The Government approves the draft Organic Act on the responsible use and governance of artificial intelligence
On 12 June 2026, the Draft Organic Law on the Proper Use and Governance of Artificial Intelligence (hereinafter the “Draft” or the“LOIA”) was published in the Official Gazette of the Spanish Parliament, following the decision adopted by the Bureau of the Congress of Deputies on 8 June 2026, which referred the Bill to the Committee on Economy, Trade and Digital Transformation for its opinion and opened a fifteen-working-day period for amendments, ending on 30 June 2026.
The purpose of the Bill is to bring Spanish law into line with Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024, which lays down harmonised rules on artificial intelligence (hereinafter the ‘RIA’ or the‘AI Regulation’). The legislation does not replicate the obligations already set out in the Regulation, which is directly applicable, but merely elaborates on those aspects which the Regulation expressly delegates to Member States, thereby avoiding duplication within our legal system.
To this end, it regulates:
1. The governance and supervision framework at national level, through the designation of the competent national authorities:
The LOIA adapts the governance and supervision framework of the AI Regulation, distinguishing between the notifying authority and the market surveillance authorities, to which the power to impose sanctions is conferred. The Directorate-General for Artificial Intelligence, within the State Secretariat for Digitalisation and Artificial Intelligence, is designated as the notifying authority. It is responsible for the assessment, designation and supervision of conformity assessment bodies, drawing on the support of the National Accreditation Body (ENAC).
A decentralised supervision model has been adopted. The AESIA is designated as the market surveillance authority and is responsible, amongst other things, for high-risk systems relating to critical infrastructure, education, employment or biometrics not reserved for other authorities, as well as the transparency obligations set out in Article 50 of the RIA.
Likewise, the Spanish Data Protection Agency and the regional data protection authorities are designated as sectoral authorities, with the latter assuming responsibility for systems relating to biometrics, migration and border management. For its part, the General Council of the Judiciary is responsible for systems relating to the administration of justice. Furthermore, the Bank of Spain, the CNMV and the Directorate-General for Insurance and Pension Funds are responsible for solvency assessment systems and life and health insurance systems, within their respective areas of competence.
In all cases, the AESIA is designated as the single point of contact, responsible for liaising with European AI authorities and bodies.
Furthermore, a complaints system is established, enabling any natural or legal person to bring potential breaches of the Regulation to the attention of the authorities via a one-stop shop managed by AESIA, which must forward such complaints to the competent supervisory authority within a maximum of ten working days of receipt, without such a submission conferring the status of an interested party in any subsequent disciplinary proceedings. Article 10 also provides for a specific regime for the protection of whistleblowers, in line with Law 2/2023 of 20 February.
2. The governance of controlled testing environments for AI provided for in Article 57 of the RIA:
The LOIA regulates controlled testing environments for AI, aimed at promoting innovation and facilitating the development, testing and validation of innovative systems prior to their commercialisation. The AESIA shall be the authority responsible for the testing environment that must be established in accordance with Article 57.1 of the RIA, although additional testing environments may be established by the competent authorities within their respective spheres of competence.
The single derogatory transposition repeals Royal Decree 817/2023 of 8 November, which established a controlled testing environment for assessing compliance with what was then still a draft European AI Regulation.
3. Organisational measures to promote the responsible use of AI in the state public sector:
Chapter IV of the LOIA sets out the measures for the responsible use of AI in the state public sector, including the following:
- Inventory of AI systems: the obligation to draw up an inventory that is interoperable with the European register of high-risk systems, subject to certain exceptions (defence, national security, cybersecurity or fraud prevention).
- AI Officer: the appointment, by each public sector body, of an AI Officer responsible for coordinating the correct application of the regulatory framework and the responsible use of this technology.
- Awareness-raising and training: the promotion of awareness-raising and training initiatives on the responsible, sustainable and trustworthy development and use of AI.
4. The penalty regime applicable to AI systems for non-compliance with the RIA:
Finally, the LOIA sets out the classification of infringements and the penalty regime, in compliance with the provisions of Article 99 of the RIA, as shown in the table below[1]:
Category | Conduct | Parties | Maximum penalty |
Very serious (Article 14 LOIA) | Use or deployment of AI practices prohibited by Article 5 of the RIA (subliminal manipulation, social scoring, unauthorised real-time remote biometric identification, etc.). | Supplier, the party responsible for deployment, or any person who introduces, puts into service or uses the system. | €35,000,000 or 7% of global turnover. |
Very serious (Article 15 of the LOIA) | Failure to notify the competent market surveillance authority of a serious incident (Article 73 of the RIA). | Providers (and, failing that, those responsible for deployment). | €15,000,000 or 3% of global turnover. |
Serious (Article 17 of the LOIA) | Placing high-risk systems on the market without a quality management system, without prior conformity assessment, without technical documentation or without an authorised representative. | Suppliers. | €7,500,000 or 1% of global turnover. |
Serious (Article 21 of the LOIA) | Failure to comply with human oversight obligations, failure to carry out an impact assessment on fundamental rights (Article 27 of the RIA) or unauthorised use of remote biometric identification. | Those responsible for deployment. | €7,500,000 or 1% of global turnover |
Serious (Articles 19 and 20 of the LOIA) | Failure to verify the system’s compliance prior to its placing on the market. | Importers and distributors. | €7,500,000 or 1% of global turnover. |
Serious (Article 16 of the LOIA) | Resistance to or obstruction of an inspection, failure to comply with provisional measures imposed by the supervisory authority, and the submission of misleading information to notified bodies or national authorities. | Any operator. | €7,500,000 or 1% of global turnover. |
Serious (Articles 17 and 21 of the LOIA) | Failure to inform the user that they are interacting with an AI system or failure to properly label synthetic content generated by AI. | Providers and those responsible for deployment. | €7,500,000 or 1% of global turnover. |
Minor (Articles 23 to 29 of the LOIA) | Providing inaccurate or incomplete information to the authorities or notified bodies, failure to comply with formal labelling obligations, lack of an EU declaration of conformity, or breaches relating to identification and documentation. | Any operator. | €500,000 or 0.5% of global turnover. |
5. Final provisions:
Notable among the final provisions are the amendment to the General Tax Law, to reinforce the confidential nature of algorithmic and AI systems used in the prevention and control of tax fraud, the amendment to the General Social Security Act; and the amendment to the Organic Law on the General Electoral System, which designates the AESIA as the market surveillance authority for AI systems used in democratic processes. Furthermore, the second additional provision provides for the transformation of the AESIA, within six months, into a public-law body endowed with full organisational and functional independence.
As next steps, the Bill continues its parliamentary process, with the deadline for tabling amendments remaining open until 30 June 2026. Given the organic nature of certain provisions and their close link to the AI Regulation, its final approval will require close monitoring of both the parliamentary debate and the implementation timetable for the Regulation itself, the obligations of which are being rolled out progressively.
[1] In the case of SMEs and start-ups, the lower of the two amounts (percentage of global turnover or fixed sum) shall apply, in accordance with Article 99(6) of the AI Regulation. For public sector entities and constitutional bodies or those of constitutional significance, administrative fines shall not be imposed; instead, warnings and corrective measures shall be adopted, in accordance with Article 39 of the Draft.
Information note from the TMT department at ECIJA Madrid.
