OpenAI IPO: when AI becomes financial infrastructure

The European regulation on artificial intelligence (AI Act) has already completed its legislative process in the EU: it was approved by the Parliament and the Council, published in the Official Journal of the EU on July 12, 2024, and came into force on August 1, 2024. However, its obligations apply gradually between 2025 and 2027, with a particular focus on general-purpose models and high-risk systems. In parallel, the European Commission is deploying implementing acts, guidelines, and governance structures such as the AI Office, while Member States, including Spain, are adapting their internal organization and approving complementary regulations. The key next steps involve the full application of the general regime in 2026 and the completion of the regime for high-risk systems in 2027, along with the development of technical standards and codes of conduct.

Current status of the AI Act in the European Union

Formally, the AI Act has completed its entire ordinary legislative cycle. According to the institutional summary, the European Parliament approved the regulation on March 13, 2024, and the Council definitively adopted it on May 21, 2024, thus concluding the co-decision phase (digital-strategy.ec.europa.eu, es.wikipedia.org). Subsequently, the Regulation was published in the OJEU on July 12, 2024, and, as provided in its own final clause, came into force on August 1, 2024, 20 days after publication.

From a substantive point of view, therefore, there are no pending legislative phases in the EU for the base text: the AI Act is already binding law in all Member States. What is now underway is the implementation phase and the development of secondary-level norms (implementing acts, delegated acts, guidelines, and technical standards), along with various fine-tuning adjustments to facilitate its practical application.

Implementation timeline

The application of the AI Act obligations is gradual, with milestones spread between 2025 and 2027, as reflected in the official framework and specialized analyses (digital-strategy.ec.europa.eu, artificialintelligenceact.eu, oeiac.cat):

• February 2, 2025: prohibitions related to AI systems considered to pose an unacceptable risk (e.g., certain forms of manipulation or social scoring) and obligations associated with AI literacy begin to apply.
• August 2, 2025: rules on general-purpose AI models come into force, as well as governance elements (notifying authorities and notified bodies), surveillance regime, and part of the sanctions framework.
• August 2, 2026: the general application of the regulation is activated for most AI systems, including obligations for high-risk systems in areas such as employment, essential services, or certain uses in administration.
• August 2, 2027: the deployment of the regime for some high-risk systems with more complex requirements is completed, in line with the longer transitional period provided by the AI Act itself and subsequent adjustments of the so-called simplification package or “AI omnibus” (digital-strategy.ec.europa.eu, ecosistemastartup.com).

This phased deployment aims to give companies, administrations, and assessment bodies time to adapt technical processes, compliance structures, and supervisory capacities, avoiding abrupt disruptions in highly regulated sectors.

Next steps at the EU level

With the main text already approved, the European agenda focuses on implementation and support instruments. The European Commission is working on:

• Implementing acts and technical guidelines that specify risk assessment criteria, transparency requirements, data rules, and conformity methodology, with special attention to general-purpose AI models (digital-strategy.ec.europa.eu, artificialintelligenceact.eu).
• Development of codes of practice and voluntary frameworks for providers to demonstrate early compliance, particularly in the field of generative AI (oeiac.cat).
• Full operation of the European Artificial Intelligence Office, responsible for coordinating the application of the regulation, centralizing information on general-purpose models, and supporting national authorities (ec.europa.eu – creation of the AI Office).
• Implementation of controlled testing environments (regulatory sandboxes) at national and European levels, with specific support for SMEs and startups to test AI solutions under supervision (aesia.digital.gob.es).

Additionally, the so-called digital simplification package (“AI omnibus”) has introduced adjustments in application deadlines for certain high-risk systems until the end of 2027, aiming to harmonize the schedule with other pieces of European digital regulation (ecosistemastartup.com).

Adaptation and next steps in Spain

As it is a Regulation, the AI Act is directly applicable but requires national organizational and procedural adjustments. In Spain, the priority is to designate and strengthen the competent authorities to supervise and sanction, including the Spanish Artificial Intelligence Supervisory Agency (AESIA), which is already working on a general approach to the regulation and guidance materials (aesia.digital.gob.es).

Among the steps being addressed or planned are:

• Definition of the role of AESIA and other sectoral regulators (data protection, consumer protection, financial supervisors) in market surveillance and sanctioning procedures.
• Approval of internal organizational and procedural rules (possibly via laws and royal decrees) to articulate inspections, incident notification channels, and coordination with the European AI Office.
• Development of national guidelines and support tools for companies, with a special focus on SMEs and public administrations, aligned with the European Commission’s guidelines and implementing acts.

In summary, the core European legislation is already closed, and the current cycle shifts towards practical application: development of detailed rules in Brussels and building the institutional framework in Member States, including Spain.

Key functions of the AEPD regarding technology companies

The Spanish Data Protection Agency (AEPD) is the independent authority responsible for ensuring compliance with data protection regulations in Spain, including the application of the General Data Protection Regulation (GDPR) to technology companies processing user data within Spanish territory. Its functions range from supervision and control to sanctioning powers and issuing interpretative criteria. In the case of large platforms and digital services (social networks, cloud services, mobile applications, artificial intelligence, etc.), the AEPD acts as a guarantor of individuals' rights against the massive and often automated use of their personal data.

Supervision and control of regulatory compliance

Regarding technology companies, the AEPD has the competence to supervise compliance with the obligations of the GDPR and the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD). This includes:

Firstly, the AEPD can verify that companies have an appropriate legal basis for each data processing activity (consent, contractual necessity, legitimate interest, etc.) and that they respect the principles of data minimization, purpose limitation, and limited data retention. It also controls that data protection impact assessments are carried out when the technologies used pose a high risk to individuals' rights (for example, facial recognition, behavioral profiling, or AI systems making significant automated decisions).

Additionally, the Agency supervises the existence and actions of data protection officers (DPOs) in those technology companies required to appoint them, and reviews privacy policies, legal notices, and consent mechanisms to ensure they are clear, accessible, and understandable to users. In the security domain, the AEPD controls that appropriate technical and organizational measures are applied to protect information against unauthorized access, loss, or data breaches.

Investigation, inspections, and sanctioning powers

The AEPD has broad investigative powers over technology companies. It can initiate inspections ex officio (on its own initiative) or based on complaints and reports from citizens and organizations. These inspections may include requests for information, system audits, algorithm analyses, and review of contracts with processors and data handlers.

When violations are detected, the AEPD can impose corrective measures and financial penalties. In the context of large technology platforms, this translates into the ability to order the suspension of certain processing activities, require changes to default settings, or demand modifications in service design to comply with privacy by design and by default. Fines can be especially significant in the technology sector, given the volume of data processed and the global scale of many companies, serving as a strong incentive for regulatory compliance.

Protection of user rights and complaint management

Another central function is the protection of the rights of users of technological services. The AEPD processes complaints related to the exercise of rights of access, rectification, erasure, restriction of processing, portability, and objection, as well as against automated decisions and profiling. If a technology company does not adequately respond to a rights request or unjustifiably denies it, the Agency can intervene, demand compliance, and, if applicable, sanction.

In the digital environment, this is especially relevant for cases involving content removal, the right to be forgotten in search engines, deletion of profiles or data on social networks, messaging services, and personalized advertising platforms. The AEPD acts as a guarantor against power imbalances between large technology providers and individual users.

Guidance, guidelines, and European coordination

Besides its control role, the AEPD performs a guidance and prevention function specifically aimed at technology companies. It publishes guides, criteria, and technical recommendations on the use of cookies and tracking technologies, mobile app development, video surveillance, biometric data processing, big data, artificial intelligence, or business models based on behavioral advertising. These guidelines serve as a reference for companies to design privacy-respecting services from the conception phase.

At the European level, the AEPD participates in GDPR cooperation and consistency mechanisms, especially relevant for large platforms operating in multiple Member States. It collaborates with other supervisory authorities in joint investigations, exchanges information, and contributes to the development of common opinions and technical standards, directly impacting how technology companies must organize their data processing at the EU scale.

Prevention, awareness, and new technologies

Finally, the AEPD plays a preventive and social awareness role regarding the risks of the digital economy. It promotes information campaigns on internet privacy, responsible use of social networks, and protection of minors, all directly related to the services of technology companies. It also analyzes the impact of new technologies and trends (such as cloud services, the Internet of Things, or generative AI systems) to anticipate problems and propose frameworks that protect fundamental rights in a rapidly innovating environment.

Initial summary

In the United States and the European Union, a technology company wishing to go public must primarily comply with requirements on financial transparency, corporate governance, and investor protection. In the U.S., the framework revolves around the Securities and Exchange Commission (SEC) and the filing of the registration statement (such as the Form S‑1) prior to listing on markets like Nasdaq or NYSE. In the EU, the core is the Prospectus Regulation and the rules of each Member State and regulated market (for example, Euronext, BME, Deutsche Börse), supervised by authorities such as the CNMV in Spain. Although technical details vary, the core is very similar in both jurisdictions: detailed prospectuses, audited accounts, capitalization requirements, and a strict continuous disclosure regime.

Key requirements in the United States

1. Registration with the SEC and prospectus

In the U.S. context, the central step for an initial public offering (IPO) is the registration of the share offering with the SEC. This is usually done through the Form S‑1, which acts as the offering prospectus. It includes:

• Audited financial statements for several fiscal years.
• Description of the business model, specific risks (including technological and cybersecurity), and intended use of proceeds.
• Detailed information about the management team, shareholding structure, and corporate governance mechanisms.
• Relevant risk factors for investors.

The SEC reviews the S‑1, issues comments, and the company must respond and, if necessary, amend the document until it is declared effective. Without this effectiveness, the public offering cannot be closed nor can trading begin.

2. Market requirements (Nasdaq, NYSE)

Besides the SEC, each exchange sets its own admission conditions. Although they vary by segment, they usually include:

• Minimum company size (market capitalization, net worth, or revenues).
• Minimum number of shareholders and percentage of free float (shares held by the public).
• Minimum financial history (e.g., several years of audited statements).
• Corporate governance rules (independent directors, audit committees, etc.).

Technology companies that are not yet profitable often use alternative segments or criteria (e.g., based more on capitalization than profits), but always under a regulatory framework protecting investors.

3. Post-listing obligations

Once listed, the company becomes an issuer subject to periodic reporting to the SEC (forms 10‑K, 10‑Q, 8‑K, among others) and to the transparency rules of the exchange where it is listed. For technology companies, disclosure requirements on cybersecurity risks, data protection, and dependence on key technologies become particularly relevant.

Key requirements in the European Union

1. Prospectus and national supervision

In the EU, the central instrument is the prospectus regulated by the Prospectus Regulation, which applies to public offerings of securities and admission to trading on regulated markets. The prospectus must contain:

• Audited historical financial information.
• Description of the business, risks, and sector-specific factors for technology (intellectual property, platform dependence, digital regulation, etc.).
• Corporate governance, capital structure, and significant shareholder agreements.
• Details of the offering: number of shares, indicative price range, use of proceeds.

This prospectus is submitted to the competent authority of the home Member State (for example, the CNMV in Spain, BaFin in Germany, AMF in France). Once approved, it can be passported for offerings in other Member States.

2. Stock market requirements

In parallel, each regulated market (such as Euronext, BME Growth, or the main market of Bolsa de Madrid) adopts its specific admission rules, which typically require:

• Minimum capitalization or minimum offering volume.
• Minimum free float and number of shareholders.
• Audited financial information for a specified period.
• Compliance with codes of good governance and, in some segments, the figure of a listing sponsor or registered advisor.

For smaller or early-stage technology companies, there are SME or growth markets in various countries (such as BME Growth), with somewhat more flexible requirements but maintaining sufficient information levels for investors.

3. Transparency obligations and market rules

A technology company already listed in the EU is subject to the full set of securities market rules, including:

• Requirements for continuous and periodic disclosure (interim and annual financial reports).
• Obligations regarding inside information and market abuse, supervised by the national authority.
• Rules on corporate governance, remuneration, and internal control, often through codes of good governance that companies must follow or explain if they do not (comply or explain).

For technology companies, these frameworks are complemented by sectoral regulations (data protection, digital services, artificial intelligence, cybersecurity) which, while not formal IPO requirements, influence the content of prospectuses and the information provided to the market.