Status of the AI Regulations

The EU AI Act is addressed separately here.

As noted above, Spain is in the process of adopting its first comprehensive AI statute while preparing for the direct application of the EU Artificial Intelligence Act. The updated National AI Strategy 2024 (which replaces the 2020 version) now serves as the overarching policy framework intended to guide national initiatives in line with EU policies at least until the end of 2025.

Other legislative and institutional milestones include:

• The Draft Spanish AI Law (Anteproyecto de Ley para el Buen Uso y la Gobernanza de la IA), approved by the Council of Ministers on March 11, 2025
• The AESIA Statute which was approved on August 22, 2023 and has been in force since September 2, 2023. AESIA has been operation since June 2024
• The RD Sandbox which was approved on November 8, 2023 and has been in force since November 10, 2023, with a maximum duration of 36 months from its entry into force or, until the EU AI Act is applicable in Spain. The first set of projects subject to the sandbox were selected in April 2025

Other laws affecting AI

There are a number of laws that do not directly seek to regulate AI but may affect the development or use of AI in Spain. A non-exhaustive list of key examples includes:

• The Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights
• Law 15/2007 on the Defence of Competition
• Organic Law 1/1982 on the civil protection of the right to honor, personal and family privacy and self-image
• Law 3/1991 on Unfair Competition
• Law 15/2022 on equal treatment and non-discrimination
• The Spanish Organic Law 2/1984 on the right of rectification
• Law 34/2002 on information society services and electronic commerce
• Law 9/2014, General Telecommunications Law
• Law 7/2010, General Law on Audiovisual Communication
• Royal Legislative Decree 2/2015, which approved the revised text of the Workers' Statute Law
• Law 10/2021 on Telecommuting
• Royal Legislative Decree 1/1996, which approved the revised text of the Intellectual Property Law, regularizing, clarifying and harmonizing the current legal provisions

Definition of “AI”

Spain's National AI Strategy explicitly mentions that there is still no formal and universally accepted definition of AI and merely refers to the one used by the European Commission. Notwithstanding the above, Spain's RD Sandbox contains some useful AI-related definitions. In particular:

• "AI system" is defined as: "system designed to operate with a certain level of autonomy and which, based on input data provided by machines or by people, infers how to achieve a set of objectives set using machine-learning strategies or based on logic and knowledge, and it generates output information, such as content (generative artificial intelligence systems), predictions, recommendations or decisions, that influence the environments with which it interacts"⁸
• "High-Risk AI System" is defined as: "an artificial intelligence system that meets any of the following:
  • An artificial intelligence system constituting a product governed by the Union harmonization legislation shall be considered high risk if it is to be subject to a conformity assessment by a third party with a view to the introduction into the market or commissioning of such a product in accordance with the aforementioned legislation
  • An artificial intelligence system to be used as a component that performs a safety function and whose failure or malfunction endangers the health and safety of persons or property in a product regulated by a harmonized standard of the European Union, whether it is to be subjected to a conformity assessment by a third party with a view to the placing on the market or putting that product into service in accordance with the applicable harmonization legislation. This assumption will be applicable, even if the artificial intelligence system is marketed or put into service independently of the product
  • An artificial intelligence system, from the list of specific areas in which certain artificial intelligence systems are considered high risk, provided that the response of the system is relevant to the action or decision to be taken and may therefore cause a significant risk to health, the rights of workers in the workplace or safety or fundamental rights"⁹
• Spain's RD Sandbox defines "general-purpose AI system" as: "an artificial intelligence system that, regardless of the mode in which it is marketed or put into service, including as open source software, is intended by the system provider to perform general application functions, such as text, image and speech recognition; the generation of texts, audios, images and/or videos; pattern detection; answering questions; translation and others"¹⁰

Territorial scope

It is expected that the Draft Spanish AI Law will apply throughout Spain once enacted and will govern any AI system that: (i) is placed on the Spanish market; (ii) is put into service or used in Spain; or (iii) produces effects in Spain, irrespective of where its provider is established.¹¹

Likewise, the Spanish Guidelines apply in every Spanish autonomous community, and have the objective of achieving consistency, ensuring organization and cohesion, territorial governance and coordination between different administrative spheres, from the national to the local level. It also addresses coordination with regulation and policies at the European level.

International cooperation focus is reflected in the National AI Strategy, which places special emphasis on promoting participation in international forums such as the Council of Europe or the OECD, as well as through Spain's adherence to European initiatives such as the Digital Agenda for Europe adopted in 2018, the Coordinated Plan on AI 2019-2027, and the White Paper on Artificial Intelligence published in February 2020.

Sectoral scope

Spain's forthcoming AI regime is cross-sectoral: the EU AI Act and the Draft Spanish AI Law apply horizontally to all economic sectors and public-sector bodies.

However, there are certain exclusions in relation to AI that is used for: (i) defense and national security; (ii) purely personal or household use; and (iii) R&D activities that are carried out in closed environments.

Compliance roles

In line with EU AI Act, Spain's forthcoming AI regime (as established in the Draft Spanish AI Law) assigns clear legal duties to all the different actors who have a role in the AI space value chain. Therefore, in line with European regulations, there are specific obligations for providers (developers or manufacturers), distributors, importers or deployers or authorized representatives.

Core issues that the AI Regulations seek to address

The forthcoming Draft Spanish AI Law adopts a risk-based model, as detailed below. Spanish lawmakers make explicit that identifying, assessing and mitigating risk—especially in relation to health, safety, equal treatment and other fundamental rights—is the starting point of every compliance duty.

Additionally, other core issues that future AI regulations may seek to address may be inferred from AESIA's main objectives, which are the following:

• The awareness, dissemination and promotion of training, development, and responsible, sustainable and reliable use of artificial intelligence
• The definition of mechanisms for advising and assisting society and other actors related to the development and use of artificial intelligence
• Collaboration and coordination with other national and supranational authorities for the supervision of artificial intelligence
• The promotion of real test environments for artificial intelligence systems, in order to reinforce the protection of users and avoid discriminatory biases
• The supervision of the implementation, use or commercialization of systems that include artificial intelligence and, especially, those that may pose significant risks to health, safety, equal treatment and non-discrimination, particularly between women and men, and to other fundamental rights

Spain's AI framework seeks to unlock economic and social benefits (e.g., in education, healthcare and industry) while guaranteeing that higher risk uses meet the strictest requirements of transparency, accountability, fairness and human oversight. The ultimate ambition is an AI ecosystem that is innovative yet reliable, inclusive, and fully compatible with EU fundamental rights standards.

Risk categorization

Spain now follows the four-tier model laid down in the EU AI Act which divides between: (i) unacceptable risk, which is prohibited (e.g., social scoring); (ii) high risk, subject to the most detailed compliance obligations (e.g., affecting safety components of a product); (iii) limited risk, with mainly transparency duties (e.g., disclosure of chatbots, labelling of deep-fakes, notice of emotion-recognition); and (iv) low or minimal risk, not included in previous categories, and not subject to new obligations beyond existing law.

Additionally, the RD Sandbox also uses this hierarchy, because it only allows high-risk or general-purpose AI systems to be tested under its safe environment.

Key compliance requirements

As noted above, under the Draft Spanish AI Law, there are specific compliance duties to meet, that are scaled to the system's risk level. However, although the Draft Spanish AI Law provides for the relevant sanctioning regime, it does not detail the specific duties. Instead, it refers to the specific duties provided in the EU AI Act.

Under the Draft Spanish AI Law, compliance obligations apply to AI systems according to the risk tiers laid down in the EU AI Act. The draft does not re-list those technical duties; instead, it incorporates them by reference and establishes the national enforcement and sanctioning regime.

Regulators

As mentioned above, AESIA is already operative and acts as Spain's central market-surveillance authority for AI. It conducts inspections and—once the sanctioning powers derived from the EU AI Act and the current Draft Spanish AI Law enter into force—will act with full sanctioning powers.

Another important actor is the Artificial Intelligence Advisory Council, which advises the government on the design and dissemination of AI policies. This body will contribute to the development of the National Artificial Intelligence Strategy and the analysis of its implications.

Finally, several sector-specific regulators are also involved in AI oversight in relation to their fields, such as data protection, competition, finance, labor or healthcare.

Enforcement powers and penalties

As noted above, AESIA will be assigned full sanctioning capacity once the EU AI Act and the current Draft Spanish AI Law enter into force.

Regional regulation

In addition to Spain's aforementioned national regulatory and strategic frameworks on artificial intelligence, each autonomous community has adopted its own set of initiatives to address the specific socioeconomic, institutional, and technological needs of its region. These include approved or developing AI strategies (such as those in Catalonia, Andalusia, Galicia, or the Basque Country, amongst others), broader digital transformation plans with significant AI components, and in some cases, binding legal instruments—most notably Galicia's pioneering Law 2/2025 on the Development and Promotion of Artificial Intelligence in Galicia, the first regional legislation on AI in Spain.¹²

Whilst the legal force, institutional architecture, and policy focus vary across regions, these instruments share a commitment to promoting a trustworthy, human-centric, and ethically grounded approach to AI in the different autonomous communities. Nevertheless, common elements include safeguards for algorithmic transparency and oversight, support for research and innovation ecosystems, integration of AI into public services, and mechanisms to prevent bias and ensure accountability in automated decision-making. Altogether, these regional frameworks complement and reinforce national efforts, adding territorial specificity to Spain's multilevel regulation of AI.

_{1 The first draft was open for public consultation until March 26, 2025, allowing individuals and organizations to submit comments. Before the draft bill is definitively approved by the Council of Ministers as a legislative proposal (the previous step to the submission to Spanish Parliament), several opinions and reports must be obtained, including the opinion of the Council of State. The draft Law for the Good Use and Governance of Artificial Intelligence [available here].
2 The Charter of Digital Rights is available here.
3 The National AI Strategy is available here.
4 The Royal Decree 817/2023 is available here.
5 The Royal Decree 729/2023 is available here.
6 The Order ETD/670/202 is available here.
7 The OECD Legal Instrument 0449 – Recommendation of the Council on Artificial Intelligence is available in English here.
8 The Royal Decree 817/2023 is available here, Article 3(3).
9 In order to make more accurate definitions, the RD Sandbox makes certain references to EU legislation and a list of specific areas in which artificial intelligence systems are considered high risk by virtue of the definitions set forth in the RD Sandbox.
10 The Royal Decree 817/2023 is available here, Article 4.
11 The Royal Decree 817/2023 is available here, Article 5.
12 Galicia's Law 2/2025 of April 2nd, on the Development and Promotion of Artificial Intelligence in Galicia is available here.}

Ana Calvo (Local Partner, White & Case, Madrid), Marcos Soberon (Local Partner, White & Case, Madrid) and Carlos Pena (Associate, White & Case, Madrid) contributed to this publication.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2025 White & Case LLP}