The Criminal Code is the statute that defines offences and sets out penalties in Spain. For companies, its relevance has grown exponentially since LO 5/2010 introduced corporate criminal liability. Today, a director must know the Criminal Code not only to avoid personal liability but also to protect the company from convictions that could lead to its dissolution. This guide analyses LO 10/1995 from the practical perspective of someone managing a company in Spain.
This guide examines Organic Law 10/1995, of 23 November, in its current state following the 2015 reform, with particular attention to economic offences and the implications of criminal compliance for legal entities.
What is the Criminal Code and how is it structured?
Organic Law 10/1995, of 23 November, on the Criminal Code (CP), published in BOE no. 281 of 24 November 1995, replaced the 1973 Criminal Code and entered into force on 24 May 1996. Its adoption as an organic law — required by art. 81 CE, as it affects fundamental rights — required an absolute majority of Congress.
Since its entry into force, the CP has been reformed on more than forty occasions. The most significant for the business sphere were LO 5/2010, which introduced corporate criminal liability, and LO 1/2015, which reformed it substantially and redefined the most relevant offence types for companies.
The CP is structured in two books and a Preliminary Title:
Preliminary Title (arts. 1–9). Basic criminal guarantees: the principle of legality, non-retroactivity and the prohibition of analogy in malam partem.
Book I: General Provisions (arts. 10–137). Contains the general part of criminal law: the theory of the offence (conduct, typicity, unlawfulness, culpability), grounds excluding liability (art. 20 CP), modifying circumstances (arts. 21 and 22 CP), the catalogue of penalties and security measures, and grounds extinguishing criminal liability (limitation, pardon, death of the offender).
Book II: Offences and Their Penalties (arts. 138–616 sexies). The special part: 26 titles with specific offence types. It begins with offences against life and physical integrity and covers economic and fiscal offences, environmental offences, corruption and constitutional offences.
Corporate criminal liability: art. 31 bis CP
The dual-track system
Art. 31 bis CP establishes a dual-track liability system. The legal entity is criminally liable when the offence is committed by persons in a directing position — legal representatives or de facto or de jure directors — (first track), or when the offence is committed by employees under those directors’ authority and there has been a serious failure to exercise supervision (second track). In both cases, the offence must have been committed in the name and benefit of the legal entity.
Corporate liability is autonomous from that of natural persons: the company may be convicted even if the responsible natural person has not been identified or prosecuted, and even if they have died or are in absentia.
Exemption through criminal compliance (art. 31 bis.2 and .4 CP)
The legal entity is exempt from liability if, before the offence was committed, it adopted and effectively implemented organisational and management models appropriate to prevent offences of the same nature. The model requirements are: identification of criminal risk activities, decision-making protocols, financial resource management to prevent illegal activities, a whistleblowing channel, a disciplinary system and periodic verification.
The model must be supervised by an autonomous monitoring and control body — the Compliance Officer or compliance committee — with autonomous powers of initiative and control (art. 31 bis.2.b CP). In small companies, the management body may assume this function.
Specific mitigating circumstances for legal entities (art. 31 quater CP)
When the legal entity cannot benefit from the exemption, art. 31 quater CP provides four specific mitigating circumstances that reduce the penalty: confessing the infringement to the authorities before becoming aware that proceedings are directed against it; cooperating with the investigation by providing new and decisive evidence; repairing or reducing the harm before the oral trial; and implementing, before the trial, effective measures to prevent and detect future offences.
Economic offences most relevant to companies
Fraud (arts. 248–251 bis CP)
Fraud (art. 248 CP) is the most common asset offence in the business sphere. Its five elements are sufficient deception, induced error in the victim, an act of asset disposition, harm, and the perpetrator’s intent to profit. In commercial practice, fraud appears in the sale of non-existent or overvalued assets, in raising investment on false promises, in the use of worthless cheques and promissory notes, and in the falsification of contracts to obtain bank financing.
Art. 250 CP regulates aggravated forms. The most common aggravating circumstance in business litigation is harm exceeding €50,000; when this concurs with the use of fictitious written contracts, art. 250.2 CP can raise the penalty to 4 to 8 years imprisonment.
Art. 251 bis CP establishes corporate criminal liability for the offences in arts. 248–251 CP, making criminal compliance an indispensable risk management tool for companies with significant commercial activity.
Misappropriation (art. 252 CP)
Art. 252 CP, as worded since the 2015 reform, covers misappropriation: anyone who, being obliged to deliver or return money, securities or other fungible assets, applies them to their own or another’s use without the owner’s consent, causing harm. Unlike fraud, the perpetrator obtains the thing lawfully — by deposit, mandate, administration — and defrauds afterwards.
In the business sphere, misappropriation arises when a director or authorised signatory uses company funds for personal purposes, when a professional applies to their own accounts money received from clients to settle personal debts, or when an employee with access to bank accounts makes unauthorised withdrawals.
Breach of fiduciary duty (art. 252 CP, second paragraph)
The 2015 reform integrated breach of fiduciary duty into art. 252 CP, previously covered by art. 295 CP. Breach of fiduciary duty consists in infringing the fiduciary duties inherent in the position of administrator of another’s assets, exceeding the powers conferred and causing financial harm to the administered assets.
For company directors, this offence type is highly relevant: business decisions involving conflicts of interest, undisclosed related-party transactions that harm the company, diversion of corporate resources to companies owned by the director, or approval of disproportionate remuneration may fall within this offence type if the harm is significant and the disloyalty is deliberate.
Money laundering (arts. 301–304 CP)
Art. 301 CP defines money laundering broadly: any act of acquisition, possession, use, conversion, transmission or concealment of assets of criminal origin, with knowledge of that origin. The scope of the offence is notable: it does not require the person to have participated in the prior offence; knowledge of the illicit origin of the assets suffices.
Negligent money laundering (art. 301.3 CP) sanctions failure to exercise due diligence in verifying the origin of funds, with a financial penalty. This offence type is particularly relevant for companies that receive payments from clients without following the due diligence procedures required by Law 10/2010 on the prevention of money laundering.
Legal entities are criminally liable for money laundering (art. 302.2 CP), with penalties that may include dissolution. An anti-money laundering management system compliant with Law 10/2010 is simultaneously a legal requirement and an element of the criminal compliance programme.
Offences against the Treasury and Social Security (arts. 305–310 bis CP)
Art. 305 CP defines the tax offence: defrauding the Treasury by evading payment of taxes where the defrauded amount exceeds €120,000. The penalty is 1 to 5 years imprisonment. Social Security fraud (art. 307 CP) has the same threshold and penalties.
Art. 305 bis CP regulates the aggravated form: penalties of 2 to 6 years when the defrauded amount exceeds €600,000, when intermediaries or structures are used to conceal the responsible party, or when the offence is committed within a criminal organisation.
Art. 310 bis CP regulates corporate criminal liability for these offences. The fine may be double to five times the defrauded amount. This provision means that a company used as a vehicle for a tax fraud may be convicted and dissolved, regardless of the directors’ liability.
Document falsification (arts. 390–399 CP)
Arts. 390 and 392 CP regulate document falsification. The criminalised conduct includes alteration of essential elements of a document, simulation of a wholly or partially false document, attribution to third parties of statements they did not make, and falsification of facts. In the business sphere, document falsification frequently accompanies other offences: invoice manipulation (tax offences), contract manipulation to obtain financing (fraud), or accounting falsification to present fictitious financial statements.
Accounting falsification is specifically criminalised in art. 290 CP: directors who falsify the annual accounts or other documents that must reflect the company’s legal or economic situation, to cause financial harm to the company, its shareholders or third parties, may be sentenced to 1 to 3 years imprisonment and a fine.
Book I of the CP: general part applied to business
Grounds excluding criminal liability (art. 20 CP)
Art. 20 CP lists the grounds excluding criminal liability. For the business sphere, the most relevant are the state of necessity — acting to avoid a greater harm — and compliance with a duty or exercise of a right (art. 20.7 CP). Superior orders do not excuse criminal liability: a director cannot invoke instructions from above to justify criminal conduct.
Relevant mitigating circumstances for directors (art. 21 CP)
In criminal proceedings for economic offences, the most relevant mitigating circumstances in art. 21 CP are confession (art. 21.4 CP: confessing the infringement before proceedings are directed against the person) and damage repair (art. 21.5 CP: repairing the harm before the oral trial). Both have a significant impact on sentencing and may make suspended sentences accessible.
The mitigating circumstance of undue delay (art. 21.6 CP) applies when the proceedings have suffered excessive delays not attributable to the accused, a frequent occurrence in complex economic criminal cases.
Aggravating circumstances relevant to business (art. 22 CP)
The aggravating circumstances in art. 22 CP most frequently applied in economic offences are: abuse of public position (art. 22.7 CP, in corruption offences); repeat offending (art. 22.8 CP, when the convicted person was previously convicted of an offence of the same nature); and cruelty (in frauds causing particular harm to victims). The application of aggravating circumstances prevents suspended sentences and raises the applicable penalty range.
Penalties and their enforcement: practical aspects for directors
Suspension of custodial sentences (arts. 80–87 CP)
Suspension of enforcement of an imprisonment sentence (art. 80 CP) is possible when the sentence does not exceed 2 years and the convicted person has no prior convictions. The court may extend the suspension period to 5 years and make it conditional on payment of civil liability, compliance with prohibitions and participation in a treatment programme. In economic offences, suspension is typically made conditional on full payment of the civil liability arising from the offence.
Civil liability arising from offences (arts. 109–122 CP)
Anyone criminally liable for an offence is also civilly liable (art. 116 CP). Civil liability arising from an offence includes restitution, damage repair and indemnification for material and moral harm. The criminal court may simultaneously order payment of civil liability, sparing the injured party the need to bring a separate civil action. Criminally convicted legal entities are also jointly and severally civilly liable with the natural persons who committed the offence.
Criminal compliance as a corporate risk management tool
An effective criminal compliance programme is not a document in a drawer. According to the Prosecutor General’s Circular 1/2016 and the case law of the Second Chamber of the Supreme Court — particularly STS 154/2016, of 29 February, the first judgment analysing art. 31 bis CP in its reformed wording — the compliance model must be genuine, operational, verifiable and tailored to the company’s specific risks.
The minimum elements courts verify are: an up-to-date risk map, an operational whistleblowing channel with genuine access for employees and third parties, effective operation of the supervisory body, compliance training, and real application of the disciplinary regime in cases of non-compliance.
Certification of the compliance model against UNE 19601 or ISO 37301 creates a favourable presumption, although courts treat it as a relevant indication but not in itself sufficient to prove the model’s effectiveness.
Implications for companies: a preventive roadmap
A company’s criminal risk map depends on its size, sector and business model. However, there are cross-cutting risks that every company should manage:
Fraud and asset misuse risk. Internal financial controls, segregation of duties, dual authorisation for significant payments and counterparty verification are the basic preventive measures. Criminal compliance does not only prevent the company’s own offences: it also reduces the risk of becoming a victim of fraud.
Tax criminal risk. Whether a tax regularisation is classified as a criminal offence depends heavily on documentation of the tax treatment adopted and the existence of opinions from independent advisers. Voluntary regularisation before the criminal investigation is formally directed against the taxpayer may extinguish criminal liability (art. 305.4 CP).
Money laundering risk. Companies subject to Law 10/2010 must implement client due diligence systems. Other companies should at a minimum verify identity and the origin of funds in transactions of significant amounts.
Corruption risk. Arts. 419–431 CP regulate bribery and influence peddling. Art. 286 ter CP criminalises corruption in international commercial transactions. Every company with activity in regulated sectors or with public contracts must have an operational anti-corruption programme.
Environmental risk. Arts. 325–331 CP criminalise environmental offences and territorial planning violations. Corporate criminal liability is expressly provided for in art. 327 CP. Industrial or construction companies with activities of environmental impact must include these risks in their compliance map.
Defence in economic criminal proceedings
Economic criminal proceedings have characteristics that distinguish them from other criminal proceedings: long investigative phases — frequently exceeding the 6-month legal limit — voluminous documentation (accounts, emails, records), prosecution experts (UDEF, ONIF, AEAT) with technical resources far superior to those usually available to the defence, and the overlap with parallel administrative proceedings (tax inspections, penalty proceedings).
Criminal defence of a company requires precise coordination between the criminal lawyer, the tax adviser and the internal compliance team. The defence strategy must be defined from the earliest stage of the proceedings: what position to adopt before the court, whether to cooperate with the investigation (with or without acknowledgment of facts), whether to advance damage repair to build the mitigating circumstance in art. 21.5 CP, and whether the company should maintain procedural distance from individual suspects or adopt a joint defence strategy.
In tax offences, spontaneous tax regularisation before the investigation is formally directed against the taxpayer extinguishes criminal liability (art. 305.4 CP). It is one of the few mechanisms for early extinguishment of liability in Spanish criminal law, and its application requires very rapid action the moment indications of a possible tax offence are detected.
BMC guidance for companies on the Criminal Code
Criminal exposure for Spanish companies is a growing reality: the number of legal entities investigated and convicted has increased steadily since 2010. Preventive management — through verifiable criminal compliance programmes — and immediate response when signs of irregularity emerge are the two fundamental protective levers.
At BMC, the team led by Raúl Herrera García (ICAM Madrid registration no. 79,836) advises companies on the design and implementation of criminal compliance programmes, on the response to criminal investigations affecting legal entities, and on the defence of directors under investigation for economic offences: money laundering, tax offences, fraud, breach of fiduciary duty and breach of corporate duties.
Early action in the investigative phase, before prosecution theories solidify, is the highest-impact decision for the final outcome of the proceedings. For an initial assessment of your company’s criminal risk or to review the robustness of your compliance programme, contact our team.
