bestgirlfriend.ai
Best Match Quiz
Editorial

Spain's AESIA Goes Live: Europe's First Dedicated AI Supervisory Agency

In December 2025 Spain launched AESIA, the first EU member-state AI regulator, setting compliance templates ahead of the August 2026 EU AI Act deadline.

By Last revised Jun 2026

What AESIA is and why it shipped first

The Agencia Española de Supervisión de Inteligencia Artificial, AESIA, was established by Spanish royal decree published in Boletín Oficial del Estado and reached operational status in December 2025. The agency sits under the Ministry for Digital Transformation, headquartered in A Coruña (Galicia), and reports to both the national government and to the EU AI Office in Brussels for cross-jurisdictional enforcement coordination [Source: Inside Privacy, Spain Issues Guidance Under the EU AI Act · verified 2026-05-23].

The structural choice matters. Spain opted for a dedicated AI sectoral regulator rather than extending the existing data-protection authority (AEPD) with AI competencies, which is the route France's CNIL and Italy's Garante took. The sectoral model gives AESIA a single-purpose mandate covering risk-assessment audits, transparency-documentation review, post-market monitoring oversight, and enforcement coordination, without the divided attention that horizontal regulators carry between data-protection and AI workstreams.

The EU AI Act timeline and AESIA's positioning

The EU AI Act entered into force on 1 August 2024 with staggered applicability:

  • February 2025: prohibited-practice rules apply.
  • August 2025: general-purpose AI model obligations apply.
  • 2 August 2026: full applicability across all risk tiers, high-risk AI system obligations, conformity assessments, post-market monitoring, the lot [Source: EU AI Act timeline, artificialintelligenceact.eu · verified 2026-05-23].

AESIA's December 2025 launch is eight months ahead of the full-applicability milestone. That gap is the editorial signal: Spain wants enforcement infrastructure operational before the deadline rather than scrambling to staff a regulator after it bites.

What AESIA expects from AI service providers

AESIA published a compliance template pack covering five documentation surfaces:

  1. Risk-assessment files mirroring Annex IV of the AI Act, intended use, foreseeable misuse, risk mitigation measures.
  2. Human-oversight protocols documenting how human reviewers intervene in automated decisions.
  3. Transparency disclosures for end users, in line with Article 50 (mandatory disclosure that the interaction is with an AI system, plus disclosure of synthetic media when applicable).
  4. Data-governance records, training-data sources, lawful basis, data-quality measures.
  5. Post-market monitoring plans, how the provider tracks real-world performance and incident reports.

Providers serving Spanish users are expected to maintain these files in Spanish or with certified translation available on regulator request. The templates are published on the AESIA official portal.

What this means for AI girlfriend operators

AI companion platforms fall under the EU AI Act's general-purpose AI category and inherit Article 50 transparency obligations. The implication for our catalog is concrete:

  • A platform that ships a public risk-assessment file, named DPO, transparent data-governance documentation, and an Article 50 disclosure scores well on our /methodology/ai-companions/ Privacy & Compliance dimension (14% weight).
  • A platform that ships only a generic privacy policy with no risk-assessment surface, no human-oversight protocol, and no transparent training-data disclosure scores poorly on the same dimension.

the Candy.ai full audit is the closest match in our scored catalog, twelve legal URLs published, named DPO, USC 2257 exemption documented. Joi.ai and OurDream's published review ship lighter documentation surfaces. AESIA's templates don't change our rubric, they validate it by raising the floor on what regulators expect to see.

The 2026-2027 cascade

Other EU member states are likely to follow Spain's sectoral model rather than the horizontal data-protection-authority extension. Germany's BNetzA AI Act mandate is closest to the Spanish blueprint in scope. France, Italy, and Portugal have signalled interest in dedicated AI regulators in 2026 budget cycles, none confirmed yet. The practical reader takeaway: if your platform of choice can survive AESIA's documentation expectations today, it survives the EU AI Act floor tomorrow, regardless of which member state stands up the next dedicated regulator.

Where to go next

For the full legal perimeter covering EU + UK + US + Asia regulatory regimes affecting AI companion services, our /safety/ai-companion-legal/ guide is the canonical reference. For the per-platform compliance scoring, the /methodology/ai-companions/ page lays out the 14% Privacy & Compliance weight, and the Pillar listicle at our 8-platform ranking flags compliance posture per pick.

Resources

Frequently asked questions

What is AESIA?

AESIA (Agencia Española de Supervisión de Inteligencia Artificial) is Spain's Artificial Intelligence Supervisory Agency, established by Royal Decree and operational from December 2025. It is the first dedicated AI supervisory body within any EU member state, predating the full applicability of the EU AI Act in August 2026. AESIA's mandate covers risk-assessment audits, transparency-documentation review, and enforcement coordination with the EU AI Office in Brussels.

Does AESIA affect AI girlfriend platforms serving Spanish users?

Yes when those platforms qualify as AI providers under the EU AI Act and reach Spanish users. AI companion services fall under the general-purpose AI category and inherit Article 50 transparency obligations (mandatory disclosure that the user is interacting with an AI system). AESIA expects providers serving Spanish users to publish risk-assessment files, human-oversight protocols, and data-governance documentation in line with the AI Act Annex IV template.

When does the EU AI Act become fully applicable?

The EU AI Act entered into force on 1 August 2024 with staggered applicability dates. Prohibited-practice rules applied from February 2025. General-purpose AI obligations applied from August 2025. Full applicability across all risk tiers, including high-risk AI system obligations, lands on 2 August 2026. AESIA's December 2025 launch positions Spain to enforce the August 2026 milestones with a fully staffed regulator already in place.

How do other EU member states compare on AI-specific regulators?

As of May 2026 Spain is the only EU member state with a dedicated AI-specific supervisory agency. Germany routes AI Act enforcement through the Federal Network Agency (BNetzA) under a horizontal market-surveillance model. France relies on the existing CNIL data-protection authority extended with AI competencies. Italy's Garante per la protezione dei dati personali handles AI cases alongside its data-protection mandate. The Spanish model is closer to a sectoral regulator and likely sets the template other member states copy 2026-2027.

What documentation does AESIA expect from AI service providers?

AESIA published compliance templates covering risk-assessment files (mirroring Annex IV of the AI Act), human-oversight protocols, transparency disclosures for end users, data-governance records (training-data sources, lawful basis, data-quality measures), and post-market monitoring plans. Providers serving Spanish users are expected to maintain these files in Spanish or to provide certified translation on regulator request. The templates are published on the AESIA official portal and on Boletín Oficial del Estado for the founding royal decree.

Spain's AESIA Goes Live: Europe's First Dedicated AI Supervisory Agency