It is reported that passive sharing is mandated and is effective in both the mobile (based on commercial agreements) and fixed sectors. In addition, Art. 3.2 of Directive 2014/61/EU establishes that Member States shall ensure that, upon written request of an undertaking providing or authorised to provide public communications networks, any network operator must meet all reasonable requests for access to its physical infrastructure under fair and reasonable terms and conditions, including price, with a view to deploying elements of high-speed electronic communications networks. Such written request shall specify the elements of the project for which the access is requested, including a specific time frame.

It is reported that Spain does not mandate functional separation for operators with significant market power in the telecom sector. However, accounting separation is required for SMP operators. Telefónica is required in several markets, all operators in relation to the call termination markets in fixed or mobile networks with respect to their own networks and Cellnex Telecom in the market for the transmission of television signals.

It is reported that the National Commission for Markets and Competition (CNMC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Art. 46bis of Law 40/2015 provides that the information and communications systems for the collection, storage, processing and management of the electoral census, the municipal registers of inhabitants and other population registers, fiscal data related to owned or assigned taxes and data, on users of the national health system, as well as the corresponding processing of personal data, shall be located and provided within the territory of the European Union. The data may not be transferred to a third country or international organisation, with the exception of those that have been the object of an adequacy decision of the European Commission or when so required for compliance with the international obligations assumed by the Kingdom of Spain.

The European Union General Data Protection Regulation (GDPR) provides a comprehensive framework for data protection that applies to all EU Member States. Spain implemented the GDPR in 2018 through the Organic Law No. 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights.

Under the EU Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws that implemented the Directive have been overturned.
According to Art. 5 of Law 25/2007, the retention period for telecommunication data shall be, as a general rule, one year. Nevertheless, depending on the circumstances, the actual timeframe may vary (e.g. from six months to two years).

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
Act 34/2002 transposes Directive 2000/31/EC. In Spain, the safe harbour framework is mainly defined in this Act. Under certain circumstances, online intermediaries will be exempt from a wide array of liabilities, including contractual liability, administrative liability, tortious (delictual) or extra-contractual liability, criminal liability, civil liability or any other type of liability, for all types of activities initiated by third parties, including copyright and trademark infringements, defamation, misleading advertising, unfair commercial practices, unfair competition, publications of illegal content, etc, relating to the content and data uploaded by users. Nevertheless, safe harbour, as a general rule, only applies if the intermediaries are not aware of the illegality (intermediaries with a passive role) or if aware (intermediaries with an active role) do not act to stop it. In this line, hosting providers and service providers that provide links to content or search tools have a greater obligation to act diligently in cases where data storage or user activities may be illegal.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
Act 34/2002 transposes Directive 2000/31/EC. In Spain, the safe harbour framework is mainly defined in this Act. Under certain circumstances, online intermediaries will be exempt from a wide array of liabilities, including contractual liability, administrative liability, tortious (delictual) or extra-contractual liability, criminal liability, civil liability or any other type of liability, for all types of activities initiated by third parties, including copyright and trademark infringements, defamation, misleading advertising, unfair commercial practices, unfair competition, publications of illegal content, etc, relating to the content and data uploaded by users. Nevertheless, safe harbour, as a general rule, only applies if the intermediaries are not aware of the illegality (intermediaries with a passive role) or if aware (intermediaries with an active role) do not act to stop it. In this line, hosting providers and service providers that provide links to content or search tools have a greater obligation to act diligently in cases where data storage or user activities may be illegal.

In accordance with the Sole Additional Provision of Law 25/2007, mobile telephony service providers that offer prepaid card activation systems are required to maintain a registry of the identities of customers who purchase SIM cards. Before completing the sale, operators must inform customers about the existence and purpose of this register, its availability under the terms outlined in the subsequent section, and the rights specified in Art. 38.6 of Law 32/2003. The process of identification must be conducted using an official identity document, with the register recording the purchaser's name, surname, nationality, identification document number, and the nature or designation of the document.

Art. 85 of the Utilities Directive (2014/25/EU) contains provisions allowing contracting public entities to reject foreign goods not covered by any EU international commitments from its tender procedures. In these cases, a tender submitted for the award of a supply contract may be rejected where the proportion of the products originating in third countries exceeds 50% of the total value of the products constituting the tender (Art. 85.2). Additionally, in cases of equivalent offers, the provisions provide for a preference for European tenders and tenders covered by EU's international obligations. In practice, this possibility has rarely been used.
In Spain, the Directive has been transposed with the Royal Decree-Law 3/2020.

The Law on Public Sector Contracts, Art. 1, applies the principles of freedom of access to tenders and non-discrimination and equality of treatment among bidders. However, Art. 68 stipulates that tenderers may not participate in public procurement procedures when they do not come from countries that are part of the EU, the European Economic Area or the WTO Government Procurement Agreement or countries that admit the participation of Spanish companies in their public procurement procedures (principle of reciprocity).
Additionally, Art. 68(2) stipulates that specific administrative clauses may require non-European companies that are awarded works contracts to open a branch in Spain, with the appointment of proxies or representatives for their operations, and to be registered in the Mercantile Register.

According to the Royal Decree 571/2023, both local and foreign private entities can establish and own businesses with no limits on foreign ownership.

Decree-Law No.20/2022 extended the temporary regime from Royal Decree-Law No. 8/2020, which requires approval from the Ministry for Industry, Trade, and Tourism for certain foreign direct investments (FDI) in Spain. This regime, initially set to end in March 2020, has been extended to December 31, 2024. The General Screening Mechanism applies to FDIs in strategic sectors such as telecommunications, artificial intelligence, robotics, semiconductors, cybersecurity, aerospace, nanotechnologies, advanced materials, advanced manufacturing systems, and activities that may impact national security, public order, and public health. Temporarily, Royal Decree-Law 20/2022 requires FDI transactions to receive authorisation if they involve: (i) listed companies in Spain or unlisted companies where the investment exceeds EUR 500 million; (ii) investors or beneficial owners controlling more than 25% of the investor from other EU or EFTA countries; or (iii) acquisitions where the investor holds at least 10% of the Spanish company's share capital or gains control according to criteria in Art. 7.2 of Law 15/2007 on Competition Defence.