Spain is entering an era of intensified Big Tech enforcement, even if the implementation of the Digital Services Act is stalled in parliament. Europe’s alphabet soup of regulations—the GDPR, the DMA, the DSA, and EU AI Act and the NIS2—aim to ensure fair competition, increase security and transparency, defend consumers, and regulate emerging technologies. The fines that come with the enforcement regime can reach billions of euros and are much higher than anything Spain has seen before. The question for some government officials in Madrid isn’t whether it is regulatory overload; it’s whether the regulations are enough to keep Big Tech in line. But the U.S. tech giants aren’t remaining idle either. GDPR in Spain: Full Steam Ahead The General Data Protection Regulation (GDPR), which aims to protect the data of individuals, allows for company fines of up to 4% of global annual turnover or €20 million in the mosxpret serious cases, whichever penalty is higher. “In terms of GDPR, enforcement is very rigorous,” Paula González de Castejón, DLA Piper IPT partner, said. Last week the Spanish data watchdog, Agencia Española de Protección de Datos (AEPD), handed the airport operator Ania a €10 million fine for its use of biometric data. In November, a Commercial Court in Madrid ordered Meta to pay €479 million to 87 Spanish digital media outlets for unfair competition and misuse of personal data on Facebook and Instagram. Other GDPR-related sanctions in Spain include a €1.2 million fine for telecommunications company Orange, a €5 million fine for insurer Generali, and a €1 million fine imposed on the Spanish professional football league LaLiga. In November, Spanish Prime Minister Pedro Sánchez said Meta officials will be summoned to testify before Congress over allegedly tracking the mobile browsing habits of millions of users. Critics see it as a political power play, however. Evidence Through Investigations “Parliament cannot impose fines or binding orders,” said González. “But the idea is to put pressure on these Big Tech companies and to obtain and gather evidence and information.” At a later stage, she added, that information may be used in investigations or for enforcement by the Spanish Data Protection Agency, the European Commission or even the antitrust watchdog Comisión Nacional de los Mercados y la Competencia (CNMC). Investigations into Big Tech are notoriously difficult though. “Platforms control much of the evidence regulators need, creating a significant information imbalance,” said Ecija partner Daniel López, who specializes in privacy and digital regulation. Analyzing tracking technologies, ranking algorithms, or adtech systems requires multidisciplinary teams, he said, and the complexity is heightened by cross-border jurisdictions, sequencing issues, and greater room for procedural challenges. Lagging Regulations The European Commission is taking a strict approach with Big Tech. The Commission is the sole enforcer of the Digital Marketing Act (DMA), with the ability to issue a fine in the amount of 10% of the company’s worldwide turnover. Under the DMA, it imposed a €500 million fine on Apple and a €200 million fine on Meta for breaching the “anti-steering” obligation in April 2025. No fines have been issued under the EU AI Act, at least not yet. The Act entered into force in 2024, but its various provisions are still being implemented. The enforcement of the Digital Services Act (DSA), which aims to protect users against illegal and harmful content, has not been as straightforward. In December, the European Commission issued its first fine to Elon Musk’s X, a €120 million penalty for breaching transparency obligations under the DSA. In response, Musk reportedly called for the European Union to be abolished. X and Meta have been contacted for comment. On a national level, DSA enforcement is another story. González said that although the CNMC have yet to be granted “sufficient powers and resources to carry out these specific investigations”. Given Spain’s power-sharing government and deadlock in parliament, “a resolution in 2026 is feasible, though not assured,” said López. “Pieces of legislation that require a majority in the parliament are not foreseeably going to be approved in the next couple of years,” said Javier Torre de Silva, a partner at CMS Albiñana & Suárez de Lezo and head of the firm’s technology, media and electronic communications group in Spain. “Once the Spanish governance law is approved, the CNMC will be able to fully enforce the DSA, including conducting audits, demanding data access and imposing substantial fines,” López said. “Combined with new responsibilities under the European Media Freedom Act, this will produce a more integrated and interventionist model of oversight, particularly in areas such as minors’ safety, disinformation and transparent recommender systems,” he added. Still, the CNMS in its antitrust capacity has already been active in watching over Big Tech: in 2023, it imposed a €194 million fine on Amazon and Apple for collusion in online device sales. Big Tech and Big Law “Spain is entering a phase of intensified enforcement,” said López, adding that companies should expect investigations that integrate privacy, content governance, advertising transparency and competition aspects rather than treating them separately. “Preparing for this shift requires stronger internal auditability, the ability to clearly explain algorithmic and data-processing decisions, and updated DSA risk assessments tailored to Spain,” he said. López also considers transparent and proactive engagement of Big Tech companies with regulators to be essential. Navigating the digital transformation, especially in light of the European regulations and the multi-jurisdictional nature of enforcement, may be overwhelming for clients, however. On the other hand, Torre de Silva said the DSA is also beneficial for tech companies because it limits the liability of the services providers. “It clarifies the rules of the game in terms of compliance. We don’t foresee big changes, because Big Tech are already making huge efforts to comply with the DSA.” Joaquín Hervada, litigation and regulatory partner at DLA Piper, said that the biggest concerns lately are around AI, the risks of supply chains, and everything around data centers from design and construction to the power supply and compliance. “We are in a really challenging and interesting moment right now,” González said.