16 June, 2026

Artificial intelligence is no longer a matter reserved for major technology companies or innovation departments. Today, it is used by businesses of all sizes to automate tasks, analyse data, serve customers, create content, support recruitment processes, detect risks and improve decision-making.

And that is precisely why regulation is now becoming central.

Spain’s Draft Organic Law on the proper use and governance of artificial intelligence marks an important step forward. This is not yet a definitively approved law, but rather a text currently going through the parliamentary process. Even so, its content already allows us to anticipate the direction in which Spain’s legal framework for AI is heading.

The main idea is simple: the EU Artificial Intelligence Act establishes a common framework for the whole European Union, and Spain needs to organise how that framework will be applied within its own legal system.

This affects companies that develop artificial intelligence, but also those that simply use it in their internal processes. And this is one of the key points in the new scenario: it is no longer enough to say, “we do not develop AI”. If a company integrates AI into its activity, it may assume obligations relating to control, transparency, documentation and supervision.

What is Spain’s Draft Organic Law on Artificial Intelligence?

The Draft Organic Law on the proper use and governance of artificial intelligence aims to adapt the Spanish legal system to the EU Artificial Intelligence Act, also known as the AI Act.

The EU Regulation sets out the general rules: which uses of AI are prohibited, which systems are considered high-risk, what obligations providers and deployers must comply with, and what safeguards must be applied to protect health, safety and fundamental rights.

The Spanish draft law does not create a parallel regime, nor can it rewrite the European framework. Its role is more practical: to define who supervises compliance, how complaints are handled, which authorities are involved, how sanctions are applied and what specific measures are adopted within Spain’s central government public sector.

Put simply: Europe sets the common framework, and Spain builds the internal system to apply it.

What Spain develops from the EU AI Act

The Draft Law develops several aspects that the EU AI Act leaves to Member States. Four areas are particularly important.

The first is national governance. Spain must designate the competent authorities responsible for supervising compliance with the Regulation, coordinating market surveillance and acting in the event of possible infringements.

The second is the sanctions regime. The EU Regulation establishes the broad limits, but each State must specify the procedure, the competent authorities and how those sanctions will be applied in its territory.

The third is controlled testing environments, also known as regulatory sandboxes. These environments allow innovative AI systems to be tested under supervision, with greater legal certainty and before they are placed on the market or put into service.

The fourth is the development of measures for the proper use of AI in the central government public sector. This is especially relevant because public authorities may use AI systems in procedures that have a direct impact on citizens and businesses.

The Spanish draft law should therefore not be understood as an isolated piece of legislation. It is a national implementation measure within a broader European framework.

How much room does Spain have to regulate artificial intelligence?

Spain does have some room to regulate, but it is limited.

The EU AI Act is directly applicable and seeks to prevent each country from creating its own substantive rules on artificial intelligence. If every Member State established different obligations for the same systems, the European market would become fragmented and businesses would have to comply with different regimes in each country.

For that reason, Spain cannot decide again which uses are permitted, which are prohibited or what basic technical obligations high-risk systems must meet when those issues are already regulated at European level.

What Spain can do is organise national implementation. In other words, it can decide which authorities are involved, how competences are distributed, how sanctions procedures are handled, how complaints are managed and what internal rules apply to the central government public sector.

It can also introduce adjustments to Spanish sector-specific rules, provided they do not contradict the EU Regulation. In fact, the Draft Law envisages amendments in areas such as the General Tax Law, Social Security and electoral legislation.

In practice, this means businesses will need to look at two levels at the same time: the EU AI Act and the future Spanish implementing legislation.

Which businesses may be affected by this regulation?

One of the most common mistakes is to assume that AI regulation only affects those who train models or develop tools from scratch.

That is not the case.

The new framework may affect providers, distributors, importers, integrators and deployers of AI systems. In business terms, this includes both technology companies and companies that incorporate artificial intelligence solutions into their day-to-day operations.

For example, a company may be affected if it uses AI to screen candidates in a recruitment process, assess employee performance, classify customers, automate credit decisions, manage complaints, detect fraud, personalise prices or provide automated customer service with a significant impact on users.

The key issue is not only the tool itself, but its specific use.

Using AI to summarise internal documents is not the same as using it to make or influence decisions that affect rights, employment, access to essential services or the processing of personal data.

Practical obligations for businesses using AI

For a company that does not develop artificial intelligence, but does use it internally, the main change will be the move from informal use to organised and documented management.

The first step should be to create an internal map of AI uses. Many organisations already use AI tools without having a complete picture of where they are used, who uses them, what data they work with and what impact they may have.

It is then advisable to classify those uses by risk level. Some will be minimal risk, such as certain productivity support tools. Others may require more caution, especially when AI is involved in human resources, credit, security, compliance, customer service or essential services.

It will also be important to review contracts with providers. The company needs to know which system it is using, what guarantees the provider offers, what documentation exists, what usage limitations have been established and how security, data and liability are managed.

This should be accompanied by internal policies. For example: what data may be entered into AI tools, which uses are prohibited, who authorises new use cases, how results are supervised and what should be done if an error, bias or incident is detected.

Training will also be essential. AI literacy should not be limited to the technical team. Anyone using AI tools within the company should understand their limits, risks and conditions of use.

How to know whether an AI system may be high-risk

One of the most important questions for any business will be this: could the AI system I use be considered high-risk?

To answer that, it is necessary to analyse the purpose of the system, its actual use and the context in which it is applied.

The EU AI Act classifies certain systems used in particularly sensitive areas as high-risk, including biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, justice and democratic processes.

In a business context, a clear warning sign appears when AI is used to make decisions, or to significantly influence decisions, that affect natural persons.

For example, there may be high risk if AI screens candidates, recommends hiring decisions, assesses employees, classifies customers for financing purposes, prioritises access to essential services or is involved in processes with significant consequences for an individual.

Companies should not rely solely on the commercial label used by the provider. The fact that a tool is presented as an “assistant”, “recommendation engine” or “smart solution” does not resolve the legal analysis. What matters is how it is actually used.

That is why, where there is any doubt, it is advisable to document the assessment: use case, purpose, data processed, impact on individuals, degree of human intervention, control measures and conclusion on risk level.

AI, data protection and workplace transparency

Spain’s Draft AI Law does not replace the GDPR or Spanish data protection legislation. It complements them.

This is especially important because many artificial intelligence systems process personal data. If a company uses AI with information relating to customers, employees, candidates, users or suppliers, it must continue to comply with GDPR principles: lawful basis, transparency, data minimisation, purpose limitation, security, data subject rights and, where applicable, impact assessment.

In the employment context, the issue is even more sensitive. Spain already recognises the right of workers’ legal representatives to receive information on the parameters, rules and instructions of algorithms or AI systems that affect decisions with an impact on working conditions, access to employment or continued employment.

This means that a company using AI in human resources must coordinate several layers at once: compliance with the EU AI Act, data protection, workplace transparency and internal risk management.

It is not enough to implement a tool because it is efficient. The company must be able to explain how it works, what data it uses, what role it plays in the decision and what human supervision exists.

What role will AESIA play?

The Spanish Agency for the Supervision of Artificial Intelligence, known as AESIA, will be a central part of the Spanish model.

The Draft Law positions it as the market surveillance authority for different AI systems, particularly in cross-cutting areas and for certain high-risk systems. It will also play an important role in coordinating, supervising and applying the European framework in Spain.

However, AESIA will not act alone. The model will necessarily be distributed, because AI can affect many different sectors. When the use of AI involves the processing of personal data, the Spanish Data Protection Agency will continue to play a key role. If it affects financial services, financial authorities may intervene. If it concerns insurance, consumer protection, competition, telecommunications, justice or electoral processes, other supervisory bodies may also become involved.

For businesses, this means compliance should not be viewed solely in technological terms. It will be necessary to analyse the sector, the type of data, the system’s impact and the authority that may have competence.

In other words, there will not be a single supervisor for every case. There will be a networked model.

Sanctions regime: why it is worth preparing in advance

One of the most visible aspects of the Draft Law is the sanctions regime.

Infringements are classified as very serious, serious or minor. In the most serious cases, sanctions may reach very high amounts, following the logic of the EU AI Act.

But the risk is not only financial. In certain cases, the competent authority may adopt measures such as withdrawing the product, disconnecting the system or prohibiting its use where there is an unacceptable or serious risk to individuals.

Reputational damage can also be significant. A company sanctioned for improper use of AI faces not only a fine, but also a loss of trust among customers, investors, employees or public authorities.

That is why the right approach should not be to wait until there is a sanction. The key lies in prevention: inventory, risk classification, documentation, contracts, human supervision, training and incident response.

Proper use of AI in the central government public sector

The Draft Law pays particular attention to the central government public sector.

This makes sense because public authorities may use AI systems in administrative procedures, public services or actions that directly affect citizens and businesses. In these contexts, transparency and traceability are especially important.

The text envisages obligations such as providing up-to-date information on the use of AI systems, creating an inventory of systems used in administrative procedures and appointing an artificial intelligence officer in central government public sector entities.

This officer will play a role in internal coordination, advice and monitoring of the proper use of the technology. In some respects, the logic is similar to that of the data protection officer, although the scope is different: promoting internal policies, coordinating regulatory compliance and helping to integrate technical and legal criteria into AI projects.

Although these obligations are aimed at the central government public sector, they point to a clear trend for the market as a whole: AI will increasingly need to be explainable, governed and documented.

Regulatory sandboxes: an opportunity for start-ups and technology companies

Controlled testing environments may be one of the most interesting parts of the Draft Law for start-ups, scale-ups and technology companies.

A regulatory sandbox allows innovative AI systems to be tested in a supervised environment, for a specific period of time and with guidance from the competent authority. The aim is to reduce uncertainty, facilitate compliance and allow companies to validate their solutions before launching them on the market.

For a start-up, this can be especially useful. Many early-stage companies have the technical capacity to develop advanced solutions, but do not always have sufficient resources to interpret and apply all regulatory requirements from the outset.

The sandbox can help identify risks, improve documentation, adjust controls, validate mitigation measures and build trust with customers, investors or strategic partners.

However, it should not be understood as an obligation-free zone. Quite the opposite: its purpose is to test and innovate within a controlled framework, with safeguards and supervision.

What businesses should do in the coming months

Although the Draft Law is still going through the parliamentary process, businesses should not wait for its final approval before taking action.

Preparation can begin now with very specific measures.

First, it is advisable to identify all uses of AI within the organisation. This includes official tools contracted by the company, but also informal uses by teams relying on open solutions or third-party applications.

Second, those uses should be classified by risk. Not all of them require the same level of control, but they should all be located and at least minimally documented.

Third, contracts with technology providers should be reviewed. The company needs to know what guarantees it receives, what usage instructions exist, what responsibilities each party assumes and what happens if the system fails or generates an unwanted impact.

Fourth, it is advisable to approve an internal AI use policy. This policy should be clear, practical and easy for teams to understand. The aim is not to create a complex document that nobody consults, but to establish useful rules for day-to-day work.

Fifth, people who use AI should be trained. Training should cover issues such as confidentiality, data protection, bias, human review, intellectual property, prohibited uses and escalation criteria when doubts arise.

Finally, it is important to appoint a person or team responsible for coordination. AI governance cannot depend on isolated decisions. It must connect legal, compliance, technology, human resources, business and information security.

Regulation can also generate trust

Artificial intelligence regulation is often viewed through the lens of sanctions. That is understandable, because fines can be high. But the real change goes further.

The new framework requires companies to ask themselves how they use AI, with what controls, with what data, with what supervision and with what impact on people.

This may seem like a burden, but it is also an opportunity. Organisations that bring order to their use of artificial intelligence will be better prepared to innovate safely, negotiate with providers, respond to customers, participate in tenders, attract investment and reduce risks.

AI is not going to slow down. What is changing is that its use will need to be more responsible, more transparent and more governed.

AI is now a legal and strategic issue

The Draft Organic Law on the proper use and governance of artificial intelligence confirms a reality that many businesses are already experiencing: artificial intelligence is no longer just a technological tool.

It is also a legal, organisational and strategic issue.

For companies, the message is clear: adopting AI is not enough. They need to know what they are using, for what purpose, with what data, under what conditions, with what risks and with what controls.

For start-ups and technology companies, the new framework also opens up an opportunity: to develop AI solutions with greater legal certainty, especially if they make use of tools such as controlled testing environments.

In this scenario, having specialist advice in digital law, data protection, new technologies and regulatory compliance will be key to implementing artificial intelligence in a safe, proportionate way that is aligned with both the European and Spanish frameworks.
