Our Expert in Spain
Spanish corporate criminal compliance in 2026 demands more than a policy document filed in a drawer. Heightened prosecutorial scrutiny, fresh legislative amendments and tightening EU transposition deadlines mean that companies operating in Spain face material criminal-liability exposure unless they can demonstrate a genuinely implemented crime prevention model, a modelo de prevención de delitos. This guide provides the tactical blueprint that general counsel, compliance officers and SME owners need: the nine core elements of a defensible modelo, realistic expectations on exemption versus mitigation, the standards that matter (UNE 19601 and ISO 37301), and a month-by-month implementation timeline.
TL;DR, five things to do now:
The regulatory environment around corporate criminal liability in Spain has shifted perceptibly since mid-2025. Several overlapping reforms converge in 2026, each raising the stakes for companies without robust crime prevention models.
The Fiscalía General del Estado has signalled an enforcement posture that prioritises compliance penal verification in economic-crime investigations. Prosecutors increasingly request compliance documentation early in proceedings, not as an afterthought during sentencing. Industry observers expect that this front-loaded approach will accelerate the practical distinction between companies that can produce a credible modelo and those that cannot. The Fiscalía’s published guidance continues to treat the existence and genuine operation of a crime prevention model as a key factor in deciding whether to pursue charges against the legal entity itself.
Additionally, organic-law amendments tightening penalties for repeat offenders (multirreincidencia) have raised the consequences of a conviction, making pre-emptive compliance investment more cost-effective than ever. Companies with prior sanctions or pending proceedings face compounding risk if they cannot demonstrate an upgraded programme.
Three sectoral areas carry elevated criminal-compliance risk in 2026:
| Date | Requirement / Event | Who It Affects |
|---|---|---|
| Early 2026 | Organic-law amendments, tighter penalties for repeat corporate offenders | All companies with Spanish operations |
| 2026 (various) | EU transposition deadlines for pay-transparency and labour-reporting rules | Employers, HR and compliance departments |
| 2026–2027 | Sectoral rule rollouts, algorithmic audits, procurement integrity measures | Firms in fintech, recruitment, public procurement |
A modelo de prevención de delitos is a structured crime prevention model that a legal entity adopts and implements to detect and prevent criminal offences committed within, or on behalf of, the organisation. Under Spain’s Código Penal, the modelo serves as the primary mechanism through which a company can either exclude or substantially reduce its corporate criminal liability.
Spain introduced corporate criminal liability through Organic Law 5/2010, substantially reforming the framework in 2015. The Código Penal now provides that a legal entity may be exempt from criminal liability if, before the offence occurred, it had adopted and effectively implemented organisational and management models that include measures of oversight and control adequate to prevent the relevant category of crime. Where the modelo exists but was not fully effective, it operates as a mitigating factor at sentencing.
Critically, there is no statutory obligation to adopt a modelo. However, the practical reality in 2026 is that any company without one faces an almost irrebuttable presumption of organisational negligence if a crime is committed within its sphere. The modelo has become a de facto requirement for any entity with meaningful economic activity in Spain.
At a baseline, the modelo must be documented with sufficient granularity to demonstrate genuine implementation. This includes a risk map specific to the entity, written policies and procedures addressing each identified risk, evidence that training was delivered and received, records of monitoring and audit activity, and a disciplinary framework showing that violations are sanctioned. Courts consistently reject modelos that exist only on paper.
The central question for every compliance officer is whether a well-designed modelo can actually shield the company from criminal liability or whether it merely softens the blow. The honest answer is nuanced: full exemption is legally available but practically demanding, while mitigation is more commonly achieved.
The Tribunal Supremo has developed a body of case law establishing that a modelo de prevención de delitos can constitute a complete defence, but only when the company proves that the model was genuinely adopted before the offence, that it was appropriately tailored to the entity’s risk profile, and that its supervisory mechanisms were functioning at the time of the offence. The court applies a substantive test: was the modelo a living system, or a decorative document? Landmark decisions have rejected modelos where the company could not produce training records, where the compliance officer lacked independence, or where known risks were not mapped.
Conversely, the Tribunal Supremo has recognised compliance programme mitigation even where the modelo fell short of the threshold for full exemption. A partially implemented model, or one adopted after the offence but before sentencing, can reduce penalties by one or two degrees, a significant practical benefit that can mean the difference between a fine that threatens solvency and one that is manageable.
Based on prosecutorial guidance and court practice, the factors that most strongly influence whether a modelo achieves exemption or mitigation include:
A crime prevention model that will withstand scrutiny from prosecutors, courts and regulators must contain at least nine interlocking elements. Each element serves a distinct function, and the absence of any one creates a vulnerability that can undermine the entire programme.
The risk map is the foundation of the modelo. It must identify every criminal offence in the Código Penal catalogue that is theoretically attributable to the company, assess the likelihood and impact of each, and assign a residual risk score after accounting for existing controls. The risk map should be entity-specific, a subsidiary in construction faces different risks than one in financial services.
Common mistakes include copying a generic risk matrix from an industry template without tailoring it, failing to update the map after organisational changes, and omitting newer offence categories such as those related to algorithmic discrimination or environmental crimes.
| Risk Category | Likelihood (1–5) | Impact (1–5) | Residual Score | Priority Control |
|---|---|---|---|---|
| Fraud / misappropriation | 3 | 5 | High | Segregation of duties, approval thresholds |
| Bribery / corruption | 2 | 5 | High | Third-party due diligence, gift policy |
| Labour-rights violations | 3 | 4 | Medium-High | HR audit, pay-transparency reporting |
| Environmental offences | 2 | 4 | Medium | Environmental management system |
| Data-protection breaches | 3 | 3 | Medium | DPIA, access controls |
Each risk identified in the risk map must be addressed by a written policy stating the expected conduct, the prohibited behaviour, and the applicable controls. Policies should be drafted in plain language, translated into all working languages of the organisation, and approved at board level. Procedures must operationalise the policies, for example, specifying exactly how a gift above a certain threshold is to be reported, by whom, and within what timeframe. Version control and accessible distribution records are essential evidence.
Controls are the operational mechanisms that prevent or detect the criminal conduct identified in the risk map. They range from financial controls (dual signatures, approval thresholds, reconciliation protocols) to operational safeguards (access restrictions, automated alerts, physical security). Segregation of duties ensures that no single individual can authorise, execute and record a transaction without oversight. Courts have been particularly attentive to whether the company’s control environment is proportionate to the risks it faces, over-engineered controls that are routinely bypassed are worse than simpler controls that are consistently applied.
Training is the mechanism that transforms written policies into understood obligations. It must be role-specific (a procurement manager needs different training from a warehouse operative), periodic (annual minimum, with event-driven updates), and documented with attendance records and comprehension testing. Communication programmes should ensure that the modelo is visible across the organisation, through intranet pages, induction materials, posters and leadership messaging. A modelo that employees have never heard of will fail any court test.
An effective internal reporting channel is now non-negotiable. Post-transposition whistleblowing requirements mandate that companies above certain employee thresholds maintain confidential reporting channels, protect reporters from retaliation, and investigate reports within defined timescales. The channel must be accessible to employees, contractors and, ideally, third parties. Investigation protocols should guarantee independence (the investigator cannot be the person accused), proportionality, and documentation. Whistleblowing channels and investigations in Spain are a complex compliance area that merits dedicated guidance.
The modelo must be monitored continuously, not just at annual review. Key performance indicators should track metrics such as the number of reports received through the whistleblowing channel, training completion rates, audit findings closed within target timescales, and policy-exception requests. Internal audits, whether conducted by an in-house function or external provider, should test the design and operating effectiveness of controls at least annually. Audit reports and management responses must be retained as evidence.
A compliance programme that detects violations but imposes no consequences is, in the court’s eyes, a programme that tolerates crime. The disciplinary framework must be codified (typically within the company’s internal regulations or collective bargaining agreement), proportionate, and consistently applied regardless of the seniority of the offender. Equally, positive incentives, compliance KPIs in bonus structures, recognition programmes, reinforce the culture of compliance penal that prosecutors assess.
Criminal liability can attach to a company through the acts of agents, distributors, consultants and joint-venture partners. The modelo must include a risk-based due-diligence process for onboarding and monitoring third parties. High-risk categories (government-facing intermediaries, agents in high-corruption jurisdictions, subcontractors in regulated sectors) require enhanced due diligence, including background checks, contractual compliance clauses and periodic re-certification.
Every element above generates documentation that may one day need to be presented to a prosecutor or judge. The “evidence pack” should be maintained in a centralised, tamper-evident repository and include, at a minimum:
Two standards dominate the crime prevention model landscape in Spain: UNE 19601, the Spanish-specific criminal compliance management standard published by AENOR, and ISO 37301, the international compliance management systems standard. Both are valuable, but they serve different purposes and carry different weight before Spanish courts.
| Criterion | UNE 19601 | ISO 37301 |
|---|---|---|
| Scope | Criminal compliance, specifically mapped to Spanish Código Penal offences | General compliance management, all regulatory obligations, all jurisdictions |
| Approach | Prescriptive: specifies controls, roles and documentation for criminal risk | Management-system framework: Plan-Do-Check-Act cycle for compliance generally |
| Certification body | AENOR and accredited Spanish certification bodies | Any ISO-accredited certification body worldwide |
| Court recognition in Spain | High, designed to mirror Código Penal requirements; cited by Tribunal Supremo | Moderate, recognised as evidence of compliance culture, but less specific to criminal liability |
| Best use | Companies whose primary concern is corporate criminal liability in Spain | Multinational groups seeking a single compliance framework across jurisdictions |
UNE 19601 is the recommended choice for any company whose operations are predominantly Spanish or whose primary compliance concern is criminal liability under the Código Penal. Its prescriptive structure maps directly to the statutory requirements for a modelo de prevención de delitos, and AENOR certification provides strong, though not conclusive, evidence of programme adequacy before Spanish courts.
Multinational groups that need a unified compliance management system across multiple jurisdictions may find ISO 37301 more practical. It provides a scalable framework that can incorporate local criminal-compliance requirements (including UNE 19601 controls) within a broader management system. Industry observers note that the most robust approach for Spanish subsidiaries of international groups is dual alignment: ISO 37301 as the overarching framework with UNE 19601 as the criminal-compliance module.
Regardless of which standard is chosen, the nine core elements described in this guide should be mapped to the relevant clauses. Both standards require a risk assessment, a compliance policy, defined roles, training, monitoring, reporting channels and continuous improvement. The mapping exercise itself, documented and retained, constitutes valuable evidence that the modelo was designed with reference to recognised benchmarks.
The governance structure of the modelo determines its credibility. A crime prevention model supervised by a compliance officer who reports to the very executives whose conduct the modelo is designed to control will not survive judicial scrutiny.
The compliance officer (or compliance body, in larger organisations) should meet the following minimum requirements:
The compliance officer should present a written report to the board or audit committee at least quarterly, covering KPIs, incident summaries, investigation outcomes, training statistics and any material changes to the risk map. Extraordinary escalation protocols must be defined for high-severity incidents, bribery allegations, regulatory raids, whistleblower reports implicating senior management. Board minutes should reflect discussion of compliance matters, demonstrating tone at the top.
The Código Penal and prosecutorial guidance both recognise a proportionality principle: the modelo should be scaled to the size, complexity and risk profile of the entity. An SME with twenty employees does not need the same infrastructure as an IBEX-35 group, but it does need the same core elements in a lighter form.
For smaller companies, a defensible modelo can be built around six core controls:
Companies in sectors affected by 2026 transposition deadlines should layer additional controls onto their modelo. Labour-intensive businesses must integrate pay-transparency reporting and working-conditions audits. Public-procurement bidders should ensure their modelo is certifiable, as tender eligibility may depend on it. Firms deploying algorithmic decision-making in hiring or credit scoring should add AI-specific risk controls addressing discrimination, transparency and data protection, areas where criminal-compliance exposure is growing.
A credible modelo cannot be built overnight. Industry observers estimate that a company starting from scratch needs six to twelve months to design, implement and embed a programme that will withstand prosecutorial scrutiny. The following timeline provides a practical roadmap.
| Month | Milestone | Deliverable |
|---|---|---|
| 1–2 | Scoping and risk assessment | Completed risk map, gap analysis against current controls, board mandate |
| 3–4 | Policy drafting and governance design | Approved policies, compliance officer appointed, reporting lines established |
| 5–6 | Control implementation and channel setup | Operational controls, whistleblowing channel live, third-party due-diligence process active |
| 7–8 | Training rollout | Role-specific training delivered, attendance and comprehension documented |
| 9–10 | First monitoring cycle | KPI dashboard populated, initial internal audit completed |
| 11–12 | Review and certification readiness | Management review, remediation of audit findings, certification application (if pursuing UNE 19601) |
Internal audit sample questions:
Spanish corporate criminal compliance in 2026 is no longer optional in any practical sense. A well-designed, genuinely implemented modelo de prevención de delitos remains the most effective tool available to protect a company from criminal liability, or, at minimum, to substantially mitigate the consequences. Companies that invest now in the nine core elements, align with recognised standards, and build the evidence trail that courts demand will be materially better positioned than those that wait. For tailored guidance, consult a specialist compliance lawyer through the Global Law Experts lawyer directory.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Jordi Sot Ball-Llosera at Toda & Nel-lo, a member of the Global Law Experts network.
posted 12 minutes ago
posted 14 minutes ago
posted 34 minutes ago
posted 57 minutes ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
posted 2 hours ago
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message