Spain's Council of Ministers approved a draft Organic Law on AI governance on May 26, 2026, implementing the EU AI Act with additional national measures. The law establishes a sanctions regime with fines up to €35 million or 7% of turnover, formalizes regulatory sandboxes, and imposes specific requirements for AI use in the public sector.
No articles specifically tagged for Spain yet. Check our blog for general compliance coverage.
Spanish authorities have dismantled a major manga piracy platform operating since 2014, arresting four individuals and seizing $470,000 in cryptocurrency. This enforcement action demonstrates increased regulatory scrutiny on intellectual property rights, cybersecurity measures against illicit online operations, and financial crime involving hidden digital assets. Companies should review their compliance with copyright laws and ensure proper licensing for digital content distribution.
Spain has approved a draft Royal Decree implementing mandatory B2B e-invoicing under the 'Crea y Crece' law, requiring structured electronic invoices for business transactions. The implementation will be phased based on turnover thresholds, with larger businesses (turnover > €8M) required to comply 12 months after publication of technical details, and all others within 24 months.
noyb has appealed a Spanish Data Protection Authority (AEPD) decision that restricted a customer's GDPR right to access location data from Virgin Telco. This enforcement action highlights tensions between data retention laws and GDPR access rights, potentially impacting how data protection authorities interpret these rights across the EU.
The Spanish Audiencia Nacional court annulled a previous decision by the Spanish Data Protection Authority (AEPD) that denied a customer access to their location data under GDPR's right to access provisions. The court confirmed that location data constitutes personal data, establishing a precedent that may influence similar cases across the EU and requiring telecommunications providers to disclose such data to data subjects.
The Spanish Data Protection Authority (AEPD) has received a complaint against Ryanair for implementing facial recognition verification for bookings through online travel agents, alleging violations of GDPR consent and data minimization principles. This enforcement action could result in fines up to €192 million and signals increased regulatory scrutiny of biometric data practices in the travel industry.
Spanish police arrested 12 suspects in a multimillion-dollar gambling fraud scheme that exploited Ukrainian war refugees to open bank accounts and launder $5.5 million through online betting platforms. This enforcement action signals increased regulatory scrutiny of financial institutions and gambling operators regarding customer due diligence, identity verification, and suspicious transaction monitoring.