Tax: Export controls on dual-use material: The challenge of duality in an era of global uncertainty

M&A: Analysis of the mid-market in Spain during the year 2025

Commercial: Customer Service Act: regularoty impact and challenges for the retail sector

IP-Media: Transparency and the right of access in the face of automated decisions by artificial intelligence

TAX

Export controls on dual-use material: The challenge of duality in an era of global uncertainty

YOLANDA CANO
Of Counsel

In today’s international trade ecosystem, technological sophistication has blurred the lines between civilian and military use. What is now an essential component for the telecommunications or medical industries may tomorrow become a critical part of a defence system. This ambivalent nature defines dual-use material: goods, software, and technologies that, although designed for legitimate commercial purposes, have the potential to be applied in the development of weaponry or nuclear capabilities.

For high-technology companies, exporting is no longer merely a matter of logistics and tariffs; it is an exercise in technical geopolitics. Ignoring the “invisible border” of export controls is not only an operational risk but also a vulnerability that can compromise the long-term viability of any transnational organization.

From European Regulation to Extraterritoriality

Regulatory compliance in this field is not a suggestion, but a strict mandate articulated through multiple levels of governance.

Within the European Union, the central pillar is Regulation (EU) 2021/821. This text not only harmonizes control criteria but also introduces modern variables such as technical assistance and the control of brokering services. Dual-use items are those included in Annex I of the Regulation.

In Spain, the Interministerial Board for the Regulation of Foreign Trade in Defence and Dual-Use Material (JIMDDU) acts as the final filter, ensuring that each transaction aligns with international commitments derived from the Wassenaar Arrangement, the Nuclear Suppliers Group, and the Missile Technology Control Regime (MTCR).

A critical technical aspect that many organizations underestimate is the application of third-country regulations, specifically those of the United States. Due to the prevalence of U.S. components or intellectual property in global supply chains, Spanish companies are often subject to U.S. Department of Commerce regulations (EAR) or U.S. Department of State regulations (ITAR), even in transactions that never physically involve U.S. territory.

Technical Classification

Export Control Classification is not an administrative process but a deep technical audit. Determining whether a product is subject to export controls requires a detailed analysis of its performance specifications.

How do I know if my product is dual-use?

Export control is not limited solely to items that might “naturally” be considered dual-use material.

For example, in the textile industry, aramid fibres (commercially known as Kevlar or Nomex) are used in protective clothing for motorcyclists or industrial gloves. However, due to their extremely high tensile strength and heat resistance, they are strictly controlled because they are the primary component of bulletproof vests, military helmets, missile engine reinforcements, and aerospace components.

Beer fermentation tanks may also be classified as dual-use items, due to the possibility of their diversion toward the manufacture of chemical weapons.

And so the list goes on—hence the need for proper technical classification.

Technical Classification is a process that consists of comparing a product’s specifications with official control lists:

• Annex I of Regulation (EU) 2021/821: Contains an alphanumeric list (codes such as 1A002 or 3A001) divided into categories (Electronics, Sensors, Materials, etc.).

• Analysis of technical parameters

• Request for Technical Information: When acting as a distributor rather than a manufacturer. If the supplier is based in the U.S., they must provide the Export Control Classification Number (ECCN).

•Expert opinions: In complex cases (chemistry, software, technical textiles), it is essential to rely on engineers or specialized consultants who can issue a binding report.

It is therefore crucial to stress that an incorrect classification—whether due to omission or misinterpretation of technical notes—may result in multi-million-euro financial penalties, loss of export privileges, and, in serious cases, criminal liability.

The Internal Compliance Program (ICP): More Than a Protocol

Current regulatory trends require companies not only to comply, but also to demonstrate a culture of compliance. The design of a robust Internal Compliance Program (ICP), while not mandatory but strongly recommended by the European Commission, should be structured around seven fundamental pillars:

1. Senior Management Commitment: A clear communication policy that prioritizes legality over sales volume.

2. Organizational Structure: Appointment of control officers with sufficient resources and authority to halt suspicious operations.

3. Transaction Control Processes: “Know Your Customer” (KYC) protocols to verify end-use and end-user.

4. Information Security: Protection of sensitive data and intangible technology transfers (emails, cloud systems, servers).

5. Continuous Training: Technical training for commercial and engineering departments.

6. Preventive Audits: Annual reviews to identify gaps before they become violations.

7. Recordkeeping and Documentation: Full traceability of every decision made throughout the export process.

Competitive Advantage: Legal Certainty as a Brand Value

Far from being a barrier, export control—when managed with excellence—becomes a commercial differentiator.

In a market saturated with suppliers, companies that present solid export licenses and certified compliance programs project an image of being safe and responsible partners. This facilitates entry into high-value markets, improves relationships with regulators, and streamlines supply chains by minimizing customs delays.

Ultimately, organizations that succeed in embedding compliance into their operational DNA will not only be protected against sanctions but will also be better positioned to lead the next wave of global technological innovation. Export control is not the end of a sale; it is the guarantee that technology will continue to build the future—placed in the right hands.

February 2026

---

M&A

Analysis of the mid-market in Spain during the year 2025

MANUEL ARMADA
Associate

The M&A market in Spain closed 2025 with an apparent contradiction: fewer deals were signed than in previous years, but the investment volume increased significantly. Far from being a temporary phenomenon, this pattern confirms a structural shift in how buyers and investors approach the mid-market.

Investor interest remains strong, particularly in the mid-market and lower-mid-market sectors, although under significantly more demanding criteria. A "good company in an attractive sector" is no longer sufficient: the focus is now on the actual quality of the business, the visibility and recurrence of cash flow generation, and the anticipation of risks as key elements of the process.

From expectation to evidence

One of the major differences compared to previous cycles is the level of analysis prior to the start of investment operations. In today's mid-market, processes move forward when there is clear evidence on very specific aspects: recurring revenue, customer concentration, sustainable margins, and an operational structure that is not overly dependent on the founder or a single key person.

When these conditions are not sufficiently met, the impact is immediate. The transaction doesn't necessarily fall through, but its structure changes: downward price adjustments, a redefinition of the scope, or conditional structures that shift some of the risk to the seller. In this context, "spot" transactions are becoming less common, in favor of more sophisticated risk-sharing arrangements.

Structuring as a risk management mechanism

The widening gap between seller and buyer expectations is not being resolved with more negotiation, but with more structure: Earn-Outs linked to actual results, more detailed price adjustments (net debt, normalized working capital, closed definitions) and greater involvement of the management team are now part of the market standard.

It is also increasingly common for the scope of the transaction to be worked out before signing: non-strategic assets, loss-making lines of business, or legal risks are segregated to facilitate the closing. In practice, the economic value of the transaction is determined well before closing and depends both on the degree of prior preparation and on the contractual architecture itself.

The increase in contractual complexity

Another clear trend is the increasing structural complexity of transactions. In contrast to the classic single-seller model, processes involving multiple shareholders, divergent interests, and, in many cases, a presence in several jurisdictions are gaining ground. These types of transactions demand much more intensive coordination, not only at the legal and tax levels, but also in the internal alignment of the sellers.

Experience shows that many processes are not prolonged—or fail—due to a lack of investor interest, but rather to insufficient management of this internal complexity. The ability to present a cohesive sales position, with clear boundaries and consistent guarantees, has become a critical success factor.

Sector analysis

From a sectoral perspective, the market maintains a solid foundation. Real estate continues to be one of the main drivers of activity in terms of the number of transactions, while technology and software are entering a stabilization phase after years of peak growth, with a focus on industrial digitalization and automation.

Professional services continue to show stability in the mid-market, especially for financial investors seeking platforms with the capacity for both organic and inorganic growth. Meanwhile, the industrial sector plays a central role, not so much due to volume, but rather the complexity and sophistication of the transactions it generates.

Forecast for 2026

The outlook for 2026 is reasonably positive: the forecast of a gradual decrease in interest rates, the high liquidity of private equity funds, and the reactivation of cross-border transactions point to greater dynamism. However, a widespread or automatic recovery is not expected for all sectors…

Buyers will remain demanding. Well-prepared assets with streamlined processes and clear structures will attract the most interest. Sectors such as defense, artificial intelligence applied to industry, and certain specialized industrial niches are emerging as particularly attractive.

Conclusion

In today's mid-market M&A landscape, the difference between a successful deal and one that falls short lies less in the multiple and more in risk management prior to the acquisition process. Early preparation, regulatory anticipation, alignment between partners, and a rigorous structure have become key determinants.

Today, more than ever, value is built before the contract is signed. And those who understand this in time have a head  start.

February 2026

---

COMMERCIAL

Customer Service Act: regularoty impact and challenges for the retail sector

ALBERTO CHENLO
Associate

Over recent decades, the relationship between companies and consumers has evolved significantly, driven by digitalization, distance contracting, and the growth of e-commerce. This process has not only expanded the retail market—by allowing companies to reach more customers and diversify their sales channels—but has also led to a notable increase in the number of consumer complaints, particularly in a sector where customer service often covers both physical stores and online platforms.

In this context, on 26 December, Act 10/2025 of 26 December regulating customer service (“Customer Service Act”) (BOE-A-2025-26698) was published. Its main objective is to guarantee minimum standards of quality, effectiveness, and accessibility in consumer service in order to prevent conflicts and reduce litigation.

I. Key aspects

Scope of application

The Customer Service Act will apply to companies and corporate groups that annually exceed any of the following thresholds:

≥ 250 employees
> Euro 50 million in turnover
> Euro 43 million in total assets

Customer information

Clear, visible, and easily accessible information must be provided on the available customer service channels, whether in the contract, on the invoice, or on the homepage of the website, ensuring that it is prominently displayed. This obligation applies to all sales channels and requires that the information be understandable to any consumer, incorporating easy-to-read formats and accessibility measures.

Likewise, before the consumer becomes bound to the company, information must be provided on (i) contact channels, (ii) complaint registration and tracking systems, (iii) out-of-court dispute resolution mechanisms, and (iv) customer service opening hours. This information will form an integral part of the contract with the consumer.

In telephone customer service, the information described above must be provided, additionally incorporating accessible informational voice messages at no extra cost so that consumers can consult it at any time.

Communication channels

At least three (3) customer service channels must be available: postal, telephone, and electronic, in addition to the channel through which the contract with the consumer was concluded.

Language

It shall be guaranteed that consumers may submit complaints in Spanish in all cases and, additionally, in any of the official languages of the relevant autonomous community when customer service is addressed to residents of communities with a co-official language. Likewise, at the consumer’s request, service shall be provided in the chosen official language, provided that the company operates in that community and the requested language is officially recognized. Responses to complaints must be issued in the same language in which the consumer submitted the complaint.

Use of automated answering systems

The exclusive use of automated answering machines, bots, or similar systems is expressly prohibited, guaranteeing the right to personalized assistance by an operator. In this context, their use must ensure the option to access personalized assistance through the available alternatives at any time during the interaction and from its outset.

Service levels

Ninety-five per cent (95%) of calls must be answered within an average time of less than three (3) minutes from the moment the consumer makes the request. For these purposes, a telephone communication will not be deemed to have been effectively answered if it does not allow the consumer to explain the reason for the call and request personalized assistance.

Supervised service and call continuity

In the event of dissatisfaction with the service provided, the person who initiated the communication may request that it be escalated to a supervisor or to a specific quality control area, which must handle the matter during that same communication. If the transfer cannot be made within a period of less than three (3) minutes, the company may make contact subsequently, always within the same business day on which the request was received. Likewise, companies may not interrupt communications due to prolonged waiting times.

Accessibility

When a consumer in a situation of vulnerability submits a complaint in person, the company must provide the necessary support and personalized, individual assistance to ensure proper handling. In the case of persons with hearing disabilities, the telephone channel must be accessible and supplemented, at the user’s choice, with an alternative system of instant written messaging via a widely used mobile application or with video interpretation in sign language, or any other equivalent means. Likewise, for elderly people or people with disabilities, the telephone channel must ensure priority service.

Handling and resolution of complaints

It must be ensured that complaints can be identified and tracked through a code or identification method that allows the status of their processing to be known in an accessible and agile manner. Likewise, at the consumer’s request, a receipt must be provided reflecting the content, date, and time of receipt.

Complaint resolutions must be duly reasoned, addressing all issues raised and, in the event of rejection, including information on the available out-of-court dispute resolution systems. In cases of incomplete submission, a minimum period of ten (10) business days shall be granted for rectification, from which point the resolution period will begin to run; if, after that period, the consumer has not provided the required documentation, the complaint will be deemed resolved. The company shall bear the burden of proof if it alleges delays attributable to the consumer.

All complaints must be resolved within a maximum period of fifteen (15) business days from receipt. In particular, those relating to billing or undue charges must be responded to within a maximum period of five (5) business days.

Satisfaction surveys

An accessible system must be in place to assess consumer satisfaction once complaints have been resolved, in order to detect possible deficiencies in service provision. The results must be recorded, and the system must be designed in accordance with universal and cognitive accessibility criteria, incorporating tools such as video interpretation in sign language (Svisual), instant written messaging, and other supports that ensure its use by vulnerable consumers.

Cooperation with consumer associations

Stable cooperation must be maintained with the most representative consumer associations within the relevant territorial or sectoral scope, in order to guarantee and improve the quality and effectiveness of customer service.

Evaluation and audit system

Companies must have a system in place to periodically evaluate the quality of their customer service. As a general rule, the evaluation will be annual, although smaller companies may carry it out biennially if their volume of activity justifies it. Likewise, the documentation and its audit must be published on the company’s website and updated when necessary to adapt to service conditions or amend identified deficiencies.

An annual audit must be commissioned to verify the reliability and accuracy of the published measurements regarding customer service quality. The audit will verify that the company has an implemented and documented quality evaluation system, consistent with the version submitted to the Administration, and that the measurement error for each parameter does not exceed 5% of its actual value. The audit must be carried out by an entity accredited by the National Accreditation Body. Smaller companies may carry out this audit biennially.

Sanctions regime

Failure to comply with the obligations imposed by the Customer Service Act will constitute a consumer law infringement, punishable in accordance with the general regime provided for in the General Law for the Defense of Consumers and Users (LGDCU) and the applicable regional legislation.

II. Adaptation period

Companies subject to the Customer Service Act will have a period of twelve (12) months to adapt their customer service systems to the provisions of the Act.

III. Conclusions

i. The Customer Service Act represents a paradigm shift for companies in the retail sector, which could entail an overload of customer service departments.

ii. Companies will need to review and update their customer service policies, ensuring compliance with response times, provision of personalized service from the first contact, and agile tracking of incidents. They must also ensure that complaints can be submitted and answered in the same language in which the consumer filed them, including the official languages of the relevant autonomous community, and that channels are accessible for persons with disabilities or in situations of vulnerability, incorporating tools such as instant written messaging, video interpretation in sign language, and other systems that facilitate effective communication.

iii. It will be necessary to assess and, where appropriate, renegotiate contracts with external customer service providers, including a review of KPI/SLA indicators and potential penalties, to ensure compliance with quality standards, response times, and language requirements, especially in call-center services handling orders, returns, or online incidents.

iv. The obligation to implement periodic evaluation systems and external audits of customer service requires prior planning, investment in measurement tools, and coordination with accredited auditors, ensuring that the published data are reliable, auditable, and enable the identification of opportunities for improvement in the shopping experience.

v. Ultimately, it will be essential for retail sector companies to closely monitor the implementation and evolution of the Customer Service Act, as it represents a significant change in the regulation of consumer rights and in corporate responsibilities regarding service quality, response times, and the accessibility of customer service systems.

February 2026 

---

IP-MEDIA

Transparency and the right of access in the face of automated decisions by artificial intelligence

FLORENCIA ARRÉBOLA
Associate

The significant increase in the use of artificial intelligence systems to make decisions of all kinds that affect people has generated considerable debate surrounding privacy and fundamental rights in the digital context. When such decisions are made without any human intervention—that is, solely and exclusively automated—the General Data Protection Regulation (GDPR) establishes safeguards designed to prevent the data subject from being left unprotected.

The Judgment of the Court of Justice of the European Union (CJEU), dated February 27, 2025, issued in case C-203/22, resolved a case relating to an automated credit assessment, which has served as a precedent for the protection of the individual against the abusive use of artificial intelligence and to precisely define the scope of the right of access and its relationship with automated decisions.

The CJEU ruling is based on a specific case where an automated credit assessment carried out by a company resulted in the denial of a contract to a consumer. Specifically, Dun & Bradstreet (“D&B”) performed a credit assessment on a customer who had a mobile phone service contract. The mobile phone operator then denied the contract renewal based on D&B's credit assessment. In response, the customer exercised their right of access to information regarding the criteria used to determine their creditworthiness. The Court ordered the aforementioned company to provide information on the logic applied in creating the customer's profile. The Court concluded that data controllers have an obligation to describe the procedures used to understand what personal data was used and how for automated decision-making.

Article 22 of the GDPR recognizes the right of every data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The purpose of this article is to prevent the controller from circumventing its provisions by fabricating human involvement, since automated decision-making occurs when decisions are made about a person through purely automated processes. Individuals have the right not to be subject to decisions made solely through such processing if those decisions produce legal effects or significantly affect them, as their rights and freedoms must be safeguarded against decisions that could affect fundamental aspects of their lives, guaranteeing adequate oversight by the competent authorities.

In accordance with Article 15 of the GDPR, the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, the right to access such data and information about its processing, the recipients of the data, and that the controllers of this processing provide meaningful information about the logic applied in automated processes, is guaranteed.

In this context, the reference to article 15 of the GDPR should be understood as referring to article 15 paragraph 1, letter h, which expressly recognizes the data subject's right to obtain meaningful information about the logic involved in automated decision-making processes, as well as the significance and envisaged consequences of such processing for the data subject, in direct connection with the provisions of Article 22 of the GDPR. Both articles must be interpreted together, since only through effective access to this information is it possible to understand the decision taken and exercise the rights recognized by data protection law.

The Court maintains that data subjects must be guaranteed the right to obtain a clear, understandable, and accessible explanation of the logic applied in automated decisions, enabling them to understand the criteria used and the influence of their personal data on the final outcome. It also affirms that the information provided must be genuinely useful to the affected individual and acknowledges that the right of access is not absolute and must be balanced with other fundamental rights, such as the protection of third-party rights and trade secrets, thus determining the scope of information that must be disclosed by the courts.

The ruling set a precedent for organizations using such automated systems to review their transparency policies, specifically considering Article 12.1 of the GDPR, which states that all information provided to data subjects must be concise, easily accessible, and easy to understand, and must use clear and plain language. It has also introduced a greater requirement for accountability for data controllers, who can no longer use the technical complexity of artificial intelligence systems as a pretext to limit the exercise of rights recognized by the GDPR.

The interpretation made by the CJEU aligns with the general orientation of the European Union on the regulation of artificial intelligence, and particularly with the doctrine of the European Data Protection Board (EDPB), which emphasizes that a decision will be automated when there is no real human intervention, that it is not significant and can only be merely symbolic; implying that the intervening person must have the effective ability to review the automated result, assessing all relevant data and modifying the final decision if it is considered pertinent to do so.

In conclusion, the CJEU judgment of 27 February 2025 represents a significant step forward in the effective protection of the right of access and in the requirement of transparency regarding automated decisions. Its interpretation reaffirms the idea that the development of technological innovation must be closely linked to respect for fundamental rights and that artificial intelligence must be designed and applied responsibly, ensuring that individuals maintain effective control over the use of their data and over decisions that affect them in the digital environment.

February 2026

*These articles do not constitute legal advice.