Spain was one of the first EU Member States to establish a dedicated national AI oversight body. The Agencia Española de Supervisión de la Inteligencia Artificial (AESIA) is now Spain's designated authority for AI Act implementation and enforcement. For US companies with Spanish customers, employees, or EU representatives in Spain, AESIA's approach to supervision matters.
AESIA (Agencia Española de Supervisión de la Inteligencia Artificial) is Spain's national AI regulator under the EU AI Act. It has authority to enforce AI Act obligations within Spanish territory, including inspections, information requests, and sanctions. US companies with Spanish market exposure or an EU representative in Spain should prepare for AESIA oversight. Lexara Advisory coordinates EU representation through SecureFound, with connections in Spain.
What This Means
The EU AI Act is enforced through a decentralized architecture. While the AI Office coordinates at the EU level, particularly for general-purpose AI models, day-to-day enforcement of high-risk AI systems falls to national market surveillance authorities designated by each Member State. AESIA is Spain's designated authority.
For US companies, the practical significance of AESIA depends on the company's EU footprint. If the company has an EU authorized representative in Spain, AESIA is likely the primary authority for that representative. If the company sells AI systems to Spanish customers, AESIA has jurisdiction over market surveillance. If the company deploys AI systems that affect Spanish employees or consumers, AESIA may investigate deployer compliance.
Spain has historically been an active jurisdiction in digital regulation. The Spanish data protection authority (AEPD) has issued significant GDPR fines and has been vocal on algorithmic accountability. AESIA is expected to adopt a similarly proactive stance. US companies should not assume that Spanish enforcement will be lenient or delayed.
Key Requirements
AESIA's establishment and mandate.
AESIA was established by Spanish law as the national authority for the supervision and enforcement of AI systems. It operates under the EU AI Act framework but with national procedural rules. Its mandate includes monitoring compliance with AI Act obligations, conducting inspections, requesting information and documentation, and imposing sanctions for violations.
Jurisdiction.
AESIA's jurisdiction covers AI systems placed on the Spanish market, put into service in Spain, or used in Spain. This includes systems provided by non-EU companies. The output-based scope of Article 2(1)(c) means that a US company's AI system affecting Spanish individuals is within AESIA's reach even if the company has no physical presence in Spain.
Cooperation with the AI Office.
For general-purpose AI models, AESIA cooperates with the AI Office at the EU level. For high-risk AI systems, AESIA is the primary enforcement authority within Spain. This division of labor means that a US provider of a GPAI model may interact with the AI Office, while a US provider of a high-risk system sold in Spain may interact with AESIA.
Inspection powers.
AESIA has the authority to conduct inspections of providers, deployers, and authorized representatives within its jurisdiction. For non-EU providers, inspections may be conducted at the premises of the EU authorized representative or through remote requests for documentation. The representative's role under Article 22 includes cooperation with these inspections.
Information requests.
AESIA may request technical documentation, risk management records, conformity assessment documentation, and post-market monitoring reports. The deadline for responding is typically short. Providers and representatives should have these documents organized and accessible. Delays in responding may be treated as non-cooperation.
Sanctions.
AESIA may impose sanctions for violations of the AI Act within Spain. The maximum penalties are defined in Article 99 of the AI Act, but the procedural framework for imposing them is governed by Spanish administrative law. This includes notification requirements, hearing rights, and appeal procedures. US companies should understand that the penalty process is not identical to US administrative enforcement.
Spanish language requirements.
AESIA operates in Spanish. Technical documentation, correspondence, and hearings will typically be conducted in Spanish. US companies with an authorized representative in Spain should ensure that the representative has Spanish-language capacity. If the representative cannot communicate effectively with AESIA, the provider may face delays or adverse inferences.
Data protection intersection.
AESIA's work intersects with the Spanish data protection authority (AEPD). An AI system that processes personal data may be subject to parallel or coordinated investigations by both authorities. The Digital Omnibus addressed some of this overlap by creating a bias-detection legal basis, but the institutional coordination between AESIA and AEPD is still developing.
Frequently Asked Questions
Q: What is AESIA?
AESIA is the Agencia Española de Supervisión de la Inteligencia Artificial, Spain's national authority for the supervision and enforcement of AI systems under the EU AI Act. It has jurisdiction over AI systems placed on the Spanish market or used in Spain.
Q: Does AESIA enforce the AI Act against US companies?
Yes, if the US company's AI system outputs affect individuals in Spain or if the system is placed on the Spanish market. AESIA has jurisdiction over non-EU providers through the extraterritorial scope of Article 2(1)(c) and through the EU authorized representative under Article 22.
Q: What language does AESIA use for enforcement?
AESIA operates in Spanish. Correspondence, documentation requests, hearings, and decisions are typically in Spanish. US companies with an authorized representative in Spain should ensure that the representative has Spanish-language capacity and understands Spanish administrative procedure.
Q: How does AESIA relate to the AI Office?
The AI Office at the EU level coordinates enforcement for general-purpose AI models. AESIA is the national authority for high-risk AI systems within Spain. For GPAI models, AESIA cooperates with the AI Office. For high-risk systems, AESIA is the primary enforcement authority.
Q: Should US companies choose Spain for their EU authorized representative?
Spain is a viable jurisdiction for EU representation, with established administrative infrastructure and a dedicated AI regulator. The choice of jurisdiction should reflect practical considerations: language capacity, regulatory accessibility, time zone alignment, and the representative's technical and legal expertise. Lexara Advisory coordinates representation through SecureFound with connections in Spain.
2026-06-27
Regulation (EU) 2024/1689 (EU AI Act); Digital Omnibus provisional agreement, 7 May 2026; Spanish law establishing AESIA.
AESIA is Spain's national AI regulator under the EU AI Act. It enforces AI Act obligations for systems placed on or used in the Spanish market, including systems from non-EU providers. US companies with Spanish exposure should prepare for Spanish-language documentation, inspection cooperation, and potential coordination with the Spanish data protection authority.
2. Evaluate representative location.