Law 2/2023, of 20 February, regulating the protection of persons who report on regulatory infringements and combating corruption, transposes the EU Directive 2019/1937 (Whistleblower Directive) and requires companies with 50 or more employees to implement an internal communication channel for reporting irregularities. Non-compliance is not an option: the sanctions are significant and the law is in force.
Who is required and since when
The obligation to have an internal reporting system applies to:
- Private sector companies with 50 or more employees: the adaptation deadline has already expired, on 1 September 2023 for companies with 250 or more employees and on 1 December 2023 for companies with between 50 and 249 employees
- Political parties, trade unions and business organisations that receive public funding of any amount
- Public sector foundations and entities that manage public funds
- Companies in regulated sectors regardless of the number of employees: financial services, anti-money laundering, product safety, environmental protection, road safety
Companies with between 50 and 249 employees may share the whistleblowing channel with other companies in the same group, but must maintain independent handling of each report.
What the channel must include to be compliant
The law sets out minimum requirements that the internal reporting system must meet:
Accessibility and confidentiality
The channel must be accessible to all employees, directors, partners, contractors and suppliers. It must guarantee the confidentiality of the reporter’s identity from the moment of receipt through to resolution, and must include an option for anonymous reporting — although the company is not required to force anonymity.
System manager
There must be a formally designated manager for the internal reporting system: this may be a natural person (compliance officer, legal director) or an external legal person. The manager must have sufficient independence to investigate without conflicts of interest.
Response deadlines
- 7 business days to acknowledge receipt of the report
- 3 months to communicate the measures taken or planned (extendable to 6 months in particularly complex cases)
Registration and investigation
All reports must be registered, investigated diligently and documented. The register must be maintained for a maximum period of 10 years, subject to GDPR guarantees.
Protection of the reporter
The law prohibits any form of retaliation against a person who makes a report in good faith, including dismissal, demotion, transfer, pay discrimination and exclusion from procurement processes. The company must be able to document that it has not taken any retaliatory measure.
Implementation steps
Step 1: Designate the system manager
This may be an internal person (compliance officer, legal director, internal auditor) or an external party (law firm, specialist provider). For companies without an existing compliance structure, outsourcing is the most efficient option.
Step 2: Choose the technology
The channel may be web-based, telephone, postal or in-person. Specialist digital platforms offer technical confidentiality guarantees (end-to-end encryption, bidirectional anonymous communication) that are difficult to achieve with generic tools.
Step 3: Update the privacy policy
The processing of personal data in the channel is subject to the GDPR and requires a clear legal basis, a specific privacy policy and, in many cases, consultation with the DPO if one exists.
Step 4: Internal communication
All obligated persons (employees, contractors, suppliers) must be informed of the existence of the channel, how it works and the confidentiality guarantees. The communication must be documented.
Step 5: Investigation procedure
There must be a formal protocol setting out how each report is investigated, who is involved, how it is documented and how it is resolved. This protocol forms part of the company’s overall compliance system.
Channel design: internal vs external
An internal channel (managed by a compliance officer or legal director within the company) is the default option for large organisations with a mature compliance function. However, for the majority of SMEs affected by the obligation, an externally managed channel offers several advantages:
- Independence: the external manager has no hierarchical relationship with any person against whom a report might be made
- Technical expertise: specialist providers typically have experience investigating reports and managing the statutory timelines
- Cost efficiency: a shared external platform costs significantly less than building and maintaining proprietary technology
- Immediate deployment: external providers can have a compliant channel operational within days of engagement
The law does not require an external channel, but the conditions for a compliant internal channel — genuine independence, guaranteed confidentiality, documented protocols — are in practice difficult to achieve without specialist support.
Interaction with the criminal compliance programme
The whistleblowing channel required by Law 2/2023 and the channel required by Article 31 bis.5.4 of the Criminal Code (as part of a criminal compliance programme) are compatible and can be the same instrument, provided it meets the requirements of both laws. Companies that already had a whistleblowing channel for criminal compliance purposes should review whether its design meets the additional requirements of Law 2/2023 — in particular, the option for anonymous reporting and the prohibition on retaliation with reversal of the burden of proof.
How BMC can help
Our whistleblowing channel team implements internal reporting systems compliant with Law 2/2023, including the designation of an external system manager, configuration of the technology platform, drafting of the privacy policy and investigation protocol, and training for the management team.
If your company has not yet implemented the channel, or wishes to review whether its existing system meets the legal requirements, contact our criminal compliance team for an initial assessment. The risk of not acting is significantly greater than the cost of implementation.