In December 2025, the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) published a set of detailed guidance documents and templates aimed at helping providers and deployers of high-risk AI systems under the EU AI Act comply with the relevant requirements of the law. The materials are also available in English.

Developed through Spain’s AI regulatory “sandbox” with input from industry, technical experts, and authorities, the guidance is non-binding and offers practical recommendations to providers and deployers of high-risk AI systems. AESIA emphasizes that these documents are living resources, subject to regular updates to reflect evolving standards and European Commission guidelines. They will be updated if the Digital Omnibus amending the Act is adopted.

What Is in the Guidance?

The guidance is divided into four main parts:

  • Introductory Guides (01–02): Overview of the AI Act and key compliance principles.
  • Technical Guides (03–15): Practical recommendations relating to:
    • Conformity assessments
    • Risk management systems
    • Technical documentation
    • Record-keeping and transparency
    • Human oversight requirements
  • Toolkit of Checklists and Templates (16 and zip file): Guide 16 explains how to use compliance checklists, and is complemented by a free, downloadable toolkit with ready-to-use templates and examples to aid implementation.

Why Does It Matter?

The guidance offers a practical roadmap for compliance with the AI Act and reflects Spain’s collaborative approach centered on its national AI sandbox, bringing together regulators, industry, and technical experts. Several EU countries are taking similar steps to support organizations seeking to comply with the AI Act. Germany, for instance, has issued guidance on high-risk AI classifications and safety standards. The Netherlands published an AI Act Guide outlining obligations and risk categories with practical compliance steps. The French CNIL also has issued recommendations focused on GDPR compliance, including data annotation, development security, and model governance—complete with checklists—helping companies navigate personal data use in AI systems. These efforts, like Spain’s, seek to equip organizations with the necessary tools that will allow them to comply with the AI Act.

*          *          *

The Covington team continues to monitor regulatory developments on AI, and we regularly advise the world’s top technology companies on their most challenging regulatory and compliance issues in the EU and other major markets. If you have questions about AI regulation, or other tech regulatory matters, we are happy to assist with any queries.

Tags: AI Act, European Union, guidance, High-Risk AI, Spain, Templates
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Read more about Dan CooperEmail
Show more Show less
Photo of Anna Sophia Oberschelp de Meneses Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act…

Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe’s digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.

She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington’s disputes teams on matters at the intersection of regulatory compliance and litigation.

Read more about Anna Sophia Oberschelp de MenesesEmailAnna Sophia's Linkedin Profile
Show more Show less