Skip to content
Legal

Regulatory Compliance: Legal Certainty for Your Organisation

Data protection, criminal compliance, AML, whistleblowing and financial regulation. Build a compliance culture that protects your business.

Handled by the responsible partner

Offices in Spain In practice since 2010 REAF · ICAM EN · ES · FR · DE native
Discuss your compliance needs

We accept a limited number of mandates each quarter. Inquiries are prioritised by urgency and fit with our current pipeline.

300+
Compliance programmes implemented
98%
Favourable resolution
10+
Regulations covered
5
Offices in Spain
Our services

Practice areas

People & Compliance

Employment relations, mobility and regulatory protection.

72 hrs Maximum breach notification window — we manage it for you

Data Protection & Privacy

GDPR compliance and data protection officer

€1M+ Maximum administrative fine for serious AML violations

AML & Financial Crime

Anti-money laundering and regulatory compliance

Article 31 bis Spanish Criminal Code — basis for corporate criminal exemption

Criminal Compliance

Criminal risk prevention programs

50+ Employees: threshold for mandatory channel under Law 2/2023

Whistleblowing Channel

Whistleblowing channel per EU Directive

Art. 252 CP Criminal provision (LO 1/2015)

Criminal Defence: Unfair Administration

Criminal defence for directors charged under art. 252 CP

Art. 301–304 CP Criminal provisions (LO 5/2010 and LO 1/2015)

Criminal Defence: Money Laundering

Criminal defence in money laundering cases (arts. 301–304 CP)

2026 Year of DAC8 automatic reporting to AEAT entering into force

DAC8 & Crypto-Asset Reporting

DAC8 Directive compliance for CASP providers, effective 2026

+200 Spanish public tenders advised

Public Procurement

Tenders, appeals and compliance in public contracts

6 months Maximum statutory period for CNMV authorisation of investment firms and SGIICs

Financial Regulatory

Regulatory compliance for financial institutions and fintechs

Art. 31 bis CP Criminal liability exemption provision requiring real documented internal investigations

Internal Investigations

Corporate internal investigations and integrity due diligence

€120,000 Criminal threshold per tax and year

Criminal Defence — Tax Fraud

BMC’s regulatory compliance practice advises companies across all sectors on the design, implementation and ongoing management of compliance programmes. We cover the full spectrum of non-labour regulatory compliance: criminal, data protection, AML, financial regulation, public procurement, and internal investigations.

Why compliance has become a strategic function

The regulatory burden on Spanish and European companies has grown steadily over the past decade and accelerated sharply between 2022 and 2026. Law 2/2023 on whistleblower protection, the NIS2 Directive, the Artificial Intelligence Act, the MiCA Regulation for crypto-assets, DORA for the financial sector, and tightening AML obligations have created a compliance ecosystem that demands specialist knowledge, dedicated resources, and continuous updating.

Companies that treat compliance as a minimum obligation are losing competitive ground. Private equity funds conducting due diligence, acquirers in M&A transactions, and large corporate clients during supplier approval processes are increasingly treating compliance programme maturity as an indicator of management quality and future contingency risk.

Criminal compliance: exemption as an objective

Art. 31bis of the Spanish Criminal Code allows legal entities to be exempt from criminal liability if they have adopted and effectively implemented — before the offence is committed — an organisational and management model including surveillance and control measures to prevent offences of the same type. A well-designed and implemented criminal compliance programme is not just a defensive shield: it is a corporate governance asset that reduces the cost of capital and facilitates access to financing and public procurement.

Our approach combines risk mapping, ethics code and protocol drafting, implementation of the whistleblowing channel, and training and supervision of the Compliance Officer or Compliance Committee.

AML: obligations and PBC/AML risk management

Anti-money laundering compliance is one of the highest-sanction-risk areas for companies included in the obliged-entity catalogue under Law 10/2010. SEPBLAC intensified its inspections from 2022, and penalties for non-compliance can reach 10% of annual turnover or twice the benefit obtained.

We design prevention manuals, implement KYC/KYB due diligence procedures adapted to each obliged entity’s risk profile, and prepare organisations for inspections by the SEPBLAC and the Banco de España.

Data protection: GDPR as a competitive advantage

Personal data protection is today a critical component of corporate reputation and an increasing requirement from clients, partners, and regulators. Beyond formal GDPR and LOPDGDD compliance, a robust privacy system — Records of Processing Activities, Data Protection Impact Assessments, breach protocols, staff training — is a real differentiator in B2B markets and a standard requirement in due diligence processes.

Our outsourced DPO acts as an extension of the client’s team, registered with the AEPD, conducting periodic audits and available for operational queries.

Financial regulation: authorisations and ongoing compliance

Financial institutions, fintechs, and crypto-asset companies operate in one of the most demanding and fast-changing regulatory environments. CNMV and Banco de España authorisations, MiCA compliance for crypto-asset issuers and CASPs, MiFID II and DORA adaptation, and ongoing regulatory compliance management require a specialist team with practical experience in authorisation processes.

Internal investigations: methodology, independence, and chain of custody

When a report reaches the whistleblowing channel or an irregularity is detected internally, the management of the internal corporate investigation is decisive in containing the damage, preserving evidence, and demonstrating to the regulator or prosecutor that the company acted diligently. We direct independent investigations with forensic methodology — chain of custody, structured interviews, documentary and digital analysis — and produce reports that support disciplinary decisions and are usable in judicial proceedings.

Public procurement: preparation, tendering, and defence

Public procurement represents one of the largest markets for professional services, technology, and infrastructure companies. Correct preparation of tender documentation, compliance with technical and financial solvency requirements, and defence of the company’s interests before the Central Administrative Review Tribunal (TACRC) are services BMC provides with practical experience in the Spanish Public Procurement Law (Law 9/2017 LCSP).

When to contact the compliance team

We recommend a regulatory compliance review when:

  • Your company exceeds 50 employees and has not yet implemented the mandatory whistleblowing channel (Law 2/2023).
  • You operate in an AML-obliged sector (financial services, real estate, professional services, crypto-assets) without an up-to-date PBC programme.
  • You have received a communication from the AEPD, SEPBLAC, CNMV, or Banco de España.
  • You are preparing for an M&A transaction or investor due diligence and need to evidence a mature compliance system.
  • You have detected a potential internal irregularity requiring formal investigation.
  • Your activity is affected by MiCA, DORA, NIS2, or the AI Act and you need an adaptation plan.

An initial compliance consultation is the starting point for mapping your organisation’s regulatory risk profile and prioritising the most urgent compliance measures.

Go deeper with our most recent analysis:

Methodology

Our approach

Diagnosis

Risk analysis and compliance gap assessment in your organisation.

Programme design

Development of policies, procedures and whistleblowing channels.

Implementation

Training, internal communication and control deployment.

Monitoring

Periodic review and adaptation to regulatory changes.

Why choose us?

What sets us apart

Multidisciplinary expertise

We cover all compliance dimensions: criminal, labour, tax and regulatory.

Pragmatic approach

Effective programmes tailored to the size and sector of each organisation.

Always current

Continuous regulatory monitoring and proactive adaptation.

FAQ

Frequently asked questions

Criminal compliance demonstrates that a company has adopted adequate measures to prevent criminal offences. Under Art. 31bis of the Spanish Criminal Code, an effective programme can exempt or mitigate the criminal liability of the legal entity.
Yes, since June 2023 for companies with more than 50 employees (Law 2/2023). Absence can result in fines up to €1 million.
Law 10/2010 imposes AML obligations on financial institutions, real estate agencies, professional advisers in specific transactions, notaries, auditors, and crypto-asset service providers.
GDPR requires a DPO for public authorities, large-scale systematic monitoring, and large-scale processing of special data categories. Many companies appoint one voluntarily.
MiCA (EU 2023/1114) sets the European regulatory framework for crypto-asset issuers and service providers (CASPs). CNMV or Banco de España authorisation is mandatory to operate in Spain.

Talk to the partner · Legal

Three ways to start. A partner answers — not a junior.

No escalation, no internal handoffs. We tell you in the first conversation whether we can add real value.

Handled by the responsible partner · Reply < 24 business hours · Professional secrecy from first email

Need a compliance programme?

Complimentary first consultation with our regulatory compliance specialists.

bm.consulting

Not sure where to start?

Our advisors will guide you with no commitment. First conversation at no charge.

AEAT Colaborador Social 4.9/5 on Google · 47 reviews 30+ nationalities served
Email
Contact