Law No. 2/2011 amended the Spanish Copyright Act to create an administrative body – the Second Section of the Intellectual Property Commission – which orders injunctions against information society services that infringe on copyright. Its functioning was later amended by Law No. 21/2014. The IP Commission targets particularly websites providing links to infringing works in a purposeful and massive way; it may also require payment, advertising, and access service providers to stop providing their services to the infringer.
The Copyright Act also implements (Art. 31.1) the InfoSoc Directive (2001/29/EC) mandatory exception for temporary acts of reproduction which are transient or incidental, have no independent economic significance, and are an integral and essential part of a technological process whose sole purpose is to enable (a) a transmission in a network among third parties by an intermediary, or (b) a lawful use. It also provides that (Arts. 138, 139.1.h, 141.6) copyright owners may ask for injunctions, where appropriate, against an intermediary whose services are resorted to by a third party to infringe copyright, even where the intermediary’s activity is not infringing in itself. The Copyright Act creates (Art. 32) a compulsory levy on news aggregators, and lastly, it establishes (Art. 138) inducement, contributory and vicarious liability for copyright infringements.

The EU Directive on Audiovisual Media Services (AVMS) covers traditional broadcasting services as well as audiovisual media services provided on-demand, including via the Internet. Art. 13.1 provides for Member States to secure a minimum 30% share of European works in the catalogues as well as "ensuring prominence" of those works. "Prominence" involves promoting European works by facilitating access to such works using any appropriate means to ensure their prominence. The Directive has been implemented by Member States in different ways, ranging from very extensive and detailed measures to a mere reference to the general obligation to promote European works.
In Spain, Law 13/2022, General Law on Audiovisual Communication, repealed Law 7/2010 on Audiovisual Communication, transposing the EU Directive on Audiovisual Media Services (AVMS). According to Art. 116 of Law 13/2022, VOD providers in Spain must reserve at least 30% of their catalogue for European works, with at least half of that quota for works in the state's official language or one of the official languages of the Autonomous Communities. Of this sub-quota, 40% must be for works in the official languages of the Autonomous Communities, ensuring at least 10% for each. Additionally, under Art. 119, VOD providers with annual revenues of EUR 50 million or more must allocate 5% of their revenue to finance European audiovisual works, purchase rights, or contribute to relevant funds. The provider must also ensure that 70% of the mentioned percentage goes to independent audiovisual works.

Only an individual or legal entity with interests in or ties to Spain has the right to acquire a ".es" domain. "Interests" or "ties" in Spain are broadly interpreted and include local presence from individuals and incorporated or unincorporated entities that are based, resident or registered in Spain. Examples are companies which wish to aim their services, either partly or in full, at the Spanish market and those that wish to offer information, products or services that are culturally, historically or socially linked to Spain. The latter is allowed, even if there is no local branch or service that is marketed in Spain.

The European Union and Spain have adopted the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty. The treaty was ratified on 14 December 2009 and came into effect on 14 March 2010.

The Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) is key in harmonising national laws concerning trade secrets. Spain transposed the Directive through Law 1/2019, of February 20, 2019, on Trade Secrets.

It is reported that passive sharing is mandated and is effective in both the mobile (based on commercial agreements) and fixed sectors. In addition, Art. 3.2 of Directive 2014/61/EU establishes that Member States shall ensure that, upon written request of an undertaking providing or authorised to provide public communications networks, any network operator must meet all reasonable requests for access to its physical infrastructure under fair and reasonable terms and conditions, including price, with a view to deploying elements of high-speed electronic communications networks. Such written request shall specify the elements of the project for which the access is requested, including a specific time frame.

It is reported that Spain does not mandate functional separation for operators with significant market power in the telecom sector. However, accounting separation is required for SMP operators. Telefónica is required in several markets, all operators in relation to the call termination markets in fixed or mobile networks with respect to their own networks and Cellnex Telecom in the market for the transmission of television signals.

It is reported that the National Commission for Markets and Competition (CNMC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Art. 46bis of Law 40/2015 provides that the information and communications systems for the collection, storage, processing and management of the electoral census, the municipal registers of inhabitants and other population registers, fiscal data related to owned or assigned taxes and data, on users of the national health system, as well as the corresponding processing of personal data, shall be located and provided within the territory of the European Union. The data may not be transferred to a third country or international organisation, with the exception of those that have been the object of an adequacy decision of the European Commission or when so required for compliance with the international obligations assumed by the Kingdom of Spain.

The European Union General Data Protection Regulation (GDPR) provides a comprehensive framework for data protection that applies to all EU Member States. Spain implemented the GDPR in 2018 through the Organic Law No. 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights.

Under the EU Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws that implemented the Directive have been overturned.
According to Art. 5 of Law 25/2007, the retention period for telecommunication data shall be, as a general rule, one year. Nevertheless, depending on the circumstances, the actual timeframe may vary (e.g. from six months to two years).

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
Act 34/2002 transposes Directive 2000/31/EC. In Spain, the safe harbour framework is mainly defined in this Act. Under certain circumstances, online intermediaries will be exempt from a wide array of liabilities, including contractual liability, administrative liability, tortious (delictual) or extra-contractual liability, criminal liability, civil liability or any other type of liability, for all types of activities initiated by third parties, including copyright and trademark infringements, defamation, misleading advertising, unfair commercial practices, unfair competition, publications of illegal content, etc, relating to the content and data uploaded by users. Nevertheless, safe harbour, as a general rule, only applies if the intermediaries are not aware of the illegality (intermediaries with a passive role) or if aware (intermediaries with an active role) do not act to stop it. In this line, hosting providers and service providers that provide links to content or search tools have a greater obligation to act diligently in cases where data storage or user activities may be illegal.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
Act 34/2002 transposes Directive 2000/31/EC. In Spain, the safe harbour framework is mainly defined in this Act. Under certain circumstances, online intermediaries will be exempt from a wide array of liabilities, including contractual liability, administrative liability, tortious (delictual) or extra-contractual liability, criminal liability, civil liability or any other type of liability, for all types of activities initiated by third parties, including copyright and trademark infringements, defamation, misleading advertising, unfair commercial practices, unfair competition, publications of illegal content, etc, relating to the content and data uploaded by users. Nevertheless, safe harbour, as a general rule, only applies if the intermediaries are not aware of the illegality (intermediaries with a passive role) or if aware (intermediaries with an active role) do not act to stop it. In this line, hosting providers and service providers that provide links to content or search tools have a greater obligation to act diligently in cases where data storage or user activities may be illegal.

In accordance with the Sole Additional Provision of Law 25/2007, mobile telephony service providers that offer prepaid card activation systems are required to maintain a registry of the identities of customers who purchase SIM cards. Before completing the sale, operators must inform customers about the existence and purpose of this register, its availability under the terms outlined in the subsequent section, and the rights specified in Art. 38.6 of Law 32/2003. The process of identification must be conducted using an official identity document, with the register recording the purchaser's name, surname, nationality, identification document number, and the nature or designation of the document.