One year after the entry into force of Law 2/2023 of 20 February, governing the protection of persons reporting regulatory infringements and fighting corruption — which transposes Directive (EU) 2019/1937 of the European Parliament and of the Council — the implementation landscape in Spain shows uneven progress. Many large companies have their channel operational, but effective implementation in the 50-to-249-employee segment — the most numerous — shows insufficient compliance rates, with growing sanction risk as the Independent Authority for the Protection of Informants (A-IPI) consolidates its supervisory capabilities.
The regulatory framework: Law 2/2023 and the Whistleblowing Directive
Directive (EU) 2019/1937 of 23 October 2019 established a minimum European standard for the protection of persons reporting infringements of EU law. Spain transposed the Directive late — the deadline was 17 December 2021 — through Law 2/2023, published in the Official State Gazette on 21 February 2023. The Spanish law goes beyond the Directive’s minimum in several respects: it extends protection to informants reporting infringements of national law (not only EU law) and creates a specific independent administrative authority (the A-IPI) for supervision and support of informants.
The subjective scope of the obligation to maintain an internal channel covers private-sector entities with 50 or more workers; political parties, trade unions, and employers’ organisations receiving public funding; and private-sector foundations. Municipalities with fewer than 10,000 inhabitants may share a channel with the provincial council.
Internal channel requirements: what Law 2/2023 demands
Article 5 of Law 2/2023 establishes the minimum requirements for the internal information channel:
Accessibility and communication channels. The channel must allow information to be submitted both in writing and verbally, and in the latter case the informant may request an in-person meeting with the system manager. The channel may be managed internally (by the compliance officer, internal audit function, or an ad hoc body) or outsourced to a trusted third party, provided that the informant’s confidentiality is guaranteed.
Confidentiality and identity of the informant. The informant’s identity is strictly confidential. Data that could identify the informant may only be communicated to the judicial authority or Public Prosecutor upon request. Anonymous reports must be accepted and processed (although the law does not require this, the A-IPI has indicated that failure to process anonymous reports may be indicative of a deficient reporting system).
Acknowledgement of receipt and follow-up. The system manager must send an acknowledgement of receipt within seven working days of receiving the information. Within three months of the acknowledgement of receipt, the system manager must inform the informant of the actions planned or taken as follow-up to the information.
System manager. The law requires the designation of a natural person or unit as manager of the internal information system. This person must act with functional independence, must have access to all information necessary to handle the report, and may not be sanctioned or disadvantaged for performing their duties.
Protection of informants. Informants who meet the requirements of good faith and reasonableness cannot suffer reprisals of any kind: dismissal, demotion, modification of working conditions, harassment, exclusion from promotion, or any other adverse measure. The law establishes a presumption of retaliation in favour of the informant: if in the year following the submission of the report the informant suffers an adverse measure, it is presumed to be retaliation unless the employer proves otherwise.
The sanction regime: the A-IPI
The Independent Authority for the Protection of Informants (A-IPI), provided for in Article 25 of Law 2/2023, is the body responsible for overseeing compliance with the law, attending to informants, and conducting sanction procedures. Its organisation and operation are governed by Royal Decree 1101/2023.
The sanction regime of Law 2/2023 (Articles 61 to 70) distinguishes between very serious, serious, and minor infringements:
Very serious infringements: violating the informant’s confidentiality, taking reprisals, obstructing the investigation, or revealing the informant’s identity. Fine of €601,001 to €1,000,000 for legal entities (€300,001 to €600,000 for individuals).
Serious infringements: not having a mandatory information channel, not adequately managing the channel, failing to process received information, or not taking follow-up measures. Fine of €100,001 to €600,000 for legal entities (€50,001 to €300,000 for individuals).
Minor infringements: formal procedural non-compliance. Fine of up to €100,000 for legal entities (up to €50,000 for individuals).
First-year balance: recurring implementation errors
Analysis of whistleblower channel systems implemented in the first year reveals a series of recurrent errors that compromise both the channel’s effectiveness and its soundness in the event of a sanction procedure:
Channel without automated acknowledgement of receipt. The requirement to send an acknowledgement of receipt within seven working days is one of the most frequently violated. Systems that do not automatically generate the acknowledgement leave the informant without confirmation and expose the company to sanctions for procedural deficiency.
System manager without genuine independence. Designating the HR director or legal officer as channel manager creates an obvious conflict of interest when the report concerns management. The manager’s independence must be functionally and visibly real, not merely formal.
Channel limited to EU law infringements. Some systems have been designed exclusively for the EU law infringements covered by the Directive, ignoring that Law 2/2023 extends protection to infringements of Spanish law in areas including public procurement, money laundering prevention, occupational safety, environment, and data protection.
Absence of information management policy. The Law does not formally require a documented policy, but the A-IPI considers it an essential element of the system. Without a policy approved by the governing body, it is difficult to demonstrate in a sanction procedure that the channel operates to the required standards.
Lack of worker training. The law requires workers to be informed of the existence and operation of the channel. Mere publication on the intranet is not sufficient; documented training is required on the channel, informants’ rights, and the prohibition of retaliation. In the first year, many companies have been able to show they had a channel but not that their workers knew about it or understood their rights under it.
Sector-specific considerations
Financial sector and regulated entities: companies supervised by the Bank of Spain, CNMV, or DGSFP have pre-existing compliance obligations under sector-specific regulations (MiFID II, AML/CFT, Solvency II). Law 2/2023 does not replace these sector obligations but adds an additional layer. Regulated entities should ensure their whistleblower channel covers both the sector-specific obligations and the broader scope of Law 2/2023.
Listed companies: companies listed on Spanish stock exchanges are subject to the additional requirements of the Securities Market Act (Ley del Mercado de Valores, LMV) regarding the communication of irregularities. The A-IPI and CNMV have begun coordinating their supervisory activities to avoid regulatory gaps.
Multinational groups: parent companies outside Spain may be subject to the Whistleblowing Directive as transposed in their home country. In groups with multiple EU jurisdictions, a shared internal channel is possible provided it meets the minimum requirements of each Member State’s transposing legislation. Given the differences in national transpositions (notably in scope and anonymous report handling), a legal review of the shared channel against each applicable jurisdiction is strongly recommended.
At BMC our legal team advises companies on whistleblower channel implementation, first-year audits, and A-IPI procedure defence.