Contact us
  • Case Studies

Case Study: Spain’s AI governance in the era of the EU AI Act)

This case study explores Spain’s leadership in AI governance within Europe, focusing on the implementation of the EU AI Act and the establishment of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA). It analyzes Spain’s historical AI strategy, major developments from 2020 to 2025, key stakeholders, policy responses, and the societal and economic impact of AI regulation. The study also evaluates challenges for SMEs, ethical concerns, and international implications, offering evidence-based recommendations for responsible and sustainable AI adoption in Europe.

Spain entered the 2020s with a national AI strategy—ENIA (Estrategia Nacional de Inteligencia Artificial)—as part of the broader Spain Digital 2025 agenda, positioning AI as a growth and public-service modernisation lever while anchoring it in fundamental-rights protections. 

Major developments 

  • EU rulebook finalised. The EU AI Act was adopted in June 2024, entered into force on 1 Aug 2024, and phases in obligations through 2025–2027 (prohibitions and AI-literacy duties from Feb 2025; GPAI model rules from Aug 2025; most high-risk obligations by Aug 2026/27). 

  • Spain creates Europe’s first dedicated AI supervisor. The Spanish Agency for the Supervision of AI (AESIA)—headquartered in A Coruña—opened in 2025, tasked with AI oversight, literacy and sandboxing, and coordinating with Spain’s data-protection authority (AEPD). 

  • Supervision & sandboxes. The Commission and Member States launched AI regulatory sandboxes to let firms test systems with supervisors—informing EU-wide implementation and guidance. 

  • Data-protection interface. Spain’s AEPD expanded AI-relevant guidance and clarified its role on AI systems that process personal data—key to avoiding supervisory overlaps with AESIA. 

  • Broader European & international frame. In May 2024, the Council of Europe adopted the first international AI treaty (open beyond the EU). UNESCO’s 2021 Recommendation on AI Ethics continues to shape national literacy and governance programmes. 

Key stakeholders

  • National: AESIA; AEPD (privacy); Ministry of Economic Affairs & Digital Transformation; regional governments (innovation, skills); SME/start-up ecosystem; large platforms; labour unions; civil-society organisations on digital rights. 

  • EU-level: European Commission (AI Act implementation, guidance, sandboxes), European Parliament/Council (co-legislators), national market-surveillance authorities. 

  • International: OECD (AI Principles, country dashboards), Council of Europe (AI Convention), UNESCO (ethics). 

Policy responses (national, regional/EU, international)

National (Spain)

  • Institution-building: Stand-up of AESIA; staffing up and launching guidance, literacy and sandbox activities; cooperation protocols with AEPD

  • Strategy & investment: ENIA actions under the Spain Digital agenda (skills, R&D, data spaces, public-sector AI). 

EU/Regional

  • EU AI Act rollout: Phased applicability; Commission rejects calls to delay the timeline; simplification initiatives promised to ease burdens, notably for SMEs. 

  • Regulatory sandboxes & guidance: Member-state sandboxes plus Commission guidance to harmonise enforcement and reduce fragmentation. 

International

  • Council of Europe AI Convention and OECD AI Principles provide converging norms on risk-based, rights-respecting AI; useful for Spain’s external cooperation and cross-border assurance. 

Critical evaluation: outcomes & implications (2024–2025)

What’s working

  • Early institutional clarity. Spain gains a first-mover advantage by designating AESIA and clarifying its interface with AEPD, improving predictability for companies deploying AI. 

  • Legal certainty & the “Brussels effect.” A single, risk-based EU rulebook reduces multi-country compliance patchwork and projects standards globally (suppliers adapt to access the EU market). 

  • SME on-ramps. Sandboxes and AI-literacy duties encourage safer experimentation and user awareness before full obligations bite. 

Gaps & risks

  • SME compliance capacity. Even with sandboxes, smaller firms face documentation, risk-management, and post-market monitoring costs that may slow innovation or shift it to “lower-risk” niches. (Assessment based on EU timeline and SME concerns reported to the Commission.) 

  • Supervisor coordination. Overlap between privacy, consumer-protection, product-safety and AI-specific oversight can confuse developers; clear “lead authority” models and joint procedures are still maturing. 

  • Talent & literacy bottlenecks. Rapid AI adoption strains public-sector skills; literacy obligations help but require sustained funding and teacher training to reach schools and SMEs. 

Societal & economic implications

  • Trust & uptake: Rights-preserving design and transparency can raise citizen trust, but over-cautious interpretations could deter beneficial public-sector AI (e.g., health triage, mobility). 

  • Regional development: Locating AESIA in A Coruña spreads digital-economy benefits beyond Madrid/Barcelona and seeds a governance-tech cluster. 

Global impact

  • Standard-setting beyond the EU. The EU Act, CoE Convention, OECD principles and UNESCO ethics together shape a de facto global baseline for “trustworthy AI,” influencing suppliers from the US to Asia who seek EU access. 

Recommendations 

  1. “SME-first” compliance pathways
    Create template technical documentation, conformity-assessment checklists, and open-source risk-management toolkits co-published by AESIA/AEPD; offer vouchers for third-party audits for SMEs building high-risk systems. (Aligns with EU push to ease burdens on small firms.) 

  2. One-stop supervisory coordination
    Stand up a single online gateway for AI notifications, sandbox entry, and guidance that routes cases to AESIA, AEPD, consumer- and product-safety authorities—backed by MoUs and SLAs to cut delays. 

  3. Public-sector exemplars
    Fund reference implementations (e.g., clinical decision-support with bias audits; school-admin chatbots with transparency notices) that publish model cards, DPIAs, and post-market reports—creating reusable patterns for municipalities. 

  4. Regional skills & literacy flywheel
    Expand AI-literacy programmes tied to teacher training, vocational centres, and SME chambers; co-brand with UNESCO/OECD frameworks to ensure content quality and international portability. 

  5. International interoperability
    Map Spain’s conformity assessments to the Council of Europe AI Convention and OECD practices to streamline cross-border assurance and procurement. 

Selected sources

  • EU AI Act (Regulation (EU) 2024/1689)—text & timelines. (EUR-Lex)

  • European Parliament explainer: phased applicability. (European Parliament)

  • European Commission: AI regulatory sandboxes. (Digital Strategy)

  • AESIA (Spanish AI supervisor): mission & setup; Commission project page on A Coruña HQ. (Aesia)

  • AEPD (Spanish data-protection authority): innovation tools and AI-related guidance; coordination role. (aepd.es)

  • OECD AI Principles & Spain dashboard; UNESCO AI ethics. (OECD AI)

  • Reuters (July 2025): Commission sticking to AI Act timelines despite industry requests to delay. (Reuters)

Share the Post:

Related Posts

Your Partner in Real Innovation

We design and develop pioneering projects, conduct meaningful research, and build products that shape the future.