In March 2025, we published an alert on what was then a Preliminary Bill on the proper use and governance of artificial intelligence, in which we highlighted Spain’s leadership in the national implementation of Regulation (EU) 2024/1689 of 13 June, which lays down harmonised rules on artificial intelligence (the AI Act). 

The text has made significant progress through the legislative approval process. The Draft Organic Law on the Proper Use and Governance of Artificial Intelligence (the Draft Organic Law) has been published in the Official Journal of the lower house of the Spanish Parliament (Congress of Deputies) and is currently undergoing amendments there. As was the case in the Preliminary Bill, it lays down the aspects of the AI Act that require specific national implementation. These are set out below, with particular attention to modifications from the Preliminary Bill.

 

Competent authorities and model of oversight

The Draft Organic Law retains the Directorate-General for Artificial Intelligence, a part of the State Secretariat for Digitalisation and Artificial Intelligence, as the notifying authority for the purposes of the AI Act. This authority will be responsible for procedures for the assessment, designation and notification of conformity assessment bodies, with the support of the National Accreditation Body (ENAC).

Oversight is structured around Spain’s main authority in the field: the Artificial Intelligence Supervisory Agency (Agencia Española de Supervisión de Inteligencia Artificial, or AESIA), which has powers to impose sanctions, functions as a single point of contact and exercises market oversight. AESIA shares a number of powers with sector authorities, which are coordinated through a joint Commission of which it is chair and secretariat. Compared with the Preliminary Bill, the Draft Organic Law introduces two significant changes: a sole complaints channel is established before AESIA, replacing the previous anonymous reporting channel; the joint Commission is also restructured, now incorporating regional authorities and its decisions are now recognised as being non-binding on independent administrative authorities.

There are two significant differences compared to the Preliminary Bill. One concerns a change in the allocation of market surveillance powers relating to systems linked to law enforcement; the other concerns democratic processes. As regards the first, the Preliminary Bill designated the Spanish Data Protection Agency (Agencia Española de Protección de Datos, or AEPD) as the body responsible for the supervision of high-risk systems listed in Annex III.1 of the AI Act (biometrics) when used in law enforcement or for border management, as well as the systems listed in Annex III.6 (law enforcement without the use of biometrics); as far as law enforcement is concerned, the Draft Organic Law transfers these responsibilities to the General Council of the Judiciary (Consejo General del Poder Judicial, or CGPJ) – the change is justified on the grounds of the ‘special independence’ requirement imposed by Article 74(8) of the AI Act. On the other hand, the Preliminary Bill designated the Central Electoral Board (Junta Electoral Central) – composed of eight Supreme Court judges and five university professors nominated by the political parties – as the market surveillance authority in the case of high-risk AI systems under Annex III.8.b), relating to democratic processes, as well as for prohibited AI practices in this area; as a result of the relevant proposed reform of the Organic Law on the General Electoral System, the Draft Organic Law instead allocates these functions to AESIA, adding also surveillance functions regarding systems that use biometrics for remote identification or categorisation purposes.

 

Sandboxes and the public sector

With regard to sandboxes, the Draft Organic Law continues to provide for the creation of a controlled testing environment managed by AESIA, as already provided for in the Preliminary Bill, and repeals Royal Decree 817/2023 of 8 November, which regulated the first AI sandbox prior to the adoption of the AI Act. Furthermore, it sets out the framework for the new sandbox in greater detail, aligning with the AI Act.

As for the state public sector, the Draft Organic Law introduces an entirely new chapter, which was not included in the Preliminary Bill. Among its main provisions, it imposes on state public sector bodies obligations to provide information on the use of AI systems, to participate in an inventory that is interoperable with the European register of high-risk systems, to appoint an AI officer, and to promote training on the responsible development and use of AI.

 

Prohibited practices in biometric identification and deepfakes

The Draft Organic Law retains the prohibited practices set out in Article 5.1 of the AI Act and confirms the authorisation of the use of ‘real-time’ remote biometric identification systems in public-access law enforcement areas, subject to judicial authorisation. However, in the case of deployers, certain conduct linked to such use – such as use outside the permitted cases, without prior authorisation or without complying with the imposed restrictions – has been reclassified from a very serious offence to a serious offence, thereby lowering the offence classification set out in the Preliminary Bill.

In the case of deepfakes and artificially generated or manipulated content, the Draft Organic Law maintains the classification of certain offences as serious. In particular, it penalises non-compliance with transparency obligations applicable to systems that interact with natural persons, generate synthetic content or produce content constituting ultra-impersonation or texts intended to inform the public on matters of public interest .

 

Penalty regime

The penalty regime is an area in which the Draft Organic Law introduces the most significant changes. On the one hand, the general clause that classified any breach of the AI Act or national legislation as an offence has been replaced by a specific list of very serious, serious and minor offences. Furthermore, the minimum fines set out in the Preliminary Bill have been removed – only maximum limits have now been established:

  • In the case of very serious offences relating to prohibited practices, up to €35,000,000 or, if the offender is a company, up to 7% of its total global turnover in the previous financial year.
  • For other very serious offences, up to €15,000,000 or up to 3% of total worldwide turnover.
  • For serious infringements, up to €7,500,000 or up to 1% of total worldwide turnover.
  • For minor infringements, up to €500,000 or up to 0.5% of total global turnover.

In the case of SMEs and start-ups, the lower of the two amounts will apply: the percentage of turnover or the corresponding absolute amount.

 

Other significant developments

The Draft Organic Law now classifies the failure by suppliers or deployers of high-risk systems to report serious incidents as a very serious offence. It also confers powers on the competent authority to require that corrective measures be adopted in relation to minor infringements – it is possible to waive a financial penalty where the party under investigation complies with such measures and acknowledges their liability. Finally, the separate damages proceedings established in previous versions have been removed, although references remain to the restoration of the altered situation and to the determination of compensation arising from the offence.

 

Next steps

As the text has been elevated to the status of a draft organic law, it will require an absolute majority vote for approval in the Congress of Deputies, before passing on to the Senate. The Draft Organic Law would return to the Congress should the Senate veto the text or introduce amendments. Once the Draft Organic Law has completed the parliamentary process, the Organic Law would enter into force on the day following its publication in the Official State Journal.

 

Final considerations

Ultimately, the Draft Organic Law retains the overall structure of the Preliminary Bill but does introduce significant changes: it improves the penalty framework, removes minimum penalty thresholds, narrows the scope of offences, strengthens institutional collaboration and clarifies the role of AESIA and sector authorities in the supervision of AI in Spain.

The implementation of this text is, moreover, essential for ensuring that the AI Act is effectively applicable in Spain. This is also because the day-to-day operation of the AI Act requires – as explained above – further clarification on key aspects.
Those subject to the AI Act – whether that be suppliers, deployers or operators – cannot therefore afford to relax in their gradual adaptation to its provisions. And that is the case even though the Digital Omnibus on artificial intelligence is soon set to extend the deadlines for compliance with the AI Act, both in the case of high-risk horizontal systems (Annex III) and high-risk industrial systems (Annex I). The AI Act is a dense, extensive and complex piece of legislation, which every organisation must begin to implement without delay within its structure and processes. The ultimate aim of the Draft Organic Law must, without doubt, be to assist in that task.

 

Ver post @Linkedin

Related categories

Key contacts

Pablo García Mexía photo

Pablo García Mexía

Consultant - Head of Digital Law, Madrid, Madrid

Pablo García Mexía Iria Calviño Jaime Bofill