# AI Bill in Spain 2026: the fine is not the problem, the inventory is

> Spain's AI Bill focuses on inventory and risk management rather than fines, urging companies to map AI systems, purposes, and owners.

- Author: Viktor Berthelius (BRTHLS)
- Published: 2026-06-02
- Updated: 2026-06-29
- Category: ai operating models
- Tags: ai-governance, eu-ai-act, regulacion, aesia
- Language: en
- Canonical: https://www.brthls.com/magazine/spain-ai-bill-2026-inventory-en
- Source: BRTHLS Magazine — https://www.brthls.com

---

## Problem

The public conversation about the new Spanish AI regulation is staying at the loudest points: million‑dollar fines, deepfakes, prohibited systems, and the role of the AESIA.

That noise matters, but it is not the operational core.

On 26 May 2026, the Council of Ministers approved for referral to the Congress the Draft Organic Law for the good use and governance of artificial intelligence. This is important: we are talking about a bill in parliamentary processing, not a law already closed. Still, the direction is clear. Spain is creating the national layer that implements the European AI Regulation: authorities, supervision, sanctions, sandboxes, and specific obligations for the state public sector.

A company that reads this as “another legal issue” will be late. A company that reads it as “we need to know which AI systems we use, for what, with what risk, with which owner and with what evidence” will start to create advantage.

## Thesis

The fine is not the problem. The fine is the visible consequence of not having a system.

The real risk for a mid‑size company is not that it uses ChatGPT, Gemini, Claude, Midjourney, ComfyUI or an AI module inside the CRM. The risk is not knowing which AI is influencing real decisions: candidate selection, commercial scoring, customer support, lead prioritization, content creation, employee analysis, financial decisions or internal automations.

When AI moves from a loose tool to a regulated asset, compliance stops being a document and becomes an operational architecture.

## Framework

The practical way to read the Spanish AI Bill is not “what sanction will hit me”. It is this:

| Layer | Executive question | Minimum evidence |
| --- | --- | --- |
| Inventory | What AI systems we use or integrate | Live register of tools, workflows and providers |
| Purpose | What decision or output each system influences | Map of use cases and affected processes |
| Risk | Is it prohibited use, high risk, transparency or low risk | Classification aligned with the European AI Regulation |
| Owner | Who is responsible if the system fails | Operational responsible and legal/technical responsible |
| Supervision | What human can intervene, correct or stop | Decision rights, override and escalation criteria |
| Evidence | How we demonstrate that we act properly | Logs, documentation, assessments, contracts and reviews |

This is the mental shift. AI is not governed by tool brand. It is governed by use, impact, and control.

Two companies can use the same model and have different risks. One uses it to summarize internal notes. Another uses it to filter candidates. The tool may be the same; the exposure is not.

## Why it matters now

There are four reasons why this topic deserves to enter the magazine now.

First, because the Bill lands in Spain on a framework that already exists: the European AI Regulation has been in force since August 2024 and applies with a progressive calendar. Article 99 sets sanctions of up to €35 million or 7 % of worldwide turnover for prohibited practices, up to €15 million or 3 % for certain obligation breaches, and up to €7.5 million or 1 % for incorrect, incomplete or misleading information to authorities.

Second, because the Government itself has explained that the Spanish draft identifies supervisory bodies and establishes a national sanction regime. The official note talks about very serious, serious and minor infringements, with penalties that can reach €35 million or 7 % in the most serious cases and up to €500 000 or 0.5 % in the least serious.

Third, because August 2026 is not an abstract date. The general obligations of the Regulation start to have practical impact for many companies, and the transparency obligations of Article 50 affect systems that interact with people or generate/manipulate synthetic content. This touches support, marketing, product, content, customer service and operations.

Fourth, because the most interesting part is not only private. The draft also introduces for the state public sector an inventory of AI systems used in administrative procedures and the figure of the AI delegate, to be developed by Royal Decree. If the State needs inventory and responsible parties, a company that uses AI in sensitive processes cannot keep operating with “each team handles its own”.

## Anti-example

The anti-example is the company that reacts with a two‑page internal policy:

> “Do not introduce sensitive data. Use AI responsibly. Review the outputs.”

That does not govern anything.

When the problem appears, nobody knows which tool was used, what data entered, which model version generated the result, which human approved the decision, which provider was involved, whether there was an obligation to inform the affected party, or if the system should have been directly prohibited.

The policy does not fail because of bad intent. It fails because it is not connected to inventory, owners, logs, procurement, security, legal, data and operations.

The worst scenario is not “we are fined for using AI”. The worst scenario is “we cannot explain how we use AI”.

## Protocol (3 steps)

1. **Inventory what already exists.** Don’t start with a workshop. Start with a table of tools, providers, processes and affected decisions. Include purchased AI, AI integrated in SaaS, internal automations, shared prompts and models used by creative or technical teams.

2. **Classify by exposure, not by hype.** Separate prohibited uses, high‑risk potential, transparency obligations and low‑risk uses. Not everything is recorded. Not everything is high risk. But everything that influences people, rights, money, employment, access to services or public content deserves specific treatment.

3. **Turn compliance into a backlog.** Each risk must generate a closeable task: request documentation from the provider, define owner, create human override, activate logging, update DPIA, label synthetic content, review contract or block a use case.

| Week | Work | Result |
| --- | --- | --- |
| 1 | Inventory of tools and AI‑enabled workflows | Single list with owner per system |
| 2 | Risk and obligation classification | Map of prohibited, high‑risk, transparency and low‑risk uses |
| 3 | Evidence and providers | Logs, contracts, technical documentation and gaps |
| 4 | Governance backlog | Prioritized actions with responsible and date |

Rule: if an obligation does not become a work item, it does not exist.

## Related

- [EU AI Act 2026: 5 things a Spanish mid‑size company CEO must change before October](/magazine/eu-ai-act-2026-five-changes-for-spanish-ceos-en)
- [AI Governance Backlog: turning risk into executable work](/magazine/ai-governance-backlog-risk-to-work-en)
- [AI Decision Ledger: the decision log that makes your AI auditable](/magazine/ai-decision-ledger-separates-learning-from-opinion-en)
- [Tool Registry: the risk map enterprise agents need](/magazine/tool-registry-enterprise-agent-risk-en)
- [AI Content Labels: the legal notice becomes trust infrastructure](/magazine/ai-content-labels-trust-infrastructure-en)

## Sources consulted

- [Ministry for Digital Transformation and Public Function: press release of the Council of Ministers, 26 May 2026](https://digital.gob.es/content/dam/portal-mtdfp/comunicacion/comunicacion_ministro/2026/05/2026-05-26/260526%20NP%20CMin%20APL%20IA.pdf)
- [La Moncloa: Council of Ministers reference, 26 May 2026](https://www.lamoncloa.gob.es/consejodeministros/referencias/Paginas/2026/20260526-referencia-rueda-de-prensa-ministros.aspx)
- [Regulation (EU) 2024/1689 on Artificial Intelligence in EUR‑Lex](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?locale=es)
- [Cuatrecasas: Organic Bill for the good use and governance of AI](https://www.cuatrecasas.com/es/spain/propiedad-intelectual/art/proyecto-ley-organica-buen-uso-gobernanza-ia)

## Next step

Don’t wait for the text to finish its processing before you start. Useful work does not depend on a single comma changing: inventory, classification, owners, human supervision, traceability and providers.

If today you cannot answer which AI systems influence business decisions, the first project is not legal. It is operational. Start with the inventory and turn it into an [AI governance diagnosis](/en/contact).

---

*Translated from the Spanish original with AI assistance and reviewed for accuracy. [Read the original in Spanish](/magazine/proyecto-ley-ia-espana-2026-multa-no-problema-inventario-es).*

---

_Cite as: Berthelius, V. (2026). "AI Bill in Spain 2026: the fine is not the problem, the inventory is". BRTHLS Magazine. https://www.brthls.com/magazine/spain-ai-bill-2026-inventory-en_
