🇪🇸 Spain — AESIA & National AI Framework — Reference S1 (EN)
Slug EN: `spain-aesia` · URL: `zertia.ai/resources/regulatory-frameworks/spain-aesia` · hreflang: ES → `/es/recursos/marcos-regulatorios/spain-aesia`
Tipo: Stub (~1.000 words) · Estado: Draft v1 · Last regulatory review: May 2026
—
Resources / Regulatory Frameworks
Spain — AESIA & the National AI Framework
The first dedicated AI supervisory agency in Europe, the country that built the regulatory sandbox before the EU AI Act existed, and the Member State whose national law shapes how the Regulation is operationalised in Spanish territory
| Supervisory authority | Agencia Española de Supervisión de la Inteligencia Artificial (AESIA) — established by Royal Decree 729/2023 of 22 August 2023, headquartered in A Coruña (Edificio La Terraza, with provisional operations from Casa Veeduría since 14 February 2025; La Terraza renovation expected 2027). First dedicated national AI supervisory agency in Europe. |
| — | — |
| Leadership (May 2026) | Director General: Alberto Gago (appointed 19 December 2025, succeeding Ignasi Belda whose dismissal was published on 24 December 2025). President of AESIA: Mayte Ledo, Secretary of State for Digitalisation and Artificial Intelligence. Reporting line: Ministry for Digital Transformation and the Civil Service, led by Minister Óscar López. |
| National framework instruments | Royal Decree 729/2023 (AESIA statute) · Royal Decree 817/2023 of 8 November 2023 (regulatory sandbox for AI, first in the EU) · Draft Bill on the Good Use and Governance of AI (approved by Council of Ministers 11 March 2025, urgent processing) · National AI Strategy (ENIA) within the España Digital 2026 Agenda · Digital Rights Charter · National Green Algorithms Plan |
| EU AI Act articulation | Spain is the first Member State with a dedicated AI supervisory body operational. The draft Bill designates AESIA as the principal market surveillance authority for most prohibited practices and Annex III high-risk systems, alongside AEPD, Banco de España, CNMV, the General Council of the Judiciary and the Central Electoral Board as sectoral market surveillance authorities. |
| Sanctions regime | Administrative fines of up to €35 million or 7% of worldwide turnover for very serious infractions (prohibited practices), €15 million or 3% for serious infractions, €7.5 million or 1% for minor infractions — aligned with Article 99 of the EU AI Act. Caution measures include cautious withdrawal of the product and disconnection or prohibition of the AI system. |
| Status (May 2026) | AESIA operational since February 2025. Draft Bill in advanced legislative phase, urgent processing, public hearing completed 26 March 2025, CES Opinion 3/2026 published April 2026 backing the draft. Final approval and entry into force expected in the 2026 legislative window. |
—
Regulatory identity
The dominant narrative reads Spain’s AI framework as a straightforward transposition of the EU AI Act — a Member State implementing supranational law. The reading captures the surface and misses the institutional choice.
Spain built AESIA before the EU AI Act was finalised. The Royal Decree approving the agency’s statute is dated August 2023; the regulatory sandbox under Royal Decree 817/2023 was operational from November 2023; the EU AI Act was only published in June 2024. Spain did not wait for Union law. It built the supervisory infrastructure first, anticipating the regulation rather than implementing it, and that sequencing is the structural distinguishing feature of the Spanish framework.
The conceptual problem most analyses miss is that AESIA is not a transposition vehicle. It is a policy instrument built before the policy existed, which means it has institutional path-dependence: the staff hired, the methodology developed, the sandbox cohorts processed, the international coordination established (with AEPD, with the European AI Office, with other Member State authorities) all predate the Regulation that AESIA now operationalises. This is structurally different from a Member State that designates its data protection authority as competent for the AI Act in 2026.
The second narrative-correction is around the sandbox. Royal Decree 817/2023 is consistently described as Spain’s implementation of EU AI Act sandbox obligations. It is not. The Royal Decree was published nine months before the Regulation, in collaboration with the European Commission, as the operational pilot of what would become Articles 57–58 of the Regulation. The lessons learned from Spanish sandbox cohorts shaped how the Commission drafted the final sandbox provisions. The Spanish sandbox is the prototype, not the implementation.
The third structural feature is the multi-authority enforcement architecture designed in the draft Bill. AESIA is not the sole AI regulator. The Bill designates AESIA as the principal market surveillance authority for most prohibited practices and most Annex III high-risk systems, alongside AEPD for AI involving personal data processing, Banco de España for AI in solvency and credit-scoring, CNMV for AI in capital markets, the General Council of the Judiciary for AI in judicial administration, and the Central Electoral Board for AI affecting electoral processes. This is structurally closer to the Brazilian SIA coordinated framework than to the centralised single-regulator model. AESIA can assist other authorities through collaboration agreements (Article 9 of the draft Bill), creating coordination capacity without subordination.
What the Spanish framework actually is, then, is the first operational implementation of supranational AI supervision in Europe, built ahead of the Regulation, structured as multi-authority federalism, and positioned as the institutional template that other Member States are watching as their own AI supervisory architectures take shape.
—
Subjective and material scope
The draft Bill on the Good Use and Governance of AI applies to legal persons and public-sector entities acting as operators of AI systems introduced, put into service, marketed, or tested in real conditions in Spanish territory. The scope mirrors Article 2 of the EU AI Act: extraterritorial reach for foreign operators whose AI systems’ outputs are used in Spain.
The Bill is purely a sanctioning regime built on top of the directly applicable EU AI Act. It does not create substantive AI obligations; it designates competent authorities, classifies infractions, sets penalty brackets, regulates procedure, and articulates Spain’s national-level AI governance with the Regulation’s market surveillance architecture.
Royal Decree 817/2023 (the sandbox) has a narrower scope: AI providers and users (private legal persons, public administrations, and public-sector entities) testing high-risk AI systems, general-purpose AI, or foundation models, with foreign participants required to have permanent establishment in Spain or be part of a Spanish-domiciled grouping. Annex II of the Royal Decree lists the high-risk areas in scope. Military, defence, and national-security AI systems are excluded from the sandbox.
—
Principal obligations and enforcement architecture
The draft Bill structures enforcement in four layers.
Article 6 — Market surveillance authorities. AESIA is designated as the principal market surveillance authority for the majority of prohibited practices (Article 5 EU AI Act) and most Annex III high-risk systems, plus transparency obligations for certain systems. AEPD and autonomous community data protection authorities have surveillance competence over prohibited practices and high-risk systems involving personal data. Banco de España and CNMV handle AI in solvency and credit-scoring. The General Council of the Judiciary supervises AI in judicial administration. The Central Electoral Board oversees AI affecting electoral processes.
Article 9 — Collaboration framework. AESIA may assist other market surveillance authorities through collaboration agreements, providing technical capacity, joint investigations, and shared methodology across the multi-authority architecture.
Article 10 — Prohibited practices. The Bill operationalises Article 5 EU AI Act prohibitions in Spanish administrative law: subliminal manipulation techniques causing significant harm, exploitation of vulnerabilities (age, disability, socioeconomic situation), social scoring, untargeted scraping for biometric databases, emotion recognition in workplace and education contexts, biometric categorisation by protected characteristics, real-time remote biometric identification in publicly accessible spaces with narrowly defined exceptions.
Sanctions regime aligned with Article 99 EU AI Act. Very serious infractions: €7.5M–€35M or 2–7% of worldwide turnover. Serious infractions: up to €15M or 3%. Minor infractions: up to €7.5M or 1%. Examples of very serious infractions include failure to report a serious incident (death of a person, compromise of critical infrastructure, environmental damage) or non-compliance with orders of a market surveillance authority. Caution measures include cautious withdrawal of the product and disconnection or prohibition of the AI system pending proceedings.
The sanctioning procedure can be initiated through a complaint mailbox or channel managed by AESIA, operationalising Article 85 EU AI Act on the right to lodge complaints.
—
Calendar and current status
– 22 August 2023 — Royal Decree 729/2023 approves the AESIA statute.
– 8 November 2023 — Royal Decree 817/2023 establishes the AI regulatory sandbox (36-month validity, until the EU AI Act applies in Spain).
– 12 June 2024 — Ignasi Belda designated Director General of AESIA.
– 14 February 2025 — AESIA begins in-person operations at Casa Veeduría, A Coruña (provisional headquarters during La Terraza renovation).
– 11 March 2025 — Council of Ministers approves the Draft Bill on the Good Use and Governance of AI; urgent processing initiated.
– 18–26 March 2025 — Public hearing of the Draft Bill.
– 19 December 2025 — Alberto Gago designated new Director General of AESIA; Ignasi Belda’s dismissal published 24 December 2025.
– April 2026 — Spanish Economic and Social Council Opinion 3/2026 backs the Draft Bill, calling for reinforced social dialogue.
– Expected 2026 — Final approval of the Bill by the Council of Ministers, parliamentary processing, entry into force.
The Spanish sandbox under Royal Decree 817/2023 has been operational since November 2023 with successive cohorts. The lessons learned feed the European Commission’s guidance on sandboxes under Articles 57–58 of the EU AI Act.
—
Intersections with other regimes
EU AI Act. The Spanish framework is engineered as the national operationalisation of the Regulation. Article 6 of the Draft Bill designates the market surveillance authorities required under Article 70 EU AI Act. The sanctioning regime mirrors Article 99. The sandbox under Royal Decree 817/2023 anticipates and feeds Articles 57–58.
GDPR. AEPD retains competence over AI processing personal data. AESIA coordinates with AEPD on prohibited practices and high-risk systems involving personal data. Spain’s national AI architecture preserves the GDPR enforcement structure while adding the AI-specific supervisory layer.
Sectoral regulation. Banco de España, CNMV, and other sectoral regulators retain vertical competence within their domains, articulated with AESIA’s horizontal AI competence through the multi-authority framework.
Council of Europe Framework Convention on AI. Spain participates actively in Convention implementation and is among the EU Member States preparing ratification. Convention obligations articulate with the national framework through the EU’s competence over AI matters.
ISO/IEC 42001 and international standards. AENOR (Spain’s national standards body) is active in ISO/IEC JTC 1/SC 42. ENAC accredits certification bodies for ISO/IEC 42001 in Spain. AESIA’s draft sanctioning framework recognises certified management systems as evidence of compliance, in line with the EU AI Act’s articulation between harmonised standards and presumption of conformity.
—
> ## ⚖️ How Zertia operates within the Spanish AI regulatory environment
>
>
>
> ### Built for Spanish AI compliance from day one
>
>
>
> Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory
>
>
>
> Zertia is an ANAB-accredited AI management system certification body with offices in Boston, Madrid, and London. ENAC accreditation process active in Spain, positioning Zertia to issue AESIA-aligned ISO/IEC 42001 certificates under the Spanish accreditation framework. Spain’s multi-authority enforcement architecture — AESIA as principal, AEPD for personal data, Banco de España and CNMV for finance, sectoral regulators for specific domains — makes integrated management system certification operationally valuable for Spanish organisations.
>
>
>
> Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. Accredited ISO/IEC 42001 certification is the operational backbone for compliance with the Spanish sanctioning framework once enacted, providing presumption-of-conformity positioning for Article 17 EU AI Act quality management system obligations enforced by AESIA. ISO/IEC 27701 + ISO/IEC 42001 integration is particularly relevant for AI systems processing personal data subject to dual AESIA / AEPD supervision.
>
>
>
> Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Pre-Certification Assessments structured to satisfy AESIA’s documentary expectations under the Spanish sanctioning framework, with attention to multi-authority articulation (AEPD personal data, sectoral regulators) and Royal Decree 817/2023 sandbox participation where applicable.
>
>
>
> Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent audits structured to provide assurance evidence portable across the Spanish regulatory architecture and parallel EU Member State obligations.
>
>
>
> Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Spanish-language programmes treating the AESIA framework explicitly, including the multi-authority architecture, Royal Decree 817/2023 sandbox, the Draft Bill on the Good Use and Governance of AI, and integration with the EU AI Act and ISO/IEC 42001 for Spanish multinationals.
>
>
>
> Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS and ENAC. Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.
>
>
>
> ### 🎯 Take action
>
>
>
> | 🔍 Diagnose your gap | 📊 Build the management backbone |
>
> |—|—|
>
> | [Pre-Certification Assessment →](https://zertia.ai/regulatory-frameworks/) | [ISO/IEC 42001 Certification →](https://zertia.ai/iso-42001/) |
>
> | Independent diagnosis against AESIA’s surveillance expectations, the Draft Bill on the Good Use and Governance of AI sanctioning framework, and Royal Decree 817/2023 sandbox participation criteria. | The ANAB-accredited management system that operationalises Spanish AI governance into auditable practice, integrating EU AI Act obligations and sectoral supervisory expectations. |
>
>
>
> [Discuss AESIA and Spanish AI compliance positioning →](https://zertia.ai/regulatory-frameworks/)
>
—
Frequently asked questions
Is AESIA already enforcing AI obligations?
AESIA is operational since February 2025 but the formal sanctioning power awaits enactment of the Draft Bill on the Good Use and Governance of AI, expected in the 2026 legislative window. Prohibited practices under Article 5 EU AI Act are directly applicable since 2 February 2025; the Bill provides the procedural framework for their enforcement in Spanish territory.
What is Spain’s regulatory sandbox?
Royal Decree 817/2023 of 8 November 2023 established the first AI regulatory sandbox in the EU, in collaboration with the European Commission. Spanish AI providers and users (or foreign operators with permanent establishment in Spain) can apply to test high-risk AI systems, general-purpose AI, or foundation models under supervised conditions. The sandbox feeds the European Commission’s guidance on Article 57 EU AI Act sandboxes.
Who is the principal AI regulator in Spain?
AESIA, by designation under Article 6 of the Draft Bill, for most prohibited practices and Annex III high-risk systems. AEPD has competence over AI involving personal data. Banco de España and CNMV cover AI in finance. The General Council of the Judiciary supervises AI in judicial administration. The Central Electoral Board oversees AI affecting electoral processes. AESIA may assist other authorities through collaboration agreements (Article 9).
What are the sanctions under the Spanish framework?
Aligned with Article 99 EU AI Act: up to €35M or 7% of worldwide turnover for very serious infractions, €15M or 3% for serious, €7.5M or 1% for minor. Caution measures include cautious withdrawal of the product and disconnection or prohibition of the AI system pending proceedings.
How does Spanish AI law articulate with the EU AI Act?
The Draft Bill is purely a national sanctioning and procedural framework on top of the directly applicable EU AI Act. It does not duplicate substantive obligations; it designates competent authorities, classifies infractions, sets penalty brackets, regulates procedure, and operationalises Article 85 EU AI Act complaint mechanisms through AESIA.
Should Spanish organisations pursue ISO/IEC 42001 certification?
Yes, particularly organisations subject to AESIA market surveillance or operating in sectors with parallel sectoral AI obligations (financial services, healthcare, public administration). Accredited ISO/IEC 42001 certification provides presumption-of-conformity positioning for EU AI Act Article 17 obligations enforced by AESIA, with documentation portable across the multi-authority architecture.
What is the relationship between AESIA and AEPD?
AESIA is the principal AI supervisory authority; AEPD retains competence over AI processing personal data under GDPR and over certain AI prohibited practices. The two authorities coordinate through collaboration agreements established under Article 9 of the Draft Bill. Organisations operating AI systems involving personal data are typically subject to both authorities’ supervision.
—
Cross-links
Related glossary terms: [AESIA](#) · [Royal Decree 729/2023](#) · [Royal Decree 817/2023](#) · [Regulatory sandbox](#) · [Spanish National AI Strategy (ENIA)](#) · [Digital Rights Charter](#) · [Multi-authority enforcement architecture](#) · [AEPD AI competence](#) · [Article 6 Draft Bill](#) · [La Terraza headquarters](#)
Applicable risk families (AI Risk Repository): [Discrimination and biased outputs](#) · [Privacy violations](#) · [AI in employment decisions](#) · [AI in financial services](#) · [AI in public services](#) · [Failure of human oversight](#) · [Subliminal manipulation](#) · [Biometric categorisation](#)
Related regulations in this Hub: [EU AI Act](#) · [ISO/IEC 42001](#) · [NIST AI RMF](#) · [GDPR — AI provisions](#) · [Council of Europe AI Convention](#) · [UK AI Regulation](#) · [Brazil AI Regulation](#)
Zertia services: [Regulatory Frameworks](https://zertia.ai/regulatory-frameworks/) · [Certification](https://zertia.ai/certification/) · [ISO/IEC 42001 Certification](https://zertia.ai/iso-42001/) · [AIUC-1 Certification](https://zertia.ai/certification/aiuc-1/) · [Audit](https://zertia.ai/audit/) · [Training](https://zertia.ai/training/)
—
Last reviewed: May 2026 · Sources: Royal Decree 729/2023 of 22 August (AESIA statute); Royal Decree 817/2023 of 8 November (AI regulatory sandbox); Draft Bill on the Good Use and Governance of AI (approved by Council of Ministers 11 March 2025, public hearing 18–26 March 2025); CES Opinion 3/2026 (April 2026); appointment of Alberto Gago as Director General of AESIA (19 December 2025) and dismissal of Ignasi Belda (24 December 2025); España Digital 2026 Agenda; National AI Strategy (ENIA); Digital Rights Charter; Regulation (EU) 2024/1689 (EU AI Act).
