Executive briefing · Spain 2026

Spain’s AI Law: what it requires of your company and how to prove compliance.

The European AI Regulation and its Spanish adaptation require you to inventory, classify and oversee your AI systems, with fines of up to EUR 35M or 7% of turnover. A briefing for boards, compliance and security.


01 — Legal framework

What the new AI Law in Spain is

The Organic Law for the good use and governance of AI adapts the European AI Regulation (AI Act) to Spanish law. A summary of the elements that every board of directors should know before the sanctions regime is fully applicable.

The law at a glance
Statute: Organic Law for the good use and governance of artificial intelligence
Status: Approved by the Council of Ministers on 26 May 2026; before Parliament under the urgent procedure
Full application of the sanctions regime: 2 August 2026, in line with Regulation (EU) 2024/1689 (AI Act)
Supervisory authority: AESIA — Spanish Agency for the Supervision of Artificial Intelligence (A Coruña)
Scope of application: Any company whose AI systems produce effects in Spain or the European Union, regardless of its size
Prohibited practices: 10 unacceptable-risk uses, including sexual deepfakes added at Spain’s initiative
Sanctions regime
| Tier | Maximum fine | % of turnover | Example |
|---|---|---|---|
| Very serious | Up to EUR 35M | 7% of global annual turnover | e.g. use of prohibited systems |
| Serious | Up to EUR 15M | 3% of global annual turnover | breach of high-risk obligations |
| Minor | Up to EUR 0.5M | 0.5% of global annual turnover | formal or transparency infringements |

Proportionality criteria apply and the size of SMEs and startups is taken into account; reductions are available for early payment or corrective measures.

02 — Compliance

Which companies are affected and what must they do?

The law affects any company that develops or uses AI with effects in Spain or the EU. The obligations depend on each system’s risk level, not on the size of the organisation. These are the eight obligations to address.

The eight compliance obligations
| # | Obligation | Applies to | What it involves |
|---|---|---|---|
| 01 | Inventory of AI systems | All systems | Identify every AI system and agent in use, including shadow AI that does not appear in the official inventory. |
| 02 | Classification by risk level | All systems | Assign each system to an AI Act category: prohibited, high-risk, limited-risk or minimal. |
| 03 | Effective human oversight | High-risk | Ensure human control over AI decisions that affect safety or fundamental rights. |
| 04 | Transparency and explainability | Limited-risk | Disclose when a person is interacting with AI and be able to explain how and why the system decides. |
| 05 | Technical documentation and registration | High-risk | Maintain conformity documentation and register high-risk systems where required. |
| 06 | Rights impact assessment | High-risk | Assess the impact on fundamental rights before deploying high-risk systems. |
| 07 | Labelling of AI-generated content | Generative AI | Mark synthetic content — image, audio, video or text — in a legible and machine-detectable way. |
| 08 | AI training and literacy | Whole organisation | Ensure that staff who operate or are affected by AI have adequate training. |

04 — Frequently asked questions

Frequently asked questions about Spain’s AI Law

When does the AI Law come into force in Spain?

The European AI Regulation (AI Act) has been in force since August 2024 and its sanctions regime is fully applicable from 2 August 2026. On 26 May 2026 Spain approved the draft Organic Law for the good use and governance of AI, which adapts that regulation to Spanish law and is being processed under the urgent procedure.

Which companies does the AI Law affect?

Any company that develops, markets or uses AI systems whose effects occur in Spain or the EU, regardless of its size or sector. The obligations depend on the system’s risk level, not on the size of the company. Common uses such as AI in recruitment, credit scoring, customer service or content generation may trigger new obligations.

What penalties apply for non-compliance?

Infringements are classified as very serious, serious and minor. Very serious (for example, using prohibited systems): up to EUR 35 million or 7% of global annual turnover. Serious: up to EUR 15 million or 3%. Minor: up to EUR 500,000 or 0.5%. Proportionality criteria apply and the size of SMEs and startups is taken into account.

What is AESIA?

The Spanish Agency for the Supervision of Artificial Intelligence, headquartered in A Coruña and operational since 2025. It is the national authority that coordinates market surveillance and runs the regulatory sandbox. Other authorities, such as the AEPD and the CGPJ, retain powers within their remits.

Which AI systems are prohibited?

The AI Act bans unacceptable-risk practices: subliminal techniques that cause harm, exploitation of vulnerabilities due to age, disability or socioeconomic situation, biometric categorisation by race or orientation, social scoring and emotion recognition at work or in education, among others. Spain has added a ban on sexual deepfakes. In total there are ten prohibited practices.

What is a high-risk AI system?

A system that can affect safety or fundamental rights: AI in recruitment, education, access to essential services, credit, biometrics, critical infrastructure or safety components of regulated products. It carries enhanced obligations: risk management, technical documentation, human oversight, registration and conformity assessment.

Do I have to label AI-generated content?

Yes. The AI Act imposes transparency obligations: synthetic content (images, audio, video or text generated or manipulated with AI) must be marked in a legible way and, where technically feasible, in a format that machines can detect. You must also inform people when they interact with an AI system, such as a chatbot.

What obligations do I have if I use AI in HR or customer service?

AI for recruitment, evaluation or staff management is usually considered high-risk: it requires effective human oversight, transparency, bias control and documentation. In customer service with chatbots, you must disclose that the user is talking to an AI and meet the transparency obligations.

How does the law affect SMEs and startups?

Obligations apply according to risk, but the law includes proportionality measures: reduced sanctions for early payment or for adopting corrective measures, consideration of company size, and priority access to the AESIA sandbox to test systems safely.

How does it relate to the European AI Regulation (AI Act)?

The Spanish law does not replace the AI Act: it complements it by designating the supervisory authorities, the sanctions regime and the national procedures. The AI Act is directly applicable; the Spanish law enables its governance and enforcement in Spain.

What is the AESIA sandbox?

A controlled testing environment operated by AESIA in which companies can develop and validate AI systems, especially high-risk ones, under supervision and before market launch, reducing regulatory risk.

How can my company prepare now?

Start with an inventory of all AI systems in use, including shadow AI; classify them by risk level; implement human oversight and traceability; document and assess the impact on fundamental rights. A compliance assessment gives you a prioritised gap map so that you are ready by 2 August 2026.

Assess your company’s exposure before August 2026.

Request a compliance assessment: an inventory of your AI, classification by risk and a prioritised gap report, deployed in observation mode and with no impact on production.


This is an informational document; it does not constitute legal advice. The law is currently before Parliament and its wording may change. Sources: Ministry for Digital Transformation and the Civil Service (press release of 26/05/2026) and Regulation (EU) 2024/1689.