Artificial Intelligence and Criminal Proceedings: Evidence, Digital Identity and New Risks (2026 Guide)

Artificial intelligence and the technologies surrounding it have ceased to be a promise of the future and have become an everyday reality in the criminal courts. In this guide we bring together the five fronts where that impact is already tangible: cognitive attacks using generative AI, the threat of quantum computing to secrecy and data custody, the criminal implications of the European Digital Identity Wallet (eIDAS 2), the debate over harassment in the metaverse and the emergence of neuro-rights in the face of brain-based evidence. As criminal defence lawyers specialising in cybercrime, we analyse the risks each technology creates, who can be held liable and which lines of defence are taking shape.

1. Cognitive Attacks: Social Engineering in the AI Era

The year 2026 marks a turning point in cybercrime. The spread of multimodal AI models has allowed criminal organisations to scale their social engineering attacks to unprecedented levels of sophistication. We are no longer talking about simple phishing emails full of spelling mistakes, but about personalised cognitive attacks: cybercriminals no longer just attack systems, they attack the people operating them, exploiting their trust in what they see and hear.

The paradigmatic example is videoconference fraud: real-time voice and image cloning has broken the "proof of life" barrier, and cases are increasingly frequent in which financial executives authorise multi-million transfers after holding videoconferences with what they believe is their CEO, when it is in fact a hyper-realistic synthetic avatar.

The criminal law question splits into two levels:

• The deceived employee: the defence focuses on proving the absence of intent or gross negligence, by showing that the deception was technically undetectable for an average human.
• The company: prosecutors are beginning to treat the lack of biometric verification protocols as an organisational failure, which opens the door to corporate criminal liability. AI security auditing is emerging as the new standard of due diligence.

2. Quantum Computing: Encryption, Data Custody and Negligence

The ability to decrypt RSA keys in seconds forces an urgent migration to post-quantum cryptography. The risk is not only in the future: in attacks known as Harvest Now, Decrypt Later, encrypted data is stolen today to be decrypted tomorrow, once the technology allows it.

The criminal dimension of this scenario revolves around the duty of custody. The GDPR and the Criminal Code require "adequate security measures", and failing to upgrade systems to quantum-resistant encryption may be deemed punishable gross negligence if it results in the leak of clients' sensitive data. Chief information security officers (CISOs) are in the spotlight: the technical decision rests with them, and its omission can turn into criminal blame.

For professions bound by professional secrecy, the threat is qualitatively greater: the confidentiality promised today is only worth as much as the encryption protecting it tomorrow.

3. eIDAS 2: Digital Identity as a New Target of Crime

The full roll-out of the European Digital Identity Wallet concentrates the national ID, the driving licence and banking credentials in one official app. Bureaucracy is simplified, but a critical single point of failure is created for fraud.

Two behaviours concentrate the criminal risk:

• Digital identity theft: accessing someone else's Wallet, even with tacit consent (for example, between spouses) to sign a document, can constitute an offence of forgery of a public document and identity theft. "Lending" one's identity is no longer an administrative infraction: it is a severe criminal risk.
• Biometric phishing: cybercriminals are no longer after passwords, they are after the user's face. Through real-time deepfakes, facial biometrics are spoofed to authorise operations in the Wallet. For the victim, the burden of proof consists of showing that the biometric system failed.

4. Harassment in the Metaverse: an Offence Against Moral Integrity?

It seemed like science fiction, but it is a real legal debate: the question arises whether conduct such as "sexually assaulting" a person's avatar in an immersive virtual reality environment could amount to a criminal offence. Even without physical contact, it is being discussed whether the psychological impact and the humiliation could fall within an offence against moral integrity (art. 173 CP), possibly with a hate-based aggravating factor. It remains to be seen how the Spanish courts will respond to such cases.

The doctrinal foundation points to an underlying idea: in fully immersive environments (haptic VR), the avatar may not be a mere drawing, but a projection of the personality of the person controlling it. On that reading, attacking the avatar is attacking the dignity of the real person behind the headset.

At the precautionary level, virtual restraining orders are already being proposed: measures prohibiting the aggressor from connecting to the same servers or platforms as the victim, on pain of a breach offence. Classic geolocation is replaced by "IP-location" in immersive cyberbullying.

5. Neuro-Rights: Brain Evidence and the Right Against Self-Incrimination

Devices capable of reading brain waves and decoding intentions or memories are entering the consumer market and forensic laboratories. The question is the most intimate one possible: whether the brain is the last refuge of privacy beyond the reach of the law.

The battleground is the P300 test: an involuntary brain wave emitted milliseconds after recognising a familiar stimulus. If a suspect is shown the image of the murder weapon and their brain emits a P300, they know what it is, even if they verbally deny it. The prosecution could argue that this is not a "statement" protected by the right to remain silent, but physical biometric evidence, like a fingerprint or DNA.

The defence position is the opposite: extracting information from the brain without consent is an invasion of physical and moral integrity (art. 15 of the Spanish Constitution) and violates the core of the right against self-incrimination. Unlike a fingerprint, a thought is cognitive content. Chile was a pioneer in legislating neuro-rights; in Spain and Europe, the legal battle is just beginning, and scholars are calling for a kind of habeas mentem: no court order should be able to force the extraction of thoughts, memories or emotions by technological means.

Common Threads: Evidence, Liability and Defence

These five fronts share three features that define technology-related criminal litigation:

1. Expert evidence is the centre of gravity. Proving that a video was an undetectable deepfake, that a biometric system failed or that a brain wave does not amount to a statement requires highly specialised technical expert reports on both sides of the proceedings.
2. Liability is shifting towards the organisation. From the deceived employee to the company's organisational failure; from the Wallet user to the state biometric system; from the individual operator to the CISO who failed to migrate the encryption: the question is no longer only who acted, but who should have prevented it.
3. Fundamental rights mark the limit. Moral integrity (art. 173 CP), physical and moral integrity (art. 15 of the Spanish Constitution) and the right against self-incrimination delimit how far technology may go as an investigative tool.

Anyone facing a criminal investigation in any of these scenarios — as a suspect or as a victim — must secure the preservation of digital evidence and a solid expert strategy from the outset. In a field where technology evolves faster than the law, the difference between a conviction and an acquittal is often decided by the technical quality of the evidence and the strength with which the constitutional limits on obtaining it are argued.