Skip to content
Back to Magazine
ai-operating-models 7 min read

AI Bill in Spain 2026: the fine is not the problem, the inventory is

Does this apply to your company?

Free 30-min AI diagnostic →

Key Takeaways

  • - [EU AI Act 2026: 5 things a Spanish mid‑size company CEO must change before October](/magazine/eu-ai-act-2026-five-changes-for-spanish-ceos-en)
  • - [AI Governance Backlog: turning risk into executable work](/magazine/ai-governance-backlog-risk-to-work-en)
  • - [AI Decision Ledger: the decision log that makes your AI auditable](/magazine/ai-decision-ledger-separates-learning-from-opinion-en)
  • - [Tool Registry: the risk map enterprise agents need](/magazine/tool-registry-enterprise-agent-risk-en)

Decision

Decide what governance, ownership or cadence is missing before scaling AI.

Room

Executive committee, AI portfolio review, transformation steering.

Risk

Mistaking activity, pilots and tooling for real operating capability.

Agent prompt: map decision rights, KPIs, risks and the next operational move

Problem

The public conversation about the new Spanish AI regulation is staying at the loudest points: million‑dollar fines, deepfakes, prohibited systems, and the role of the AESIA.

That noise matters, but it is not the operational core.

On 26 May 2026, the Council of Ministers approved for referral to the Congress the Draft Organic Law for the good use and governance of artificial intelligence. This is important: we are talking about a bill in parliamentary processing, not a law already closed. Still, the direction is clear. Spain is creating the national layer that implements the European AI Regulation: authorities, supervision, sanctions, sandboxes, and specific obligations for the state public sector.

A company that reads this as “another legal issue” will be late. A company that reads it as “we need to know which AI systems we use, for what, with what risk, with which owner and with what evidence” will start to create advantage.

Thesis

The fine is not the problem. The fine is the visible consequence of not having a system.

The real risk for a mid‑size company is not that it uses ChatGPT, Gemini, Claude, Midjourney, ComfyUI or an AI module inside the CRM. The risk is not knowing which AI is influencing real decisions: candidate selection, commercial scoring, customer support, lead prioritization, content creation, employee analysis, financial decisions or internal automations.

When AI moves from a loose tool to a regulated asset, compliance stops being a document and becomes an operational architecture.

Framework

The practical way to read the Spanish AI Bill is not “what sanction will hit me”. It is this:

LayerExecutive questionMinimum evidence
InventoryWhat AI systems we use or integrateLive register of tools, workflows and providers
PurposeWhat decision or output each system influencesMap of use cases and affected processes
RiskIs it prohibited use, high risk, transparency or low riskClassification aligned with the European AI Regulation
OwnerWho is responsible if the system failsOperational responsible and legal/technical responsible
SupervisionWhat human can intervene, correct or stopDecision rights, override and escalation criteria
EvidenceHow we demonstrate that we act properlyLogs, documentation, assessments, contracts and reviews

This is the mental shift. AI is not governed by tool brand. It is governed by use, impact, and control.

Two companies can use the same model and have different risks. One uses it to summarize internal notes. Another uses it to filter candidates. The tool may be the same; the exposure is not.

Why it matters now

There are four reasons why this topic deserves to enter the magazine now.

First, because the Bill lands in Spain on a framework that already exists: the European AI Regulation has been in force since August 2024 and applies with a progressive calendar. Article 99 sets sanctions of up to €35 million or 7 % of worldwide turnover for prohibited practices, up to €15 million or 3 % for certain obligation breaches, and up to €7.5 million or 1 % for incorrect, incomplete or misleading information to authorities.

Second, because the Government itself has explained that the Spanish draft identifies supervisory bodies and establishes a national sanction regime. The official note talks about very serious, serious and minor infringements, with penalties that can reach €35 million or 7 % in the most serious cases and up to €500 000 or 0.5 % in the least serious.

Third, because August 2026 is not an abstract date. The general obligations of the Regulation start to have practical impact for many companies, and the transparency obligations of Article 50 affect systems that interact with people or generate/manipulate synthetic content. This touches support, marketing, product, content, customer service and operations.

Fourth, because the most interesting part is not only private. The draft also introduces for the state public sector an inventory of AI systems used in administrative procedures and the figure of the AI delegate, to be developed by Royal Decree. If the State needs inventory and responsible parties, a company that uses AI in sensitive processes cannot keep operating with “each team handles its own”.

Anti-example

The anti-example is the company that reacts with a two‑page internal policy:

“Do not introduce sensitive data. Use AI responsibly. Review the outputs.”

That does not govern anything.

When the problem appears, nobody knows which tool was used, what data entered, which model version generated the result, which human approved the decision, which provider was involved, whether there was an obligation to inform the affected party, or if the system should have been directly prohibited.

The policy does not fail because of bad intent. It fails because it is not connected to inventory, owners, logs, procurement, security, legal, data and operations.

The worst scenario is not “we are fined for using AI”. The worst scenario is “we cannot explain how we use AI”.

Protocol (3 steps)

  1. Inventory what already exists. Don’t start with a workshop. Start with a table of tools, providers, processes and affected decisions. Include purchased AI, AI integrated in SaaS, internal automations, shared prompts and models used by creative or technical teams.

  2. Classify by exposure, not by hype. Separate prohibited uses, high‑risk potential, transparency obligations and low‑risk uses. Not everything is recorded. Not everything is high risk. But everything that influences people, rights, money, employment, access to services or public content deserves specific treatment.

  3. Turn compliance into a backlog. Each risk must generate a closeable task: request documentation from the provider, define owner, create human override, activate logging, update DPIA, label synthetic content, review contract or block a use case.

WeekWorkResult
1Inventory of tools and AI‑enabled workflowsSingle list with owner per system
2Risk and obligation classificationMap of prohibited, high‑risk, transparency and low‑risk uses
3Evidence and providersLogs, contracts, technical documentation and gaps
4Governance backlogPrioritized actions with responsible and date

Rule: if an obligation does not become a work item, it does not exist.

Sources consulted

Next step

Don’t wait for the text to finish its processing before you start. Useful work does not depend on a single comma changing: inventory, classification, owners, human supervision, traceability and providers.

If today you cannot answer which AI systems influence business decisions, the first project is not legal. It is operational. Start with the inventory and turn it into an AI governance diagnosis.


Translated from the Spanish original with AI assistance and reviewed for accuracy. Read the original in Spanish.

ai-governance eu-ai-act regulacion aesia
Cite this article

Berthelius, V. (2026). “AI Bill in Spain 2026: the fine is not the problem, the inventory is”. BRTHLS Magazine. https://www.brthls.com/magazine/spain-ai-bill-2026-inventory-en

Fractional CAIO · Free diagnostic

Is your company ready to operate with AI?

30 minutes. No pitch. An honest read on where you are and what to move first.

Book free diagnostic