This week the Spanish Council of Ministers have approved a draft bill on the governance and responsible use of AI, setting in motion Spain’s transposition of the EU AI Act into national law. The bill now heads to the Spanish Parliament for scrutiny.
At its core, the bill aims to equip Spain with a comprehensive framework for human oversight and the trustworthy use of artificial intelligence. It designates the supervisory bodies responsible for overseeing the EU AI Act in Spain, establishes a sanctions regime, and introduces a series of measures to drive the AI adoption across the Spanish public sector.
Below, we summarise the key elements of the draft law and what they mean in practice.
1. Governance: who oversees the use of AI
The bill sets up a governance framework by designating the authorities responsible for notifying and monitoring compliance. Products already covered by sector-specific legislation — such as machinery, toys, vehicles and medical devices — will keep their existing supervisory authorities, mirroring the approach taken in the EU AI Act itself.
AI systems not covered by product legislation, including those relating to employment, biometrics and education, will largely fall under the supervision of Spain’s AI Supervisory Agency (AESIA), the Spanish Data Protection Authority (AEPD) and the General Council of the Judiciary (CGPJ), depending on the sector concerned.
The draft law also establishes a reinforced model of institutional collaboration, with coordination mechanisms between authorities and a single point of contact for supervisory matters through AESIA.
2. Prohibited AI systems
The EU AI Act draws a hard line against AI systems that pose an unacceptable risk to safety or health, and imposes graduated obligations on other systems before they may enter the European market.
At Spain's initiative and with French backing, the EU agreed on 7 May 2026 to add two further prohibitions to the eight already in force. The first targets AI systems that generate sexual deepfakes. The second bans AI systems that produce child sexual abuse material — a significant step forward in the protection of minors.
3. Enforcement and sanctions
In terms of sanctions, the stakes are high. Infringements are classified as very serious, serious or minor, with fines reaching up to €35 million or 7% of annual worldwide turnover for the most serious cases. At the lower end, minor infringements can still attract penalties of up to €500,000 or 1% of turnover.
The bill gives authorities flexibility in applying sanctions, calibrating them to the gravity of the infringement, the intent behind it, or recidivism. It also builds in mechanisms that prioritise correction over penalisation — including reductions for early payment or the adoption of corrective measures — as well as specific consideration of company size to protect SMEs and start-ups, in line with the AI Act.
One procedural feature stands out: the bill would require AESIA to set up an electronic anonymous reporting channel, open to anyone who wants to flag a potential infringement. Once a report lands, AESIA has ten working days to decide — by reasoned decision — whether to open proceedings ex officio or refer the matter to the competent market surveillance authority.
4. AI in the public sector
Going beyond a straight transposition of the EU AI Act, the draft bill carves out a dedicated chapter on the responsible use of AI within Spain's central public sector.
The proposal introduces the creation of an AI inventory covering all AI systems used in administrative procedures — not only high-risk systems — to reinforce transparency, as well as the appointment of AI officers responsible for coordinating compliance and advising on specific AI projects and public procurement.
Organisations operating within or contracting with Spain's central public sector should keep a close eye on those implementing measures, as they may generate compliance obligations and procurement requirements that go beyond the EU AI Act's own framework.
5. Regulatory sandboxes
The bill recognises the need to foster innovation in a controlled environment and incorporates the mandatory national-scale AI testing environment required under the AI Act, to be operated by AESIA.
Additional AI sandboxes are permitted, provided they are set up by market surveillance or notifying authorities and tied to their supervisory sector. All sandboxes must involve the authorities responsible for defining public policies in the sectors covered, as well as the relevant fundamental rights authorities.
For providers and deployers, the practical takeaway is clear: participating in AESIA's sandbox framework offers regulatory certainty and the chance to align compliance design with supervisory expectations before systems are placed on the market. Given the number of authorities involved in the governance structure and the novelty of the AI Act's requirements, early engagement with the sandbox could prove a significant advantage.
6. A new digital right: disconnection from the market
One proposal stands out as particularly noteworthy: the introduction of a right of disconnection or withdrawal from the market for AI systems that have caused a serious incident — a safeguard that goes beyond the provisions of the EU AI Act.
7. National database for critical infrastructure AI systems
The bill lays the legal groundwork for the creation of a national database in Spain for the registration of AI systems dedicated to the management of critical infrastructures. Given their security sensitivity, these systems have been carved out as exceptions to the general EU registration framework. The database's structure and operation will be set out in a Royal Decree.
Looking ahead
The bill now faces parliamentary scrutiny, and its final shape remains to be seen.
In the meantime, organisations that place AI systems on the Spanish market should not wait. The additional time afforded by the Digital Omnibus is a window to map systems against the AI Act's risk categories, identify which supervisory authority will be competent for each, review incident detection and response protocols in light of the new right of disconnection, and explore early engagement with AESIA's regulatory sandbox. The bill's parliamentary journey may be uncertain, but the obligations it will enforce are already taking shape.
If you would like to discuss what these developments mean for your organisation or need support assessing your AI governance and compliance framework, please get in touch with your usual Linklaters contact or any member of our team.
/Passle/5c4b4157989b6f1634166cf2/MediaLibrary/Images/2026-04-27-09-11-13-669-69ef2831a93f16e7b510b349.png)
/Passle/5c4b4157989b6f1634166cf2/MediaLibrary/Images/2026-03-16-09-26-04-830-69b7ccac0f5150d9ca0d7301.jpeg)
/Passle/5c4b4157989b6f1634166cf2/SearchServiceImages/2026-05-19-09-11-29-012-6a0c2941055a002f3f82f159.jpg)
/Passle/5c4b4157989b6f1634166cf2/MediaLibrary/Images/2026-02-10-09-26-10-525-698af9b2b876970f0dcaea7f.jpg)