Criminal Compliance: Case Law Update 2026

2026 update on Spain's corporate criminal liability case law: Supreme Court requirements for effective compliance programmes under Article 31 bis and the new AI Act compliance gap.

Corporate criminal liability in Spain has now been in force for fifteen years since its introduction by Organic Law 5/2010. Over that period, the Criminal Division of the Supreme Court — complemented by Prosecution Service guidelines — has steadily refined its jurisprudence on what constitutes a genuinely effective compliance programme. Companies whose programmes were drafted several years ago and have not been updated since face the real risk that a court will find their prevention model inadequate, leaving them fully exposed to corporate criminal liability.

The Legal Framework: Article 31 bis and LO 1/2015

Article 31 bis of the Criminal Code, as amended by Organic Law 1/2015 of 30 March, establishes that legal persons are criminally liable for offences committed in their name, on their behalf and for their direct or indirect benefit by their legal representatives or by those who, acting individually or as members of a body, are authorised to take decisions in the name of the legal person. Liability also arises when the offence is committed by persons subject to the authority of those representatives and the offence was made possible because supervisory, oversight and control duties were seriously breached.

A legal person may be exempt from liability if, before the offence was committed, the governing body had adopted and effectively implemented organisational and management models containing adequate oversight and control measures to prevent offences of the same nature or to significantly reduce the risk of their commission.

The offences most commonly generating corporate criminal liability in Spain include: fraud (Article 251 bis), tax and social security offences (Articles 310 bis and 318), money laundering (Article 302 bis), market and consumer offences (Article 288), bribery (Article 427 bis), influence peddling (Article 430), and — since LO 5/2022 — environmental offences (Article 328).

Supreme Court Jurisprudence: The Established Standards

The Second Chamber of the Supreme Court has developed a consistent body of case law that now constitutes the operative standard for corporate criminal compliance in Spain.

STS 154/2016 (29 February) laid the foundation: the Court requires that the compliance model be genuine — not a reputational whitewashing instrument but a real internal control system with dedicated human and material resources and periodic update mechanisms.

STS 221/2016 (16 March) clarified that corporate criminal liability cannot flow automatically from the liability of a director. It is necessary to demonstrate a structural organisational defect within the company that facilitated the commission of the offence.

STS 668/2017 (11 October) addressed the role of the compliance officer: the Court confirmed that the oversight function may be assigned to a collegiate body, but it must be operationally autonomous and not subordinate to whoever holds executive authority in the company.

More recent rulings from 2023 and 2024 have deepened the requirement that the criminal risk map be specific to the company’s actual activities — rejecting generic, off-the-shelf models not tailored to the organisation’s sector and concrete structure.

The Compliance Officer: Position, Autonomy and Personal Liability

The ASCOM (Spanish Compliance Association) regulations and standards UNE 19601 and ISO 37301 have defined the profile and functions of the compliance officer. The Supreme Court has accepted that, in medium and large companies, the function of overseeing the model may fall on a body with autonomy and independence from the board of directors. Without that autonomy, the model cannot be considered adequate.

A question of growing significance is the personal criminal liability of the compliance officer. Article 31 ter of the Criminal Code allows fines to be imposed on the company’s representative who failed to adopt the necessary measures to prevent criminal activity. The prevailing academic view is that a compliance officer who was aware of the criminal risk and failed to act may incur personal criminal liability as an omissive participant in the offence.

New Developments for 2025–2026: AI and Emerging Criminal Risk Vectors

The entry into force of the EU AI Act (Regulation 2024/1689) introduces a new criminal risk vector that compliance programmes must now address. High-risk AI systems used in employment decisions, credit approvals or solvency assessments can, if calibrated with bias or deployed in a discriminatory manner, generate liability for offences against workers’ rights (Article 311 of the Criminal Code), employment discrimination (Article 314), or, in the financial sector, for conduct potentially classified as market offences.

The criminal risk map of any company that develops or uses AI systems must incorporate, from August 2026 onwards, an analysis of criminal risks associated with algorithmic bias, the absence of human oversight, and the use of prohibited systems under Article 5 of the AI Act.

Additionally, the transposition of EU Directive 2023/1791 on energy efficiency and the growing CSRD reporting requirements are creating new grounds for criminal liability through fraudulent sustainability disclosures — a category that several EU member states are already developing in their domestic criminal frameworks.

The Internal Whistleblowing Channel: Obligations Under Law 2/2023

The EU Whistleblower Protection Directive (Directive 2019/1937/EU), transposed in Spain by Law 2/2023 of 20 February, sets specific requirements for the internal reporting channel that go beyond the criminal compliance programme requirements:

  • Mandatory scope: Companies with fifty or more employees are required to have an internal reporting channel.
  • Confidentiality: The identity of the reporting person must be protected with technical and organisational measures.
  • Response timelines: Acknowledgement of receipt within seven calendar days and communication of follow-up measures within three months.
  • Channel manager autonomy: The channel must be managed by an autonomous person or unit, which may be an external third party.
  • Protection against retaliation: The law expressly prohibits dismissal, demotion and any form of retaliation against reporting persons.

Companies that maintain separate channels for Law 2/2023 and their criminal compliance programme should integrate them. Duplicate channels create confusion and may undermine the credibility of the entire reporting system.

Programme Review and Certification: UNE 19601

The UNE 19601:2017 standard — Criminal Compliance Management System — is the national benchmark for implementing and certifying criminal compliance programmes. Although certification is not legally required and does not automatically confer exemption from liability, it constitutes powerful evidence in criminal and administrative proceedings, demonstrating that the programme has been audited by an independent third party against the most demanding standard in the Spanish market.

A thorough programme review must cover: an updated criminal risk map, a review of internal reporting protocols, updated training and communication materials, a review of documented controls, and an assessment of the reporting channel’s effectiveness under Law 2/2023.

Compliance Programme Review Checklist for 2026

An effective criminal compliance programme in 2026 should satisfy the following criteria:

  1. Updated risk map: Does it cover digital and AI risks, environmental risks, and supply chain risks?
  2. Documented tone from the top: Is there evidence that management actively promotes a compliance culture?
  3. Operational reporting channel: Does it meet the requirements of Law 2/2023 and is it integrated with the criminal compliance programme?
  4. Verifiable training records: Is there documentary evidence of training delivered to each employee according to their risk level?
  5. Compliance officer autonomy: Does the compliance officer report directly to the board or audit committee?
  6. Effectiveness testing: Have incident simulations or internal channel audits been conducted?
  7. Post-ruling updates: Have the lessons from the 2024 and 2025 Supreme Court rulings been incorporated?

At BMC our legal team is available to review your criminal compliance programme and adapt it to current judicial standards. See our criminal compliance services.
