The EU AI Act (Regulation EU 2024/1689) Annex III is fully enforceable from August 2026. Spanish SMEs using AI in marketing, HR or document management have up to 90 days to comply. Fines: up to 7% of annual turnover.

The EU AI Act is the world's first comprehensive AI regulation. It entered into force partially in August 2024 (prohibitions) and February 2025 (general purpose models). The milestone that directly affects most Spanish SMEs is August 2026: the obligations of Annex III (high-risk systems) become fully enforceable. If your company uses AI for hiring, credit scoring, education management, critical infrastructure, border control or legal applications, you are within the scope of Annex III. If you only use AI for marketing (website chatbot, content generator, lead scoring), you are likely in limited risk, but you still need to document use and transparency.

What obligations does the EU AI Act impose on a Spanish SME?

The obligations are tiered by AI-system category. The classification is binding and the criteria are detailed in the Regulation's annexes:

80% of Spanish SMEs that use AI fall into limited risk (customer-service chatbots, content generation, scoring) — but they are still in scope and must comply with mandatory transparency.

How much does it cost to comply with the AI Act for a Spanish SME in 2026?

For an SME of 20-200 employees with 1-3 AI systems in production (chatbot, scoring, RAG), the realistic compliance cost as a turnkey project:

| Item | SME 20-50 emp (1-2 AI systems) | SME 50-200 emp (2-4 AI systems) |
|---|---|---|
| Initial audit and inventory | €2,500-4,000 | €4,000-7,000 |
| Risk classification and gap analysis | €3,000-5,500 | €5,500-9,000 |
| Remediation plan + policies + procedures | €4,500-7,500 | €7,500-13,000 |
| Technical controls and transparency rollout | €2,500-4,500 | €4,500-8,000 |
| Mandatory team training (8 h) | €1,500-2,500 | €2,500-4,500 |
| ISO 42001 light (AI governance · optional) | €5,000-8,500 | €8,500-14,000 |
| Total 90-day project (with ISO 42001) | €19,000-32,500 | €32,500-55,500 |
| Total 90-day project (without ISO 42001) | €14,000-24,000 | €24,000-41,500 |
| Year-2 maintenance | €2,500-5,000/yr | €5,000-9,000/yr |

The Red.es Kit Consulting voucher (Order TDF/38/2026) subsidises up to €24,000 in strategic advisory. A Segment A or B SME can use that voucher to fully cover phases 1-3 (audit, classification, remediation plan).

Which AI systems fall within high-risk Annex III?

Annex III lists 8 high-risk areas. A Spanish SME must review them one by one and declare whether it has systems in each:

  1. Biometrics and identification: facial recognition, biometric authentication, categorisation by biometric features.
  2. Critical infrastructure: management and operation of traffic, water, gas, energy, essential supplies.
  3. Education and vocational training: admission, evaluation of results, allocation to institutions.
  4. Employment, worker management: hiring, CV screening, task allocation, performance evaluation, disciplinary decisions.
  5. Access to essential services: credit scoring, insurance premium setting, eligibility for public services.
  6. Law enforcement: predictive risk analysis, evaluation of evidence reliability, profiling.
  7. Migration, asylum and border control: reliability analysis of applications, identification.
  8. Justice and democratic processes: legal research, interpretation of facts, influence on elections or referendums.

If an SME has an automated CV-screening system, it is within Annex III (item 4) and must comply with all high-risk obligations. If it only uses spam filters and marketing chatbots, it is in limited risk.

Real case: an 18-employee consultancy implements AI Act compliance in 90 days

A boutique consultancy of 18 employees based in Madrid had two AI systems in production: (1) a RAG chatbot trained on each client's documentation for internal answers, and (2) a sales-lead scoring engine based on machine learning. Neither was documented under the AI Act and management did not know whether it had Annex III obligations.

Project delivered in 12 weeks (3 months) with a fixed budget of €18,000 (€8,000 covered by Kit Consulting). Deliverables:

The consultancy moved from high regulatory risk (potential sanction of 7% of turnover = €250,000) to compliant. It additionally won two new contracts where the client required a supplier with documented AI compliance.

What steps does a 90-day AI Act compliance project follow?

  1. Day 1-10: kickoff, appointment of internal AI lead, full inventory of AI systems in production and in development.
  2. Day 10-25: risk classification per the Regulation's annexes. Analysis of each system across 5 dimensions (data, model, use, users, decisions).
  3. Day 25-40: gap analysis vs requirements by category. Drafting of risk-prioritised remediation plan.
  4. Day 40-60: drafting of use policies, human oversight procedures, fundamental rights impact assessment (FRIA), transparency notices.
  5. Day 60-75: rollout of technical controls (logging, automatic records, model version control, operational human oversight).
  6. Day 75-85: mandatory training for all staff (minimum 8 hours) and specific training for executives and developers.
  7. Day 85-90: closure, internal audit, final documentation, compliance communication to management.

FAQ

Is my SME bound by the EU AI Act if I only use ChatGPT and Copilot?

Yes, in part. ChatGPT and Copilot are foundation models (GPAI — General Purpose AI), regulated by the AI Act since February 2025. As a user, you do not have the provider obligations (OpenAI, Microsoft), but you must document use, ensure transparency with your team and apply internal policies if use affects employment decisions or decisions that impact customers.

Do I have to register with AESIA or in any database?

Only providers and operators of high-risk systems (Annex III) must register in the EU database (EUDAMED for AI). A typical SME user has no registration obligation but must be able to demonstrate compliance in an inspection. AESIA (Spanish AI Supervisory Agency, headquartered in A Coruña) is the competent authority in Spain and publishes regular technical guidance.

Have real fines already been imposed for AI Act non-compliance?

As of 2026 there is still an adaptation period; most European authorities have not yet imposed sanctions, but inspections have begun. The maximum fines are: €35M or 7% of turnover for prohibited systems; €15M or 3% for Annex III high-risk non-compliance; €7.5M or 1.5% for supplying incorrect information. For an SME: the cap is 1.5% of the lower amount (turnover or absolute figure).

Is the AI Act compatible with GDPR?

Yes, they are complementary. GDPR protects personal data; the AI Act protects the integrity of the automated decision system. An employee scoring system can be GDPR-compliant (legal basis, transparency, rights) and, at the same time, be an Annex III system under the AI Act (robustness, human oversight obligations). Both must be complied with.

What is ISO 42001 and do I need to implement it?

ISO 42001 (2023) is the first international standard for an AI management system. Its goal is to ensure governance, ethics and continuous improvement in the use of AI in an organisation. It is not mandatory, but it is the most efficient way to demonstrate AI Act compliance to third parties (clients, investors, auditors). In 2026 very few companies are certified in Spain; being among the first is a competitive advantage.

Can employees use generative AI without the company complying with the AI Act?

Not legally. If employees use ChatGPT, Copilot or Gemini at work, the company must have a documented use policy, employee training, controls on confidential data (no uploading of sensitive information to public AI) and a registry of AI systems in use. Without this, an incident (data leak, discriminatory decision) exposes the company to GDPR + AI Act sanctions.

Mini-glossary

Official sources

Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs.