AESIA: What Every Spanish Business Deploying AI Must Know in 2026
If your company uses AI in Spain — even a SaaS tool with AI features, an automated hiring screen, or a chatbot — you are already regulated. AESIA, Spain’s dedicated AI supervisory authority, has been operationally active since late 2023 and is now enforcing the EU AI Act (Regulation 2024/1689) at the national level.
With the next major compliance deadline — August 2, 2026 — now less than four months away, this article gives Spanish businesses a clear-eyed view of what AESIA is, what it can do to you, and what you need to do before that date arrives.
What Is AESIA and Why Does It Matter?
AESIA — Agencia Española de Supervisión de la Inteligencia Artificial — is Spain’s national supervisory authority under the EU AI Act. It was established by Royal Decree 729/2023, published in the BOE on 19 July 2023. Spain was among the first EU member states to stand up a purpose-built AI regulator, doing so even before the AI Act formally entered into force in August 2024.
AESIA sits within the Ministerio de Asuntos Económicos y Transformación Digital, and its mandate covers every AI system deployed or placed on the Spanish market — whether the company behind it is Spanish, German, or American. If it runs in Spain, AESIA can inspect it.
Its official portal is at aesia.gob.es, where it publishes guidance, sandbox applications, and enforcement communications.
Why this matters to your business: AESIA is not a paper tiger. It holds market surveillance authority, can demand documentation within 15 business days, can order system suspension, and can issue fines. The EU AI Act establishes the fine scale; AESIA pulls the trigger at the national level.
What Powers Does AESIA Actually Have?
Many Spanish SMEs assume that AI regulation is a distant concern that only affects large tech companies. That assumption is increasingly incorrect. AESIA’s enforcement toolkit is substantial:
Supervisory powers:
- Request and review conformity assessments, technical documentation, and risk management records
- Commission or conduct direct testing of AI systems, including access to training data
- Conduct post-market monitoring of AI incidents reported in Spain
- Coordinate cross-border enforcement with EU AI authorities
Corrective and punitive powers:
- Issue corrective orders requiring companies to bring systems into compliance by a set deadline
- Suspend access to or use of a non-compliant AI system in Spain
- Order market withdrawal of non-compliant products
- Issue administrative fines in the amounts below
- Refer serious cases to the Ministerio Fiscal for potential criminal liability
Advisory role:
- Publish guidance documents and interpretive notes (several already published)
- Operate a regulatory sandbox for innovative AI products that want to test under supervised conditions before full market release
The fine structure follows the three-tier EU AI Act model:
| Infraction | Maximum Fine | Turnover Cap |
|---|---|---|
| Prohibited practices (Art. 5) — social scoring, subliminal manipulation, real-time biometric surveillance | EUR 35,000,000 | 7% global annual turnover |
| High-risk AI non-compliance — missing documentation, no conformity assessment, not registered in EU database | EUR 15,000,000 | 3% global annual turnover |
| Misleading information provided to AESIA or notified bodies | EUR 7,500,000 | 1.5% global annual turnover |
For SMEs, the regulation explicitly requires proportionality — first-time, good-faith violations are more likely to receive corrective orders than maximum fines. But that window for good-faith treatment narrows once the August 2026 deadline passes.
The Enforcement Timeline: Where We Are Right Now
```mermaid
gantt
    title EU AI Act Enforcement Timeline (Spain / AESIA)
    dateFormat YYYY-MM
    axisFormat %b %Y
    section Prohibited Practices
    Art. 5 prohibited practices ENFORCEABLE :crit, done, 2025-02, 2025-08
    section GPAI Models
    GPAI transparency + safety obligations :done, 2025-08, 2025-08
    GPAI Code of Practice published :done, 2025-10, 2025-10
    section AI Literacy
    AI literacy training required (deployers) :done, 2025-08, 2025-08
    section High-Risk AI
    Annex III full compliance deadline :crit, 2026-08, 2026-08
    EU database registration required :2026-08, 2026-08
    Conformity assessment mandatory :2026-08, 2026-08
    section Legacy Systems
    Annex I legacy high-risk systems :2027-08, 2027-08
    section AESIA Active
    AESIA enforcement active (Spain) :active, 2024-08, 2027-08
```
April 2026 — where you stand today:
- Prohibited practices (Article 5) have been enforceable since February 2025. If you are using social scoring systems, subliminal AI manipulation, or real-time biometric surveillance in public spaces without an exception, you are already in violation.
- AI literacy training for staff who interact with AI systems has been required since August 2025. You need documented evidence that relevant employees have received it.
- The August 2, 2026 deadline — full compliance for Annex III high-risk AI systems — is 4 months away.
AESIA vs AEPD: You Are Likely Regulated by Both
A critical point that most businesses miss: AESIA and the AEPD are separate regulators with overlapping jurisdiction whenever AI systems process personal data — which most AI systems do.
| Dimension | AESIA | AEPD |
|---|---|---|
| Legal basis | EU AI Act (Regulation 2024/1689) | GDPR + LOPDGDD |
| Focus | AI system safety, risk classification, human oversight, transparency | Personal data processing, privacy rights, data subject protection |
| Fines issued by | AESIA | AEPD |
AESIA and AEPD have published a joint statement confirming that coordinated inspections will be standard for AI-related investigations. This means a single AI deployment could trigger simultaneous inquiries from both agencies. Compliance with one does not satisfy the other.
For a deeper look at the GDPR obligations that run alongside AESIA’s AI Act requirements, see our GDPR and AI Convergence guide.
What Spanish SMEs Must Do Right Now — A Practical Action Plan
The following steps are ordered by urgency. The first group is already overdue. The second group must be completed before August 2, 2026.
Already Overdue (Do Immediately)
1. Conduct an AI inventory. List every AI system or tool used in your operations, including SaaS tools with embedded AI features (HR software, CRM tools, chatbots, content generators). Most businesses have 10–30 such tools and have never catalogued them.
2. Run a prohibited-practices audit. Verify that none of your AI use cases fall under Article 5 of the EU AI Act — social scoring, subliminal manipulation, emotion recognition in workplaces (with limited exceptions), or real-time biometric identification in public spaces without legal basis. These have been banned since February 2025.
3. Document AI literacy training. If you deploy AI tools and your staff interact with them, you are a “deployer” under the AI Act. Since August 2025, you are required to ensure staff have adequate AI literacy — understanding the system’s capabilities, limitations, and risks. A short course with a written completion record satisfies the minimum standard.
Before August 2, 2026 (Critical Deadline)
4. Classify each AI system by risk level. For every system in your inventory, determine whether it falls into the Annex III high-risk categories. The categories are: employment and HR, credit and financial assessment, education, law enforcement, biometric identification, critical infrastructure, migration and border control, and justice/democratic processes. AESIA has published classification guidelines on its website to help with this determination.
5. Build a compliance package for any high-risk systems. If you have Annex III systems, you need: a documented risk management system, technical documentation per Annex IV, data governance records, automatic logging for traceability, human oversight controls, accuracy and robustness testing results, and a post-market monitoring plan.
6. Register high-risk systems in the EU database. Any high-risk AI system must be registered in the EU AI Act public database before deployment. This must be done before the August deadline.
7. Complete a conformity assessment. For most Annex III systems, self-assessment is permitted. For biometric systems and certain critical infrastructure AI, third-party assessment by a notified body is required.
8. Prepare your AESIA inspection readiness. If AESIA initiates an inspection, you will typically have 15 business days to produce your technical documentation. Run a mock exercise: can you produce your risk management records, classification rationale, and human oversight documentation within that window?
For a detailed breakdown of the August deadline and month-by-month action plan, see our post on the EU AI Act August 2026 deadline.
What AESIA Has Already Published
As of April 2026, AESIA has published substantive guidance documents that Spanish businesses can and should use:
| Document | Key Content |
|---|---|
| AI Act Implementation Guide for Operators | Step-by-step compliance obligations by risk category |
| Regulatory Sandbox Framework | Application process and eligibility for supervised testing |
| High-Risk AI Classification Guidelines | Practical Annex III classification with sector-specific examples |
| AI Literacy Training Minimum Standards | What counts as sufficient training for deployers |
| Joint AESIA-AEPD Statement | How simultaneous AI Act + GDPR compliance works in practice |
| SME Fast-Track Compliance Guidance | Simplified pathway for businesses under 250 employees |
All documents are available on the AESIA official portal. Primary language is Spanish; some materials have English translations.
The EU AI Act full text is available directly at EUR-Lex.
The Local AI Compliance Advantage
One structural compliance risk that many businesses overlook: when AI systems run on cloud infrastructure with third-party providers, the audit trail for data governance, logging, and human oversight becomes dependent on that provider’s disclosures. AESIA can and will ask about your data governance chain.
Local AI deployments — where inference runs on hardware within your premises — are structurally simpler to audit. You control the logs, the data pipeline, the access controls, and the monitoring infrastructure. When AESIA asks for documentation, you produce it directly without needing to coordinate with a cloud provider.
This is one reason why the Edge AI model has a compliance advantage, particularly for SMEs that want to deploy AI in HR, document processing, or client-facing workflows without taking on significant regulatory exposure.
Work With VORLUX AI on AESIA Compliance
VORLUX AI provides AESIA compliance services as part of every AI deployment engagement. Our compliance services for Spanish SMEs include:
- AI Inventory Audit — Map all AI systems in use, classify each by risk level, identify gaps
- Article 5 Gap Check — Verify no current use cases fall under prohibited practices
- Annex III Classification Report — Written determination with reasoning traceable to AESIA guidance
- Technical Documentation — Draft or review the Annex IV documentation package
- AI Literacy Training Programme — Design and deliver training meeting AESIA minimum standards
- Joint AESIA + AEPD Compliance — One engagement covers both regulatory regimes
All AI deployed by VORLUX AI runs on local hardware — no data leaves your premises. This directly reduces your AESIA documentation burden, your GDPR exposure, and your third-party processor chain.
Pricing:
- Initial compliance scan: EUR 800 flat — AI inventory, risk classification, gap report
- Full compliance package: included in Edge AI deployment engagements (custom scope)
- Ongoing compliance retainer: EUR 200/month — annual review, AESIA guidance monitoring, incident support
Start Now — The Window Is Closing
AESIA is active. The August 2026 deadline is real. The penalties are proportionate but substantial even for SMEs. The companies that will have a smooth August 2026 are the ones doing the work in April, May, and June 2026 — not in July.
Start with your AI inventory. If you find you are using AI tools you have never catalogued, that is your first signal that compliance work is needed.
Contact VORLUX AI for a compliance consultation — we will work through your AI inventory, classify your systems, and identify your exposure in a single structured engagement.
Explore our AI compliance and deployment services — including the SME fast-track compliance package and our local Edge AI deployments for Spanish businesses.
The regulation exists. Your regulator is staffed and operating. The question is whether you are ready.