🇪🇸🔐🏷️ Regulation Friday: AI Law, Big Sleep and mandatory labeling

€35 million fines quoting the Pope. A Google agent that finds vulnerabilities before humans do. And a European law that from August will require labeling all AI-generated content. Three stories that seem disconnected but share the same thread: artificial intelligence is no longer the Wild West. Rules, guardians, and labels are arriving.

🇪🇸 Spain passes its AI Law: €35M fines and an encyclical as moral framework

On Tuesday, May 26, the Council of Ministers approved Spain's AI Law bill. The regulation adapts the European AI Act (approved by the European Parliament in March 2025) to Spanish law, and it does so with an approach that has surprised everyone.

Spokesperson Minister Elma Saiz and Minister of Digital Transformation Óscar López presented the law with three pillars: algorithm transparency, accountability of directors at AI provider companies, and protection of minors. But what drew the most attention was the explicit reference to the Pope's encyclical on AI, published just 24 hours earlier.

López called the owners of big tech companies "great techno-oligarchs" who don't want "regulation, data protection, or protection of minors," and positioned the Vatican document as inspiration for the law's ethical framework. Sanctions range from €500,000 or 0.5% of worldwide revenue in mild cases, up to €35 million or 7% of the infringing company's global business volume in the most serious cases.

From laws that penalize violators, to technology that prevents before it happens.

🔐 Google Big Sleep: the agent that finds bugs before they become exploits

Google presented Big Sleep, an AI cybersecurity agent capable of detecting critical vulnerabilities in software. The name is no accident — it's the spiritual successor to Project Zero, Google's security team that for years found the most serious bugs in the industry. Only now, there are no humans at the wheel.

Big Sleep analyzes source code looking for known vulnerability patterns — buffer overflows, memory leaks, SQL injections — and does so at a speed and scale that no human team could match. Google says it has already found real vulnerabilities in third-party software that human security teams had overlooked.

The approach is smart: it's not about replacing security auditors, but augmenting their capacity. Big Sleep finds the problem, generates a detailed report, and leaves the decision of how to patch it to humans. It's assisted cybersecurity, not autonomous — but the leap is enormous.

And while security agents find bugs, European regulators set a date for a new requirement.

🏷️ August 2026: the EU requires AI labeling

The European Commission just opened a public consultation on the guidelines that flesh out the AI Act's transparency obligations. And the key date is August 2, 2026.

From that day onward, providers of AI systems will be required to inform people when they interact with AI systems (chatbots, virtual assistants) and to label certain AI-generated or AI-manipulated content — such as deepfakes or synthetic images — via metadata or machine-readable marks.

This isn't optional or a recommendation. It's law. Any company publishing AI-generated content without properly labeling it faces the sanctions provided for in the regulation. And not just big tech companies: also agencies, content creators, and small businesses using tools like ChatGPT, Midjourney, or any image or video generator.

A law citing the Pope, an agent protecting software, and regulation demanding transparency. AI is no longer an experiment — it's an industry. And like every industry, it needs rules. The good news is that, for the first time, they're starting to be written.

— Max