The Spanish Government yesterday approved the draft bill on the governance and responsible use of artificial intelligence, formally launching Spain’s implementation phase of the EU AI Act.
From a legal perspective, what is particularly interesting is that certain aspects of the proposal go beyond a simple legislative “adaptation” exercise. The bill starts building the governance and enforcement architecture that will sit around the EU AI Act in practice, including the designation of competent supervisory and market surveillance authorities.
For AI systems already regulated under sector-specific product legislation – such as machinery, vehicles, toys or medical devices – the existing competent authorities will retain their supervisory role. For other areas not covered by product legislation, including employment, biometrics and education, supervisory powers will largely fall to Spain’s AI Supervisory Agency (AESIA), alongside the Spanish Data Protection Authority (AEPD) and the General Council of the Judiciary (CGPJ), depending on the sector concerned.
The bill also seeks to strengthen institutional coordination through cooperation mechanisms between regulators and the creation of a single point of contact for supervisory matters through AESIA.
In terms of sanctions, the proposal establishes a detailed enforcement framework based on principles of proportionality and effectiveness. Infringements are classified as very serious, serious and minor, with fines reaching up to €35 million or 7% of global annual turnover in the most serious cases.
The text also introduces mechanisms designed to favour remediation over punishment in certain situations, including fine reductions for early payment or corrective action, while also taking into account the size of the undertaking, particularly in relation to SMEs and startups.
Another notable aspect is the bill’s focus on AI governance within the public sector. The proposal introduces the creation of an inventory of AI systems used in administrative procedures – extending beyond high-risk systems – as well as the future appointment of AI officers responsible for coordinating compliance and advising on AI-related projects and public procurement.
The bill also expressly allows the creation of additional regulatory sandboxes for AI, linked to specific sectors and supervised by the relevant competent authorities.
From a broader regulatory perspective, this is another important sign that the implementation phase of the EU AI Act is now truly beginning across Europe.
The key challenge ahead will no longer be understanding the text of the AI Act itself, but rather how Member States operationalise supervision, enforcement and governance at national level. Over the coming years, we are likely to see increasingly divergent national approaches emerge around enforcement priorities, interpretation of prohibited practices, interaction with GDPR and cybersecurity frameworks, and the practical supervision of high-risk AI systems.
