On July 12, 2024, Regulation (EU) 2024/1689 was published, better known as the AI Act or Artificial Intelligence Regulation. It is the first law that regulates how artificial intelligence can be developed, marketed, and used within the European Union.
The Regulation entered into force on August 1, 2024, but its obligations apply in stages: the prohibited practices have applied since February 2, 2025, the rules for general-purpose AI models since August 2, 2025, and most remaining obligations, including the transparency obligations relevant to websites, apply from August 2, 2026. If your e-commerce business incorporates any type of artificial intelligence, it is therefore essential to identify which legal requirements you must comply with, which practices are expressly prohibited, and how the new regulation may affect your digital activity.
But beyond the obligations imposed by the AI Act, it is important to pay special attention to the penalty regime set out in the Regulation, since non-compliance can lead to significant financial and reputational consequences for the affected companies.
In this article, we will explore this issue in depth and analyze the consequences of possible breaches of the Artificial Intelligence Regulation that may occur on your e-commerce website.
1. Transparency obligations
Regulation (EU) 2024/1689 establishes a set of transparency obligations that will be mandatory for those responsible for deploying certain AI systems, a category that includes any company integrating third-party artificial intelligence tools into its platform.
Most e-commerce businesses already use some AI-powered tool: automated chat, personalised recommendation engines, product content generators, or behavioural analysis. As the deployer of such tools, the operator of the site must comply with the transparency obligations of Article 50, which apply from August 2, 2026:
- A chatbot or any other system that interacts with users must make clear that they are dealing with an AI, unless this is obvious from the context.
- Deepfakes (AI-generated or AI-manipulated image, audio or video) and AI-generated text published to inform the public on matters of public interest must be disclosed as artificially generated; the machine-readable marking of synthetic output is an obligation of the provider of the generating system.
- The use of emotion recognition or biometric categorisation systems must be disclosed to the persons exposed to them.
2. Tools for affected parties
2.1. Who can file a complaint?
Under the AI Act (RIA, from its Spanish acronym), the following may submit complaints:
- Any natural or legal person. Any individual or entity that has grounds to believe that a breach of the Regulation has occurred has the right to file a complaint with the relevant market surveillance authority.
- Downstream providers: Specifically, in the case of general-purpose AI models, these providers have the right to file complaints with the AI Office regarding possible infringements committed by providers of such models.
The Spanish Draft Organic Law adapts and specifies these mechanisms, establishing that the following may file complaints:
- Any natural or legal person. To facilitate this process, AESIA (Spanish Agency for the Supervision of Artificial Intelligence) must establish a single-window system. Once the complaint is received, AESIA has a period of 10 working days to forward it to the competent supervisory authority.
- Other supervisory authorities: If other authorities (such as the Spanish Data Protection Agency or sectoral authorities) detect indications of infringement in the exercise of their duties, they must bring them to the attention of the competent market surveillance authority.
2.2. What protection mechanisms exist?
Administrative sanctions are not the only risk. The AI Act strengthens individual protection mechanisms for citizens.
- Right to explanation. Individuals affected by a decision taken on the basis of the output of a high-risk AI system listed in Annex III, where that decision produces legal effects or similarly significantly affects them, have the right to obtain from the deployer a clear and meaningful explanation of the role the AI system played in the decision. In e-commerce this applies above all to creditworthiness assessment for access to financing, which is an Annex III use case; ordinary recommendation or pricing engines are not classified as high-risk and do not trigger this right.
- Right to lodge complaints with authorities. Any natural or legal person who has grounds to believe that the AI Act has been infringed may file a complaint with the relevant market surveillance authority. In such cases, it is not necessary to be a direct victim of economic harm, which opens the door to complaints from consumer organizations, digital rights associations, or individual users.
- Civil liability. The AI Act does not itself establish a civil liability regime, but it states that existing consumer rights and legal remedies regarding compensation for potential damages remain applicable.
- Whistleblower protection. Article 87 of the Regulation makes Directive (EU) 2019/1937 on the protection of whistleblowers applicable to the reporting of infringements of the AI Act. Employees, contractors, or any other person reporting such infringements are therefore protected against retaliation and have access to safe reporting channels, which increases the likelihood that violations will be exposed from within organisations themselves.
The Spanish Draft Law proposes the exercise of these rights through the following tools:
- Single Complaints Window. To simplify the process, AESIA (Spanish Agency for the Supervision of Artificial Intelligence) must establish a centralized system where anyone can submit a complaint.
- Whistleblower protection. The protection mechanism of Law 2/2023 is incorporated for those reporting breaches in a work or professional context, ensuring confidentiality and support from the Independent Authority for Whistleblower Protection.
3. AI Act penalties: consequences of non-compliance with the AI Regulation
One of the aspects that most concerns companies is the sanctions regime established by the AI Act. Unlike other regulations that are limited to setting out general principles, the Artificial Intelligence Regulation introduces a detailed sanctions system with fines that can reach very high amounts.
3.1. Who oversees compliance in Spain?
The AI Act assigns oversight to the national competent authorities of each Member State, which must be designated and communicated to the European Commission. In Spain, the legislation is not yet final, but the enforcement system of the AI Regulation can be anticipated through the Draft Organic Law on the proper use and governance of artificial intelligence.
It should be noted that a decentralised supervision system is established, designating different bodies as market surveillance authorities. Below, we outline the competences assigned specifically to the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) and the Spanish Data Protection Agency (AEPD).
- Spanish Agency for the Supervision of Artificial Intelligence (AESIA)
  - The AESIA acts as the main and, in many cases, default authority for AI supervision in Spain. The AESIA will be the market surveillance authority for the following AI systems:
  - AI systems engaging in prohibited practices: systems that use subliminal techniques, exploit individuals’ vulnerabilities, carry out social scoring (classifying individuals or groups on the basis of their social behaviour or personal characteristics), or infer emotions in workplace and educational settings.
  - High-risk AI systems as defined in the AI Regulation, in sectors such as water, gas and electricity supply infrastructure; education and vocational training; employment and workforce management; essential services and benefits; and radio equipment.
  - Transparency obligations under Article 50 of the AI Regulation.
  - Obligations not expressly assigned to another authority, and therefore falling under its default competence.
- Spanish Data Protection Agency (AEPD)
  - The AEPD (together with regional data protection authorities within their scope) assumes responsibility in areas where the processing of sensitive data and biometrics is central. The AEPD will act as the market surveillance authority for the following AI systems:
  - AI systems engaging in prohibited practices, such as those creating facial recognition databases through the untargeted scraping of facial images from the internet, or those biometrically categorising individuals to infer sensitive data (race, political opinions, sexual orientation, religious beliefs, etc.).
  - High-risk systems involving remote biometric identification and biometric categorisation, except when used specifically for law enforcement, justice, or democratic processes.
  - AI systems used in migration, asylum, and border control management, including the use of emotion recognition systems in this context.
- Cooperation and support between AESIA and AEPD
  - If an authority informs the AESIA that it lacks the technical or human resources to supervise AI systems, the AESIA will temporarily assume those functions.
  - The AESIA also has the power to provide technical assistance and support in handling cases for other supervisory authorities (such as the AEPD), provided this is formalised through an agreement and does not affect the independence of those authorities.
3.2. AESIA sanctioning procedure
The AESIA may begin an investigation on its own initiative or because it receives a complaint from a citizen, a company, or an association.
- Initiation of the procedure
- By complaint. The AI Act expressly recognizes the right of any natural or legal person to file a complaint with the competent authority if they believe the Regulation has been violated. In our case, this complaint must be submitted to AESIA. A customer who was not informed that they were interacting with an AI, a user who received unlabeled AI-generated content, or someone who was subject to an automated decision without explanation may trigger an investigation by filing a formal complaint.
- Ex officio actions. AESIA not only reacts to external requests or reports but also has a structure designed for proactive monitoring of the artificial intelligence ecosystem, allowing it to initiate proceedings when it independently detects risks or non-compliance. It is granted inspection, verification, and sanctioning powers in accordance with applicable European and national regulations. This inspection capacity is the basis for detecting infringements without the need for a prior complaint.
- Investigation and supervision phase
The Certification, Investigation, and Supervision Department is responsible for the technical work. It investigates the artificial intelligence system, assesses whether it complies with the law, and proposes the necessary measures or fines.
- Legal assessment phase
Once the investigation phase is completed, the case is transferred to the General Secretariat, specifically to the Legal and Institutional Relations Division, which is responsible for reviewing the investigated cases and preparing the draft sanctioning decision, ensuring compliance with the applicable AI infringement regulations.
- Decision and exhaustion of administrative remedies
Final authority to resolve sanctioning proceedings lies with the Director of the Agency. It is important to note that acts and decisions issued by the Director in the exercise of these public functions exhaust the administrative route. This means that once the Director issues a decision, there is no further appeal to a higher administrative body (except in tax matters), and the interested party may proceed directly to the contentious-administrative courts.
4. Types of sanctions
The severity of the sanction will depend on the type of non-compliance committed and the level of risk posed to individuals’ rights and to the objectives pursued by the Regulation. Article 99 of the AI Act establishes a three-tier sanctions framework based on the seriousness of the infringement.
Tier 1 – Prohibited practices
The most serious infringements are sanctioned most severely: violations of absolute prohibitions. These include subliminal manipulation of users to influence their decisions, exploiting vulnerabilities to alter purchasing behaviour, social scoring systems, and biometric categorisation used to infer sensitive data.
The maximum penalty is €35,000,000 or 7% of total worldwide annual turnover for the preceding financial year, whichever is higher. This follows the same mechanism as the GDPR, but with higher ceilings: the GDPR caps fines at €20,000,000 or 4% of global turnover.
Tier 2 – Breach of general obligations
This second tier covers infringements that, while not the most serious, are still significant. Particularly relevant in e-commerce are:
- Failure to comply with deployer obligations: using the system according to the provider’s instructions, monitoring its operation, suspending it if risks arise, and reporting incidents.
- Failure to comply with transparency obligations: not identifying a chatbot as AI, not informing users about emotion recognition systems, or not labelling AI-generated content.
For these breaches, fines can reach up to €15,000,000 or 3% of global turnover, whichever is higher.
Tier 3 – Providing inaccurate information to authorities
If, during an investigation, incorrect, incomplete, or misleading information is provided to the competent authorities, the Regulation provides for fines of up to €7,500,000 or 1% of global turnover. This tier is intended to discourage attempts to conceal or minimise the scope of an infringement during proceedings.
4.1. Factors for determining the fine
Authorities must consider several factors when setting the exact amount of the penalty:
- The nature, seriousness, and duration of the infringement and its consequences.
- Whether the operator has previously been sanctioned for the same infringement by other authorities.
- The degree of cooperation in remedying the infringement and mitigating harm.
- Intent or negligence.
- Technical and organisational measures already implemented by the operator to prevent risks.
- Whether the operator reported the infringement and to what extent.
The Regulation treats the manner in which the infringement became known, and in particular whether the operator itself notified it, as a factor to be taken into account, so proactive reporting of a detected issue can mitigate the final penalty.
4.2. Beyond fines: non-monetary sanctions
The sanctioning regime under the Regulation is not limited to the imposition of fines; it also provides for other consequences that may be harmful to e-commerce businesses.
- Restriction. Restriction is a measure aimed at limiting the availability of an AI system without completely banning it. It involves placing limits on its marketing or putting into service. This measure applies in cases of non-compliance that has not been remedied.
- Prohibition. This is the most severe market control measure and consists of completely preventing the AI system from being placed on the market or put into service. It applies when the operator fails to adopt the corrective measures required within the given deadline.
- Withdrawal of the AI system from the market. Withdrawal targets systems that have already been placed on the market but have not yet reached the end user (for example, those still held by distributors or importers), with the aim of stopping their distribution before deployers start using them. Market surveillance authorities may order the immediate withdrawal of a non-compliant AI system, and this may be applied as a precautionary measure before the sanctioning procedure is concluded.
- Recall of an AI system. Recall targets systems already made available to end users and aims to secure their return to the provider or to disable their use remotely, in order to eliminate the risk posed by a system already in operation. For an e-commerce business, a recall or prohibition affecting a system it relies on means the mandatory deactivation of a chatbot, recommendation engine, or any other feature that provides a competitive advantage.
- Warnings. The Regulation explicitly provides for warnings, which may take different forms and serve as a formal notice of non-compliance before resorting to more severe administrative fines.
- Publication of sanctions. Member States are required to report annually to the Commission on imposed fines, and sanctioning decisions are often made public. In the e-commerce market, where consumer trust is a key asset, a public sanction for algorithmic manipulation can be more costly than the fine itself.
- Combination with GDPR sanctions. When an AI Act infringement also involves a breach of the GDPR, authorities may initiate parallel proceedings. This can occur in many cases involving the use of biometric data, behavioural profiling, or recommendation systems. While the Regulation recognises the principle of non bis in idem to prevent double punishment for the same facts, where infringements are legally distinct even if arising from the same conduct, cumulative sanctions are possible and the total amount may be significant.
4.3. SMEs and startups: proportionality but not exemption
The Regulation introduces a specific rule for SMEs and startups: the fine will be the lower of the applicable amounts, whether the percentage of turnover or the fixed maximum for the tier. However, this is not an exemption but only a proportionality adjustment, as companies that violate absolute prohibitions will still face significant penalties relative to their size.
Our solution: AI Sentinel by Lawwwing
Adapting to AI Act requirements before they become fully applicable not only helps reduce the risk of sanctions, but also allows businesses to anticipate a digital environment where transparency will become increasingly important. As the use of artificial intelligence systems in websites and e-commerce platforms grows, users will pay closer attention to how content is generated and the role automated tools play in their browsing experience.
In this context, clearly informing users about the use of AI systems, explaining their functions, and ensuring proper oversight can help strengthen trust between businesses and customers. Beyond a legal obligation, transparency is becoming a key differentiator in digital relationships.
For this reason, it is advisable to assess in advance the level of compliance of a website or e-commerce platform and implement the necessary measures to align with the Regulation’s requirements. Early preparation facilitates adaptation to new obligations and reduces uncertainty in an increasingly demanding regulatory framework.