The Spanish government, through its specialized agency AESIA, has published a set of practical guidelines for small and medium-sized enterprises (SMEs) and self-employed professionals (autónomos). The aim of the documents is to help businesses adapt their workflows to the new European Artificial Intelligence Regulation (AI Act), which introduces strict requirements for transparency and safety.
A key element of the new rules is the classification of AI systems by risk level. “High-risk” systems include algorithms that influence life-impacting decisions such as hiring employees, approving loans, medical diagnosis, or the use of biometric data. These systems are subject to stringent obligations related to record-keeping, risk management, and human oversight.
The guidelines stress that compliance begins with an inventory. Entrepreneurs are required to document all AI systems in use, identify their providers, define their purpose, and specify the types of data processed. These tools are no longer seen as simple “useful utilities,” but as regulated and supervised instruments.
If AI is used for routine tasks (such as generating texts or emails), requirements are lighter, but basic quality control remains mandatory. However, if an algorithm is used to assess customer creditworthiness, businesses must implement a “human-in-the-loop” mechanism to review decisions and revise contracts with software providers.
Authorities recommend not delaying the audit process: more than 20% of Spanish companies have already adopted AI, and ignoring the regulation may lead to legal risks. The first step is to appoint a person responsible for digital ethics and begin maintaining a register of the technologies in use.
A key element of the new rules is the classification of AI systems by risk level. “High-risk” systems include algorithms that influence life-impacting decisions such as hiring employees, approving loans, medical diagnosis, or the use of biometric data. These systems are subject to stringent obligations related to record-keeping, risk management, and human oversight.
The guidelines stress that compliance begins with an inventory. Entrepreneurs are required to document all AI systems in use, identify their providers, define their purpose, and specify the types of data processed. These tools are no longer seen as simple “useful utilities,” but as regulated and supervised instruments.
If AI is used for routine tasks (such as generating texts or emails), requirements are lighter, but basic quality control remains mandatory. However, if an algorithm is used to assess customer creditworthiness, businesses must implement a “human-in-the-loop” mechanism to review decisions and revise contracts with software providers.
Authorities recommend not delaying the audit process: more than 20% of Spanish companies have already adopted AI, and ignoring the regulation may lead to legal risks. The first step is to appoint a person responsible for digital ethics and begin maintaining a register of the technologies in use.
