
Whistleblowing Channels for Companies: Spain Law 2/2023 Guide

Complete guide to Spain's mandatory whistleblowing channel under Law 2/2023: 50-employee threshold, SII requirements, outsourcing options and sanctions up to 1 million euros.


Spain's Law 2/2023 of 20 February, regulating the protection of persons who report regulatory breaches and combating corruption, transposed Directive (EU) 2019/1937 — the Whistleblowing Directive — into Spanish law. In force since March 2023, it imposes specific and enforceable obligations on private-sector companies with fifty or more employees, creating a new regulatory framework designed to transform internal reporting culture in Spanish organisations.

Scope: Who Is Obliged

The primary threshold is fifty employees. The headcount calculation covers all permanent, fixed-term and part-time workers, with part-time employees weighted by their effective working hours over the preceding twelve months. Corporate groups may centralise the channel at group level provided each entity’s employees can access it.

Certain entities are obliged regardless of headcount: financial sector entities regulated under CNMV or Banco de España supervision, anti-money laundering obligated entities, public contractors and concessionaires, political parties, trade unions and employer organisations receiving public funding. Public-sector bodies — local councils with populations over 10,000, national public institutional sector entities and regional audit bodies — are also subject to the law.

The Internal Information System (SII): Design Requirements

The SII is the law’s term for the internal whistleblowing channel. Key design requirements include:

Multi-channel access: reporters must be able to submit reports in writing — physical or electronic — and verbally, including through a face-to-face meeting option. An exclusively written channel does not satisfy the legal requirement.

Robust confidentiality: the reporter’s identity and any information that could indirectly reveal it must be accessible only to the channel manager. Information cannot be shared with third parties except where necessary for the investigation or required by a competent authority, and then only with prior notice to the reporter.

Functional independence: the SII manager — whether internal or external — must have full autonomy to handle reports without interference from company management. Where a collegiate compliance body manages the channel, it must include at least one member with legal training and statutory independence safeguards.

Strict deadlines: acknowledgement of receipt within seven working days; communication to the reporter of actions planned or taken within a maximum of three months from acknowledgement.

External channel information: the SII must inform reporters of their right to use the AAPI’s external channel.

Internal vs. External Channel: The Dual-Track System

The law creates a dual-track system. The internal channel — the company’s SII — is the preferred route, but reporters may go directly to the AAPI’s external channel without having used the internal channel first and without needing to justify that choice.

The AAPI — an independent body attached to the Spanish parliament (Cortes Generales) — can receive anonymous reports, investigate, bring sanctioning proceedings and order interim protective measures. It is now operational for receiving reports, with its sanctioning powers progressively being exercised.

Sanctions: Up to 1 Million Euros

The sanctioning regime is significantly more severe than standard employment law:

Infringement tier | Examples | Fine for legal persons
Very serious | Retaliation, obstructing reports, breaching confidentiality | 300,001 – 1,000,000 €
Serious | Failing to implement SII, missing deadlines, no independence | 100,001 – 300,000 €
Minor | Procedural irregularities | Up to 100,000 € or reprimand

The AAPI may publish sanctioning resolutions on its website, creating significant reputational risk beyond the financial penalty. In the most serious cases it may also recommend the temporary disqualification of responsible directors.

Retaliation Protection: Burden of Proof Reversal

The law’s most innovative protection mechanism is the presumption of linkage: where an adverse measure is taken after a report, the law presumes a connection between the two, and it is the company that must demonstrate the measure was based on objective grounds unrelated to the report.

Prohibited retaliatory acts include dismissal, professional demotion, shift changes, contract suspension, intimidation, harassment, exclusion from promotion or training, negative references and any other unfavourable treatment. Reporters are entitled to free legal assistance in retaliation-related proceedings.

Outsourced Channels: Benefits and Requirements

Outsourcing the channel to a specialist third party is a valid and increasingly adopted approach, particularly for SMEs lacking internal resources to manage the channel with the required guarantees.

Key benefits include: perceptible independence from management — increasing reporter confidence — 24/7 technical availability, management by professionally trained specialists and reduced risk of internal leaks. Contracts with providers must include GDPR Article 28 data processing terms, reinforced confidentiality clauses and escalation protocols for cases requiring urgent action.

Integration with Criminal Compliance

The whistleblowing channel is a necessary — but not sufficient — element of an effective criminal compliance programme qualifying for the exemption or mitigation of corporate criminal liability under Art. 31 bis of the Penal Code. The Supreme Court has emphasised that the programme must be genuine and effective: the channel must be known, accessible and actively used, with records of reports received and investigations conducted.

Full functional integration between the channel, the criminal risk map, response protocols and an autonomous compliance body with supervisory authority is the core of a model compliant with the UNE 19601 standard for criminal compliance management systems.

Implementation Roadmap

A correct SII implementation follows these stages: (1) current compliance diagnosis and sector-specific risk analysis; (2) design of the channel — internal or outsourced — and report-handling procedures; (3) designation and training of the system manager; (4) board-level approval of the internal policy; (5) communication to all staff and publication on the intranet; (6) logging of reports received and follow-up tracking; and (7) annual audit of system operation.

Implementation is not a one-off project but a live system requiring ongoing maintenance, continuous training and updates as the regulatory landscape evolves.
