Skip to content

Mandatory internal reporting channel: comply with Law 2/2023 and protect your company from fines

Law 2/2023, of 20 February, on the protection of persons who report regulatory infringements and on the fight against corruption (Ley 2/2023), transposes the European Whistleblowing Directive (2019/1937) and imposes on private companies with 50 or more employees the obligation to maintain an internal reporting channel. Many Spanish companies reached the compliance deadlines without having implemented the channel, exposing themselves to fines that can reach one million euros for the most serious infringements. The risk is not only financial. A poorly designed reporting channel — one that does not guarantee reporter confidentiality, lacks a clear case management procedure or fails to meet the independence requirements for the channel manager — can be worse than having no channel at all, because it creates a false impression of compliance while exposing the company to claims from reporters who did not feel protected. Proper channel management requires specialist knowledge in data protection, employment law and regulatory compliance.

Since 2010 · 16 years Tax agent AEAT

Pick a slot in the specialist's calendar.

Tell us when to call and a partner will contact you in your chosen window.

Write to us and we'll reply within 24 business hours.

Data processed in the EU · GDPR · No commitment

Why BM Consulting

Specialised advice and personal service

At BMC we design and implement reporting channel systems that fully comply with Law 2/2023: an internal channel with guarantees of confidentiality and optional anonymity, an independent system manager, a policy protecting reporters against retaliation, a case management procedure meeting all statutory deadlines, and full compliance documentation. For companies with between 50 and 249 employees, we manage the channel on a shared basis with other companies within the terms permitted by law. We also integrate the reporting channel with GDPR compliance (the channel processes personal data and needs its own record of processing activities and a data protection impact assessment) and with the corporate compliance programme if your company already has one.

  • The internal reporting channel is mandatory for companies with 50 or more employees since the entry into force of Law 2/2023.

  • The channel must guarantee the confidentiality of reporters and prohibit retaliation — non-compliance can result in fines of up to 300,000 euros.

  • Reports may be anonymous — the channel must accept and process them even when the reporter's identity is not disclosed.

  • Outsourcing channel management to an independent third party ensures impartiality and confidentiality — the preferred option for mid-sized companies.

How we work

From first contact to case completion

  1. Diagnosis and system design

    We analyse your company's size and structure, the specific risks of your sector and the available channel options (digital platform, physical mailbox, telephone line or a combination). We design the system that best suits your needs while meeting all legal requirements.

  2. Designation of the channel manager

    We advise on the appointment of the manager of the internal reporting system: this may be a compliance officer, internal audit, the board of directors or an independent external third party such as BMC. The independence of the manager is an essential legal requirement.

  3. Documentation and internal policies

    We draft the internal reporting channel policy, the case management procedure (acknowledgement of receipt, investigation, resolution and feedback within statutory deadlines), the non-retaliation policy and the information notices for employees. We integrate the channel with the company's GDPR compliance.

  4. Training and ongoing support

    We train the channel manager and senior management on case management procedures, reporters' rights and the prohibition of retaliation. We provide ongoing support in handling specific reports and update the system in response to regulatory changes.

Self-check · 45 seconds

Do you need this service?

Answer three questions and we'll show you the most relevant service for your case.

Do you currently reside in Spain?
Do you have assets or income in another country?
Have you received or are you expecting an inheritance?
Are you considering setting up a company?
Answer to see your recommended services.

The problem

Law 2/2023, of 20 February, on the protection of persons who report regulatory infringements and on the fight against corruption (Ley 2/2023), transposes the European Whistleblowing Directive (2019/1937) and imposes on private companies with 50 or more employees the obligation to maintain an internal reporting channel. Many Spanish companies reached the compliance deadlines without having implemented the channel, exposing themselves to fines that can reach one million euros for the most serious infringements. The risk is not only financial. A poorly designed reporting channel — one that does not guarantee reporter confidentiality, lacks a clear case management procedure or fails to meet the independence requirements for the channel manager — can be worse than having no channel at all, because it creates a false impression of compliance while exposing the company to claims from reporters who did not feel protected. Proper channel management requires specialist knowledge in data protection, employment law and regulatory compliance.

Our solution

At BMC we design and implement reporting channel systems that fully comply with Law 2/2023: an internal channel with guarantees of confidentiality and optional anonymity, an independent system manager, a policy protecting reporters against retaliation, a case management procedure meeting all statutory deadlines, and full compliance documentation. For companies with between 50 and 249 employees, we manage the channel on a shared basis with other companies within the terms permitted by law. We also integrate the reporting channel with GDPR compliance (the channel processes personal data and needs its own record of processing activities and a data protection impact assessment) and with the corporate compliance programme if your company already has one.

Process

How we do it

1

Diagnosis and system design

We analyse your company's size and structure, the specific risks of your sector and the available channel options (digital platform, physical mailbox, telephone line or a combination). We design the system that best suits your needs while meeting all legal requirements.

2

Designation of the channel manager

We advise on the appointment of the manager of the internal reporting system: this may be a compliance officer, internal audit, the board of directors or an independent external third party such as BMC. The independence of the manager is an essential legal requirement.

3

Documentation and internal policies

We draft the internal reporting channel policy, the case management procedure (acknowledgement of receipt, investigation, resolution and feedback within statutory deadlines), the non-retaliation policy and the information notices for employees. We integrate the channel with the company's GDPR compliance.

4

Training and ongoing support

We train the channel manager and senior management on case management procedures, reporters' rights and the prohibition of retaliation. We provide ongoing support in handling specific reports and update the system in response to regulatory changes.

'50'
Employees: threshold for obligation
1M euros
Maximum fine for non-compliance
7 days
Deadline to acknowledge receipt

We were aware of the obligation but did not know where to start. BMC designed the full channel for us, drafted all the policies, explained who could act as the manager and integrated everything with our data protection documentation. Within three weeks the system was operational and all documentation was in order. (anonymised case)

Luis Cabanillas Head of HR, Distribuciones Cabanillas SA

The Whistleblowing Directive and its transposition into Spanish law

The Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law establishes a common European framework for the protection of whistleblowers (informantes). Spain transposed it through Law 2/2023, of 20 February (Ley 2/2023), which in some respects goes beyond the Directive’s minimum requirements — particularly as regards the range of persons protected and the scope of reportable infringements.

The logic of the legislation is straightforward: organisations commit irregularities that are often known internally before they reach the authorities. Internal reporting mechanisms allow those irregularities to be detected and corrected without escalating to external regulators, with less reputational damage and at lower cost. For these mechanisms to work, the reporter must be confident that they will not face retaliation — which requires robust legal guarantees.

The five essential guarantees of the channel

A reporting channel that complies with Law 2/2023 must provide five fundamental guarantees:

Confidentiality: The reporter’s identity may not be disclosed to any person without their express consent, unless strictly necessary in the context of criminal proceedings. Confidentiality is not optional: it is a statutory right of the reporter.

Optional anonymity: The channel must accept anonymous reports, although the company may choose not to investigate anonymous reports if it justifies this in its internal policy.

Independence of the manager: The channel manager must be able to act independently, without reporting to the person or area being reported. This is why many companies choose to outsource management to an independent third party.

Protection against retaliation: The law expressly prohibits a broad catalogue of retaliatory measures: dismissal, suspension, demotion, shift changes, denial of training, unjustified negative appraisals, and more. It also establishes a reversal of the burden of proof: if the reporter suffers a detrimental measure after filing a report, it is presumed to be retaliation unless the company proves otherwise.

Case management deadlines: The channel has strict statutory deadlines: acknowledgement of receipt within 7 working days, and a substantive response within a maximum of 3 months.

Internal channel and external channel: complementarity

Law 2/2023 establishes a two-tier system: the internal channel within the company (mandatory for affected companies) and the external channel operated by the Autoridad Independiente de Protección del Informante (A.A.I.), a newly created public authority that receives reports when the internal channel does not function correctly or when the reporter lacks confidence in it.

Reporters may go directly to the external channel without first using the internal channel if they have reasonable grounds to believe that an internal report would not be effective. A well-designed and properly managed internal channel is therefore the best way to ensure that problems are identified and resolved within the organisation before they reach the public authority.

FAQ

Frequently asked questions

The Autoridad Española de Protección de Datos (AEPD) is the supervisory authority for compliance with Law 2/2023 as regards the data protection of reporters. Failure to meet data protection obligations in the reporting channel can result in fines of up to 20 million euros or 4% of total annual worldwide turnover (whichever is higher) in the most serious cases. In addition, failure to maintain a reporting channel for companies with more than 50 employees can result in fines of up to 300,000 euros for very serious infringements (retaliation against reporters) and between 10,000 and 100,000 euros for serious infringements. The AEPD has published a practical guide on how the reporting channel must be managed in compliance with data protection law.
The obligation applies to all private sector companies with 50 or more employees, all political parties, trade unions, employers' associations and foundations receiving public funding, and all companies in regulated sectors (financial services, transport, environment, food) regardless of size. Companies with between 50 and 249 employees may share the channel with other companies in the same group or sector. Companies with fewer than 50 employees are not required to have a channel, although they may implement one voluntarily.
Law 2/2023 entered into force on 13 March 2023. Companies with 250 or more employees were required to have the channel operational from that date. Companies with between 50 and 249 employees had until 1 December 2023. Public sector entities had their own deadlines. Since both deadlines have passed, companies that have not yet implemented the channel are in active non-compliance and at risk of fines.
The channel must allow reports to be submitted confidentially (and optionally anonymously). It must be managed by an independent person or department. It must acknowledge receipt of a report within 7 days. It must provide a response within a maximum of 3 months. It must guarantee protection of the reporter against any form of retaliation (dismissal, demotion, change of shifts, refusal of training, unjustified negative appraisals, etc.). It must maintain a record of reports received in compliance with data protection rules. And it must inform the reporter whether the report has been archived or has led to action.
The channel is mandatory for reports concerning infringements of European Union law in areas such as public procurement, financial services, financial products and markets, prevention of money laundering, product safety, environmental protection, data protection, competition, taxation and the protection of the EU's financial interests. Law 2/2023 also extends the scope to infringements of Spanish law of sufficient gravity.
Yes. The law permits the system manager to be an external third party, provided they are independent and meet the confidentiality and competence requirements. This option is especially recommended for mid-sized companies without a compliance department or internal audit function, and to avoid conflicts when reports concern senior management or the HR department itself.

Speak with a specialist

Complimentary first call. No commitment. Response within 1 hour during office hours.

Free first consultation 30 minutes with a specialist in your area
Fixed quote before we start No surprises, no success fees
Registered tax agent Electronic filing of all tax returns

4.8/5 · Data processed in the EU · GDPR · No commitment

Frequently asked questions

Questions about Mandatory Whistleblower Channel for Companies (Law 2/2023)

The Autoridad Española de Protección de Datos (AEPD) is the supervisory authority for compliance with Law 2/2023 as regards the data protection of reporters. Failure to meet data protection obligations in the reporting channel can result in fines of up to 20 million euros or 4% of total annual worldwide turnover (whichever is higher) in the most serious cases. In addition, failure to maintain a reporting channel for companies with more than 50 employees can result in fines of up to 300,000 euros for very serious infringements (retaliation against reporters) and between 10,000 and 100,000 euros for serious infringements. The AEPD has published a practical guide on how the reporting channel must be managed in compliance with data protection law.
The obligation applies to all private sector companies with 50 or more employees, all political parties, trade unions, employers' associations and foundations receiving public funding, and all companies in regulated sectors (financial services, transport, environment, food) regardless of size. Companies with between 50 and 249 employees may share the channel with other companies in the same group or sector. Companies with fewer than 50 employees are not required to have a channel, although they may implement one voluntarily.
Law 2/2023 entered into force on 13 March 2023. Companies with 250 or more employees were required to have the channel operational from that date. Companies with between 50 and 249 employees had until 1 December 2023. Public sector entities had their own deadlines. Since both deadlines have passed, companies that have not yet implemented the channel are in active non-compliance and at risk of fines.
The channel must allow reports to be submitted confidentially (and optionally anonymously). It must be managed by an independent person or department. It must acknowledge receipt of a report within 7 days. It must provide a response within a maximum of 3 months. It must guarantee protection of the reporter against any form of retaliation (dismissal, demotion, change of shifts, refusal of training, unjustified negative appraisals, etc.). It must maintain a record of reports received in compliance with data protection rules. And it must inform the reporter whether the report has been archived or has led to action.
The channel is mandatory for reports concerning infringements of European Union law in areas such as public procurement, financial services, financial products and markets, prevention of money laundering, product safety, environmental protection, data protection, competition, taxation and the protection of the EU's financial interests. Law 2/2023 also extends the scope to infringements of Spanish law of sufficient gravity.
Yes. The law permits the system manager to be an external third party, provided they are independent and meet the confidentiality and competence requirements. This option is especially recommended for mid-sized companies without a compliance department or internal audit function, and to avoid conflicts when reports concern senior management or the HR department itself.
Email
Contact