AI Law in Spain: AESIA, Obligations and the Lesson for Brazil
Spain approved its AI law in May 2026. Understand AESIA, high-risk obligations and what changes for those selling software to the EU.
by Cleverson Gouvêa

The AI law in Spain came into effect on 26 May 2026, when the Council of Ministers approved the draft organic law for the proper use and governance of artificial intelligence. If your company sells software or services to the Spanish or European market, this text is no longer distant news but a compliance checklist. As a CTO and developer, I explain what changes in practice and what to do before August.
TL;DR
- On 26/05/2026, Spain approved the draft law adapting the European AI Act to its national legal system.
- Enforcement falls to AESIA, the agency created in 2023, based in A Coruña.
- AI-generated content (deepfakes) now requires labelling — and there are penalties for those who fail to label.
- In August 2026, obligations for high-risk systems come into force: risk management, technical documentation and human oversight.
- For Brazilian companies, it is a rehearsal of what is to come. Compliance by design is no longer optional.
What Spain approved (and why now)
The Spanish Council of Ministers approved the Proyecto de Ley Orgánica for the proper use and governance of artificial intelligence, a text that ensures human oversight and trustworthy use of systems. In practice, Spain is doing its homework to transpose into its domestic law the European Regulation on Artificial Intelligence — the AI Act, in force since August 2024.
Why does this matter to non-Spaniards? Because the AI Act has extraterritorial effect. It reaches any provider whose AI system is placed on the market or used within the European Union, regardless of where the company is based. I have served clients in Brazil and abroad for over 15 years, and this logic is the same as the GDPR: the rule does not ask for your postcode, it asks where your user is.
The AI law in Spain does not invent a parallel regime. It creates the national structure — authority, sanctions, procedures — to enforce a regulation that is already valid. It is the difference between having the law on paper and having someone knock on the door to enforce it.
Spain is not improvising
Spain has invested around €1.5 billion in its national AI strategy and maintains two "AI factories" (factorías de IA). Reference reports, such as those from Stanford University and Microsoft, point to the country as a leader in AI adoption. In other words: the country regulates what it already uses at scale. This tends to produce rules more grounded in operational reality than norms written in the abstract.
AESIA: who oversees AI in Spain
The supervisory authority is AESIA — Agencia Española de Supervisión de Inteligencia Artificial. Created in 2023, based in A Coruña, it is the body that will check documentation, investigate incidents and apply sanctions. Think of it as the equivalent, for AI, of what a data protection authority represents for privacy.
For a Brazilian company, the existence of AESIA changes the conversation from "maybe someday someone will ask" to "there is an address, a CNPJ-equivalent and a procedure". When there is a designated enforcer, with competence and budget, the regulatory risk ceases to be theoretical. The AI law in Spain gives teeth to this agency: without an authority that enforces, any regulation becomes a recommendation.
AESIA does not act alone. It connects to the European supervisory ecosystem provided for in the AI Act, which means coordination between national authorities. A problem detected in Spain can echo in other EU markets where the same system operates.
The calendar that matters: 2026 deadlines
The point that most confuses my clients is the feeling that "everything came into force at once". It did not. The AI Act has a phased application, and the most relevant date for most companies is August 2026. I have put together the calendar below to separate what is already in force from what is coming.
| Date | Milestone | What it means in practice |
|---|---|---|
| August 2024 | AI Act in force | The European regulation comes into effect, with obligations entering into force in a phased manner |
| 26 May 2026 | Spanish draft law approved | The Council of Ministers approves the adaptation of the AI Act to Spanish law |
| 2 August 2026 | Transparency and GPAI (EU) | Art. 50: inform the user that they are interacting with AI and label generated content; fining powers for general-purpose AI models (GPAI) come into effect |
| August 2026 | High risk in Spain | Most obligations for high-risk AI systems come into force |
The official implementation timeline is detailed in the European Commission's digital strategy. The honest reading of this table: if you operate a high-risk system aimed at the European market, August 2026 is your real deadline. You cannot start building risk management and technical documentation in July. The AI law in Spain merely gives a national face to a timeline that has been running since 2024.
High-risk systems: what your company needs to have ready
"High risk" is a technical category of the AI Act, not an adjective. It covers uses such as biometrics, critical infrastructure, education, personnel selection, access to credit and essential services. If your product fits, obligations cease to be good practices and become legal requirements — and this is where the AI law in Spain really bites.
From August 2026, in Spain, high-risk systems need to have a minimum set ready. I summarise what I ask of any team dealing with this category:
- Risk management system — a continuous process of identifying, assessing and mitigating risks throughout the system's lifecycle, not a single archived document.
- Technical documentation — description of the system, training data, logic, metrics and limitations, organised for audit.
- Human oversight protocols — people with real power to intervene, correct or shut down the system, with defined roles and authority levels.
- Logging and traceability — logs that allow reconstructing decisions and investigating incidents.
- Data governance — quality control, representativeness and protection of the data that feeds the model.
When I help a team structure this type of governance, I usually connect the discussion with how AI agents are entering companies. An agent that executes actions on its own concentrates exactly the type of risk that human oversight exists to contain — which is why documentation and safeguards must be born together with the product.
When you do NOT need to panic
Not all software with AI is high risk. A FAQ chatbot, an internal email classifier or a caption generator rarely falls into this category. The common trap is the opposite: treating everything as low risk for convenience. Do the classification with documented criteria. If the answer is "I don't know", treat it as higher risk until proven otherwise.
Deepfakes and synthetic content: the obligation to label
One of the most concrete points of the AI law in Spain is the penalty for those who do not label or tag AI-generated content. In parallel, on 2 August 2026 the AI Act activates the transparency obligations of Art. 50: inform the user when they are interacting with an AI and identify synthetic content.
This affects many more companies than it seems. Any business that produces images, videos or audio with generative AI needs to think about signalling. I work with image and video generation pipelines — those who generate media in volume, for example using ComfyUI on Google Colab, need to embed labelling in the workflow, not improvise later.
The obligation is not aesthetic. It exists to protect the public from deceptive deepfakes. In practice, it means visible marking and, ideally, metadata or technical watermarking that survives republication. Those who sell content creation services to European clients should already be offering labelling as part of the deliverable.
The detail that many ignore: liability tends to follow the chain. If a Brazilian agency generates a synthetic video for an advertiser in Spain, the lack of a label is a problem for both sides. That is why I recommend standardising signalling at the source, at the moment of generation, before the content circulates.
Compliance by design: governance from the first line of code
The AI law in Spain accelerates a model I have long advocated: compliance by design. Privacy, governance, transparency and risk management integrated from the initial development phase — not as a layer glued on at the end of the project.
I have seen many teams build an entire product and only then ask "how do we become compliant?". It is the most expensive way to find out. Rewriting logging, traceability and human oversight in a finished system costs many times more than designing this into the initial architecture.
In my experience as CTO of IEJUR, dealing with environments that mix sensitive data and educational technology, the lesson repeats itself: the governance you postpone becomes regulatory technical debt. And regulatory debt, unlike technical debt, has a legal deadline and an associated fine.
A minimum design checklist
- Decide the risk classification before coding the first AI feature.
- Define where logs are stored and for how long, in the schema, not later.
- Write down who is the human in the loop and what their real power is.
- Treat synthetic content labelling as a functional requirement.
The lesson for Brazil (and for software exporters)
Brazil is still debating its own framework for artificial intelligence. Those who follow the legislative process know that European inspiration is strong. Betting that "it will take a while here" is a fragile strategy for two reasons.
First, the extraterritorial effect. If you sell SaaS, provide AI services or license models to clients in Spain or any EU country, the AI Act already reaches you — regardless of what the Brazilian Congress decides. The AI law in Spain is, for the Brazilian exporter, a yardstick that is already measuring.
Second, the cost of turning around. Companies that build governance now gain a commercial asset: they can respond to due diligence from European clients without panic. When Brazil approves its version — and the direction points to high risk, transparency and human oversight, the same pillars — those who have already done the work only adjust details.
I see this as a competitive advantage, not bureaucracy. Compliance becomes a sales argument in markets where the buyer fears fines. And the European buyer does. Studying the AI law in Spain today is, ultimately, studying the contract your European client will demand tomorrow.
Where to start now
The AI law in Spain does not ask you to stop everything. It asks you to know where you are. Start by mapping which of your systems use AI, classify each by risk level and identify what touches users or clients in the European Union. This inventory alone already solves half the anxiety.
Then prioritise: what is high risk and targets the EU needs risk management, technical documentation and human oversight before August 2026. What generates content needs labelling. The rest goes into the continuous improvement queue.
If your company needs a technical reading of this scenario — classifying systems, designing governance or structuring labelling of AI-generated content — it is exactly the kind of work I do at Agathas Web. Anticipating the European yardstick today is cheaper than chasing it later.