easier to classify your own AI systems correctly. If your systems resemble any of the examples in a high-risk sector, treat them as high-risk until you have a documented rationale for a different classification.
Step 3: Address Article 4 AI literacy immediately
This obligation has been in force since February 2025. Every organisation using AI in Spain should have a documented AI literacy programme in place. AESIA's enforcement of this obligation does not require the national law to pass — it derives directly from the EU AI Act.
Step 4: Register on AESIA's communications channels
AESIA publishes guidance updates, sandbox announcements, and enforcement information through its website. Monitor aesia.digital.gob.es regularly. When guides are updated to reflect the Digital Omnibus changes, your compliance programme may need to be adjusted.
Step 5: Consider sandbox participation
If your organisation is developing a new high-risk AI system, sandbox participation provides direct access to AESIA guidance, formal compliance testing, and enforcement protection during the development period. The investment in participation is typically far lower than the cost of post-deployment non-compliance.
Step 6: Engage qualified training and certification
AESIA's guides establish a high bar for what compliance looks like. Meeting that bar requires compliance professionals with genuine knowledge of the EU AI Act's requirements — not just awareness training.
The Compliance with the EU AI Act and Ethics in AI certification from the Spanish Compliance Institute covers AESIA's regulatory framework and all core EU AI Act obligations in structured, expert-led training. 15 hours of on-demand content, Annex IV templates, FRIA workshops, and a verified digital certificate. Currently €79.99 €49.99.
Build the Compliance Knowledge AESIA Expects
AESIA is operational, its guides define clear expectations, its sandbox is selecting new participants, and its investigations are already underway. For Spanish organisations, operating without a structured AI compliance programme is no longer a calculated risk — it is a compliance deficit that the most advanced national AI regulator in Europe is actively working to identify.
The Compliance with the EU AI Act and Ethics in AI certification from the Spanish Compliance Institute gives compliance professionals, business leaders, and legal teams the structured knowledge to meet that bar:
- 15 hours of on-demand training across 7 modules — covering AESIA's regulatory framework, all core EU AI Act obligations, and Spain's national legal context
- Annex IV documentation templates aligned with AESIA's Guide 15 requirements
- FRIA workshops built around AESIA's Guide 10 framework
- ISO 42001 alignment guidance — understanding where the international standard supports your AESIA compliance programme
- Mock and final exams to verify your knowledge
- A verified digital certificate recognised across Europe


