Spain has completed the domestic implementation of the EU Digital Services Act, embedding new obligations directly into its national supervisory system. The Comisión Nacional de Mercados y la Competencia (CNIL – National Markets and Competition Commission) now acts as the designated Digital Services Coordinator for Spain, and enforcement proceedings against non-compliant intermediaries began in early 2025. Technology companies operating in Spain – whether incorporated as a Sociedad Anónima (SA) or a Sociedad Limitada (SL) – must treat compliance as an active obligation, not a pending project.
Digital services regulation in Spain applies to all providers of intermediary services with users located in Spain, including online platforms, app marketplaces, hosting providers, and search engines. The EU Digital Services Act became directly applicable across Spain from February 2024, with national-level enforcement powers now fully operational. Companies that fail to meet their obligations risk supervisory investigations, periodic penalty payments, and temporary suspension of access to the Spanish market.
This alert explains what has changed, which business categories are affected, and the immediate steps international technology companies must take to avoid enforcement action.
What changed and when it took effect
The EU Digital Services Act established a tiered compliance system for digital intermediaries across all member states. For very large online platforms and very large online search engines – those reaching more than 45 million average monthly active users in the EU – direct Commission supervision applied from August 2023. For all other intermediary service providers, national-level obligations became enforceable from February 17, 2024.
Spain's national implementation goes further in several respects. Spanish digital services legislation now requires intermediary providers to designate a local legal representative if they have no establishment in Spain. This representative must be accessible to both users and the national Digital Services Coordinator. The obligation applies regardless of where the company is incorporated. A technology company registered in Delaware or Singapore, serving Spanish users through a website or mobile application, must comply on the same terms as a Spanish-domiciled entity.
Algorithmic accountability requirements have also been reinforced under Spanish regulatory practice. Providers of recommendation systems must publish accessible, plain-language explanations of how content is ranked and personalised. This intersects directly with AI Act compliance obligations for companies deploying AI-driven recommendation or moderation tools – a dual-regime exposure that many international operators have not yet fully mapped.
Software liability rules under Spanish civil and commercial legislation have been clarified through recent supervisory guidance. Hosting providers can no longer rely on a generalised absence of knowledge defence once they have received a specific notice of illegal content and failed to act promptly. The standard for "expeditious removal" is measured in hours for manifestly illegal material, not days.
For a detailed review of how these obligations interact with intellectual property protection duties, see our analysis of intellectual property law in Spain.
To receive an expert assessment of your digital services compliance position in Spain, contact us at info@ferrazwhitmore.com.
Who is affected: threshold criteria and business categories
The Digital Services Act and Spain's implementing measures apply to any provider of intermediary services that offers services to recipients located in Spain. The key business categories are:
- Online platforms – marketplaces, social networks, app stores, collaborative economy platforms
- Hosting service providers – cloud infrastructure, content delivery, web hosting
- Online search engines with Spanish user bases
- Providers of mere conduit and caching services
- Technology companies using AI-driven content moderation or algorithmic recommendation
The threshold for very large online platform status is 45 million average monthly active users across the EU. Companies below this threshold are regulated by Spain's national Digital Services Coordinator rather than directly by the European Commission. This distinction matters significantly for enforcement exposure: national proceedings tend to move faster, and Spanish authorities have demonstrated a willingness to open investigations within weeks of a notified complaint.
Micro-enterprises and small enterprises – generally those with fewer than 50 employees and an annual turnover below EUR 10 million – benefit from a lighter regime under the Act. However, this exemption does not extend to notice-and-action procedures for illegal content. Every provider, regardless of size, must implement a mechanism for users to flag illegal content and must act on valid notices without undue delay.
Technology licensing arrangements add a further layer of complexity. A company that licenses its platform technology to a Spanish operator may itself qualify as an intermediary service provider if it retains operational control over the service. Practitioners advising on technology licensing in Spain consistently flag this risk to international licensors who assume that local operator contracts shield them entirely from regulatory exposure.
Registro Mercantil (the Spanish Commercial Register) filings are not directly triggered by digital services obligations. However. Any structural adaptation. such as establishing a Spanish subsidiary or appointing a local representative through a formal power of attorney executed before a Notario (Spanish civil law notary). will require engagement with standard Spanish corporate formalities. The Tribunal Supremo (Supreme Court of Spain) has confirmed in its technology-related case law that foreign companies cannot avoid Spanish jurisdiction simply by routing services through third-party operators.
For comprehensive guidance on structuring your technology operations in Spain, visit our AI and technology law practice in Spain.
Immediate actions for international companies
The compliance window has already closed for many obligations. International technology companies serving Spanish users should treat the following as priority actions.
1. Appoint a legal representative in Spain. If your company has no establishment in Spain, designate a representative who can receive official communications from the national Digital Services Coordinator. This appointment should be documented formally. Failure to comply is itself a reportable non-conformity under the supervisory regime.
2. Audit your notice-and-action mechanism. Review whether your current illegal content reporting system meets Spanish regulatory standards. The mechanism must be easy to access, must generate an acknowledgement to the reporting user, and must allow for internal escalation of manifestly illegal material within a defined timeframe.
3. Publish or update your terms of service and transparency report. Spanish regulatory practice requires that terms be available in Spanish and that annual transparency reports disclose content moderation statistics. Platforms that operate in Spain without a Spanish-language terms document are already non-compliant.
4. Map your AI Act exposure. If your service uses algorithmic recommendation, automated content moderation, or AI-generated outputs, assess whether you face dual obligations under both the Digital Services Act and the EU AI Act. The timelines for AI Act compliance overlap with ongoing digital services enforcement. Treating them as separate projects increases the risk of regulatory gaps.
5. Review your software liability position. Examine your contractual and operational arrangements for handling notices of illegal content. If your response workflow does not meet the expeditious-action standard under Spanish digital services legislation, restructure it before your next supervisory contact.
Related digital services developments in Portugal are covered in our alert on digital services regulation in Portugal, which highlights where the two regimes diverge for Iberian market operators.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. As a law firm with deep expertise in Spain, our team combines Portuguese civil law tradition with English common law practice to deliver cross-border legal solutions in AI regulation, digital services compliance, and technology law. We advise technology companies, international investors, and in-house legal teams navigating the EU's evolving digital regulatory regime – from AI Act compliance and algorithmic accountability reviews to software liability analysis and technology licensing structuring. Our attorneys have advised on digital services matters across both civil law and common law systems, and the firm's Lisbon base provides direct access to Spanish, Portuguese, and EU regulatory bodies. Engaging a lawyer in Spain with cross-border technology experience is essential when obligations span multiple EU member states. To discuss how Spain's digital services rules apply to your operations, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.