Are Ceos and Board Directors Criminally Liable Under Spain's 2026 Tech Laws? What Founders, Boards and Investors Must Do Now

Last updated: June 1, 2026

CEO criminal liability in Spain has moved from a theoretical boardroom risk to a concrete legislative priority. On 26 May 2026, Spain’s Council of Ministers approved a draft Organic Law on Artificial Intelligence, the country’s first comprehensive attempt to transpose and extend the EU AI Act at national level, with provisions that explicitly contemplate personal accountability for executives who fail to prevent platform and AI-related harms. The draft builds on Spain’s existing corporate criminal liability framework under Article 31 bis of the Código Penal, but extends its reach into algorithmic decision-making, content moderation and social media regulation.

For founders, board directors, general counsels and investors, the immediate question is no longer whether liability can attach, but what governance and transactional safeguards must be in place before the final law takes effect.

Quick Answer, Can CEOs and Directors Be Criminally Liable Under Spain’s 2026 Tech Laws?

Short answer: Yes. Under Spain’s existing Criminal Code (Article 31 bis) and the draft Organic Law on AI approved on 26 May 2026, CEOs and board directors can face criminal exposure where personal imputation is established, particularly where oversight failures lead to or facilitate criminally relevant harms caused by AI systems or platform operations.

Key actions boards and founders should take now:

• Document board oversight immediately. Adopt formal AI governance policies, recorded in minutes, with named accountability for risk identification and escalation.
• Audit and update your compliance programme. Ensure it meets the Article 31 bis threshold for an effective prevention model, this remains the primary statutory defence for both the entity and its directors.
• Embed AI-specific provisions in M&A and investment documentation. Investors and acquirers should require express representations, indemnities and escrow mechanisms addressing director liability under Spain’s evolving AI law governance framework.

Why This Matters Now, The May 26, 2026 Draft Organic Law on AI

Spain’s move to regulate AI at the national level did not emerge in a vacuum. The EU AI Act (Regulation 2024/1689) set the pan-European baseline, but it explicitly left room for Member States to adopt supplementary rules, particularly regarding enforcement structures, penalties and the designation of national competent authorities. Spain’s Council of Ministers seized that opportunity on 26 May 2026 by approving the preliminary draft of a new Organic Law on AI (Ley Orgánica de Inteligencia Artificial), as announced via the official La Moncloa press conference.

The draft proposes the formal establishment of a national AI supervisory authority (building on the existing AESIA concept), mandatory risk assessments for operators of high-risk systems, and, critically, provisions addressing executive accountability for platform-related harms. These provisions dovetail with parallel political proposals on social media regulation in Spain, which have called for personal criminal accountability where senior executives fail to remove illegal content or take corrective action after being notified of harms.

Where the Draft Sits in Spain’s Legislative Process

Because the text remains a preliminary draft, the final provisions could change during parliamentary debate. However, the direction of travel, toward greater personal accountability for executives and directors, is clear from both the government’s public statements and the EU-level framework that underpins it.

Legal Mechanics, How CEO Criminal Liability Attaches Under Spanish Law

To understand director liability under AI rules in Spain, practitioners must start with the existing criminal framework before layering on the new tech-specific proposals. Spain’s approach is two-track: criminal liability can attach to the legal entity and, separately and concurrently, to the individual directors or executives whose conduct made the offence possible.

Article 31 bis and the Compliance Programme Defence

Article 31 bis of the Código Penal, as published in the Boletín Oficial del Estado (BOE), establishes that a legal entity may be held criminally liable for offences committed on its behalf by its legal representatives, administrators, or persons authorised to make decisions, as well as for offences committed by subordinates where inadequate supervision by management made the offence possible.

Crucially, Article 31 bis also provides a statutory defence: if the entity had adopted and effectively implemented, before the offence occurred, a compliance programme (modelo de prevención) that includes adequate oversight and control measures, the entity may be exempt from liability. For boards, this means the compliance programme is not a discretionary “nice to have”, it is the primary legal shield. For deeper background on compliance model standards, see our coverage of board governance and corporate oversight.

The compliance programme must satisfy several conditions to qualify: it must identify risk activities, establish protocols for decision-making and financial management, impose reporting obligations, create a disciplinary system for breaches, and require periodic verification and updating. Courts have consistently held that a compliance programme that exists only on paper, without evidence of real implementation, training, monitoring and remediation, will not qualify.

When Individuals Are Personally Liable

Individual criminal liability for directors and CEOs operates independently of the entity’s liability. Under Articles 31 and 31 bis of the Criminal Code, a natural person (director, CEO, sole administrator) may be criminally imputed where they:

• Directly authorised or ordered the conduct constituting the offence (e.g., instructing deployment of an AI system known to be non-compliant).
• Failed to exercise due oversight over subordinates, making the offence possible through negligent supervision.
• Had knowledge of the risk and failed to act, for instance, receiving internal reports of algorithmic discrimination or illegal content and taking no corrective action.

The standard is not limited to intentional conduct. Negligence (including imprudencia grave, serious negligence) can suffice in cases involving harms to public safety, data protection or fundamental rights. The draft Organic Law on AI is expected to extend this framework by defining specific AI-related duties whose breach could constitute criminal negligence. Industry observers expect that once the final text is enacted, courts will apply the Article 31 bis framework to AI governance failures just as they have applied it to anti-corruption and data protection offences. For related context on investigative procedures, see our guide to white collar crime and corporate investigations.

Who Can Be Liable, Practical Examples by Role

CEO criminal liability in Spain does not apply uniformly to every person in a leadership position. The scope of personal exposure depends on the individual’s actual authority, their decision-making role and their knowledge of the relevant risk. Below is a breakdown by common corporate roles, together with illustrative scenarios.

• CEO / Managing Director. Bears primary operational responsibility. Scenario: a CEO approves the rollout of a recommendation algorithm for a social media platform despite internal reports flagging that it amplifies illegal content, and fails to implement a corrective plan, potential imputation for negligent oversight.
• Board Directors (non-executive). Responsible for oversight and challenge. Scenario: the board receives quarterly AI-risk reports but never discusses them, records no challenge in minutes, and fails to establish an escalation process, potential imputation for failure to supervise.
• Sole Director (administrador único). Concentrates all governance authority. Scenario: a sole director of a high-risk AI operator approves deployment of a healthcare diagnostic tool without commissioning a mandatory impact assessment, liability for both the entity and the individual is highly likely.
• Chief Product Officer / Head of AI. Holds delegated authority for product decisions. Scenario: the CPO is aware that training data contains biased inputs causing discriminatory outcomes and fails to escalate the matter to the board, potential liability for the individual and the company if harm results.

Platform and Social Media Operator Obligations Under Spain’s Proposals

Platform liability in Spain is set to intensify. The draft Organic Law on AI intersects with existing and proposed social media regulation in Spain, creating a layered obligations framework. Operators of platforms, digital service providers (DSPs) and AI system developers will each face distinct compliance duties, and the failure of senior executives to implement them is precisely where director-level criminal triggers emerge.

The obligations framework aligns with the EU AI Act’s risk-classification approach but adds Spain-specific enforcement teeth, including the possibility of administrative sanctions being escalated to criminal proceedings where systemic failures are attributable to identifiable decision-makers.

Board Governance Checklist, Immediate and Medium-Term Actions for Board Oversight of AI

Given the clear direction of travel toward personal accountability under Spain’s AI law governance proposals, boards should not wait for final enactment. The following checklist provides actionable steps that reduce exposure under both the current Article 31 bis regime and the anticipated new framework.

• Establish a formal AI oversight framework. Designate responsibility for AI risk to a board committee (audit committee or a dedicated technology/ethics committee). Record the mandate, membership and reporting cadence in a board resolution.
• Adopt an AI-specific risk policy. Document acceptable use standards, prohibited applications, data governance requirements and escalation triggers. Cross-reference to the entity’s existing compliance programme.
• Implement board-level reporting KPIs. Require management to report on AI risk at least quarterly, covering system inventories, incident logs, regulatory interactions and corrective actions taken.
• Record minutes that demonstrate challenge. Board minutes should evidence active discussion of AI risks, questions raised by directors, and decisions taken, including dissent where applicable. Generic “noted without comment” entries are a red flag in any subsequent investigation.
• Require third-party audits for high-risk systems. Commission independent assessments before deploying any AI system that could affect safety, fundamental rights or regulatory compliance.
• Oversee third-party and vendor risk. Ensure that outsourced AI models and third-party platforms comply with the same governance standards through contractual obligations and audit rights.
• Update the compliance programme. Revise the entity’s modelo de prevención under Article 31 bis to include AI-specific risk identification, training requirements and monitoring mechanisms.

Template Oversight KPIs and Reporting Cadence

• Monthly: AI incident log (number, severity, resolution status); new system deployments and impact assessments completed.
• Quarterly: Board risk dashboard (system inventory, open corrective actions, regulatory correspondence, third-party audit results).
• Annually: Full compliance programme review; independent audit of AI governance framework; board self-assessment of AI competence.

Investor and M&A Due Diligence Checklist for AI/Platform Risk

The evolving rules on CEO criminal liability in Spain have direct implications for investor due diligence on AI-powered companies. Transaction counsel and venture capital teams should treat AI governance as a first-tier diligence workstream, equivalent in importance to financial statements or material contracts. The following checklist covers the key areas where exposure commonly hides.

• Technical diligence. Review the target’s AI system inventory: model architecture, training data provenance, bias testing records, conformity assessments (if high-risk) and post-deployment monitoring protocols.
• Governance diligence. Request board minutes, AI risk policies, compliance programme documentation, audit committee mandates and evidence of ongoing oversight (KPI reports, escalation records).
• Regulatory diligence. Check for past or pending regulatory interactions, complaints filed, sanctions imposed and corrective action plans issued. Verify registration or notification status with the national supervisory authority.
• Contractual diligence. Review existing vendor and customer contracts for AI-related representations, limitation of liability clauses and indemnification obligations, particularly where the target deploys third-party models.
• Red flags. Absence of formal AI policy; board minutes with no AI discussion; unresolved regulatory correspondence; reliance on a single outsourced model without audit rights; no incident log.

Sample Representations and Indemnity Language

Transaction documentation should include express protections. Industry observers expect these provisions to become standard in Spanish tech M&A by late 2026. Below are illustrative model clauses for negotiation:

• AI compliance representation: “The Company has adopted and maintains an AI governance framework that is designed to comply with all applicable requirements of the EU AI Act and Spanish national implementing legislation (including, when enacted, the Organic Law on AI), and no director or officer has received notice of any investigation, enforcement action or formal complaint relating to the Company’s AI systems.”
• Specific indemnity: “The Seller shall indemnify and hold harmless the Buyer against any Loss arising from (i) criminal or administrative proceedings against any current or former director or officer of the Company relating to the deployment, operation or oversight of AI systems prior to Completion, and (ii) any penalty or sanction imposed on the Company in connection with non-compliance with the EU AI Act or the Organic Law on AI.”
• Escrow provision: “An amount equal to [€X / X% of the purchase price] shall be deposited in escrow for a period of [24] months following Completion to secure the Seller’s obligations under the AI indemnity provisions of this Agreement.”

Insurance, Indemnities and Transactional Protections

Directors’ and officers’ (D&O) insurance is a critical, but imperfect, risk-transfer mechanism for director liability under AI rules in Spain. Standard D&O policies typically cover defence costs and civil liability but frequently exclude criminal fines and penalties imposed on the insured individual. The practical effect is that a director facing criminal charges may be covered for legal defence costs but left personally exposed to any fine or disqualification order.

Practical Negotiation Priorities for Investors

• Review policy wording. Confirm whether the D&O policy covers investigation costs and regulatory proceedings, not just court actions. Engage a specialist broker to benchmark coverage against the draft Organic Law on AI obligations.
• Negotiate carve-outs and extensions. Press for side-A (personal liability) coverage extensions that include AI-related regulatory investigations. Request express coverage for AESIA proceedings once the supervisory authority is operational.
• Complement insurance with contractual protections. D&O coverage gaps should be bridged by escrow holdbacks, clawback rights and seller indemnities in transaction documentation, as illustrated above.
• Factor in run-off tail coverage. In M&A transactions, ensure that outgoing directors benefit from run-off D&O policies that extend for at least six years post-completion, given the potential lag between an AI governance failure and a resulting enforcement action.

Practical 30/90/180-Day Roadmap for Founders, Boards and Investors

Waiting for the final Organic Law on AI to be promulgated before acting is a high-risk strategy. The Article 31 bis compliance programme defence requires that measures be in place before an offence occurs. The following roadmap sets out pragmatic milestones.

• Days 0–30: Convene a board briefing on the draft Organic Law on AI and its implications. Commission an AI system inventory and initial risk map. Appoint an internal lead for AI governance.
• Days 31–90: Adopt a formal AI risk policy and update the compliance programme to incorporate AI-specific provisions. Implement quarterly board-level AI risk reporting. Begin third-party audits for any high-risk AI systems currently deployed.
• Days 91–180: Complete the first cycle of board AI risk reporting and evidence it in minutes. Engage a D&O insurance broker to review and extend coverage. Update investor due diligence packs and data room materials to include AI governance documentation. Monitor the BOE for promulgation of the Organic Law on AI and adjust the compliance programme accordingly.

Conclusion, CEO Criminal Liability in Spain Requires Action Now

The convergence of Spain’s draft Organic Law on AI, the EU AI Act’s national implementation requirements and the existing Article 31 bis corporate criminal liability framework means that CEO criminal liability in Spain is no longer a future risk, it is a present governance obligation. The likely practical effect of the 2026 changes will be to extend existing criminal imputation doctrines to AI and platform operations, raising the stakes for every director, founder and investor in the Spanish tech ecosystem.

Five priority actions to take immediately:

1. Adopt and document an AI-specific board oversight framework and compliance programme.
2. Record active board challenge and escalation in minutes at every meeting.
3. Commission third-party audits for all high-risk AI systems.
4. Update M&A and investment documentation with express AI representations, indemnities and escrow provisions.
5. Review and extend D&O insurance coverage to address AI and platform regulatory risk.

For context on how Spain’s broader legal landscape interacts with these technology-specific rules, including dispute resolution mechanisms, see our analysis of arbitration in Spain and its relationship to the Ley Orgánica framework.

Sources

1. La Moncloa, Council of Ministers Press Conference (May 26, 2026)
2. BOE (Boletín Oficial del Estado), Spanish Criminal Code / Article 31 bis
3. European Commission, AI Act Regulatory Framework
4. ECIJA, Artificial Intelligence and Criminal Liability of Legal Entities
5. BM.consulting, AI Director Liability Spain 2026
6. BoardAgenda, Directors Should Be Liable for AI Boardroom Use
7. C1Brokers, Insurance for Company Managers: CEO Liability in Spain