The Spanish Agency for the Supervision of Artificial Intelligence. Its Statute was approved by Royal Decree 729/2023 of 22 August, it has its seat in A Coruña and it is attached to the Secretariat of State for Digitalisation and Artificial Intelligence. Spain was a pioneer in Europe in creating a state agency to supervise AI, before the European Regulation came into force.

What can AESIA ask of a company?

It supervises and advises on AI regulation, promotes testing environments and offers a voluntary certification framework. It began supervising prohibited practices on 2 February 2025 and assumed full sanctioning powers on 2 August 2025, in line with the timetable of Regulation (EU) 2024/1689.

AESIA: what it is and how it affects you

Q: Does AESIA supervise all AI in Spain?

It is the default authority, but not the only one. Depending on the sector, supervision falls to another authority: the Spanish Data Protection Agency in biometrics, or the Bank of Spain, the CNMV and the DGSFP in finance, among others. The final division is set by the national AI law, in parliamentary process.

When a company hears that Europe has passed a regulation on artificial intelligence, the next question is natural: and who supervises it here? In Spain the answer has a name and a seat. It is called AESIA, and it is worth knowing what it is, what it can ask of you and with what tools it works —before it matters.

What AESIA is

AESIA is the Spanish Agency for the Supervision of Artificial Intelligence. Its Statute was approved by Royal Decree 729/2023 of 22 August, and it has its institutional seat in A Coruña (Source: BOE, Royal Decree 729/2023, BOE-A-2023-18911, 2023). It is a public-law entity with its own legal personality and administrative powers, attached to the Secretariat of State for Digitalisation and Artificial Intelligence. By creating it before the European Regulation came into force, Spain was a pioneer in Europe in setting up a state agency dedicated to supervising AI (Source: La Moncloa, 2024). It is operational: in December 2025 its Governing Council appointed Alberto Gago Fernández as director general (Source: AESIA, 2025).

That an authority with a name and a seat exists changes the conversation: supervising AI stops being an abstract threat from "Brussels" and becomes something concrete that already has someone to watch it.

What it does, and what it can ask of you

AESIA's competences, under its Statute, span supervision and advice on AI regulation, the promotion of testing environments, a voluntary certification framework, impact and trend assessment, training, and coordination with other authorities (Source: BOE, Royal Decree 729/2023, BOE-A-2023-18911, 2023). In practice, two dates mark when it began to have teeth: AESIA started supervising prohibited practices on 2 February 2025 and assumed full sanctioning powers on 2 August 2025, following the timetable of the European Regulation (Source: Regulation (EU) 2024/1689, art. 113, EUR-Lex, 2024).

What it can ask of you, should it come to that, is predictable: that you demonstrate what your system does, which risk category it falls into and with what documentation you sustain it. It does not punish the use of artificial intelligence; it asks you to be able to prove it is governed. What you have to do, in order, to arrive ready for that question we set out in How to comply with the AI Act, step by step.

The sandbox: rehearsing before it is enforceable

AESIA is not only a supervisor; it also offers a lever. Spain established a regulatory sandbox —an official space in which to rehearse compliance with the regulator's support— through Royal Decree 817/2023 of 8 November, the first of its kind in the European Union (Source: BOE, Royal Decree 817/2023, BOE-A-2023-22767, 2023). In its first edition, of 44 applications 12 high-risk systems were selected, with participation reserved in part for SMEs and start-ups (Source: La Moncloa, 2025). For a company, the sandbox is an argument to move sooner rather than later: to validate conformity with official supervision while there is still room.

The guides: documentation that does not start from scratch

The most useful outcome of that testing environment is not a list of those selected, but reusable material. In December 2025 AESIA published a package of fifteen guides supporting compliance with the Regulation for high-risk systems, with checklists on risk management, data governance, transparency and cybersecurity, among others (Source: AESIA, 2025). They are the national practical standard: any company preparing its internal documentation has there an official mould instead of a blank page.

It is not always AESIA: the map by sector

A clarification that prevents errors: AESIA is the default authority, but not the only one. Depending on the sector, supervision falls to another authority —the Spanish Data Protection Agency in biometrics, or the Bank of Spain, the CNMV and the Directorate-General for Insurance in finance, for example—. That final division is set by the national AI law that adapts the European Regulation, today in parliamentary process (Source: MTDFP/SEDIA, 2025). Until its approval by Parliament, it is wise to treat the map of authorities as subject to confirmation. Knowing which one corresponds to you is part of the same exercise of order as everything else.

What to do with this

AESIA should not be read as a threat, but as a sign that the clock is now running with a concrete timekeeper behind it. The company that reaches a question from the agency with its inventory of systems, its risk classification and its documentation up to date does not have a difficult conversation: it has an answer. That base —the one that lets you at once operate your AI, see it and defend it— is what turns governance into something more than a formality. Having it ready before they call is the only advantage you can really prepare.