Legal Regulatory Update

Law 2/2023: Mandatory Whistleblower Channel

Spain's Law 2/2023 on whistleblower protection: mandatory for 50+ employee companies (deadline already passed), requirements for channel (7-day acknowledgement, 3-month investigation), fines up to €1M for retaliation.

Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and combating corruption, transposes European Directive 2019/1937 (the Whistleblower Directive) into Spanish law. The regulation establishes the obligation to have an internal reporting channel for companies with 50 or more employees, political parties, trade unions and foundations receiving public funds. For most private sector entities, the implementation deadlines have already passed — making compliance an immediate operational priority rather than a future planning matter.

Context: The Whistleblower Directive and Spain’s Delayed Transposition

Directive 2019/1937/EU of the European Parliament and of the Council, of 23 October 2019, set a transposition deadline of 17 December 2021. Spain, like several other Member States, missed that deadline: Law 2/2023 was not published in the BOE until 20 February 2023, more than a year late. This delay did not exempt companies from compliance obligations: during the intervening period, the Directive could be invoked directly against public sector bodies, and many private sector organisations chose to implement reporting channels early to avoid exposure.

Law 2/2023 goes further than a straightforward transposition. It broadens the scope of protection and introduces additional obligations beyond what the Directive strictly requires. Notably, it extends the channel obligation to political parties, trade unions and employer organisations receiving annual public funding exceeding €100,000, and covers infringements not directly addressed by the Directive, including those related to product safety, environmental protection and public procurement.

Scope of Application

Private sector entities with more than 249 employees were required to have implemented the channel by 13 June 2023. Those with between 50 and 249 employees had an extended deadline of 1 December 2023. Public sector entities, regardless of size, were also covered from the law’s entry into force.

The 50-employee threshold is calculated based on the average workforce over the preceding calendar year, counting both indefinite contracts and fixed-term contracts of more than one month. Corporate groups that collectively exceed 50 employees may implement a single shared channel across group companies, provided the independence of channel management and the confidentiality of each informant are guaranteed.

Companies with fewer than 50 employees fall outside the mandatory scope, although the law enables these entities to implement a voluntary channel meeting the same standards. In practice, many SMEs with public sector contracts or that form part of larger groups’ supply chains choose to implement one voluntarily to meet client requirements or to qualify for tenders that make it a condition.

Channel Requirements

The channel must guarantee the confidentiality of the informant’s identity throughout the process, except where disclosure is mandatory in the context of judicial investigations. The channel manager — internal or external — has 7 days to acknowledge receipt and 3 months to investigate and respond. The law expressly prohibits retaliation against informants.

The technical and organisational requirements are specific:

Confidentiality: The system must ensure that the informant’s identity is not accessible to anyone outside the channel manager, including internally. This means the channel cannot be managed directly by the human resources department or company management unless organisational measures guarantee their independence. Most medium and large companies opt to outsource channel management to a specialist external provider or independent legal adviser.

Anonymous reporting: Unlike the optionality permitted by the Directive, Spanish law requires channels to accept anonymous reports. The manager must maintain a two-way communication system with the anonymous informant allowing for clarifications or additional information to be requested without revealing their identity.

Response timelines: Acknowledgement of receipt must be issued within a maximum of seven business days of receiving the communication. The outcome of the investigation and any measures adopted must be communicated to the informant within a maximum of three months of acknowledgement, extendable by a further three months in particularly complex cases.

Prohibition of retaliation: The law establishes reinforced protection against retaliation: the burden of proof that any measure taken against an informant — dismissal, sanction, change in working conditions — is not retaliatory falls on the employer. This reversal of the burden of proof has direct practical implications for the management of employment relationships involving workers who have submitted a report.

Penalties

The enforcement regime distinguishes between very serious, serious and minor infringements, with fines of up to one million euros for legal entities in the case of very serious infringements. The absence of the channel or its inadequate functioning constitutes a very serious infringement.

Very serious infringements also include retaliation against informants, unlawful disclosure of an informant’s identity, and obstruction of investigations. Serious infringements cover failure to comply with management timelines or failure to issue acknowledgements of receipt. Minor infringements cover lesser procedural irregularities.

For individuals acting in a professional capacity, the maximum fine for very serious infringements is €300,000. In both cases, the penalty decision may include publication of the sanction, with corresponding reputational damage.

The competent supervisory authority at national level is the Independent Authority for Whistleblower Protection (A.A.I.), whose creation was provided for in the law itself but which had not completed its formal establishment by the end of 2023. In the interim, autonomous communities and local authorities can create their own supervisory bodies for public sector entities within their territory.

Integration with the Criminal Compliance Framework

Implementing an effective reporting channel is not only a legal obligation under Law 2/2023 — it is also a fundamental element of the criminal liability prevention model required by Article 31 bis of the Criminal Code for a legal entity to obtain exemption from or mitigation of criminal liability. The channel requirements of the Criminal Code and Law 2/2023 are compatible and complementary: a channel designed in accordance with Law 2/2023 can simultaneously serve as the reporting mechanism for the criminal compliance model, provided it also covers the criminal infringements relevant to the company’s activities.

This integration reduces operational costs and avoids duplication of channels, but requires the channel manager to have specific training in both whistleblowing law and criminal compliance. A technically compliant channel with deficient investigation procedures may be insufficient to demonstrate the due diligence required under Article 31 bis of the Criminal Code.

Implementation Recommendations

Companies that do not yet have a channel, or whose channel was implemented before Law 2/2023 and does not meet the current requirements, should carry out an audit and adaptation process in four steps: first, verify whether the entity falls within the law’s scope and which deadline applied; second, review existing documentation (channel policy, investigation procedure, privacy notice) against the law’s requirements; third, implement or adjust the technological platform to guarantee confidentiality and two-way anonymous communication capability; and fourth, train the channel manager and communicate the channel’s existence and operation to all staff.

At BMC we offer the design and implementation of whistleblower channels as part of our compliance services. See our legal compliance services.
