The Artificial Intelligence (AI) Guidelines, developed within the framework of Spain’s regulatory sandbox pilot for AI, provide practical recommendations to facilitate compliance with Regulation (EU) 2024/1689 on Artificial Intelligence (AI Regulation). This Regulation establishes a risk-based legal framework to ensure the safety, protection of fundamental rights, and trust in AI systems, without hindering innovation.
Although these guidelines are non-binding, they serve as a key support tool until harmonized rules are adopted at the European level. They are periodically updated and structured into: introductory guides, technical guides, a checklist usage manual, and a compilation of checklists and practical examples.
Introductory Guides:
- Introductory Guide to the AI Regulation:
  Provides an overview of the AI Regulation, explaining its objectives, scope, governance system, roles and responsibilities of various actors, key obligations (especially for high-risk AI), and implementation dates.
- Practical Guide and Examples to Understand the AI Regulation:
  Explains the Regulation in an accessible way, using examples and representative use cases. It includes a glossary of key terms and an introduction to the technical guides of the Spanish AI sandbox, illustrating their relationship with the obligations applicable to high-risk AI systems. This guide aims to facilitate understanding and preparation for regulatory compliance.
Core Guidelines:
- Conformity Assessment Guide:
  Describes the conformity assessment process outlined in the Regulation, detailing the two possible procedures: internal control by the provider and assessment by a notified body.
- Quality Management System Guide:
  Explains how providers must establish and maintain a quality management system in compliance with Article 17 of the Regulation, identifying the minimum required elements.
- Risk Management Guide:
  Details how to establish and maintain an ongoing risk management system in accordance with Article 9 of the Regulation, aimed at identifying, evaluating, and mitigating risks to health, safety, and fundamental rights throughout the AI system’s lifecycle.
- Human Oversight Guide:
  Explains the requirements of Article 14 of the Regulation to ensure that AI systems are under effective human control, enabling users to understand their functioning, manage risks, and intervene or stop the system when necessary, with clear responsibilities between the provider and the deployer.
- Data and Data Governance Guide:
  Expands on the requirements of Article 10 of the Regulation, addressing the quality, adequacy, and representativeness of data, lifecycle management, bias analysis and mitigation, personal data protection, documentation, and ongoing system monitoring.
- Transparency Guide:
  Explains how to comply with Article 13 of the Regulation, ensuring that AI systems are understandable and overseen. It requires the provider to offer clear instructions on the purpose, limitations, risks, data, results, human oversight, changes, and maintenance, supported by international standards and a self-assessment questionnaire.
- Accuracy Guide:
  Describes how to comply with Article 15 of the Regulation regarding the accuracy of AI systems, which must be defined, measured, and maintained throughout their lifecycle using appropriate metrics, continuous monitoring, integration with human oversight, bias mitigation, robustness, and cybersecurity.
- Robustness Guide:
  Explains how to ensure the robustness and reliability of AI systems in accordance with Article 15 of the Regulation, including the definition of metrics, continuous monitoring and documentation, and mechanisms to ensure that, in the event of failure, the system issues an alert or safely halts, preventing risks to safety and fundamental rights.
- Cybersecurity Guide:
  Details the necessary measures to protect AI systems from cyberattacks, in compliance with Article 15 of the Regulation, through adequate risk management, security controls throughout the lifecycle, technical documentation, and personnel training.
- Record-Keeping Guide:
  Explains the record-keeping, conservation, and management requirements for AI system logs, ensuring traceability, risk control, human oversight, and protection of fundamental rights. Records must be kept for at least six months and managed with clearly defined responsibilities, appropriate security measures, and a focus on continuous improvement.
- Post-Market Surveillance Guide:
  Describes the obligations under Article 72 of the Regulation, requiring providers to have a post-market surveillance plan and system to collect and analyze data throughout the system’s lifecycle, detect incidents or deviations, and maintain proportional regulatory compliance with proper documentation.
- Incident Management Guide:
  Explains how and when to notify serious incidents in AI systems as per Article 73 of the Regulation, stating that the provider (or deployer) must report to the Market Surveillance Authority within defined timeframes, integrating this process into their Quality Management System.
- Technical Documentation Guide:
  Details the technical documentation required by the Regulation (Articles 11 and 18, Annex IV), which must be produced by the provider, maintained throughout the system’s lifecycle, and preserved for at least ten years.
Checklist Manual for Requirements Guides:
Provides a practical checklist that allows entities to self-assess their level of compliance with the AI Regulation, identify gaps, and define an Adaptation Plan, supported by guiding measures and additional measures validated within Spain’s regulatory sandbox.
These guidelines, developed by the Spanish Agency for Artificial Intelligence Supervision (Agencia Española de Supervisión de Inteligencia Artificial), play a vital role in facilitating the responsible and effective implementation of AI systems in Spain, ensuring alignment with EU regulations and fostering innovation in a secure, ethical, and transparent manner.
Read the full report here: GUIDELINES
At Asphalion, digitalisation is at the core of our processes, embedded across our regulatory and quality activities, enabling greater efficiency, strengthened oversight, and sustainable compliance in a rapidly evolving landscape.
Contact us for further information: [email protected]







