First, a clarification, because today's headlines are getting it wrong: the law has NOT been voted on in Congress. What happened today is that the Council of Ministers approved the bill and the urgent parliamentary process begins. There can still be amendments. But the basic structure is already defined and, above all, the European AI Regulation (the AI Act) is already in force and from 2 August 2026 it will enter full application, sanctions regime included.
What does this mean for you, running a small business in the Penedès, in Tarragona or anywhere else? That whether or not the Spanish law is published in the Official Gazette, the European AI Act already binds you. The Spanish law only adapts the AI Act into our legal framework and defines who inspects and who sanctions here: AESIA (the Spanish AI Supervision Agency), based in A Coruña.
AESIA has been operating since February 2025 and has full sanctioning authority since 2 August 2025. Today's news is that the Spanish bill sets specific sanctions in domestic law, defines additional prohibited practices (such as sexual deepfakes) and establishes how the different authorities will coordinate.
Why it affects you even if you "only" use ChatGPT
This is the most common confusion: "but I don't build AI, I only use it". The AI Act distinguishes two roles: provider (whoever develops the AI system and brings it to market) and deployer (whoever uses it inside their organisation). The second is you if:
- You use ChatGPT, Claude, Gemini or any assistant to generate text that will reach customers.
- You have an AI agent on WhatsApp or on your website that answers queries.
- You use AI tools for lead scoring, CV screening or supplier evaluation.
- You use AI-generated images or video for campaigns.
- You have any recommendation or personalisation system that learns from users.
If you do any of these things, you're an AI deployer in the eyes of the law. And you have obligations. Different ones depending on the risk, but they exist.
The four risk categories (and where you fall)
The AI Act classifies AI systems into four levels. Each level has different obligations.
1. Unacceptable risk (prohibited)
Systems that can never be used. If your small business does any of these things, you have to stop today:
- Subliminal techniques or psychological manipulation to influence decisions without consent.
- Exploitation of vulnerabilities linked to age, socioeconomic situation or disability.
- Social scoring of people (social credit style).
- Biometric classification by race, political orientation or religion.
- Remote biometric identification in real time in public spaces (with strict exceptions).
- New in Spain: generating non-consensual sexual deepfakes and chatbots that identify users with gambling addiction to lure them onto platforms.
2. High risk (strict obligations)
Permitted systems, but with strong compliance obligations. This includes:
- Hiring and employee evaluation (CV filters with AI).
- Credit granting and credit scoring.
- Regulated education (automatic grading, admissions).
- Healthcare (diagnostic support).
- Critical infrastructure (power grids, water, transport).
- Access to essential services (public or private).
If you fall here (for example, a consulting firm using an AI system to pre-filter candidate CVs), your compliance burden is serious: documented risk assessment, data governance, technical documentation, activity logs, real human oversight (not just "the approve button"), transparency towards the affected user and a declaration of conformity.
3. Limited risk (transparency)
Where most small businesses using generative AI fall:
- Chatbots and conversational agents.
- AI-generated content (text, image, video) aimed at the public.
- Emotion recognition systems (in non-prohibited contexts).
- Legitimate deepfakes (not sexual ones, which are prohibited).
The main obligation here is transparency: the user must clearly know they're interacting with an AI or that some content has been generated by AI. There are no draconian fines if you comply with this and, in general, the big AI providers (OpenAI, Anthropic, Google) already make it easy with visible watermarks and metadata.
4. Minimal risk (no specific obligations)
Spam filters, basic recommenders, image generators not aimed at the public. No specific obligations, but the Regulation requires you to have sufficient "AI literacy" in the team: the people using these tools must understand what they do and what their limits are.
The sanctions: the range that matters
This is where the headlines grab attention: up to €35 million or 7% of worldwide annual turnover, whichever is greater. But you need to understand the range:
- Minor: up to €500,000 or 0.5% of turnover.
- Serious: up to €7.5 million or 1.5% of turnover (failure to meet obligations for high-risk systems).
- Very serious: up to €35 million or 7% of turnover (using prohibited systems).
For a small business with €500K annual turnover, a minor sanction would be €2,500 (0.5%). It's not catastrophic, but added to the reputational cost and the fact that AESIA can withdraw the AI system from the market provisionally, it's an unnecessary risk.
My message here is simple: small businesses shouldn't worry about the million-euro fines in the headlines. They need to understand which risk category they're in, comply with the corresponding obligations (which are straightforward at limited risk) and document it minimally. The real complication is for high-risk systems, which few small businesses deploy.
The real timeline
The dates that matter:
- 2 February 2025: Prohibitions already in force. If you use a prohibited system, you're already in breach.
- 2 August 2025: AESIA takes on full sanctioning authority in Spain.
- 2 August 2026: Full application of the AI Act, including obligations for high-risk systems and the complete European sanctions regime.
- 2 August 2027: Full obligations for all "general-purpose" AI systems (GPAI), i.e. foundation models like GPT-4, Claude, etc.
What you need to do this week (the 5 pragmatic steps)
If you run a small business and use AI in any way, do this before 2 August:
1. A real inventory of the AI in use.
Make a list of all the AI systems your team uses. Include ChatGPT (and at which tier — Free, Plus, Business?), Claude, Gemini, Copilot, lead-scoring tools, image generators, website recommenders, WhatsApp agents, etc. Everyone tends to forget about 30% of what's actually in use.
2. Classify each system into a risk category.
For each one, identify whether it's prohibited, high risk, limited risk or minimal risk. The free diagnostic tool I've built does this classification for you in five minutes.
3. Document the purpose and data of each system.
For each AI, note: what you use it for (specific use case), what data you feed it (especially if it's personal), who supervises its outputs, and how you inform affected users. You don't need a 50-page PDF; a 2-page document per system is enough for most small businesses.
4. Put transparency markers where they're needed.
If you have a chatbot, it has to clearly say it's an AI in the first message. If you publish AI-generated images on your site or social channels, label them. If you use automatic scoring for customers (for example, to decide who gets a proposal first), inform them that there's an automated component and offer human review on request.
5. Train the team (AI literacy).
The AI Act requires that the people using AI understand what these systems do. For a small business, this means a one or two-hour training session explaining how generative AI works, what it can do well and what it can't, what biases it can have and how to review its outputs. You don't need a master's degree — you need to understand the basics.
If you fall under high risk: the conversation is more serious
If your small business has high-risk systems (hiring, credit scoring, healthcare, infrastructure), don't do it on your own. You need a compliance officer or an external consultant to help you set up the risk management system, the technical documentation and the declaration of conformity process. The cost of this compliance is real (between €5K and €20K in consulting for a typical small business), but it's a fraction of what you could pay in fines or in having to withdraw the system.
Why I'm relatively optimistic (but watch out)
The AI Act is the first serious AI regulation in the world and, overall, it's well designed. The risk-tier distinction is sensible: it doesn't put the same burden on someone using ChatGPT to write emails as on someone deciding who gets a mortgage. For most Catalan small businesses using "normal" generative AI, real compliance is manageable: transparency, human oversight, minimal documentation.
But there are three warnings worth remembering:
- AESIA can inspect and sanction without prior notice. There's no formal grace period for prohibited systems or for basic transparency.
- Complaints can come from competitors, unhappy customers or ex-employees. It doesn't have to be a proactive AESIA inspection.
- The real cost is not the fine — it's having to pull an AI system you've already embedded in the business.
Official resources
- AESIA — Spanish AI Supervision Agency
- Full text of the AI Act (in English, with explanations)
- EU Regulation 2024/1689 in the Official Journal of the European Union (in Spanish)
- Spain Digital 2026 — information from the Spanish government
Practical tool: classify your AI in 5 minutes
I've built a free diagnostic tool. You answer six questions about how your company uses AI and it gives you: the risk category you fall into, a concrete list of specific obligations for your case, and a checklist of steps to take before 2 August.
No sign-up, no email, nothing sent to third parties. All processing happens in your browser. You use it, you walk away with the result.
If you fall under high risk or want help documenting your compliance
I don't want to be your permanent compliance officer — that's done better by specialised legal firms. But I can help you set up the initial inventory, classify your systems, put transparency markers where they're needed and run the AI literacy training for your team. Three or four sessions and you've got the foundation in place.
Let's talk for 15 minutes