Spain's AI Supervisor in One Hour: What a CEO Needs to Know About AESIA's 16 Official Guides
The 16 official guides from Spain's AI Supervision Agency (AESIA), explained in plain language for business leaders. Deadlines, real penalties for SMEs, and common pitfalls to avoid before August 2026.
Why you need to know AESIA before August
Spain was the first country in the European Union to set up an agency specifically dedicated to supervising artificial intelligence. AESIA (the Spanish AI Supervision Agency) was created by Royal Decree 729/2023, dated 22 August, published in the Official State Gazette on 2 September 2023. Its permanent headquarters, granted by the City Council, will be the “La Terraza” building in the Méndez Núñez Gardens of A Coruña; while works are completed, AESIA has been operating from a provisional site at the Casa Veeduría in the historic centre since February 2025.
Nobody on your team is thrilled to read a Royal Decree. But on 2 August 2026 the transparency and human oversight obligations of the EU AI Act enter into force, and AESIA is the body that will inspect and fine.
If your business uses any AI-powered system, this applies to you. The good news is that in December 2025 AESIA published a set of 16 official guides that digest the regulation for you. The bad news is that most are technical and no one has summarised them well for someone who does not run an internal legal team.
That is what we will do here. After one hour of reading, you will know what applies to your business, what does not, and what you need to put in place before August.
AESIA’s 16 guides, grouped by block
The guides were published in three blocks: introductory, technical, and self-assessment. They come with a ZIP file of diagnostic checklists for twelve different areas.
Block 1: Introductory (guides 1-2)
| # | Guide | What it solves |
|---|---|---|
| 1 | Introductory guide to the AI Regulation | General overview: who it applies to, risk levels, timeline |
| 2 | Practical guide with examples | Concrete cases to understand how any business fits in |
Block 2: Technical (guides 3-15)
| # | Guide | Topic |
|---|---|---|
| 3 | Conformity assessment | How to validate that a system complies |
| 4 | Quality management system | Required internal processes |
| 5 | Risk management system | Identification and mitigation |
| 6 | Human oversight | Human supervision required by the Regulation |
| 7 | Data and data governance | How to manage the datasets feeding your AI |
| 8 | Transparency | What information to provide to users and authorities |
| 9 | Accuracy | Acceptable accuracy metrics |
| 10 | Robustness | System behaviour under errors |
| 11 | Cybersecurity | Protection against attacks on the model |
| 12 | Automatic logging / log files | What to log and for how long |
| 13 | Post-market monitoring plan | Monitoring after deployment |
| 14 | Reporting of serious incidents | When and how to notify AESIA |
| 15 | Technical documentation | What records to keep |
Block 3: Self-assessment (guide 16)
| # | Guide | Purpose |
|---|---|---|
| 16 | Manual for using the checklists | Practical application of the ZIP of compliance checklists |
The full guides are available on the official AESIA page and in the Spanish Government press release of 11 December 2025 announcing their publication.
What applies to your business
The most common mistake is to think that AESIA only affects tech companies or large corporations. False. The EU AI Act distinguishes four levels of risk, and all of them can touch an ordinary business depending on its uses:
- Unacceptable risk (prohibited): social scoring, subliminal manipulation, emotion recognition at the workplace, biometric categorisation to infer sexual orientation, religion or race. If your business does any of this, it must stop.
- High risk (Annex III): CV screening by AI, credit scoring, biometric identification, automated decisions affecting rights. Many businesses fall here without knowing it: for example, a system that filters job candidates automatically.
- Limited risk (transparency): chatbots, deepfakes, AI-generated content. Obligation to label and warn the user.
- Minimal risk: spam filters, basic recommenders, AI in video games. No special obligations.
If you deploy or use any AI system, the first step is to classify it. Guides 1, 2 and 5 (risk management) are your first stops. If your system falls into the transparency or high-risk category, operational obligations start to apply.
The real timeline, with a nuance almost nobody mentions
This is what should be on your calendar:
| Date | What enters into force |
|---|---|
| 2 February 2025 | Prohibited practices (art. 5) and obligation to train staff (art. 4) |
| 2 August 2025 | Sanctions, governance and obligations for GPAI models |
| 2 August 2026 | Transparency (art. 50) and most high-risk obligations of Annex III |
| 2 August 2027 | High-risk systems embedded in already regulated products (Annex I) |
The nuance: on 7 May 2026, the Council and the European Parliament reached a provisional political agreement known as the Digital Omnibus that delays part of the high-risk obligations of Annex III to 2 December 2027 and systems embedded in products to 2 August 2028. It is a provisional agreement pending formal adoption and publication in the Official Journal before 2 August 2026. What remains fully in force for that date is the transparency obligation of article 50 and the AI literacy obligation of article 4.
Practical takeaway: even if part of the regulation is relaxed, what you already had to have ready (staff AI literacy, labelling of chatbots, marking of AI-generated content) is still enforceable in August. For more context on the related privacy obligations, see our previous post on AI data security and privacy for businesses.
Real penalties, without alarmism
Headlines speak of 35 million euros. That is for large corporations engaging in prohibited practices. For an SME the figures are very different, and a detail changes everything.
Article 99 of the EU AI Act sets three tiers:
| Infringement | Fixed cap (large company) | Turnover cap (large company) |
|---|---|---|
| Prohibited practices (art. 5) | 35 M€ | 7% of worldwide turnover |
| Breach of obligations | 15 M€ | 3% of worldwide turnover |
| Incorrect information to authorities | 7.5 M€ | 1% of worldwide turnover |
For large companies, the higher of the fixed amount and the percentage applies. For SMEs and startups, the Regulation requires the lower of the two to apply, proportionate to economic viability.
Translated for a business with 2 million euros of annual revenue: the maximum fine for the most serious infringement (prohibited practices) is 140,000 € (7% of turnover), not 35 million. Still serious, but not existential ruin.
The regulatory sandbox: an opportunity your business can leverage
Spain regulated the controlled testing environment back in November 2023 (Royal Decree 817/2023), but the operational activation and selection of the first participants were officially announced on 3 April 2025. The sandbox thus came sixteen months ahead of the European deadline of August 2026. It is the first AI sandbox in the European Union.
In the first call, 12 high-risk AI systems from Spanish companies were selected, across six sectors: essential services, biometrics, employment, critical infrastructure, industrial machinery and medical devices. Participants included Airbus Operations, Tucuvi, Bit&Brain, Imotion Analytics, Loradix RED and Made of Genes, among others.
AESIA’s 16 guides are not improvised: they are the direct result of lessons learned in the sandbox. That is why they are so operational compared to typical EU regulations.
For a business with a high-risk or potentially high-risk AI system, entering the sandbox is free and provides technical guidance from the regulator itself. Information about upcoming calls is published at Spain Digital 2026.
Who does what: AESIA, AEPD, CNMC
Another frequent confusion: AESIA does not replace the AEPD (Spanish Data Protection Agency). They coexist, and the competence split matters:
- AESIA: general supervision of AI systems, sandbox, sanctions under the AI Regulation.
- AEPD: any processing of personal data by AI. Biometrics, prohibited systems affecting personal data, GDPR.
- CNMC: impact on competition and markets.
- Bank of Spain: credit scoring.
- DGSFP: insurance.
- CGPJ: application in justice.
If your business uses an AI system that processes personal data (most do), both AESIA and AEPD apply. The two authorities coordinate, but sanctions can come from either.
Common compliance pitfalls
These are the misunderstandings worth dismantling before making decisions:
- “AESIA only affects tech companies”. False. Any business that uses AI for staffing, automated customer service, scoring or biometrics is in scope.
- “Fines are always 35 million”. False for SMEs: the percentage applies, which is the smaller amount.
- “The whole Regulation enters into force on 2 August 2026”. False after the Digital Omnibus. Much of the high-risk regime is delayed to December 2027.
- “AESIA replaces AEPD”. False. If there is personal data, GDPR and AEPD also apply.
- “The guides are optional”. False in practice. They are not binding, but AESIA uses them as a technical reference when it inspects.
Minimum plan for a business before August 2026
If you have budget for only four things, do them in this order:
- Inventory of AI systems. List every system that uses AI in your company, including corporate ChatGPT, email assistants, HR systems, automated scoring and chatbots. No compliance is possible without an inventory.
- Risk classification. For each system, classify it under the four categories (prohibited, high, limited, minimal) using AESIA guide 2.
- AI literacy for staff (an obligation already in force since February 2025). Well-structured internal sessions are enough. Guide 1 indicates the expected scope.
- Labelling of chatbots and AI-generated content. Any conversation with AI must warn the user. Any image, video or text generated must carry a mark.
With those four steps your business will be aligned with the essentials of article 50 and article 4 for August. Advanced high-risk obligations, where they apply, are worked through with guides 3-15.
If you need guidance, at Utilia we run AI Act audits specifically scoped for Spanish businesses, combining technical review and compliance roadmap. If you would rather understand first what kind of consultant fits, see our post on when you need AI consulting.