Spain Approves the New Artificial Intelligence Law: What Changes and How It Affects Businesses

The Council of Ministers has approved the Draft Organic Law for the Proper Use and Governance of Artificial Intelligence, a regulation that adapts the European AI Regulation into the Spanish legal framework and establishes the first comprehensive framework for the supervision, control and sanctioning of the use of this technology in Spain.

The regulation introduces a risk-based approach, reinforces human oversight of AI systems and establishes a sanctioning regime that may reach up to €35 million or 7% of global turnover in the most serious cases of non-compliance.

Beyond the technological debate, the law has a direct impact on companies across all sectors, especially those already using artificial intelligence systems in recruitment processes, data analysis, customer service or automated decision-making.

A common European framework with direct application in Spain

The new law develops the European Artificial Intelligence Regulation, which classifies systems according to their level of risk:

• Unacceptable risk systems: directly prohibited.
• High-risk systems: subject to control and supervision.
• Limited or minimal risk systems: subject to transparency obligations.

Among the prohibited uses are those capable of manipulating human decisions, exploiting vulnerabilities or carrying out certain forms of surveillance or biometric classification.

Within this framework, the Government also introduces new prohibitions, such as the use of AI to generate sexual deepfakes or child pornography content, strengthening the protection of minors and digital integrity.

What changes for companies: responsibility, supervision and control

One of the most relevant aspects of the regulation is the attribution of responsibility not only to AI system developers, but also to those who use or implement them within the business environment.

This means that a company may be sanctioned if it uses prohibited AI tools or implements systems that fail to comply with the regulation, even if they were developed by third parties.

The law also establishes the obligation of effective human oversight over AI models, which in practice requires that automated decisions are not completely autonomous in sensitive areas.

High-risk systems: the regulatory focus on HR and business management

The greatest practical impact of the regulation concerns the so-called high-risk systems, which include applications particularly relevant to the business environment, such as:

• Recruitment processes and human resources management.
• Evaluation of candidates or employees through algorithms.
• Systems governing access to employment or internal promotion.
• Tools capable of influencing significant employment-related decisions.

These applications will be subject to enhanced requirements regarding transparency, traceability, data control and ongoing supervision.

New transparency obligations: labelling AI-generated content

The law also introduces transparency obligations regarding the use of content generated by artificial intelligence.

In particular, it establishes that synthetic content must be clearly identifiable:

• In images, through visible watermarking.
• In videos, through permanent identification.
• In audio files, through warnings or labels on the distribution platform.

The objective is to prevent disinformation and ensure that users can distinguish when they are interacting with AI-generated content.

 

I want more information

 

Sanctioning regime: fines of up to €35 million

Failure to comply with the regulation may result in sanctions of varying severity:

• Minor infringements: reduced sanctions.
• Serious infringements: fines of up to several million euros.
• Very serious infringements: up to €35 million or 7% of global turnover.

Sanctionable conduct includes the use of prohibited systems, the absence of human oversight or failure to comply with transparency obligations.

Governance and control: new supervisory authorities

The application of the law will be structured through a multi-level governance system involving different sectoral authorities.

The main authority will be the Spanish Agency for the Supervision of Artificial Intelligence (AESIA), which will coordinate the overall monitoring of regulatory compliance.

In addition, other entities such as the Spanish Data Protection Agency, the Bank of Spain and the General Council of the Judiciary will assume specific powers depending on the area of application.

What companies should do now

Although the regulation still has to complete its parliamentary process, its content already establishes a clear roadmap for companies:

• Identify which AI systems are currently being used.
• Assess whether they may be considered high-risk.
• Review recruitment, evaluation and automated decision-making processes.
• Implement human oversight mechanisms.
• Strengthen internal technological governance policies.

A structural shift in digital risk management

The approval of this law marks a decisive step towards the regulation of artificial intelligence in Europe and places companies in a new compliance landscape.

AI is no longer merely a technological tool; it has become a regulated element with direct implications for corporate responsibility, data management and decision-making processes.

At Adlanter, we advise companies on the implementation of compliance systems in labour matters, data protection and technological governance. If your organisation uses or plans to use AI systems, we can help you assess their regulatory impact and design a compliance model adapted to the new legal framework.