AESIA: Spain's AI Supervision Agency and Why It Matters
AESIA (Agencia Española de Supervisión de la Inteligencia Artificial) is Spain's designated national competent authority for EU AI Act enforcement. Established by Royal Decree 729/2023 and operational since June 2024, it's the first dedicated AI supervisory agency in the EU — and it's not just first chronologically. It's the most operationally advanced.
Here's what makes AESIA stand out: while most member states are still designating authorities and sorting out institutional structures, AESIA has already published 16 detailed compliance guides, selected 12 sandbox projects, and built an operational enforcement apparatus. The IAPP called AESIA's output "genuinely pioneering regulatory work" in March 2026. That's not hype — nobody else is close.
Why should you care if you don't operate in Spain? Because AESIA's guides fill a gap the European Commission hasn't closed yet. The Article 6 high-risk classification guidelines were overdue. Commission-level guidance on conformity assessments, technical documentation, and risk management is still materialising. AESIA's 16 guides are the most practical, detailed official interpretation of EU AI Act obligations available anywhere in the EU right now. Other regulators and compliance professionals across Europe are already using them as reference material.
National AI law in progress: Spain is also preparing a national AI bill — the Anteproyecto de Ley para el Buen Uso y la Gobernanza de la IA — approved by the Council of Ministers on 11 March 2025. It adapts Spain's legal framework to the EU AI Act, establishes a domestic sanctioning regime, and defines prohibited practices. Meanwhile, the AEPD (Spain's data protection authority) has published separate guidance on agentic AI systems, covering opacity, manipulation, and user control risks.
AESIA's 16 Compliance Guides: What They Cover
AESIA published these guides on 10 December 2025, developed through Spain's regulatory sandbox pilot with input from industry participants, technical assistants, and potential competent authorities. They're available in both Spanish and English at aesia.digital.gob.es/en/guides. I've worked through all 16 — here's what each covers and how it connects to practical compliance work.
| # | Guide Topic | Key Coverage | Tool Connection |
|---|---|---|---|
| 01 | Introduction to AI Regulation | Risk-based approach, roles, obligations overview, key dates | Compliance Guide |
| 02 | Practical Examples | Biometric ID, HR tools, diabetes detection, deepfakes, GPAI | Compliance Checker |
| 03 | Conformity Assessment | Assessment format, steps, standards recommended by AESIA (47pp) | Deployer Assessment |
| 04 | Quality Management System | QMS structure aligned to AI Act requirements | ISO/NIST Gap Analyzer |
| 05 | Risk Management | Risk identification, assessment, and mitigation for high-risk AI | Risk Classification |
| 06 | Human Oversight | Human-in-the-loop vs human-on-the-loop, intervention design | Deployer Guide |
| 07 | Data & Data Governance | Training data quality, bias, provenance, GDPR alignment | AI Act vs GDPR |
| 08 | Transparency | Article 50 labeling, watermarking, user notification | Transparency Validator |
| 09 | Accuracy | Accuracy metrics, lifecycle monitoring measures (62pp) | — |
| 10 | Robustness | Robustness measures for providers and deployers (73pp) | — |
| 11 | Cybersecurity | Security measures list with implementation guidance (79pp) | — |
| 12 | Record Keeping | Lifecycle record-keeping for providers and deployers | — |
| 13 | Post-Market Monitoring | Surveillance plans, performance tracking | — |
| 14 | Serious Incidents | Incident reporting obligations, notification procedures | Incident Playbook |
| 15 | Technical Documentation | Documentation requirements for high-risk systems | — |
| 16 | Checklist Manual | Excel self-assessment tool: maturity scoring + adaptation plan | Compliance Checker |
How to Use AESIA's Guides (Practical Advice)
These guides aren't legally binding — they're authoritative interpretive guidance developed within AESIA's sandbox. They represent AESIA's reading of the regulation, which may differ from other member state authorities on specific points. Use them as a structured starting point, especially where Commission-level guidance is missing. Cross-reference with the official EU AI Act text on Eur-Lex and any Commission guidelines as they appear. AESIA has committed to updating the guides once the Digital Omnibus amending the AI Act is approved.
AESIA's 16 guides: introductory (01-02), technical (03-15), and checklist manual (16) — the most comprehensive official AI Act guidance in the EU.
Spain's AI Regulatory Sandbox: 12 Active Projects
Spain was the first EU member state to operationalise an AI regulatory sandbox, established under Royal Decree 817/2023 with a maximum 36-month duration. In April 2025, 12 AI projects were selected to participate. The sandbox isn't just a testing environment — it's the laboratory that produced AESIA's 16 compliance guides. Every guide was tested against real AI systems under regulatory supervision before publication.
What does sandbox participation actually give you? A controlled testing environment with direct regulatory engagement, practical compliance experience documented under supervision, evidence that strengthens your compliance documentation, and a pathway to understanding how regulators interpret obligations in practice. If you're an SME or startup building AI that could be classified as high-risk, sandbox participation is one of the most cost-effective compliance preparation strategies available.
The sandbox is open to cross-border applications — you don't have to be a Spanish company. SMEs and startups get priority access under Article 57. Contact AESIA for current eligibility and application procedures.
Spain's Enforcement Approach and Penalties
AESIA's track record — 16 guides, a sandbox programme, an active AI literacy plan — signals a "guidance-first, enforcement-second" approach in the initial enforcement period. That said, don't mistake guidance for leniency. Spain's AEPD (data protection authority) has been among the most prolific GDPR enforcers in the EU by number of fines issued. The institutional culture around regulatory enforcement is assertive.
| Violation Category | Maximum Fine | % of Worldwide Turnover |
|---|---|---|
| Prohibited AI practices (Article 5) | €35 million | 7% |
| High-risk AI non-compliance | €15 million | 3% |
| Incorrect/misleading information to authorities | €7.5 million | 1% |
No formal fines have been issued under the EU AI Act by any member state as of March 2026. Spain's draft national AI law will add procedural rules for penalty calculation within the framework set by the Regulation. Once that law is enacted and AESIA receives full sanctioning powers, expect enforcement to follow the AEPD's pattern: high volume, proportionate fines, and a willingness to act early.
Digital Omnibus watch: AESIA has flagged that its guides are subject to revision once the EU's Digital Omnibus Simplification Package is approved. If high-risk obligation timelines shift, AESIA will update accordingly. Don't treat the current guides as permanently fixed — they're living documents.
FAQ: EU AI Act in Spain
Who enforces the EU AI Act in Spain?
AESIA (Agencia Española de Supervisión de la Inteligencia Artificial), established by Royal Decree 729/2023 and operational since June 2024. It's the first dedicated AI supervisory agency in the EU, with 16 published compliance guides and 12 active sandbox projects. The AEPD retains GDPR enforcement where AI processes personal data. See our EU AI Act Compliance Guide for the full enforcement overview.
Are AESIA's guides legally binding?
No. They're authoritative non-binding practical guidance, developed through Spain's regulatory sandbox with industry input. They represent AESIA's interpretation — the most detailed available in the EU as of March 2026 — but they don't replace the official regulation or Commission guidelines. Use them as a structured starting point and cross-reference with the EU AI Act text.
Can non-Spanish companies use AESIA's guides?
Yes. All 16 guides are available in English at aesia.digital.gob.es/en/guides. The EU AI Act applies uniformly across member states, so AESIA's interpretive guidance is useful for any company complying with the Act, regardless of location. The IAPP has noted these guides may influence how other regulators approach AI Act compliance.
Can my company join Spain's sandbox from another country?
The sandbox is open to cross-border applications. Twelve projects were selected in April 2025. SMEs and startups get priority access under Article 57. Contact AESIA for current eligibility and application procedures. Sandbox participation provides regulatory engagement, compliance documentation evidence, and practical experience with how authorities interpret obligations.
Does Spain have a national AI law beyond the EU AI Act?
Spain is preparing a draft national AI law (Anteproyecto de Ley para el Buen Uso y la Gobernanza de la IA), approved by the Council of Ministers on 11 March 2025. It adapts Spain's framework to the EU AI Act and establishes a domestic sanctioning regime. The EU AI Act already applies directly as a Regulation. The Spanish bill adds national enforcement procedures, institutional structure, and penalty calculation rules.
Operationalise AESIA's Guidance with Free Tools
AESIA provides the interpretation. These tools help you implement it.
EU AI Act Compliance Checker
Check if your AI systems are in scope. Maps to AESIA Guide 01-02.
Deployer Self-Assessment
Map your deployer obligations. Aligns with AESIA Guide 03-06.
AI Literacy Planner
Build your Article 4 training programme. Links to AESIA literacy guidance.
Transparency Validator
Check Article 50 compliance. Pairs with AESIA Guide 08.
Need Structured Templates and Evidence Packs?
Our compliance toolkits provide the templates, checklists, and documentation frameworks that operationalise AESIA's guidance into audit-ready evidence. Built for deployers preparing for August 2026.
Abhishek G Sharma
Founder, Move78 International | 20+ Years Cybersecurity & Risk Management
ISO 42001 LA • ISO 27001 LA • CISA • CISM • CRISC • CEH • CCSK • CAIGO • CAIRO
Disclaimer & Legal Notice
This guide provides general information about EU AI Act implementation in Spain. It doesn't constitute legal advice. AESIA's guides are non-binding and may be updated. Spain's national AI law is in draft form as of March 2026. Consult qualified legal counsel for compliance advice specific to your organisation. EU AI Compass and Move78 International Limited accept no liability for decisions made based on this content.
Last updated: March 2026. AESIA's guide count and sandbox status may have changed since publication.
Sources & Legal Basis
- AESIA — Practical Guides for AI Act Compliance (English)
- IAPP — AESIA's AI Guidelines: Spain Steps into the Spotlight (March 2026)
- Alston & Bird — Guidance from the Spanish AI Regulator (December 2025)
- White & Case — AI Watch: Global Regulatory Tracker — Spain
- Covington — Spain Issues Guidance Under the EU AI Act (December 2025)