Spain — AESIA & National AI Bill

Summary

AESIA (Agencia Española de Supervisión de la Inteligencia Artificial / Spanish Agency for the Supervision of AI) was established by Royal Decree 729/2023 (2023-08-22) and became operational on 2024-06-19.

Historical significance: the EU’s first dedicated AI regulator (early mover), established a year before the AI Act formally applied. Headquarters: A Coruña (autonomous community of Galicia).

Legal status

At the Spanish national level: a national agency under the Ministry for Digital Transformation and the Civil Service.
Under the EU AI Act: Spain’s single Market Surveillance Authority, corresponding to Article 70 of the AI Act.
Coordination with other national bodies: a division of labour with the Spanish Data Protection Agency (AEPD) and the Spanish telecoms regulator (CNMC).

Main functions

1. Market surveillance under the EU AI Act

Market surveillance and inspection of high-risk AI systems.
Receipt and handling of incident reports.
Coordination with other Member State MSAs.
Once the AI Act is fully applicable, AESIA will have inspection and penalty powers.

2. National AI sandbox (RD Sandbox)

A real regulatory sandbox, the EU’s first formally operational.
2025-04: 12 AI projects selected to participate.
Outputs fed into a public good-practice report, informing subsequent national legislation.

3. Compliance guidance

2024-12-10: 16 detailed guidance documents and non-binding checklists issued.
Guidance to firms on fulfilling AI Act obligations.
Compliance pathways specifically designed for SMEs.

4. Standards and evaluation

Promotion of national and international standards.
AI model evaluation methodologies.
Liaison with CEN-CENELEC JTC 21.

Spain’s National AI Bill

First reading passed at the Council of Ministers on 2025-03-11.
Currently in a public consultation period.
To be sent via expedited procedure to the Spanish parliament for debate.
Supplements (does not replace) the EU AI Act, setting finer rules within the scope of Member State autonomy.

Notable interpretive cases

2025 AESIA vs. generative-AI providers: detailed guidance on AI Act compliance issued; viewed by industry as an early-enforcement reference.
Coordination with other EU DPAs: the Italian Garante (Italian data protection authority) remains the EU’s most active AI regulator (ChatGPT ban, Replika ban), but AESIA is pioneering on AI-specific regulation.

Significance for global AI regulation

Early institution-building: demonstrates that a Member State can stand up a dedicated AI authority before the AI Act takes effect.
Sandbox first: a scaled AI sandbox as a compliance pathway.
Division of labour with the DPA: AI regulation does not replace the data-protection authority (GDPR enforcement still sits with the AEPD).
A reference for southern Europe: other southern European countries (Italy, Portugal, Greece) have drawn on the AESIA structure.

Primary text and links

Source	Link
AESIA website	aesia.digital.gob.es/en/es
Royal Decree 729/2023	BOE (2023-08-22)
European Commission AI Literacy page	digital-strategy.ec.europa.eu/…/aesia
2024-06 launch press release	lamoncloa.gob.es/…/20240619-ai-oversight-agency
White & Case Spain Tracker	whitecase.com/…/ai-watch-spain
AESIA’s 16 guidance documents (2024-12)	insideprivacy.com/…/spain-issues-guidance-under-eu-ai-act

Revision history

Date	Event
2023-08-22	Royal Decree 729/2023 establishes AESIA
2024-06-19	Formally operational
2024-12-10	16 compliance guidance documents issued
2025-03-11	Spanish National AI Bill passes first reading
2025-04	12 projects selected for the AI sandbox