Whistleblowing Channel: Law 2/2023 Compliance Made Simple
Implementation of internal whistleblowing channels under Spanish Law 2/2023 transposing EU Directive 2019/1937. Full Internal Information System design, investigation protocols, and confidentiality guarantees.
Why a contact form is not a compliant whistleblowing channel under Law 2/2023
Does this apply to your business?
Does your company have more than 50 employees and still lacks a formally implemented whistleblowing channel with a designated responsible person?
Has your existing channel ever received a complaint and processed it within the statutory 7-day acknowledgement and 3-month response deadlines?
Has your company conducted the GDPR Data Protection Impact Assessment specifically required for whistleblowing systems?
Do your managers understand the reversed burden of proof that applies if a whistleblower is dismissed or disadvantaged after making a report?
Our whistleblowing channel implementation process
System design & organisational analysis
We assess your company's size, group structure, and risk profile to design the optimal channel model: internally managed by the designated responsible person, or outsourced to an independent third party for greater perceived impartiality.
Technical implementation & documentation
We configure the technical channel with encryption and anonymity options, draft the corporate whistleblowing policy, the operating rules, and the acknowledgement and follow-up procedures within the statutory deadlines (7 days for acknowledgement, 3 months for response).
Responsible person designation & training
We advise on the appointment of the System Responsible Person, provide training on investigation protocols, confidentiality obligations, and whistleblower protection measures against retaliation.
GDPR coordination & ongoing maintenance
We coordinate with the DPO to ensure GDPR compliance in the processing of personal data in complaints, conduct the required Data Protection Impact Assessment, and maintain the system updated as regulations and supervisory authority guidance evolve.
The challenge
Law 2/2023 requires companies with 50 or more employees to implement an Internal Information System with real confidentiality guarantees, a designated responsible person, legal deadlines for processing, and effective anti-retaliation protections. Most companies that believe they have complied have installed a contact form — not a compliant system. A non-functional channel can generate greater liability than having none at all.
Our solution
We design and implement the complete Internal Information System (SII): technical channel with confidentiality and anonymity options, corporate whistleblowing policy, responsible person designation, investigation protocol with statutory deadlines, staff training, and GDPR coordination. A fully audited and documented system that meets every requirement of the EU Directive and Spanish Law 2/2023.
Spain's whistleblowing framework is established by Law 2/2023 of 20 February on the Protection of Persons who Report Regulatory Infringements and the Fight against Corruption, which transposed EU Directive 2019/1937 on whistleblower protection. Law 2/2023 requires private companies with 50 or more employees, public entities, and all companies operating in financial services regardless of size to implement an Internal Information System (Sistema Interno de Información, SII) with specific requirements: a confidential and optionally anonymous reporting channel, a designated responsible person (Responsable del Sistema), acknowledgement within 7 days, a substantive response within 3 months, anti-retaliation protections for reporters, and coordination with GDPR obligations for personal data processed through the channel. Non-compliant organisations face sanctions of up to EUR 1 million for serious infringements.
Our team combines expertise in regulatory compliance, employment law, and data protection to implement whistleblowing systems that function in practice — not only on paper.
The Gap Between Having a Channel and Being Compliant
Law 2/2023, transposing EU Directive 2019/1937 into Spanish law, establishes a comprehensive framework for whistleblower protection that extends far beyond enabling a contact form. The law requires a structured Internal Information System with a formally designated responsible person, statutory processing deadlines, genuine confidentiality guarantees, and effective protection against retaliation. Organisations that have installed a generic inbox or a third-party whistleblowing tool without structuring the system around it are technically non-compliant — and potentially exposed to sanctions reaching EUR 1 million.
Designing a System That Works Under Pressure
The first step in any implementation is system design. A 60-employee manufacturing company and a 5,000-employee financial services group require fundamentally different architectures. We analyse the organisational structure, risk profile, and corporate culture to recommend whether the channel should be managed internally by the designated responsible person or outsourced to an independent third party. Outsourcing typically provides greater perceived credibility for potential whistleblowers — a critical factor in whether employees actually use the system — and removes the conflict-of-interest concerns that arise when the channel is managed internally.
Integration with Criminal Compliance
The relationship between a whistleblowing channel and a criminal compliance programme is direct and legally significant. Spanish courts have confirmed that a functional internal reporting system is one of the elements they examine when assessing whether a legal entity’s compliance programme should have exculpatory effects on criminal liability. A channel that exists on paper but generates no investigations and no corrective measures will not satisfy this standard. We design the investigation protocol to produce the documented evidence trail that compliance programmes require.
GDPR Considerations Specific to Whistleblowing
The processing of personal data in whistleblowing systems presents specific challenges that require close coordination with the Data Protection Officer. The AEPD has issued specific guidance on impact assessments for these systems, retention periods for data relating to both whistleblowers and reported individuals, and the limits of the reported person’s right to information when it could compromise the investigation. We integrate all of these requirements from day one, avoiding the retroactive GDPR remediation that many organisations face after deploying their channels without adequate data protection planning.
The Internal Investigation Protocol
A whistleblowing channel is only as effective as the investigation process that follows a report. Law 2/2023 requires the designated responsible person to acknowledge receipt of a report within seven days and to communicate the outcome of the investigation within three months. These deadlines are not aspirational — they are legal obligations with sanction exposure attached. We design investigation protocols that specify who conducts the investigation for different categories of reported conduct, what evidence-gathering steps are required, how potential conflicts of interest are managed, and how the outcome is communicated to the reporter.
The Responsible Person: Appointment and Training
The designation of the responsible person (Responsable del Sistema) is a formal appointment that must be documented. Law 2/2023 requires the responsible person to have the authority to conduct investigations, access relevant information, and recommend corrective measures. Where the responsible person role is outsourced, our team manages the complete lifecycle: report receipt, acknowledgement, investigation coordination, outcome communication, and compliance documentation. The integration with the criminal compliance programme ensures that reports alleging criminal conduct are handled with the procedural rigour that a potential criminal proceeding requires.
Interaction with the Anti-Retaliation Framework
Law 2/2023 establishes comprehensive protections for reporters against retaliation: dismissal, demotion, salary reduction, change of duties, coercion, discrimination, and negative performance assessment are all forms of prohibited retaliation. The law creates a reversal of the burden of proof in employment proceedings. Our employment law team advises on how to handle situations where a report is received and an employment decision affecting the reporter is subsequently required — ensuring the decision is legally defensible and demonstrably independent of the report.
Multinational Groups and Multi-Jurisdiction Channels
For multinational groups with operations in multiple EU member states, Law 2/2023 allows a centralised internal channel at group level as long as the channel is genuinely accessible to employees in all jurisdictions. We design group-level whistleblowing systems that comply with the requirements of the EU Directive as transposed in each operating jurisdiction, manage the cross-border data flows in compliance with GDPR international transfer rules, and ensure that the local law variations across member states are reflected in the system’s operational procedures.
Sectors Most Affected
Financial services: all companies in the financial sector are subject to Law 2/2023 regardless of employee count, due to the sector-wide applicability of the EU Directive. Financial sector entities also have overlapping whistleblowing-adjacent obligations under DORA, Solvency II, and MiFID II that require coordination.
Large companies (50+ employees): the primary obligated category. The focus for established programmes is quality assurance — whether the system is genuinely trusted, whether investigations produce documented outcomes, and whether the governing body receives meaningful reporting on channel activity.
Public sector and public contract recipients: public entities and companies that receive public grants or contracts above EUR 15 million in the prior year are in scope regardless of employee count.
Professional services: professional secrecy creates specific complications for whistleblowing channels. The investigation protocol must be designed to respect client privilege while achieving the objectives of the Law.
Company Size Segmentation
SMEs (10–49 employees): not currently obligated to operate an internal channel, though external reporting to the AIAI (Autoridad Independiente de Protección del Informante) is available to employees of organisations of any size. SMEs expecting to grow to 50+ employees should implement proactively.
Companies with 50–249 employees: obligated since 1 December 2023. Can share an internal channel within a group structure, subject to conditions. The channel must be accessible to employees, former employees, shareholders, suppliers, and subcontractors.
Companies with 250+ employees: obligated since June 2023. Full implementation required including dedicated responsible person appointment, investigation protocol, and annual activity report to the governing body.
Worked Example: Channel Implementation for a Manufacturing Group
A Spanish manufacturing group (180 employees across three entities) implemented Law 2/2023 compliance. BMC’s approach: group-level shared channel covering all three entities. Outsourced management model recommended due to ownership concentration. External Responsable del Sistema appointed through BMC’s compliance team. Third-party anonymous reporting platform deployed at all facilities. Investigation protocol designed for three categories (labour disputes, regulatory infringements, criminal conduct). DPIA completed and retention policy established. All managers trained on anti-retaliation obligations. Full implementation: 8 weeks.
Common Mistakes We Fix
- Deploying a technology platform without building the governance structure around it. A reporting tool is not a compliant system. The law requires a designated responsible person, a documented investigation procedure, GDPR-compliant data architecture, and anti-retaliation protocols.
- Managing the channel internally without addressing conflict-of-interest risk. Where the responsible person reports to executives who could be the subject of reports, whistleblowers are unlikely to use the channel. External management provides the perceived independence that encourages actual use.
- Not integrating with the criminal compliance programme. Reports alleging criminal conduct must be handled with the evidentiary rigour that criminal proceedings require. A standard HR investigation does not meet this standard.
- Missing the GDPR requirements. Whistleblowing channels process sensitive personal data. A system without a DPIA, without a retention policy, and without a procedure for the reported individual’s rights is simultaneously non-compliant with Law 2/2023 and GDPR.
- Not training line managers on anti-retaliation obligations. The most common retaliation is not dramatic — it is the negative performance review or exclusion from meetings applied to an employee who filed a report. The burden-of-proof reversal means the employer must prove the adverse treatment was unconnected to the report.
Regulatory Framework: Law 2/2023 and EU Directive 2019/1937
Law 2/2023 of 20 February on the Protection of Persons who Report Regulatory Infringements transposes EU Directive 2019/1937. Key provisions:
Art. 7 Law 2/2023: internal reporting channel obligation for private entities with 50+ employees, public entities, and all financial-sector entities regardless of size. The channel must be designed to guarantee the confidentiality of the reporter’s identity.
Art. 9 Law 2/2023: the Responsable del Sistema must acknowledge receipt within 7 days and communicate the outcome of the investigation within 3 months (extendable to 6 months for complex cases).
Art. 14 Law 2/2023: comprehensive anti-retaliation protections. Retaliation includes dismissal, salary reduction, change of duties, negative references, denial of training, exclusion from promotion, and psychological pressure.
Art. 16 Law 2/2023: reversal of burden of proof in employment proceedings where retaliation is alleged. The employer must prove that adverse treatment was not connected to the report.
Arts. 20-21 Law 2/2023: sanctions regime. Failure to implement the required system: sanctions of up to EUR 300,000 (serious) or EUR 1,000,000 (very serious). Retaliation against reporters: up to EUR 1,000,000.
How We Work
Phase 1 — Assessment (1 week): review of governance structure, employee population, regulatory obligations, and risk profile. Recommendation on internal vs external management model.
Phase 2 — Implementation (4–6 weeks): responsible person designation, investigation protocol design, GDPR data architecture, technology deployment, employee and manager training.
Phase 3 — Ongoing management: where we act as external Responsable del Sistema, we manage the complete channel lifecycle — report receipt, 7-day acknowledgement, investigation coordination, 3-month outcome communication, and annual governing body report.
Fixed-fee implementation packages are available for all size categories.
The External Reporting Channel and the AIAI
Law 2/2023 also established the AIAI (Autoridad Independiente de Protección del Informante), the independent national external reporting authority to which any person can report infringements of EU law directly, bypassing the internal company channel. The AIAI has investigative powers and can coordinate with the Ministerio de Hacienda, the AEAT, the AEPD, and other regulatory bodies.
For companies, the existence of the AIAI creates both an incentive and a risk. The incentive: a functional, trustworthy internal channel reduces the probability of employees going directly to the AIAI — which generates a regulatory investigation with external publicity. The risk: if the internal channel fails to investigate credibly, employees will use the AIAI, and the company will face the consequences of an external investigation it does not control rather than an internal one it does.
Well-designed internal channels — managed by an independent, trusted responsible person — are the most effective tool for keeping whistleblowing internal, managing it appropriately, and demonstrating compliance. Channels that exist on paper but produce no investigations generate the worst of both worlds: regulatory sanction for non-compliance and employee distrust that leads to external reporting.
ESG and Supply Chain Dimension
Whistleblowing channels are increasingly relevant beyond the strict employment and criminal compliance dimensions. The Corporate Sustainability Due Diligence Directive (CSDDD), which will require large EU companies to monitor their supply chains for human rights and environmental abuses, includes a requirement for affected persons (including supply-chain workers) to be able to report concerns. The CSRD (Corporate Sustainability Reporting Directive) requires disclosure of the governance of the internal reporting system and the outcomes of investigations under ESRS G1.
For companies subject to CSRD, the whistleblowing channel is part of the ESG governance infrastructure that must be disclosed — how many reports were received, what categories, what outcomes, what remediation measures were taken. A channel that generates no reports (because it is not trusted) or that produces reports but no documented outcomes (because investigations are poorly managed) is a CSRD disclosure problem as well as a Law 2/2023 compliance failure.
Geographic Coverage
Our whistleblowing compliance practice covers all of Spain, with particular experience in:
Madrid: the AIAI and the Ministerio de Justicia (which oversees Law 2/2023 enforcement in the private sector) are based in Madrid. For companies headquartered in Madrid, our local presence enables rapid response to AIAI investigation notifications and direct engagement with the authority.
Multinational groups with Spanish operations: Law 2/2023 requires that the channel be accessible and functional for all employees in Spain — even if the group’s global whistleblowing programme is managed from another jurisdiction. We advise on the Spanish-specific compliance requirements that must be layered onto group-level programmes, including the specific anti-retaliation protections, the Spanish-language accessibility requirements, and the formal Responsable del Sistema appointment process.
Cross-border investigations: where a report made through the Spanish channel concerns conduct in another jurisdiction, the investigation protocol must address how evidence is gathered across borders, how local employment law in each relevant jurisdiction affects the investigation, and how findings are communicated across jurisdictions without breaching data protection requirements. Our network of correspondent law firms across the EU covers the most common multi-jurisdiction investigation scenarios.
Our whistleblowing practice is available to companies across all Spanish provinces, with in-person meetings in Madrid and Málaga and remote service for all other locations. Initial consultations to assess compliance status and the recommended implementation approach are provided at no charge.
Real results in whistleblowing channel compliance
We had a form on our intranet that we called a whistleblowing channel. BMC showed us it was missing almost everything the law requires. They built us a complete system in six weeks — designated responsible person, trained, DPIA completed, and the first real complaint handled within 48 hours. The difference is night and day.
What our whistleblowing channel service includes
Internal Information System (SII) Design
Organisational analysis, channel model selection (internal or outsourced), drafting of the corporate whistleblowing policy and operating rules covering all elements required by Law 2/2023 and the EU Directive.
Technical Channel with Confidentiality Guarantees
Configuration of the complaint-receipt platform with encryption, anonymous communication options, whistleblower follow-up tracking, and a full audit trail of all actions taken on each case.
Investigation Protocol & Deadline Management
Documented procedure for opening, investigating, and closing complaint files, with statutory deadlines integrated (7-day acknowledgement, 3-month response) and escalation paths to governance bodies where required.
Training & Internal Communication
Training for the Responsible Person and key management on investigation obligations and anti-retaliation rules; company-wide communication on the channel's existence and operation; whistleblower protection awareness materials.
GDPR Coordination & DPIA
Data Protection Impact Assessment specific to the whistleblowing system, DPO coordination, and establishment of data retention and deletion policies for personal data of whistleblowers and reported persons.