The EU AI Act (Regulation 2024/1689) applies directly in Spain as in all EU member states. Unlike the GDPR, which required national implementation laws, the AI Act's core obligations take effect uniformly across the EU.
High-risk AI systems deployed or provided in Spain must complete conformity assessment (Article 43), maintain technical documentation (Article 11), implement risk management (Article 9), and register in the EU database (Article 60). The compliance date for Annex III high-risk systems is 2 August 2026 as written; the Digital Omnibus provisional agreement of 7 May 2026 moves it to 2 December 2027, pending formal adoption and Official Journal publication. Article 50 transparency obligations are unchanged and apply from 2 August 2026.
Agencia Española de Protección de Datos (AEPD) will serve as the national market surveillance authority for AI Act enforcement in Spain. This authority will have powers to inspect, audit, and impose penalties on non-compliant AI systems.
Prohibited AI practices under Article 5 (social scoring, subliminal manipulation, real-time biometric identification in public spaces) are banned in Spain as in all EU member states, with limited law enforcement exceptions.
Penalties for non-compliance range up to EUR 35 million or 7% of global annual turnover (whichever is higher) for prohibited practices, and up to EUR 15 million or 3% for other violations (Article 99).