Research Report: Navigating the Future of Healthcare – Spain’s Regulatory Framework for Artificial Intelligence

Many thanks to our sponsor Esdebe who helped us prepare this research report.

Abstract

The integration of Artificial Intelligence (AI) into global healthcare systems represents a paradigm shift with profound implications for patient care, diagnostics, treatment planning, and health system management. This transformative potential, however, is inextricably linked with significant ethical, safety, and societal considerations. Consequently, the rapid proliferation of AI necessitates the proactive establishment of robust, adaptable, and ethically grounded regulatory frameworks to ensure not only the efficacy and safety of AI applications but also their compliance with fundamental rights and societal values. This comprehensive research report undertakes an in-depth examination of Spain’s multifaceted initiatives in developing and implementing AI regulations specifically within the healthcare sector. It systematically compares these national and regional endeavors with prominent international standards, including the seminal European Union’s AI Act and the well-established guidelines from the U.S. Food and Drug Administration (FDA). The analysis extends beyond mere descriptive comparison, delving deeply into the inherent complexities of designing, implementing, and rigorously enforcing these sophisticated frameworks. Particular attention is paid to the formidable challenges associated with ensuring comprehensive compliance and clear accountability in a rapidly evolving technological landscape. Furthermore, the report critically evaluates the delicate and often precarious balance that regulators must strike between fostering an environment conducive to groundbreaking innovation in AI healthcare and rigorously upholding paramount principles of patient safety, data privacy, and ethical application. This exploration aims to provide a nuanced understanding of Spain’s strategic position in shaping the future of regulated AI in healthcare.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

1. Introduction: The Transformative Imperative of AI in Healthcare and the Regulatory Response

Artificial Intelligence, encompassing machine learning, deep learning, natural language processing, and computer vision, is rapidly emerging as a pivotal force in reshaping global healthcare landscapes. Its capabilities extend across the entire spectrum of medical practice, from expediting diagnostic processes through advanced image analysis to personalizing treatment regimens based on genomic data, optimizing hospital operations, and enhancing drug discovery pipelines. In Spain, a nation keenly aware of the opportunities and challenges presented by digital transformation, both national governmental bodies and influential regional administrations have proactively acknowledged the indispensable need for comprehensive, forward-looking regulatory frameworks to govern the responsible and effective deployment of AI within its healthcare sector. This report embarks on an exhaustive exploration of Spain’s pioneering regulatory initiatives, elucidating their scope, structure, and intent. It then proceeds to benchmark these domestic efforts against established international benchmarks, notably the European Union’s comprehensive AI Act and the pragmatic, risk-based approach adopted by the U.S. FDA. The subsequent analysis critically dissects the intricate challenges and fundamental considerations inherent in the formulation, robust enforcement, and continuous adaptation of such complex regulatory ecosystems, especially within the dynamic context of advanced AI technologies in a sensitive domain like healthcare.

The profound impact of AI in healthcare is multi-dimensional. On the one hand, it promises unprecedented improvements in diagnostic accuracy, potentially reducing misdiagnosis rates and enabling earlier detection of diseases like cancer or retinopathy. Predictive analytics can forecast disease outbreaks, identify at-risk patient populations, and optimize resource allocation within hospitals. Robotic surgery, AI-powered drug discovery, and intelligent patient monitoring systems offer avenues for enhanced precision, efficiency, and personalized care. However, these benefits are accompanied by inherent risks. The ‘black box’ nature of some AI algorithms raises questions of transparency and explainability, particularly when critical clinical decisions are influenced. The reliance on vast datasets for training AI models introduces significant data privacy and security concerns, especially given the highly sensitive nature of health information. Furthermore, algorithmic bias, if not meticulously addressed, could perpetuate or even exacerbate existing health disparities, leading to inequitable access or suboptimal care for certain demographic groups. It is against this backdrop of immense promise and substantial risk that Spain, mirroring global trends, has embarked on its journey to craft a regulatory environment that aims to harness AI’s potential while rigorously mitigating its perils. Spain’s proactive stance is particularly noteworthy given its commitment to human-centered AI, aligning closely with the broader European ethos of ethical technology development.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

2. Spain’s Evolving Regulatory Landscape for AI in Healthcare

Spain has demonstrated a clear and strategic commitment to establishing a robust regulatory environment for Artificial Intelligence, recognizing its transformative potential while prioritizing ethical considerations, safety, and societal well-being. This commitment is evident through a combination of national-level initiatives designed to create overarching frameworks and regional-level strategies that tailor AI governance to specific local contexts within the healthcare sector.

2.1 National Level Initiatives: Forging a Cohesive Regulatory Architecture

At the national stratum, Spain has undertaken several pivotal legislative and institutional measures to lay the groundwork for comprehensive AI regulation, particularly impactful for the healthcare domain:

2.1.1 The Spanish Agency for the Supervision of Artificial Intelligence (AESIA)

Established through Royal Decree 729/2023 on August 22, 2023, the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) represents a cornerstone of Spain’s national AI governance strategy. Headquartered in A Coruña, Galicia, AESIA is conceived as a fully autonomous public agency, endowed with the critical mandate of overseeing the ethical, transparent, and compliant use of AI systems across all sectors, with a particular focus on those deemed ‘high-risk’ – a category that inherently includes many AI applications in healthcare. Its establishment was a direct response to the anticipated requirements of the European Union’s AI Act, positioning Spain as the first EU member state to create a dedicated national supervisory authority for AI, thereby underscoring its leadership in this domain.

AESIA’s foundational functions are multifaceted and comprehensive. Its primary responsibility is to supervise the effective application and enforcement of European and national AI regulations, ensuring that AI systems developed and deployed within Spain adhere strictly to established ethical guidelines and legal requirements. This includes monitoring the conformity assessment procedures for high-risk AI systems, which are subject to stringent obligations concerning risk management, data quality, transparency, human oversight, and robustness. For healthcare, this translates into AESIA scrutinizing AI systems used in diagnostics, treatment decisions, surgical assistance, and patient monitoring, demanding rigorous testing and validation processes.

Beyond mere compliance, AESIA is tasked with promoting a culture of responsible AI innovation. It is expected to provide guidance, facilitate dialogue among stakeholders, and contribute to the development of technical standards and best practices. Its role extends to fostering trust in AI technologies by ensuring transparency in their operation and impact, advocating for explainability, and promoting human-centric design principles. Furthermore, AESIA plays a crucial role in assessing the ethical and social impact of AI, particularly concerning fundamental rights. This includes evaluating potential biases in algorithms that could lead to discriminatory outcomes in healthcare access or treatment, and ensuring robust mechanisms for addressing such issues. The agency is also envisioned as a key point of contact for collaboration with other national and international regulatory bodies, particularly within the EU, to ensure a harmonized approach to AI governance. Its formation marks a significant step towards institutionalizing the oversight of AI, providing a dedicated body with the expertise and authority to navigate the complexities of this rapidly advancing field.

2.1.2 The Artificial Intelligence Regulatory Sandbox

In a pioneering move, Spain formally announced the creation of its Artificial Intelligence Regulatory Sandbox in September 2023, making it the first EU member state to implement such an initiative. This sandbox is not merely a theoretical concept but a practical, controlled testing environment designed to facilitate the safe and compliant development of cutting-edge AI technologies, particularly those classified as ‘high-risk’ under the forthcoming EU AI Act. The core philosophy behind a regulatory sandbox is to offer a supervised space where innovators can test their AI systems in real-world or simulated conditions, under the direct guidance and oversight of regulatory authorities, without immediately facing the full burden of conventional regulatory compliance. This allows for iterative development, early identification of potential risks, and collaborative problem-solving between developers and regulators.

For the healthcare sector, the AI Regulatory Sandbox holds immense promise. It enables medical device manufacturers, pharmaceutical companies, and health tech start-ups to develop and refine AI-powered diagnostic tools, therapeutic devices, clinical decision support systems, and patient management platforms. Participants can experiment with novel AI applications in a low-stakes environment, allowing for agile iteration and adaptation based on regulatory feedback. This iterative process helps in identifying and mitigating risks related to data privacy, algorithmic bias, system robustness, and clinical safety before widespread deployment. For instance, an AI system designed to assist radiologists in detecting anomalies on medical images could be tested within the sandbox, allowing developers to fine-tune its performance, demonstrate its accuracy and reliability, and address any potential biases in its training data under the watchful eye of AESIA and potentially the Spanish Agency of Medicines and Medical Devices (AEMPS).

The sandbox specifically aims to align its operations with the provisions of the EU AI Act, serving as a ‘real-world laboratory’ to test the practical implications of the Act’s requirements, particularly for high-risk AI systems. This includes adherence to requirements for robust risk management systems, high-quality training and testing datasets, detailed technical documentation, and clear human oversight mechanisms. The insights gained from the sandbox will not only benefit the participating innovators by accelerating their time-to-market for compliant products but also inform regulatory authorities, helping them refine future policies and guidance based on practical experience. It represents a pragmatic approach to regulation, acknowledging the dynamic nature of AI innovation and seeking to foster it responsibly rather than stifling it with overly rigid rules.

2.1.3 Draft Law for the Good Use and Governance of Artificial Intelligence (DLGUGAI)

Spain’s legislative efforts to domesticate and complement the European Union’s regulatory framework for AI are embodied in the proposed Draft Law for the Good Use and Governance of Artificial Intelligence (DLGUGAI). This legislative initiative signals Spain’s commitment to creating a comprehensive national legal framework that aligns with the principles and specific mandates of the EU AI Act, while also addressing unique national considerations. The DLGUGAI is designed to provide a cohesive legal foundation for the ethical and responsible development and deployment of AI across various sectors, with a significant emphasis on public services, including healthcare.

The DLGUGAI is expected to incorporate and elaborate on several key provisions that directly impact AI in healthcare. It will likely establish clear obligations for developers and deployers of AI systems, particularly for those categorized as high-risk. These obligations will encompass requirements for stringent risk management systems throughout the AI system’s lifecycle, ensuring that potential harms are identified, assessed, and mitigated. Data governance and quality standards are also expected to be central, demanding that datasets used for training, validation, and testing AI models are representative, free from bias, and compliant with data protection regulations like GDPR. Transparency obligations will likely mandate that users are informed when they are interacting with an AI system and that the outputs of AI are understandable where necessary for critical decision-making.

Furthermore, the DLGUGAI is anticipated to address specific societal concerns that have emerged with the rapid advancement of AI. A notable provision, aligned with broader European efforts, is the prohibition of certain AI practices deemed to pose an unacceptable risk to fundamental rights. While the precise list will mirror the EU AI Act (e.g., social scoring, real-time remote biometric identification in public spaces for law enforcement unless strict exceptions apply), its application in healthcare might involve restrictions on AI systems that could lead to unfair patient selection or resource allocation based on discriminatory factors.

Crucially, the draft law is expected to contain explicit obligations related to identifying AI-generated content, specifically to prevent the proliferation of ‘deepfakes’ and synthetic media that could mislead or harm the public. In healthcare, this could be vital for preventing the spread of misinformation regarding treatments, diagnoses, or public health campaigns. The enforcement mechanisms for the DLGUGAI are envisioned to be multi-agency, involving the newly established AESIA as the primary supervisory authority for AI compliance, and the Spanish Data Protection Agency (AEPD) for matters pertaining to data privacy and protection, reflecting the deeply intertwined nature of AI and data. This distributed enforcement model leverages the specific expertise of different regulatory bodies, aiming for a holistic approach to AI governance.

2.2 Regional Level Initiatives: Tailoring AI Governance to Local Healthcare Needs

Complementing the national framework, several autonomous regions within Spain have proactively developed their own AI strategies and guidelines, recognizing the unique needs and operational contexts of their regional healthcare systems. These regional initiatives allow for more granular implementation of national and European principles, fostering innovation while addressing local healthcare priorities and challenges.

2.2.1 Catalonia’s Health/AI Program and Guidelines

Catalonia, a region renowned for its robust healthcare system and vibrant technological ecosystem, has taken a leading role in regional AI governance within healthcare. The Health/AI Program, established in March 2023, is a testament to this commitment. This program is a strategic initiative designed to integrate AI into the Catalan healthcare system in a manner that is both technologically advanced and ethically sound. Its overarching goal is to support the responsible adoption of AI-based technologies across clinical practice, public health, and health management.

In March 2024, the Health/AI Program released a significant set of four new guidelines specifically on the use of AI in the healthcare sector. These guidelines are comprehensive, addressing various critical aspects of AI deployment: 1) Ethical and Legal Frameworks for AI in Health: This guideline provides a detailed roadmap for ensuring AI systems comply with ethical principles such as beneficence, non-maleficence, justice, and autonomy, alongside legal requirements like GDPR and the forthcoming EU AI Act. It emphasizes the need for ethical review boards and impact assessments. 2) Data Governance and Quality for AI in Health: Recognizing that the performance of AI models is heavily reliant on the quality and representativeness of their training data, this guideline focuses on best practices for data collection, storage, anonymization, security, and ensuring data diversity to mitigate algorithmic bias. 3) Clinical Validation and Integration of AI Systems: This guideline outlines rigorous methodologies for validating the clinical efficacy and safety of AI algorithms, including requirements for pilot projects, clinical trials, and clear protocols for integrating AI into existing clinical workflows. It emphasizes the importance of human oversight and the physician’s ultimate responsibility. 4) Public Engagement and Trust in AI in Health: This guideline highlights the critical need for transparency, public education, and patient involvement in the development and deployment of AI in healthcare to build and maintain trust. It advocates for clear communication about the capabilities and limitations of AI and the protection of patient rights.

These guidelines serve as a practical framework for healthcare institutions, research centers, and technology developers operating within Catalonia, aiming to ensure that AI-based technologies are developed, validated, and deployed safely, effectively, and in full compliance with both European and local regulations. They foster a climate of innovation while embedding ethical considerations from the earliest stages of AI development.

2.2.2 Galicia’s Law 2/2025 on AI Development and Promotion

Galicia, another autonomous community in Spain, has also enacted progressive legislation to govern AI. Law 2/2025, enacted in April 2025 (note: there might be a typo in the original article as this is a future date, assuming it intends to reflect a current or very recent legislative effort in the spirit of the article), stands as a significant legal instrument focused on the development, promotion, and ethical application of AI within the region. While its scope is broader than just healthcare, its provisions have direct and profound implications for the use of AI in public administration and services, including the Galician public health system (Servizo Galego de Saúde – SERGAS).

The law’s central tenet revolves around ensuring the ethical, safe, reliable, and human-centered implementation of AI. This human-centered approach is particularly pertinent in healthcare, where the ultimate goal of technology should be to augment human capabilities and improve patient outcomes without diminishing the human element of care. Specific provisions within Law 2/2025 likely include: requirements for the public sector to conduct AI impact assessments before deploying systems that could affect citizens’ rights; provisions for transparency regarding the use of AI in public services; and mechanisms for citizens to understand how AI decisions affecting them are made and to challenge those decisions. It may also promote the use of explainable AI (XAI) techniques to ensure that algorithms used in critical areas like diagnostics or resource allocation are interpretable by human professionals.

For the healthcare sector in Galicia, this law provides a regional legal mandate for the responsible adoption of AI in areas such as administrative efficiency, patient flow management, and potentially in clinical decision support within the public health system. It signals a regional commitment to leveraging AI for public good while embedding strong ethical safeguards and ensuring accountability. The establishment of AESIA in A Coruña (Galicia) further reinforces the region’s prominent role in national AI governance and its commitment to these principles.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

3. International Standards and Comparative Regulatory Approaches

The Spanish regulatory landscape for AI in healthcare does not exist in a vacuum. It is deeply influenced by, and seeks to align with, broader international efforts to govern AI, particularly those emanating from the European Union and the United States. Understanding these international benchmarks provides crucial context for evaluating Spain’s initiatives and highlights common challenges and divergent approaches.

3.1 The European Union’s Artificial Intelligence Act: A Global Benchmark

The European Union’s Artificial Intelligence Act, formally adopted and entering into force on August 1, 2024 (with staggered application dates for different provisions), represents a landmark piece of legislation globally. It is the world’s first comprehensive legal framework specifically designed to regulate AI, aiming to foster responsible AI development and deployment across all member states, including Spain. Its foundational principle is a risk-based classification system, which tailors regulatory requirements to the potential risks posed by different AI systems. This tiered approach is crucial for healthcare, where AI applications span a wide spectrum of risk profiles.

3.1.1 Risk-Based Classification of AI Systems

The EU AI Act categorizes AI systems into four distinct risk levels, each with corresponding regulatory obligations:

• Unacceptable Risk AI Systems: These are AI systems deemed to pose a clear threat to fundamental rights and are therefore prohibited. Examples include cognitive behavioural manipulation, social scoring by public authorities, or real-time remote biometric identification in public spaces for law enforcement, with narrow exceptions. In healthcare, this could prohibit AI systems designed to exploit vulnerabilities of patients or that arbitrarily discriminate in access to care based on non-medical factors.
• High-Risk AI Systems: This category is of paramount importance for healthcare. AI systems are classified as high-risk if they are intended to be used as safety components of products or as products covered by EU harmonization legislation that requires third-party conformity assessment (e.g., medical devices, which are already highly regulated), or if they fall into specific enumerated areas. For healthcare, this includes AI systems intended to be used as medical devices, in vitro diagnostic medical devices, or as components of such devices regulated under the Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Device Regulation (IVDR). Furthermore, AI systems used for dispatching emergency services, for risk assessment in life and health insurance, or for diagnosis and treatment fall under this high-risk designation. The majority of clinical AI applications will fall into this category, subjecting them to stringent requirements.
• Limited Risk AI Systems: These systems pose specific risks related to transparency. They require certain transparency obligations to ensure users are aware that they are interacting with an AI system. Examples include chatbots or emotion recognition systems. While less directly impactful on clinical decision-making, such systems might be used in patient support portals or mental health apps, requiring clear disclosure.
• Minimal or Low-Risk AI Systems: The vast majority of AI systems fall into this category. They are subject to very light regulatory intervention, primarily encouraging adherence to voluntary codes of conduct. Examples include AI-powered spam filters or video games. In healthcare, this could include AI used for administrative tasks, inventory management, or non-critical scheduling, provided they do not directly impact patient health or safety.

3.1.2 Stringent Requirements for High-Risk AI Systems

For AI systems identified as high-risk, the EU AI Act imposes a comprehensive set of stringent requirements designed to ensure their safety, reliability, and ethical compliance throughout their entire lifecycle:

• Robust Risk Management System: Developers must establish, implement, document, and maintain a risk management system that continuously identifies, analyzes, and evaluates risks associated with their AI system, and takes appropriate mitigation measures.
• High-Quality Datasets and Data Governance: The AI Act mandates that training, validation, and testing datasets used for high-risk AI systems must be of high quality, representative, and relevant. This is critical in healthcare to avoid algorithmic bias, which could lead to disparate outcomes for different patient populations. Requirements include data governance practices, measures to detect and correct biases, and data protection safeguards.
• Technical Documentation and Record-Keeping: Extensive technical documentation must be prepared and maintained, demonstrating compliance with the Act’s requirements. This includes detailed information about the system’s design, training data, performance, and validation. Automated logging capabilities are required for high-risk AI systems to allow for post-market monitoring and traceability.
• Transparency and Provision of Information to Users: High-risk AI systems must be designed to be sufficiently transparent to enable deployers and users to interpret the system’s output and use it appropriately. Users must receive clear and comprehensive information regarding the AI system’s purpose, capabilities, limitations, and how to operate it safely.
• Human Oversight: Despite the advanced capabilities of AI, the Act firmly places humans in control. High-risk AI systems must be designed to be subject to human oversight, ensuring that a human can effectively monitor the system, intervene, and override its decisions where necessary, particularly in critical healthcare contexts.
• Accuracy, Robustness, and Cybersecurity: AI systems must be designed to achieve an appropriate level of accuracy, robustness, and cybersecurity in light of their intended purpose and the risks they pose. This includes protection against adversarial attacks and ensuring resilience to errors or unforeseen circumstances.
• Conformity Assessment: Before being placed on the market or put into service, high-risk AI systems must undergo a conformity assessment procedure, which often involves third-party evaluation to verify compliance with the Act’s requirements.

3.1.3 Alignment with General Data Protection Regulation (GDPR)

A fundamental aspect of the EU AI Act’s framework, especially relevant for healthcare, is its deep alignment with the General Data Protection Regulation (GDPR). The AI Act explicitly reinforces the principles and obligations enshrined in GDPR, ensuring that the development and deployment of AI systems fully respect fundamental rights, including the right to data protection and privacy. This synergy means that AI systems handling personal health data must comply with GDPR’s strict requirements for lawful processing, data minimization, purpose limitation, data security, and the exercise of individual rights (e.g., right of access, rectification, erasure, and objection). In the context of AI, GDPR’s provisions on automated individual decision-making (Article 22) become particularly pertinent, requiring safeguards when decisions significantly affecting individuals are based solely on automated processing, including profiling. This ensures that patients retain a right to human intervention and a right to challenge decisions made by AI systems impacting their health or treatment plans.

3.2 U.S. Food and Drug Administration (FDA) Guidelines: A Product-Centric Approach

In contrast to the EU’s broad, horizontal regulatory approach, the U.S. Food and Drug Administration (FDA) primarily regulates AI through its existing framework for medical devices. The FDA’s approach is more product-centric, focusing on AI algorithms embedded within or functioning as medical devices. Their guidelines have evolved to address the unique characteristics of AI, particularly machine learning (ML), in healthcare.

3.2.1 Risk-Based Approach and SaMD Classification

The FDA employs a risk-based approach for AI-based medical devices, classifying them into categories based on their intended use and the risk they pose to patients. A key concept here is Software as a Medical Device (SaMD), which refers to software intended to be used for one or more medical purposes without being part of a hardware medical device. Many AI applications in healthcare fall under SaMD. The FDA categorizes SaMD based on the combination of the significance of information provided by the SaMD to the healthcare decision and the state of the healthcare situation or condition:

• Class I (Low Risk): SaMD providing information to drive or inform clinical management, where the information is intended to inform patient management (e.g., assisting in lifestyle choices for non-serious conditions).
• Class II (Moderate Risk): SaMD providing information to drive or inform clinical management, where the information is intended to diagnose, treat, or mitigate a serious condition (e.g., image analysis software for cancer detection).
• Class III (High Risk): SaMD providing information to drive or inform clinical management, where the information is intended to diagnose, treat, or mitigate a critical condition, or where accurate information is essential to avoid death or major injury (e.g., AI for real-time surgical guidance).

Higher-risk devices, particularly Class II and Class III AI-SaMDs, are subject to more rigorous scrutiny and regulatory requirements.

3.2.2 Pre-Market Review for AI-Based Medical Devices

Before an AI system classified as a medical device can be marketed in the U.S., it must undergo a thorough pre-market review process to demonstrate its safety and efficacy. The specific pathway depends on its risk classification:

• Premarket Notification (510(k)): For most Class II devices, manufacturers must demonstrate that their device is substantially equivalent to a legally marketed predicate device. For AI-SaMD, this involves providing data on performance, clinical validation, and how the algorithm was trained and tested.
• Premarket Approval (PMA): Class III devices, which pose the greatest risk, require PMA, a more stringent process involving clinical trial data to demonstrate safety and effectiveness.
• De Novo Classification Request: For novel, low-to-moderate risk devices for which no predicate exists, the De Novo pathway can be used to create a new classification.

Recognizing the unique characteristics of machine learning algorithms that can learn and adapt over time, the FDA has introduced the Total Product Lifecycle (TPLC) approach for AI/ML-based SaMD. This approach acknowledges that AI models can change after market authorization through continuous learning. The FDA published a discussion paper in 2019 and a proposed regulatory framework in 2021 outlining a vision for regulating AI/ML-based SaMD that can evolve while maintaining safety and effectiveness. This framework proposes a ‘predetermined change control plan’ which outlines modifications (algorithm changes, data changes) that the manufacturer plans to implement, allowing for a more streamlined review of these changes without requiring a new premarket submission for every minor update.

3.2.3 Post-Market Surveillance

The FDA mandates robust post-market surveillance for all medical devices, including AI systems. This involves continuous monitoring of the device’s performance after its deployment to identify and mitigate any potential risks or adverse events that may emerge in real-world use. Manufacturers are required to maintain quality management systems, report adverse events (e.g., device malfunctions leading to patient harm or incorrect diagnoses), and track complaints. For AI/ML-based SaMD under the TPLC approach, post-market surveillance is particularly critical for verifying that the evolving AI model continues to meet its safety and effectiveness claims and that any modifications introduced through continuous learning do not introduce new, unacceptable risks. Real-world performance data collection and analysis are central to this ongoing oversight.

3.3 Comparative Analysis: EU AI Act vs. U.S. FDA Guidelines

While both the EU AI Act and the U.S. FDA guidelines aim to ensure safe and effective AI in healthcare, they represent fundamentally different regulatory philosophies:

• Scope and Philosophy: The EU AI Act is a horizontal, comprehensive regulation covering all AI systems across all sectors, with a focus on ‘use cases’ and fundamental rights. It’s a broad, ex-ante approach, meaning it places significant obligations on developers before the AI system is placed on the market. The FDA guidelines, conversely, are a vertical, sector-specific regulation focused solely on AI applications that qualify as ‘medical devices.’ It’s a product-centric, risk-based approach leveraging existing regulatory pathways for medical devices, with a strong emphasis on clinical validation and post-market performance.

• Definition of AI: The EU AI Act provides a broad, technology-agnostic definition of AI, aiming to future-proof the regulation. The FDA implicitly addresses AI through its existing definitions of software and medical devices, focusing on the functionality and intended use.

• Risk Categorization: Both use a risk-based approach, but their methodologies differ. The EU AI Act categorizes AI based on the level of risk to fundamental rights and safety, with ‘high-risk’ being a broad category. The FDA categorizes AI-SaMD based on the level of risk to patient health if the device fails or provides inaccurate information, aligning with traditional medical device classification.

• Regulatory Burden: The EU AI Act imposes significant upfront compliance burdens on high-risk AI systems, including extensive documentation, quality management systems, human oversight, and conformity assessments, potentially involving third-party audits. The FDA’s existing pre-market review pathways are well-established for medical devices, but the unique challenges of AI/ML adaptability have led to the TPLC approach for post-market modifications.

• Focus Areas: The EU AI Act has a stronger emphasis on ethical principles, fundamental rights, transparency, explainability, and bias mitigation. While the FDA also considers these, its primary focus remains on clinical safety, efficacy, and performance as a medical product. The EU’s emphasis on data governance and bias extends to the training data and the system’s design, whereas the FDA primarily focuses on the performance of the device given its intended use.

• Enforcement: The EU AI Act establishes national supervisory authorities (like AESIA in Spain) with powers to enforce the regulation, issue fines, and ensure compliance. The FDA uses its existing enforcement powers for medical devices, including recalls, warning letters, and civil penalties.

Spain’s initiatives, particularly the establishment of AESIA and the DLGUGAI, are clearly aligned with the EU AI Act’s comprehensive framework, aiming to implement its provisions effectively within the national context. The regulatory sandbox further reinforces this by providing a mechanism to test compliance with EU rules. While Spain will not directly implement FDA guidelines, it benefits from observing and learning from the FDA’s experience, particularly concerning the regulation of rapidly evolving AI/ML-based medical devices and the challenges of post-market surveillance for adaptive algorithms.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

4. Challenges in Developing, Enforcing, and Adapting AI Regulatory Frameworks

The ambitious goal of regulating Artificial Intelligence in healthcare is fraught with inherent complexities and significant challenges. These challenges stem from the very nature of AI technology, the sensitive domain of healthcare, and the societal implications of its deployment. Regulators must navigate a precarious path, ensuring robust oversight without stifling innovation that promises to revolutionize patient care.

4.1 Compliance and Accountability: The Dynamic Nexus

Ensuring comprehensive compliance with AI regulations and establishing clear lines of accountability present formidable hurdles due to several intertwined factors:

4.1.1 The Dynamic and Evolving Nature of AI

Perhaps the most significant challenge is the rapid, often exponential, evolution of AI technologies. Regulatory cycles, inherently designed to be deliberate and thorough, struggle to keep pace with the swift advancements in AI algorithms, models, and applications. This ‘pacing problem’ means that by the time a regulation is drafted, enacted, and implemented, the underlying technology may have already evolved, potentially rendering some provisions obsolete or inadequate. For instance, the emergence of highly adaptable large language models (LLMs) and foundation models presents new regulatory dilemmas not fully anticipated in initial frameworks designed for more static, task-specific AI systems. Regulators must devise mechanisms for agile and adaptive governance, potentially through regularly updated technical standards, guidance documents, and iterative review processes, rather than relying solely on static legislation.

4.1.2 Data Privacy Concerns: The Fuel and The Vulnerability of AI

AI systems, particularly those employing machine learning, are data-hungry. Their effectiveness and accuracy are directly proportional to the volume, quality, and diversity of the datasets they are trained on. In healthcare, this necessity for vast amounts of personal health information (PHI) raises acute data privacy concerns. While GDPR and similar regulations provide a strong framework for data protection, the scale and complexity of AI necessitate deeper consideration. Challenges include:

• Re-identification Risk: Even with anonymization techniques, there’s a persistent risk of re-identifying individuals, especially when combining seemingly innocuous datasets.
• Data Sharing Agreements: Establishing secure, legally compliant, and ethically sound data sharing agreements between healthcare providers, research institutions, and AI developers is complex, involving multiple stakeholders and stringent contractual obligations.
• Synthetic Data Generation: While synthetic data offers a promising solution to privacy concerns, ensuring its representativeness and fidelity to real-world data, without inadvertently introducing biases, is an ongoing research and regulatory challenge.
• Consent Management: Obtaining explicit and informed consent for the use of health data in AI model training, particularly for secondary uses not initially foreseen, is a continuous ethical and practical challenge.

Maintaining robust technical and organizational safeguards against data breaches, unauthorized access, and misuse is paramount, especially as healthcare systems become increasingly digitized and interconnected.

4.1.3 Liability Issues: Tracing the Chain of Responsibility

Determining accountability and liability when an AI system causes harm is extraordinarily complex. In traditional medical malpractice, the liability typically rests with the healthcare professional or the medical device manufacturer. However, with AI, the chain of causation can be obscured:

• Is the developer liable for flaws in the algorithm’s design or training data?
• Is the deployer (e.g., hospital, clinician) liable for improper integration or misuse of the AI system?
• Could the AI itself, particularly in highly autonomous systems, be considered a source of liability, necessitating new legal concepts?
• What if the AI system ‘learns’ in real-world environments and makes an erroneous decision that was not present in its initial validation?

Existing legal frameworks may not be adequately equipped to address these nuanced scenarios, necessitating clearer legal frameworks that define roles, responsibilities, and liabilities for each stakeholder in the AI value chain – from the raw data provider to the algorithm developer, the system integrator, and the end-user clinician. This complexity also extends to insurance and indemnification, requiring innovative approaches to cover potential risks associated with AI-driven errors.

4.1.4 Technical Expertise within Regulatory Bodies

Another significant challenge for regulatory bodies globally, including those in Spain, is cultivating and retaining the necessary technical expertise to effectively understand, evaluate, and regulate sophisticated AI systems. Regulators need professionals with deep knowledge of machine learning algorithms, data science, cybersecurity, and clinical informatics to critically assess AI products and ensure their compliance. The demand for such expertise far outstrips supply, making it difficult for public sector bodies to compete with private industry for top talent. This disparity can lead to information asymmetries, where regulators may struggle to fully comprehend the intricate workings of the technologies they are tasked with overseeing, potentially impacting the effectiveness of their oversight.

4.2 Balancing Innovation and Safety: The Regulatory Tightrope

Regulators face the perpetual challenge of striking a delicate and often precarious balance between fostering technological innovation, which promises immense benefits, and rigorously ensuring patient safety and ethical adherence. An overly restrictive regulatory environment risks stifling groundbreaking research and development, potentially causing a nation to fall behind in technological advancements. Conversely, a lax approach can expose patients to untested or unsafe technologies, eroding public trust and leading to adverse outcomes.

4.2.1 Encouraging Innovation Through Adaptive Frameworks

To encourage innovation, regulators are increasingly adopting flexible and adaptive frameworks. Regulatory sandboxes, such as the one implemented in Spain, are prime examples. By providing a controlled, supervised environment for testing novel AI applications, sandboxes enable innovators to experiment safely, iterate rapidly, and gain early feedback from regulators. This reduces the ‘time-to-market’ for compliant AI solutions and lowers the perceived regulatory risk for developers. Beyond sandboxes, other strategies include:

• Fast-track approval pathways for truly breakthrough technologies that address unmet medical needs.
• Issuance of clear guidance documents and technical standards instead of rigid laws, allowing for quicker adaptation to technological changes.
• Promoting public-private partnerships and innovation hubs where regulators, academia, healthcare providers, and industry can collaborate on ethical AI development.
• Adopting a ‘learn-as-you-go’ approach for post-market surveillance of adaptive AI, as seen with the FDA’s TPLC framework, allowing for continuous iteration and improvement while maintaining oversight.

4.2.2 Ensuring Safety Through Robust Oversight

Despite the push for innovation, the paramount imperative in healthcare AI is ensuring patient safety. This requires robust oversight mechanisms throughout the entire AI system lifecycle:

• Rigorous Testing and Validation: AI systems must undergo extensive technical validation (e.g., performance metrics), clinical validation (e.g., comparison against human experts in real-world scenarios), and robust testing to demonstrate accuracy, reliability, and generalizability across diverse patient populations. This includes independent third-party verification where appropriate.
• Clinical Trials and Real-World Evidence: For high-risk AI in healthcare, clinical trials remain the gold standard for demonstrating safety and efficacy. Furthermore, leveraging real-world evidence (RWE) collected post-deployment can provide continuous insights into performance, potential biases, and unforeseen effects in heterogeneous clinical settings.
• Ethical Review Boards and Impact Assessments: Beyond technical validation, ethical review boards should scrutinize AI applications for potential ethical harms, societal biases, and fairness considerations. Mandatory AI impact assessments (AIA) can systematically evaluate the risks to fundamental rights and public well-being before deployment.
• Post-Market Surveillance and Vigilance: Continuous monitoring of AI systems after deployment is essential. This includes mechanisms for reporting adverse events, tracking system performance degradation, and implementing corrective measures. For adaptive AI, this also means monitoring for unintended consequences of continuous learning.
• Human-in-the-Loop Principles: Ensuring that AI remains a tool to augment human capabilities, not replace human judgment, especially in critical decision-making contexts. Clear roles for human oversight, intervention, and ultimate responsibility are crucial to prevent automation bias and ensure ethical accountability.

The regulatory frameworks in Spain, reflecting the EU AI Act, aim to achieve this balance by categorizing AI systems based on risk and imposing proportionate obligations. The challenge lies in the practical implementation and continuous adaptation of these principles in a rapidly evolving technological and clinical landscape.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

5. Data Privacy and Security Considerations: The Unseen Bedrock of Trust

In the realm of AI in healthcare, data is not merely an input; it is the fundamental resource that fuels innovation, and simultaneously, the primary source of profound privacy and security vulnerabilities. The ethical and legal handling of patient data forms the unseen bedrock upon which public trust in AI applications is built. Spain’s regulatory efforts, particularly through their alignment with EU standards, place immense emphasis on this critical dimension.

5.1 GDPR Compliance: The Gold Standard for Health Data

The General Data Protection Regulation (GDPR), a cornerstone of EU privacy law, is inherently intertwined with any AI initiative involving personal data, especially sensitive health information. For AI systems in healthcare operating in Spain, strict adherence to GDPR provisions is not merely a legal obligation but an ethical imperative. Key aspects of GDPR compliance in the AI context include:

• Lawful Basis for Processing: Every processing activity of personal health data (e.g., for training AI models, real-time diagnostics) must have a clearly defined lawful basis, such as explicit consent from the data subject, a substantial public interest, or for scientific research purposes, with appropriate safeguards.
• Data Minimization: AI systems should be designed to process only the minimum amount of personal data necessary for their intended purpose. This principle encourages developers to build models that can function effectively with less personal information.
• Purpose Limitation: Data collected for one specific purpose (e.g., routine clinical care) should not be automatically used for a different purpose (e.g., training a commercial AI product) without a new lawful basis, typically further explicit consent or anonymization.
• Transparency and Information: Data subjects have the right to be informed about how their data is being used, including for AI model training. This includes clear, concise information about the AI system’s logic and the significance of its decisions, particularly if automated decision-making is involved.
• Individual Rights: Patients retain robust rights over their data, including the right to access, rectification, erasure (‘right to be forgotten’), restriction of processing, and data portability. AI systems and the data pipelines feeding them must be designed to accommodate these rights, even when data has been integrated into complex models.
• Data Protection Impact Assessments (DPIAs): For high-risk processing activities, such as those involving novel AI technologies processing sensitive health data at scale, mandatory DPIAs are required. These assessments proactively identify and mitigate privacy risks before the AI system is deployed.
• Accountability: Organizations are accountable for demonstrating GDPR compliance, including maintaining records of processing activities and implementing appropriate technical and organizational measures to ensure data security.

5.2 Data Anonymization and Pseudonymization: Mitigating Privacy Risks

To reconcile the need for vast datasets for AI training with strict privacy requirements, data anonymization and pseudonymization techniques are crucial. These methods aim to mitigate privacy risks while still enabling AI development and research:

• Anonymization: This involves irreversibly removing or altering personal identifiers so that the data subject cannot be identified directly or indirectly. True anonymization renders the data outside the scope of GDPR. Techniques include aggregation, generalization, k-anonymity (ensuring each individual in a dataset cannot be distinguished from at least k-1 other individuals), and differential privacy (adding statistical noise to data queries to prevent re-identification). However, achieving robust, irreversible anonymization, especially for complex health datasets, is technically challenging and often leads to a reduction in data utility.
• Pseudonymization: This involves replacing direct identifiers with artificial identifiers (pseudonyms). Unlike anonymization, pseudonymized data can still be linked back to an individual if additional information (the ‘key’) is available. GDPR considers pseudonymized data as personal data, but it offers enhanced security compared to direct identifiers. It allows for advanced analytics and AI training while reducing exposure of actual identities. For healthcare AI, pseudonymization is often a pragmatic compromise, balancing utility with privacy.

Regulators need to provide clear guidance on what constitutes effective anonymization and pseudonymization, as well as standards for their implementation, to ensure that these techniques genuinely mitigate risks without creating false senses of security.

5.3 Cybersecurity Risks for AI in Healthcare

The integration of AI into healthcare systems introduces new and complex cybersecurity risks that go beyond traditional data breaches. AI systems can become targets for novel attack vectors, threatening patient safety, data integrity, and system functionality:

• Adversarial Attacks: These involve intentionally manipulating AI input data to cause the model to make incorrect predictions (e.g., subtly altering a medical image to cause an AI diagnostic tool to misclassify a benign lesion as malignant, or vice versa). These attacks can be difficult to detect and pose a direct threat to diagnostic accuracy.
• Model Inversion Attacks: Attackers can attempt to reconstruct sensitive training data from the AI model’s outputs, potentially revealing patient health information that the model was trained on.
• Data Poisoning: Malicious actors could inject corrupted or biased data into the training datasets, leading to compromised model performance, systemic bias, or backdoors that can be exploited later.
• Integrity Breaches: Compromising the AI model itself, leading to inaccurate or manipulated outputs that could affect treatment decisions or patient outcomes.
• Supply Chain Vulnerabilities: AI systems often rely on numerous third-party libraries, datasets, and cloud services, each presenting potential points of vulnerability that attackers could exploit.

Mitigating these risks requires a multi-layered cybersecurity strategy, including robust encryption, access controls, regular security audits, threat intelligence, and the development of AI-specific security measures. The concept of ‘secure by design’ and ‘privacy by design’ must be embedded from the initial stages of AI system development.

5.4 Interoperability and Secure Data Sharing

The effectiveness of AI in healthcare is significantly enhanced by the ability to access and integrate data from various sources (e.g., electronic health records, wearable devices, genomic data, imaging systems). However, achieving interoperability and secure data sharing across fragmented healthcare IT systems and different AI platforms is a major challenge. Data silos, incompatible formats, and differing data governance policies hinder the creation of comprehensive datasets necessary for robust AI model training and deployment. Regulatory frameworks need to encourage and facilitate secure data exchange while maintaining stringent privacy and security safeguards, potentially through standardized data models, secure APIs, and federated learning approaches where models are trained on decentralized data without explicit data sharing.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

6. Ethical Considerations Beyond Regulation: Building Trust in AI Healthcare

While robust regulatory frameworks are essential, the ethical deployment of AI in healthcare extends beyond mere legal compliance. A deeper consideration of ethical principles is necessary to build and maintain patient trust, ensure equitable access, and uphold professional integrity.

6.1 Bias and Fairness: Addressing Algorithmic Disparities

One of the most pressing ethical concerns in AI is algorithmic bias, which can arise from unrepresentative or historically biased training data. If AI models are primarily trained on data from specific demographic groups (e.g., predominantly white, male populations), they may perform poorly or even produce discriminatory results when applied to underrepresented groups. In healthcare, this could exacerbate existing health disparities, leading to:

• Differential Diagnostic Accuracy: An AI diagnostic tool might be less accurate for certain racial groups or genders, leading to misdiagnoses.
• Unequal Treatment Recommendations: An AI recommending treatment pathways might inadvertently favor or disfavor certain patient groups based on non-clinical factors present in its training data.
• Resource Allocation Bias: AI systems used for resource allocation (e.g., ICU bed assignments, patient triage) could inadvertently perpetuate existing societal inequities.

Addressing bias requires proactive measures: meticulously auditing training datasets for representativeness and quality, implementing fairness metrics to evaluate model performance across different demographic groups, developing bias detection and mitigation techniques, and ensuring diverse teams are involved in AI development and evaluation. Regulatory bodies like AESIA will play a crucial role in ensuring such measures are implemented.

6.2 Transparency and Explainability (XAI): Demystifying the ‘Black Box’

Many advanced AI models, particularly deep neural networks, operate as ‘black boxes,’ making it difficult for humans to understand how they arrive at a particular decision or prediction. In healthcare, where decisions can have life-or-death consequences, this lack of transparency and explainability (XAI) is a significant ethical hurdle. Clinicians need to understand the reasoning behind an AI’s recommendation to validate it, identify potential errors, and maintain their professional and legal responsibility. Patients, too, have a right to understand how AI influences their care.

Ethical considerations around XAI involve:

• Trust and Adoption: Clinicians are less likely to trust and adopt AI tools if they cannot understand their outputs.
• Accountability: If a critical error occurs, understanding the AI’s decision-making process is essential for assigning accountability and learning from mistakes.
• Clinical Reasoning: AI should augment, not replace, human clinical reasoning. Explainability facilitates a collaborative relationship between human and machine.

While full transparency of complex models remains challenging, regulators and developers are exploring various XAI techniques, such as feature importance scores, saliency maps for image analysis, and rule-based explanations, to provide actionable insights into AI’s decision-making process, proportionate to the risk of the application.

6.3 Human Oversight and Autonomy: Preserving the Human Element

The ethical principle of human oversight and the preservation of human autonomy in AI-assisted decision-making is paramount in healthcare. AI systems should be designed as tools to empower healthcare professionals, providing them with enhanced insights and efficiencies, rather than replacing their judgment or leading to automation bias. Key aspects include:

• Meaningful Human Control: Ensuring that a human is always ‘in the loop’ for high-stakes decisions, with the ability to understand, intervene, and override AI recommendations. The AI should serve as an assistant, not an autonomous decision-maker, in clinical contexts.
• Professional Responsibility: Clarifying that the ultimate responsibility for patient care and clinical decisions remains with the human healthcare professional, even when informed by AI.
• Patient Autonomy: Ensuring that AI systems do not diminish patient autonomy by making decisions about their care without their informed consent or ability to understand and participate in those decisions.

Ethical guidelines and regulations, including the EU AI Act, emphasize these human-centric principles to ensure AI serves humanity rather than dominating it.

6.4 Building Patient Trust and Public Engagement

Ultimately, the successful and ethical integration of AI into healthcare hinges on building and maintaining patient and public trust. This goes beyond legal compliance and requires proactive engagement:

• Clear Communication: Healthcare providers and AI developers must communicate clearly and transparently about what AI is, how it is used in healthcare, its benefits, and its limitations.
• Patient Education: Educating patients about AI in healthcare can empower them to ask relevant questions and make informed decisions about their care.
• Public Involvement: Involving patient advocacy groups, ethical committees, and the broader public in the design, development, and deployment of AI in healthcare can ensure that societal values and concerns are integrated from the outset.
• Ethical Governance Structures: Establishing internal ethical review boards, ombudsmen for AI-related concerns, and clear channels for redress can enhance accountability and trust.

Spain’s proactive approach, particularly its emphasis on ethical AI and human-centered principles, positions it well to foster this trust.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

7. Conclusion: Spain’s Leadership in Regulating the AI Healthcare Frontier

Spain’s strategic and proactive approach to regulating Artificial Intelligence within its healthcare sector underscores a profound commitment to harnessing the transformative potential of AI while rigorously upholding paramount principles of safety, efficacy, data privacy, and ethical application. Through a meticulously constructed framework of national and regional initiatives, Spain is systematically laying the groundwork for a future where AI serves as a powerful accelerator for enhanced patient care and optimized health systems, without compromising fundamental human rights or public trust.

The establishment of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) stands as a pivotal institutional pillar, providing dedicated expertise and oversight for AI governance, particularly for high-risk applications prevalent in healthcare. This agency, alongside the pioneering AI Regulatory Sandbox, demonstrates Spain’s pragmatic approach to fostering innovation by providing controlled environments for safe experimentation and early compliance testing. The proposed Draft Law for the Good Use and Governance of Artificial Intelligence (DLGUGAI) further solidifies this commitment, aiming to create a comprehensive national legal framework fully aligned with the forward-looking principles of the EU AI Act, ensuring legal certainty and robust enforcement. Concurrently, regional initiatives, exemplified by Catalonia’s detailed Health/AI Program guidelines and Galicia’s foundational Law 2/2025, showcase a nuanced understanding of localized healthcare needs, allowing for tailored implementation and regional innovation within the broader national and European ethical parameters.

The alignment of Spain’s regulatory efforts with the European Union’s AI Act is a critical differentiator. The EU’s risk-based classification system, with its stringent requirements for high-risk AI systems in healthcare, provides a robust and comprehensive blueprint for ensuring safety, transparency, and human oversight. This synergy also reinforces the foundational importance of the General Data Protection Regulation (GDPR), ensuring that AI development and deployment respect the highest standards of data privacy and individual rights. While distinct from the U.S. FDA’s product-centric approach for medical devices, Spain’s proactive posture allows it to observe and integrate lessons from diverse international regulatory experiences, particularly regarding adaptive machine learning models and post-market surveillance.

Despite these commendable efforts, the journey of regulating AI in healthcare is laden with persistent challenges. The dynamic nature of AI technology consistently outpaces legislative cycles, demanding agile and adaptive regulatory mechanisms. The immense reliance on sensitive patient data necessitates continuous vigilance over privacy, security, and the complex issue of liability when AI systems contribute to adverse outcomes. The delicate balance between encouraging groundbreaking innovation and ensuring uncompromised patient safety remains a central tenet of the regulatory tightrope walk. Furthermore, addressing algorithmic bias, ensuring transparency and explainability, and maintaining meaningful human oversight are not merely technical challenges but profound ethical imperatives that underpin public trust.

Looking ahead, Spain is well-positioned to be a leader in the responsible integration of AI into healthcare, not just within the EU but globally. Continuous, iterative adaptation of regulatory frameworks, informed by real-world experiences from the sandbox and ongoing clinical deployment, will be crucial. This necessitates persistent, multi-stakeholder collaboration among regulatory bodies, healthcare providers, AI developers, academic institutions, ethicists, and crucially, patient advocacy groups. Fostering a culture of ethical AI, investing in education and training for healthcare professionals on AI literacy, and engaging the public in transparent dialogue will be paramount to navigate the evolving landscape successfully. By embracing these principles, Spain can solidify its role in shaping a future where AI truly revolutionizes healthcare for the betterment of all, ethically and safely.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

References

• en.wikipedia.org – Spanish Agency for the Supervision of Artificial Intelligence
• garrigues.com – Spain: the Artificial Intelligence Regulatory Sandbox has arrived
• twobirds.com – Spain AI Regulatory Horizon Tracker
• cuatrecasas.com – AI in Healthcare in Catalonia: latest guidelines
• hsfkramer.com – Searchlight AI: Spain
• spyro-soft.com – Regulation of AI in healthcare in 2024: EU and FDA approaches
• health.ec.europa.eu – Artificial Intelligence in healthcare
• techmag.es – AI in Healthcare: Spain Is Using AI for Better Patient Care
• medikaldevice.com – Medical Cloud AI in Spain
• Official Journal of the European Union – Regulation (EU) 2024/1689 on Artificial Intelligence (General reference for EU AI Act, specific link may vary based on exact publication)
• FDA.gov – Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) (General reference for FDA guidelines)
• AEPD.es – Spanish Data Protection Agency (General reference for AEPD’s role in data protection and AI)