AI Law in Spain: AESIA, Obligations and the Lesson for Brazil
Spain passed its AI law in May 2026. Understand AESIA, high-risk obligations, and what changes for those selling software to the EU.
by Cleverson Gouvêa

Spain's AI law came to life on May 26, 2026, when the Council of Ministers approved the draft organic law for the proper use and governance of artificial intelligence. If your company sells software or services to the Spanish or European market, this text is no longer distant news but a compliance checklist. As a CTO and developer, I explain what changes in practice and what to do before August.
TL;DR
- On 05/26/2026, Spain approved the draft law adapting the European AI Act to its national legal system.
- Oversight falls to AESIA, the agency created in 2023, headquartered in A Coruña.
- AI-generated content (deepfakes) now requires labeling — with penalties for non-compliance.
- In August 2026, obligations for high-risk systems come into effect: risk management, technical documentation, and human oversight.
- For Brazilian companies, this is a preview of what's coming. Compliance by design is no longer optional.
What Spain approved (and why now)
The Spanish Council of Ministers approved the Proyecto de Ley Orgánica for the proper use and governance of artificial intelligence, a text ensuring human oversight and trustworthy use of systems. In practice, Spain is doing its homework by transposing the European AI Regulation — the AI Act, in effect since August 2024 — into its domestic law.
Why does this matter to non-Spaniards? Because the AI Act has extraterritorial effect. It applies to any provider whose AI system is placed on the market or used within the European Union, regardless of where the company is based. I've served clients in Brazil and abroad for over 15 years, and this logic is the same as the GDPR: the rule doesn't ask your zip code, it asks where your user is.
The AI law in Spain does not create a parallel regime. It establishes the national structure — authority, sanctions, procedures — to enforce a regulation that is already valid. It's the difference between having the law on paper and having someone knock on your door to enforce it.
Spain is not improvising
Spain has invested about €1.5 billion in its national AI strategy and maintains two "AI factories" (factorías de IA). Reference reports, such as those from Stanford University and Microsoft, point to the country as a leader in AI adoption. In other words: the country regulates what it already uses at scale. This tends to produce rules more grounded in operational reality than abstractly written norms.
AESIA: who oversees AI in Spain
The supervisory authority is AESIA — Agencia Española de Supervisión de Inteligencia Artificial. Created in 2023, headquartered in A Coruña, it is the body that will check documentation, investigate incidents, and apply sanctions. Think of it as the AI equivalent of what a data protection authority represents for privacy.
For a Brazilian company, the existence of AESIA changes the conversation from "maybe someday someone will ask" to "there is an address, a CNPJ-equivalent, and a procedure." When there is a designated supervisor with competence and budget, regulatory risk ceases to be theoretical. The AI law in Spain gives teeth to this agency: without an authority that enforces, any regulation becomes a recommendation.
AESIA does not act alone. It connects to the European supervisory ecosystem under the AI Act, meaning coordination between national authorities. A problem detected in Spain can echo in other EU markets where the same system operates.
The calendar that matters: 2026 deadlines
The point that most confuses my clients is the feeling that "everything took effect at once." That's not how it happened. The AI Act has a phased application, and the most relevant date for most companies is August 2026. I've put together the calendar below to separate what's already in effect from what's coming.
| Date | Milestone | What it means in practice |
|---|---|---|
| August 2024 | AI Act in force | The European regulation takes effect, with obligations entering into force in phases |
| May 26, 2026 | Spanish draft law approved | The Council of Ministers approves the adaptation of the AI Act to Spanish law |
| August 2, 2026 | Transparency and GPAI (EU) | Art. 50: inform the user that they are interacting with AI and label generated content; penalty powers for general-purpose AI models (GPAI) come into effect |
| August 2026 | High risk in Spain | Most obligations for high-risk AI systems take effect |
The official implementation timeline is detailed in the European Commission's digital strategy. The honest reading of this table: if you operate a high-risk system targeting the European market, August 2026 is your real deadline. You can't start building risk management and technical documentation in July. The AI law in Spain merely gives a national face to a timeline that has been running since 2024.
High-risk systems: what your company needs to have ready
"High risk" is a technical category of the AI Act, not an adjective. It covers uses such as biometrics, critical infrastructure, education, personnel selection, access to credit, and essential services. If your product fits, obligations cease to be best practices and become legal requirements — and this is where the AI law in Spain truly bites.
Starting August 2026, in Spain, high-risk systems must have a minimum set ready. Here's what I ask any team dealing with this category:
- Risk management system — a continuous process of identifying, assessing, and mitigating risks throughout the system's lifecycle, not a single archived document.
- Technical documentation — description of the system, training data, logic, metrics, and limitations, organized for audit.
- Human oversight protocols — people with real power to intervene, correct, or shut down the system, with defined roles and authority.
- Logging and traceability — logs that allow reconstructing decisions and investigating incidents.
- Data governance — quality control, representativeness, and protection of the data feeding the model.
When I help a team structure this type of governance, I often connect the discussion to how AI agents are entering companies. An agent that executes actions autonomously concentrates exactly the type of risk that human oversight is meant to contain — which is why documentation and safeguards must be born alongside the product.
When you do NOT need to panic
Not all software with AI is high risk. A FAQ chatbot, an internal email classifier, or a caption generator rarely falls into this category. The common trap is the opposite: treating everything as low risk for convenience. Classify with documented criteria. If the answer is "I don't know," treat it as higher risk until proven otherwise.
Deepfakes and synthetic content: the obligation to label
One of the most concrete points of the AI law in Spain is the penalty for not labeling AI-generated content. In parallel, on August 2, 2026, the AI Act activates the transparency obligations of Art. 50: informing the user when they interact with an AI and identifying synthetic content.
This affects many more companies than it seems. Any business that produces images, videos, or audio with generative AI needs to think about signaling. I work with image and video generation pipelines — those who generate media in volume, for example using ComfyUI on Google Colab, need to embed labeling in the workflow, not improvise later.
The obligation is not aesthetic. It exists to protect the public from deceptive deepfakes. In practice, it means visible marking and, ideally, metadata or technical watermarking that survives republication. Those selling content creation services to European clients should already be offering labeling as part of the deliverable.
The detail many ignore: responsibility tends to follow the chain. If a Brazilian agency generates a synthetic video for an advertiser in Spain, the lack of labeling is a problem for both sides. That's why I recommend standardizing signaling at the source, at the moment of generation, before the content circulates.
Compliance by design: governance from the first line of code
The AI law in Spain accelerates a model I've long advocated: compliance by design. Privacy, governance, transparency, and risk management integrated from the initial development phase — not as a layer glued on at the end of the project.
I've seen many teams build an entire product and only then ask "how do we become compliant?" It's the most expensive way to find out. Rewriting logging, traceability, and human oversight in a finished system costs multiple times more than designing it into the initial architecture.
In my experience as CTO of IEJUR, dealing with environments that mix sensitive data and educational technology, the lesson repeats: the governance you postpone becomes regulatory technical debt. And regulatory debt, unlike technical debt, has a legal deadline and an associated fine.
A minimum design checklist
- Decide the risk classification before coding the first AI feature.
- Define where logs are stored and for how long, in the schema, not later.
- Write down who is the human in the loop and their real power.
- Treat synthetic content labeling as a functional requirement.
The lesson for Brazil (and for software exporters)
Brazil is still debating its own framework for artificial intelligence. Those following the legislative process know that European inspiration is strong. Betting that "it will take a while here" is a fragile strategy for two reasons.
First, the extraterritorial effect. If you sell SaaS, provide AI services, or license models to clients in Spain or any EU country, the AI Act already applies to you — regardless of what the Brazilian Congress decides. The AI law in Spain is, for the Brazilian exporter, a yardstick that is already measuring.
Second, the cost of turning around. Companies that build governance now gain a commercial asset: they can respond to due diligence from European clients without panic. When Brazil approves its version — and the direction points to high risk, transparency, and human oversight, the same pillars — those who have already done the work only need to adjust details.
I see this as a competitive advantage, not bureaucracy. Compliance becomes a sales argument in markets where the buyer fears fines. And the European buyer does. Studying the AI law in Spain today is, at its core, studying the contract your European client will demand tomorrow.
Where to start now
The AI law in Spain doesn't ask you to stop everything. It asks you to know where you stand. Start by mapping which of your systems use AI, classify each by risk level, and identify what touches users or clients in the European Union. That inventory alone already resolves half the anxiety.
Then prioritize: what is high risk and targets the EU needs risk management, technical documentation, and human oversight before August 2026. What generates content needs labeling. The rest goes into the continuous improvement queue.
If your company needs a technical reading of this scenario — classifying systems, designing governance, or structuring labeling for AI-generated content — that's exactly the kind of work I do at Agathas Web. Anticipating the European yardstick today is cheaper than chasing it later.