Artificial intelligence has ceased to be a technological promise and has become a daily tool in professional offices, shops, agencies, clinics, consultancies, real estate agencies, workshops, industrial companies and digital businesses. It is used to draft emails, attend to clients, sort résumés, generate images, analyze data, automate budgets or answer inquiries via WhatsApp. Now, the Government wants that adoption to advance with clear rules.
The Council of Ministers approved on May 26, 2026 the bill to guarantee human oversight and trustworthy use of artificial intelligence in Spain. The law does not create an isolated framework; instead, it adapts Spanish law to the European Artificial Intelligence Regulation, which took effect on August 1, 2024 and classifies AI systems according to the level of risk they may pose to safety, health, or fundamental rights. (La Moncloa)
The regulation’s philosophy is simple: not all AI applications are alike. It is not the same risk to use a virtual assistant to summarize meetings as it is to use an algorithm to decide whether a person gets a job, a loan, a place in education, or an essential service. Therefore, the European framework distinguishes between prohibited uses, high-risk systems, transparency obligations, and minimal or zero-risk applications. The European Commission recalls that the majority of AI systems currently used in the EU are considered minimal or zero-risk, but it sets stricter requirements for sensitive uses.
A Spanish law to implement the European Regulation
The Government’s bill identifies the bodies that will supervise the application of the rule in Spain and establishes a sanction regime. The Spanish Agency for the Supervision of Artificial Intelligence, based in A Coruña, will be one of the key bodies, along with other authorities such as the Spanish Data Protection Agency, the Bank of Spain, or the General Council of the Judiciary, depending on the domain affected.
The government also incorporates rules to promote responsible use of AI in the state public sector. This is relevant for companies supplying the Administration, technology consultancies, software developers, service companies, and freelancers who work with public agencies, since transparency criteria, human oversight, and risk management are likely to be reflected in bidding documents, contracts, and public procurement processes.
The Spanish regulation arrives, furthermore, in a European context of adjustments. Brussels has proposed simplification measures to reduce administrative burdens and clarify timetables, especially for high-risk systems. According to the European Commission, the general transparency rules will take effect in August 2026, while some obligations for high-risk systems will apply later, with dates that may extend to December 2027 or August 2028, depending on the type of system.
What uses are under greater scrutiny
For small and medium-sized enterprises and self-employed professionals, the key question is not “can I use AI?”, but “in which part of my business am I using it?” The answer varies greatly depending on the case.
A small retailer that uses AI to draft promotional copy, prepare social media posts, or generate campaign ideas will, in principle, face a much lower level of scrutiny than a company that uses AI to screen candidates in hiring processes. The European Commission includes as high-risk uses AI tools applied to employment, workforce management, and access to self-employment, such as résumé screening programs.
Also considered especially sensitive are systems used in education, critical infrastructure, access to essential services, credit evaluation, biometric identification, justice, migration, or security forces. In these cases, the company that develops, sells, or deploys the system must pay attention to requirements such as risk management, data quality, technical documentation, activity logging, transparency, human oversight, accuracy, robustness, and cybersecurity.
The law also focuses on AI-generated content. Users must know when they are interacting with a machine, for example in the case of a chatbot, and certain synthetic contents, such as deepfakes or texts generated to inform the public about matters of public interest, must be clearly identified.
Practical impact on SMEs: less improvisation and more traceability
For an SME, the main change will be cultural and organizational. Until now many companies have adopted AI tools informally: a ChatGPT account in the sales department, an image generator in marketing, customer service automation, or an AI plugin in the CRM. The new regulation pushes to document what tools are used, for what purpose, and what data are entered into them.
This does not mean every small business should create a legal or tech department. But it makes sense to establish basic rules: do not input personal or confidential data into uncontrolled tools, notify customers when they are interacting with a bot, review results before making important decisions, and keep evidence of how the technology is used in sensitive processes.
In customer service, for example, a small business can continue using chatbots, but it must prevent the customer from thinking they are talking to a person if they are actually interacting with a machine. In marketing, it can generate images, texts, or videos, but it should pay attention to labeling when the content could mislead. In human resources, it should exercise extreme caution if it uses AI to sort candidates, score profiles, or automate rejections.
Freelancers: proportional obligations, but not negligible
Freelancers are also encompassed by the new regulatory framework when they use AI in their professional activities. A designer who generates images, a consultant who automates reports, a lawyer who uses AI to prepare drafts, a consultant who analyzes client data, or a real estate agent who uses conversational assistants should ask what kind of data they handle and what impact the tool may have on third parties.
Most everyday uses will be low risk, but that does not erase basic due diligence obligations. In sectors where confidentiality, data protection, or professional secrecy duties already exist, AI does not reduce those requirements; on the contrary, it can make them more visible. The professional will remain responsible for what they deliver to the client, even if the first draft was generated by an automated tool.
Sanctions and reputation: the new business risk
The sanction regime will be one of the most closely watched elements of the Spanish regulation. The bill establishes the national framework for supervision and penalties, aligned with the European AI Regulation. In practice, this introduces a new compliance risk for companies, especially for those that develop AI solutions, integrate them into products, or use them in processes that affect people.
But the risk will not be purely financial. A company that uses AI to discriminate against candidates, manipulate consumers, generate deceptive content, or make opaque decisions can also face loss of trust, customer claims, labor disputes, and reputational damage.
The other side of regulation is opportunity. For many tech SMEs, agencies, consultancies, law firms, and software providers, complying well can become a commercial argument. Companies that can demonstrate that their systems are auditable, transparent, secure, and supervised by humans will have an advantage over improvised or unclear solutions.
There is also room for new services: AI audits, training for employees, compliance consulting, adaptation of chatbots, review of automated processes, system documentation, AI cybersecurity, and data governance. The European Commission has promoted support tools such as the AI Pact, assistance services, and guides to facilitate the application of the regulatory framework.
