Outsourced compliance: 30-50% saving vs in-house, 48-hour response to urgent incidents, 100% of inspections concluded without penalty where the programme was active
Compliance officer as a service: an outsourced compliance responsible person, compliance programme design and maintenance, regulatory monitoring, training programmes, and inspection preparation. Multi-regulation coverage without full-time headcount.
Does this apply to your business?
Does your company have a clearly identified compliance responsible person who monitors and supervises all applicable regulations?
Has your compliance programme been reviewed and updated in the last 12 months to incorporate the regulatory changes of the period?
Have your managers and employees received specific compliance training in the last year across all applicable regulatory areas?
Would your company be ready to pass simultaneous inspections by the AEPD, SEPBLAC, and the Labour Inspectorate tomorrow without incident?
Our integrated compliance function model
Regulatory mapping & programme design
We identify all regulations applicable to the company (by sector, size, and activity), assess the current compliance status against each, and design an integrated compliance programme covering all obligations with a risk-based approach.
Implementation & documentation
We implement the compliance programme: policies, procedures, controls, registers, and the documentation each regulation requires. We prioritise by risk level and build on what already exists, avoiding duplication and unnecessary bureaucracy.
Regulatory monitoring & updates
We continuously monitor applicable regulatory changes: new laws, regulations, supervisory authority guidance, relevant judgments, and enforcement practices. We update the compliance programme and communicate changes to the management team.
Training, internal audits & inspections
We train employees and managers on the compliance obligations applicable to their functions, conduct periodic internal audits to verify programme effectiveness, and prepare and accompany the company through regulator inspections and information requests.
The challenge
The Spanish and European regulatory environment has become dramatically more complex: GDPR, AML, NIS2, DORA, criminal compliance, pay transparency, whistleblowing channels, ESG reporting... Each new regulation requires a responsible person, a programme, documentation, and continuous updates. For most mid-sized companies, the cost of an in-house compliance officer with the required experience is not justified. But having no compliance function is not acceptable either when the regulator calls.
Our solution
We assume the compliance function as an external service: we act as your company's Compliance Responsible Person with a commitment proportional to your needs, design and maintain the compliance programme, monitor applicable regulatory changes, train your teams, and prepare the organisation for inspections and audits. Multi-regulation coverage at a fraction of the cost of an in-house team.
An outsourced compliance function provides companies with a designated Compliance Responsible Person and an integrated compliance programme covering all applicable regulations, including GDPR (data protection), AML (anti-money laundering under Law 10/2010), criminal compliance (Article 31 bis of the Criminal Code, as amended in 2015), NIS2 (cybersecurity for essential and important entities), the whistleblowing channel obligation (Law 2/2023 for companies with 50 or more employees), and employment compliance, without requiring a full-time in-house compliance officer. In Spain, each of these regulatory frameworks has its own competent supervisory authority (AEPD, SEPBLAC, INCIBE, ITSS) with independent inspection powers, which makes an integrated approach more efficient and cost-effective than managing each regulation in isolation.
Our outsourced compliance team acts as your company’s compliance function: we know your sector, your regulatory environment, and your organisational culture, and we keep the programme updated and operational so that you can focus on your business with the confidence that compliance is covered.
Why fragmented compliance costs more and protects less
A company of 50 employees in the real estate, financial, or professional services sector may simultaneously be subject to GDPR (with a DPO obligation if it processes data at scale), AML regulation (with a PBC, prevención del blanqueo de capitales, programme and a designated responsible person before SEPBLAC), criminal compliance under the Criminal Code (with a crime prevention model to exempt the legal entity from criminal liability), the whistleblowing channel under Law 2/2023 (50 or more employees), and pay transparency and equality plans under employment law. Managing these five regulations in a fragmented way, with different specialists for each and no coordination between them, costs between two and three times what an integrated compliance function costs, and generates more gaps because nobody has the overall picture.
The regulatory environment facing Spanish and European companies is significantly more complex today than five years ago. GDPR, the Law 2/2023 whistleblowing channel, NIS2, DORA for the financial sector, AML with its periodic updates, the criminal compliance model that the 2015 Criminal Code reform made the basis for exempting legal entities from criminal liability, pay transparency, and mandatory employment protocols collectively form a regulatory layer that no mid-sized company can ignore. The typical result is fragmentation: GDPR is handled by the DPO, AML is managed by the finance director, criminal compliance is reviewed by external counsel when someone remembers, and nobody specifically manages overall compliance. This fragmented model is inefficient, generates duplication, and inevitably leaves gaps.
Our integrated compliance function model
The outsourced compliance officer resolves this with a coherent model: a single function with visibility across the company's entire regulatory map, identifying the interactions between regulations and maintaining an integrated programme rather than independent regulatory silos. A single security incident shows why this matters: an attack that exposes customer data is a personal data breach notifiable to the AEPD within 72 hours under GDPR, may be a significant incident under NIS2 with an early warning due to the CSIRT within 24 hours, and is a control failure the criminal compliance body must assess and record. Three notification clocks, three authorities, one incident, and only a function with the overall picture can run them in parallel without contradiction.
Our professionals begin with the regulatory diagnostic: we map all regulations applicable to the client by sector, size, and activity, assess the compliance status against each with a risk-based approach, and identify the gaps with the greatest sanction exposure. The resulting compliance programme prioritises the highest-risk obligations and builds on what already exists in the company, avoiding unnecessary bureaucracy. The function is activated monthly with regulatory monitoring, quarterly with internal audits of the most critical controls, and continuously to respond to management team queries and manage incidents.
For companies with activities in AML-regulated sectors or requiring enterprise risk management frameworks, the outsourced compliance function integrates with specialist sector-specific compliance services to provide complete coverage without overlaps or gaps.
What our outsourced compliance service includes
The service covers the complete regulatory diagnostic with applicable obligations map and compliance status assessment, design and implementation of the integrated compliance programme (policies, procedures, controls, registers), the outsourced compliance responsible function with availability for consultations within 24 hours, monthly regulatory monitoring with management team report, annual training programme with attendance records, periodic internal audits with remediation plan, whistleblowing channel management where outsourced, and accompaniment during inspections and information requests from the AEPD, SEPBLAC, Labour Inspectorate, and other applicable regulators.
Real results in outsourced compliance
Companies that implement the outsourced compliance function with our team save between 30% and 50% versus the cost of an equivalent in-house compliance officer. Maximum response time to an urgent regulatory incident is 48 hours. Inspections our clients have faced have concluded without penalty in 100% of cases where the compliance programme was active and updated. And the reassurance of knowing that a professional is monitoring the activity of the AEPD, SEPBLAC, and the Labour Inspectorate and flagging developments that affect the business has a value beyond the economic: it frees the management team to focus on running the business.
Continuous regulatory monitoring is one of the most valuable elements of the service. European and Spanish regulators publish guidance, recommendations, and sanctioning decisions that are as important for understanding how legislation applies in practice as the statutory text itself. The AEPD’s sanctioning criteria reveal which aspects of the GDPR are prioritised in enforcement activity; SEPBLAC’s annual reports identify the sectors under greatest scrutiny; the Labour Inspectorate concentrates its activity periodically on specific subject areas. Following these patterns is an essential part of the preventive work of the compliance function.
Regulatory outsourcing: the compliance burden on Spanish businesses
Regulatory outsourcing addresses the reality that Spanish businesses face a growing and increasingly complex portfolio of regulatory compliance obligations that require specialist expertise and dedicated resources — but where the volume of activity does not justify building a full in-house compliance team. By outsourcing the compliance function to specialist advisers, businesses access the expertise they need without the fixed cost of dedicated headcount.
The principal regulatory frameworks driving demand for outsourced compliance services in Spain include:
- Anti-Money Laundering (Ley 10/2010 and its amendments): mandatory for a wide range of businesses beyond financial institutions, including real estate agents, lawyers, notaries, accountants, company service providers, gaming operators, and certain dealers in goods above cash thresholds.
- Data Protection (GDPR/LOPDGDD — Ley Orgánica 3/2018): mandatory for all organisations processing personal data of EU individuals, enforced by the AEPD (Agencia Española de Protección de Datos) with significant fine authority.
- CSRD/ESG reporting: mandatory for large companies and increasingly expected by commercial counterparties of companies of all sizes.
- NIS2 cybersecurity: mandatory for essential and important entities under the EU NIS2 Directive; the Spanish transposition is still pending, so in-scope entities should prepare against the Directive's text.
- Employment equality: mandatory equality plans and pay audits for companies with 50+ employees.
- Trade sanctions and export controls: mandatory screening obligations for companies with international supply chains or customers.
AML compliance: the SEPBLAC framework
Spain’s AML framework requires in-scope entities (sujetos obligados) to maintain a comprehensive compliance programme:
- Appointment of a responsible compliance officer (representante ante el SEPBLAC)
- Risk assessment documentation (evaluación de riesgos)
- Customer due diligence (diligencia debida) procedures — including identification and verification of customers, beneficial owners, and politically exposed persons (PEPs)
- Ongoing transaction monitoring and reporting of suspicious transactions (comunicación de operaciones sospechosas — COS) to SEPBLAC
- Employee training on AML obligations
- Internal controls and audit
Our AML compliance service covers the full programme design, implementation, ongoing operation, and SEPBLAC representation. For businesses with complex or high-risk customer profiles (international clients, real estate transactions, financial intermediaries), we provide enhanced due diligence advisory as part of the ongoing compliance engagement.
GDPR/LOPDGDD compliance
Spanish data protection compliance requires: a record of processing activities (registro de actividades de tratamiento), documented lawful bases for all processing activities, privacy notices for data subjects, data processor agreements with third parties, a data breach response procedure, and — for certain high-risk processing activities — a Data Protection Impact Assessment (DPIA).
Our data protection compliance service provides: initial GDPR gap assessment, compliance programme design and implementation, DPO (Data Protection Officer) function as a service (mandatory for certain organisations), and ongoing compliance monitoring.
Contact our regulatory compliance team for a compliance programme diagnostic and scope assessment.
Regulatory framework: the compliance obligations landscape in Spain
The outsourced compliance function operates across a portfolio of regulatory instruments, each with its own competent authority and enforcement track:
Criminal Code Article 31 bis (Criminal Compliance): corporate criminal liability was introduced in Spain by the 2010 reform (LO 5/2010); the 2015 reform (LO 1/2015) added the specific provisions for exemption or mitigation where an adequate compliance programme was in place and functioning at the time of the offence. Supreme Court case law and Circular 1/2016 of the Fiscalía General del Estado set out the criteria for assessing the adequacy of these models. A compliant Modelo de Cumplimiento Penal (Criminal Compliance Model) must: identify the criminal risks applicable to the company's activities; establish specific prevention controls; assign a Compliance Body with genuine autonomy; include an information and whistleblowing channel; and define a disciplinary system for violations.
Law 10/2010 (AML, Prevención del Blanqueo de Capitales): companies in obliged sectors (financial institutions, legal professionals, accountants, real estate agents, auditors, notaries, property developers and the other non-financial businesses listed in Article 2 of the Law) must implement a full AML/PBC (Prevención del Blanqueo de Capitales) compliance programme. This includes: customer due diligence (KYC); ongoing transaction monitoring; suspicious transaction reports (STRs) to SEPBLAC; a designated internal control body (Órgano de Control Interno, OCI) and a representative before SEPBLAC; and periodic staff training. SEPBLAC inspections can result in sanctions for very serious infringements of up to the greater of EUR 10 million or 10% of annual turnover.
GDPR (Regulation 2016/679) and LOPDGDD (Organic Law 3/2018): the data protection compliance function — including DPO (where mandatory), ROPA maintenance, DPIA delivery, data subject rights management, and AEPD liaison — is integrated within the broader compliance function in our outsourced model.
NIS2 (Directive 2022/2555): applicable to essential and important entities in critical sectors (energy, transport, banking, healthcare, digital infrastructure, among others). Requires cybersecurity risk-management measures, incident notification to the competent authority and CSIRT (in Spain, INCIBE-CERT or CCN-CERT depending on the entity), with an early warning within 24 hours of becoming aware of a significant incident and a full notification within 72 hours, supply chain security management, and business continuity provisions. Member States had to transpose the Directive by 17 October 2024; the Spanish transposition remains pending as of 2026. The Directive binds Member States rather than companies directly, so obligations become enforceable against entities through the transposing law, but its text is the reference to build the programme against now.
Law 2/2023 (Whistleblowing): internal whistleblowing channels are mandatory for companies with 50 or more employees. The compliance function manages channel implementation, appointment of the Responsible Person for the system (Responsable del Sistema), investigation process design, and notification of that appointment to the Autoridad Independiente de Protección del Informante (A.A.I.) or the competent regional authority. The obligation sits at the intersection of employment law, data protection (the channel processes personal data and is subject to AEPD supervision), and criminal compliance.
Employment compliance obligations (LISOS framework): equality plan and pay audit (50+ employees), harassment prevention protocol, working-time registration, and remote work agreements. These obligations interact with the corporate compliance function — equality plan preparation requires coordination with the compliance function’s risk assessment of discrimination claims.
Sectors most affected by multi-regulation compliance requirements
Financial services (banks, insurance, investment firms, payment institutions): regulated by CNMV, Banco de España, and DGSFP, each with independent inspection and sanction powers. AML (SEPBLAC), DORA (applicable from 17 January 2025, supervised by those national authorities with the EBA, ESMA and EIOPA overseeing critical ICT third-party providers), NIS2, GDPR, and criminal compliance all apply simultaneously. An integrated compliance function that coordinates all regulatory tracks is essential for cost-efficiency.
Real estate and property: real estate agents, developers, and property management companies are obliged entities under AML Law 10/2010 — one of the most frequently inspected sectors by SEPBLAC. Criminal compliance under Article 31 bis is also relevant for construction companies that work with subcontractors (fraud, tax crimes, and labour violations committed by subcontractors can generate corporate criminal liability for the principal contractor under certain conditions).
Professional services (law firms, accounting firms, consultancies): law firms and accounting firms are obliged AML entities. The tension between professional confidentiality obligations and the AML duty to report suspicious transactions (tipping-off prohibition under Article 24 Law 10/2010) requires specific compliance protocol design.
Technology and digital platforms: GDPR, NIS2 (for qualifying digital infrastructure and digital service providers), the AI Act (Regulation 2024/1689, whose obligations phase in from February 2025, with most requirements for high-risk AI systems applying from August 2026), and employment compliance (remote working as the default model creates specific obligations under Ley 10/2021 on remote work) collectively form a demanding compliance landscape for technology companies.
Healthcare and life sciences: GDPR and LOPDGDD obligations for health data and patient records, employment compliance (healthcare workers' specific collective bargaining agreements), and sector-specific regulation from the AEMPS (Agencia Española de Medicamentos y Productos Sanitarios) for pharmaceutical and medical device companies.
Company size segmentation
Microenterprises (under 10 employees): fewer mandatory obligations, but criminal compliance (Article 31 bis) and GDPR apply from incorporation. Our micro-compliance package covers: Criminal Compliance Model (lightweight version), GDPR Privacy Policy and Cookie Policy, basic ROPA, and annual compliance health check. Fixed fee from EUR 2,400/year.
SMEs (10–49 employees): whistleblowing channel mandatory from 50 employees but recommended from 25; harassment prevention protocol mandatory; working-time registration; GDPR compliance. Multi-regulation compliance programme covering all applicable frameworks. Monthly retainer from EUR 800/month.
Companies with 50–250 employees: full compliance programme covering criminal compliance, AML (where applicable), GDPR with DPO (where mandatory), whistleblowing channel, equality plan and pay audit, employment compliance, and NIS2 (where in scope). Compliance committee governance model, board reporting. Monthly retainer from EUR 1,500/month.
Large companies and regulated entities (250+ employees, or regulated): full-scope compliance programme with dedicated compliance team member presence (on-site or hybrid). Integration with internal audit, legal, HR, and IT security functions. Annual compliance programme review and board audit committee reporting. Monthly retainer from EUR 3,500/month.
Worked example: multi-regulation compliance programme for a EUR 22M professional services firm
A Madrid-based management consultancy with 68 employees and EUR 22M annual revenue had no formal compliance programme. An initial diagnostic identified simultaneous exposure across four regulatory frameworks: GDPR (mandatory DPO due to systematic employee profiling in the performance management system); AML (consultancy activity falling within Law 10/2010 obliged entities scope following a 2022 SEPBLAC sector guidance update); criminal compliance (no Article 31 bis model — significant exposure given the company’s public procurement contracts); and whistleblowing channel (50+ employees — Law 2/2023 deadline already passed).
Compliance programme implemented (5 months):
- Criminal Compliance Model: risk assessment identifying 11 applicable criminal risks (fraud, tax offences, bribery, data crimes). Control matrix with 38 specific prevention measures. Compliance Body constituted (2 independent directors + external compliance adviser = our team). Annual review process established.
- AML programme: customer due diligence policy for all mandates; KYC procedure with enhanced due diligence triggers; STR protocol; OCI constituted and representative before SEPBLAC appointed (our team as external Responsible Person); staff AML training (2 hours, 100% completion). SEPBLAC registration completed.
- GDPR/DPO: formal DPO appointment (our team); ROPA updated (22 processing activities, 8 of them undisclosed prior to engagement); DPIA completed for the performance management AI system; 4 DPAs executed with previously undocumented processors.
- Whistleblowing channel: anonymous channel established (third-party platform); Responsible Person appointed; data protection impact assessment completed for the channel; communication to all employees; first-year investigation protocol tested with a simulated case.
Ongoing management: quarterly compliance committee meeting (attended by CEO and CFO), monthly compliance report to management, and annual board compliance review. ITSS inspection occurred 6 months after engagement — all employment compliance documentation (working-time register, harassment protocol, equality plan in progress) presented; no sanction.
Five common compliance mistakes in Spanish companies
1. Managing each regulation in isolation. GDPR, AML, criminal compliance, and whistleblowing all have overlapping documentation requirements — a whistleblowing channel processes personal data (GDPR), may generate STR obligations (AML), and is a component of the Criminal Compliance Model. Managing each separately creates duplication and gaps. An integrated compliance function eliminates both.
2. Appointing a nominal compliance officer without genuine independence. A compliance programme where the compliance officer reports to the same director whose conduct they are monitoring is not independent in the regulatory sense. The Criminal Compliance Model requires a compliance body with genuine autonomy to investigate, report, and if necessary escalate to external authorities. A nominal appointment creates documentary compliance without substantive protection.
3. Not updating the compliance programme when the company grows or changes sector. A compliance programme designed for a 30-person company does not automatically scale to a 70-person company — new regulatory thresholds trigger, new employees require training, and new activities may create new risk profiles. Annual review and update is a programme requirement, not optional maintenance.
4. Incomplete AML customer due diligence records. SEPBLAC inspections focus heavily on KYC file quality: are due diligence records complete for all clients? Are enhanced due diligence triggers identified and applied? Are suspicious transaction reports filed without delay, as Law 10/2010 requires? Incomplete records generate procedural sanctions even where the underlying transactions are clean.
5. Failing to test the whistleblowing channel. A whistleblowing channel that receives no reports in its first 12 months is likely non-functioning, not demonstrating a clean compliance environment. The investigation protocol, the confidentiality safeguards, and the protection against retaliation must be tested (with simulated cases) and documented. Regulators increasingly expect evidence that the channel operates in practice, not just that it exists on paper.
How we work: outsourced compliance function
Compliance diagnostic (month 1): assessment of all applicable regulatory obligations by size, sector, and activity; gap analysis against each framework; risk scoring of identified gaps; and implementation programme proposal.
Programme implementation (months 2–4): Criminal Compliance Model, AML programme, GDPR/DPO establishment, whistleblowing channel, equality plan or harassment protocol (as applicable). Implementation sequenced by risk priority.
Ongoing management (continuous): monthly compliance monitoring activity (new regulation updates, internal incidents, training delivery); quarterly compliance committee reporting; annual full review and programme update; regulatory authority liaison as required.
Fee structure: fixed monthly retainer covering all ongoing compliance function activities. One-time implementation fee for initial programme design and rollout. Annual review fee included in the retainer. No hourly billing for standard compliance advisory — predictable, capped cost for all included services. Contact us for a tailored programme proposal.
Real results in outsourced compliance
We had GDPR under control but everything else was a gap. BMC designed an integrated programme covering AML, criminal compliance, and employment compliance under a single outsourced function. It is like having a compliance director on staff but paying what is proportionate to our size.
Experienced team with local insight and international reach
What our outsourced compliance service includes
Outsourced Compliance Responsible Person
Assumption of the compliance function with a commitment proportional to the company's needs: management team advisory, programme oversight, regulator liaison, and inspection point of contact. Availability for urgent consultations within 24 hours.
Integrated Compliance Programme
Design, implementation, and maintenance of a compliance programme covering all applicable regulations: policies, procedures, controls, registers, and documentation. Risk-based approach prioritising the obligations with the highest sanction exposure.
Continuous Regulatory Monitoring
Systematic tracking of regulatory changes, supervisory guidance, sanctioning decisions, and enforcement practices of all applicable regulators. Monthly management report with relevant developments and recommended actions.
Compliance Training Programme
Annual training programme for employees and managers: content adapted to each group's function, initial training for new joiners, and updates for material regulatory changes. Attendance records and assessment to evidence training obligation compliance.
Internal Audits & Inspection Preparation
Periodic internal audits of the compliance programme: control review, gap detection, and remediation plan. Mock inspections for specific regulators and accompaniment during supervisory authority proceedings.