On August 22, 2023, the Spanish Council of Ministers approved the Statute of the Spanish Agency for the Supervision of Artificial Intelligence (“AESIA”) thus creating the first AI regulatory body in the EU. The AESIA will start operating from December 2023, in anticipation of the upcoming EU AI Act  (for a summary of the AI Act, see our EMEA Tech Regulation Toolkit). In line with its National Artificial Intelligence Strategy, Spain has been playing an active role in the development of AI initiatives, including a pilot for the EU’s first AI Regulatory Sandbox and guidelines on AI transparency.

In recent years, Spain has focused its digital strategy on the implementation of  initiatives for the promotion and development of an “inclusive, sustainable, and citizen-centered AI”, one of the key pillars of the 2026 Spanish Digital Agenda, and to this end has developed guidance for companies on the use of AI (see our previous blog post). Spain has now overtaken the Presidency of the EU Council and announced that it will make the adoption of the AI Act one of its main priorities.  

The creation of the AESIA reflects the obligation contained in the draft AI Act for EU Member States to designate a regulator responsible for enforcing the AI Act and acting as a single point of contact for the EU Commission and the European Committee on Artificial Intelligence.

The implementation of the AESIA will not replace the role currently played by the AEPD (Spain’s Supervisory Authority for data protection) with respect to AI. Alongside the AESIA, the AEPD will continue to regulate AI applications, since many AI applications involve the processing of personal data and are therefore subject to the General Data Protection Regulation (“GDPR”). It remains to be seen how the two regulators will coordinate their regulatory guidance and enforcement activities to ensure a consistent approach to AI regulation in Spain.

What’s next?

As reported in our previous blog post, the European Parliament has adopted its version of the AI Act and EU institutions are now negotiating to agree on the final text of the Act, including the scope of definition of AI systems and the list of “high-risk” AI systems. These negotiations are expected to be concluded by late 2023, though this timeline could slip if EU institutions cannot reach a quick agreement on the final text. As currently drafted, the obligations contained in the AI Act will become binding on companies 24 months after the Act’s entry into force (however, the EU Council is seeking to extend this to 36 months).

Other EU Member States are considering which body will act as their AI Act regulator too, and we expect further EU Member States to follow Spain’s lead in setting up an AI regulator or empowering existing regulators (such as data protection regulators) to take on AI Act enforcement in the coming months.

***

Covington’s Data Privacy and Cybersecurity Team regularly advises clients on the laws surrounding AI and we will continue to monitor developments in the field of AI. If you have any questions about how the regulation of AI will affect your business, our team is happy to assist.

This post was prepared with the contributions of Diane Valat, trainee in Covington’s Brussels office.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.