Spain pushes ahead with AI rules

Spain is moving on two tracks at once: national rules aimed at social media and AI harms, and a parallel European debate over whether parts of the EU AI Act should be eased before key obligations bite. On May 13, Spain’s digital transformation minister, Oscar Lopez, told Reuters that Madrid would push ahead despite lobbying from large technology companies. At the same time, EU institutions are negotiating a compromise text that would adjust parts of the bloc’s AI rulebook before major compliance duties take effect in August 2026. ### What exactly did Spain say it would do? Oscar Lopez said Spain would proceed with rules to make social networks and AI safer, even as what he called “powerful voices” pressed against measures affecting high-risk AI and platform algorithms. Reuters reported that Lopez argued the profits of a handful of technology companies should not override the rights of users. (usnews.com) Reuters’ account said the Spanish package includes proposals that would force companies to disclose how social media recommendation algorithms work and would curb certain high-risk AI uses. Separate reporting tied to the same package said Spain has also discussed tougher protections for minors online, including limits around social media access for under-16s and stronger liability for failures to remove illegal content. (usnews.com) ### How does this connect to the EU AI Act rather than just Spain? The European Union’s AI Act is already in force, but it applies in stages. The European Commission’s AI Act Service Desk says general provisions, including AI literacy and bans on prohibited practices, began applying on February 2, 2025, while most of the remaining rules start on August 2, 2026. Those August 2026 obligations include Annex III high-risk AI rules, Article 50 transparency duties, innovation measures such as sandboxes, and the start of national and EU-level enforcement. (newseu.cgtn.com) A Council compromise text confirmed on May 13 would amend parts of that timetable and several implementation rules. Digital Watch Observatory, summarizing the compromise approved by EU member-state representatives, said the draft changes cover AI literacy, conformity assessment, AI regulatory sandboxes, real-world testing and high-risk system obligations. ### Are Brussels actually softening the law? (ai-act-service-desk.ec.europa.eu) On May 7, the Council of the European Union and European Parliament negotiators reached a provisional agreement to simplify and streamline parts of the AI Act under the EU’s “Omnibus VII” package. The Council said the proposal broadly maintained the Commission’s approach while reducing recurring administrative costs and preserving protections, including a new prohibition related to non-consensual intimate content and child sexual abuse material. (dig.watch) The same Council statement said the co-legislators introduced fixed delayed dates for some high-risk AI rules: December 2, 2027 for stand-alone high-risk systems and August 2, 2028 for high-risk AI embedded in products. The compromise text also said providers would still need to register certain exempted systems in the EU database for high-risk systems. (consilium.europa.eu) ### What changes in the compromise text matter most for companies? The compromise text would revise AI literacy from an outcome-style duty to a measures-based duty. Digital Watch Observatory said the wording would shift from requiring providers and deployers to ensure a sufficient level of literacy to requiring them to take measures supporting AI literacy, without guaranteeing a specific level for each individual. (consilium.europa.eu) Conformity assessment and high-risk classification remain central because those determine what technical documentation, testing, registration and oversight evidence companies must maintain. The Council said the simplification package responds to delayed standards, national governance structures and conformity-assessment frameworks that had made compliance more burdensome than expected. (dig.watch) ### So what should legal, product and compliance teams be doing now? August 2, 2026 remains the live date on the Commission’s public implementation timeline for the majority of AI Act rules, even though the Omnibus deal would delay some high-risk obligations if it is finalized. IAPP reported last week that companies should not treat a proposal as current law and should plan against the existing timetable unless and until the legal text changes. (consilium.europa.eu) That means teams still need to identify which systems fall into transparency or high-risk buckets, map who is acting as provider or deployer, and assemble documentation around human oversight, monitoring and registration where required. The next formal step is legislative completion in Brussels: the Council has said it will approve Parliament’s position if Parliament adopts the compromise text at first reading. (dig.watch) (ai-act-service-desk.ec.europa.eu)