What Is the Deadline for Companies with 50–249 Employees to Implement Whistleblowing Channels in Spain?

What is the deadline for companies with 50 to 249 employees to set up a whistleblowing channel in Spain? The answer, established by Law 2/2023 of 20 February (published in the Boletín Oficial del Estado as BOE-A-2023-4513), was 1 December 2023. That statutory cut-off has now passed, yet many mid-sized Spanish businesses still operate without a compliant internal reporting system, or have systems that fall short of the law’s technical and procedural requirements. With the Autoridad Independiente de Protección del Informante (AAI), Spain’s dedicated whistleblower authority, moving into active oversight in 2025–2026, and administrative fines reaching up to €1,000,000 for very serious infractions, the compliance window for remediation is narrowing fast.

Executive Summary: The Deadline and What It Means in 2026

Under Law 2/2023 of 20 February, Spain’s transposition of EU Directive 2019/1937 on the protection of persons who report breaches of Union law, every private-sector company with 50 or more employees is required to maintain an internal information system (sistema interno de información) through which workers and other stakeholders can report regulatory breaches. The statutory deadline for companies with 50 to 249 employees was 1 December 2023. Larger companies, with 250 or more workers, were required to comply within three months of the law’s entry into force, which was 13 March 2023.

If your organisation missed that deadline, you are already in potential breach. Industry observers expect that the AAI’s growing operational capacity throughout 2025 and 2026 will translate into proactive inspections and a sharper sanctions regime. Penalties for not implementing a whistleblowing channel in Spain are classified into minor, serious, and very serious categories, with the most severe infractions carrying fines of up to €1,000,000 for legal persons. The guidance below sets out, step by step, exactly what is required, who is in scope, and how to build a compliant system now.

Deadline and Statutory Citation Under Law 2/2023 Spain

Law 2/2023, of 20 February, regulating the protection of persons who report regulatory breaches and the fight against corruption (Ley reguladora de la protección de las personas que informen sobre infracciones normativas y de lucha contra la corrupción), was published in the BOE on 21 February 2023 and entered into force twenty days later, on 13 March 2023. The full consolidated text is available under reference BOE-A-2023-4513.

The law created a two-tier deadline structure for private-sector companies based on employee headcount:

• Companies with 250 or more employees, required to have an operational internal reporting system within three months from entry into force, i.e. by 13 June 2023.
• Companies with 50 to 249 employees, given an extended deadline of 1 December 2023.
• Companies with fewer than 50 employees, not obligated by headcount alone, though sector-specific rules may still apply.

The following comparison table summarises these obligations at a glance.

What Counts as “50 Employees”, Headcount Rules and Group Aggregation

The 50-employee threshold is calculated on the basis of the total workforce, including permanent, fixed-term, and part-time contracts. Part-time employees are counted proportionally according to standard Spanish labour law practice. Temporary agency workers (trabajadores cedidos por ETT) performing duties at the company also count toward the threshold during their assignment period.

A critical question for corporate groups is whether employees of different subsidiaries are aggregated. Under Law 2/2023, the obligation to implement an internal reporting system applies at the level of each legal entity that meets the headcount threshold individually. However, group companies with 50 to 249 employees may share resources and even a single reporting channel, provided each entity formally adopts the system and the confidentiality requirements are met at entity level. This distinction, entity-level obligation with group-level resource sharing, is a frequent source of confusion and warrants careful structuring.

Which Companies Are in Scope: SMEs, Groups, and Public-Interest Entities

Headcount is the primary trigger, but it is not the only one. Law 2/2023 Spain extends the obligation to implement whistleblowing channels to entities of any size in certain regulated sectors. These include:

• Financial services, entities subject to anti-money-laundering obligations under Law 10/2010, including banks, insurers, investment firms, and payment institutions.
• Public procurement, entities receiving public funds or engaged in public contracts may be required to maintain channels regardless of headcount.
• Political parties, trade unions, and employer organisations that receive or manage public funds.
• Foundations receiving public subsidies.

For compliance officers, the practical decision tree is straightforward:

1. Does your legal entity have 50 or more employees? → Mandatory channel.
2. Does your entity fall into a regulated sector listed in the law, regardless of size? → Mandatory channel.
3. Is your entity part of a group where the parent or another subsidiary has the obligation? → Assess whether a shared channel is permissible and formally adopted.
4. None of the above? → No legal obligation, but a voluntary channel is strongly recommended.

Group Company Obligations, Parent-Level vs Subsidiary-Level Channels

Groups of companies may establish a single internal reporting channel at group level, but only where all subsidiaries individually falling within scope have formally approved and adopted it. Each subsidiary retains its own legal obligation: the group-level channel is a shared resource, not a delegation of responsibility. The responsable del sistema (system manager) may serve multiple group entities, but confidentiality firewalls and entity-specific procedures must be maintained. Early indications suggest that the AAI will scrutinise group arrangements closely to ensure they are not used to dilute protections at subsidiary level.

Whistleblowing Channel Requirements Spain: Minimum Technical and Procedural Standards

Law 2/2023 sets out detailed requirements for internal reporting systems. Understanding these is essential to answering what is the deadline for companies and what they must actually deliver by that deadline. The law’s requirements can be grouped into five core areas:

• Reporting formats. The system must allow reports to be submitted in writing (including electronically) and orally (by telephone or voice messaging, and in-person meetings on request).
• Confidentiality. The identity of the reporter must be kept strictly confidential throughout the process and may not be disclosed without the reporter’s express consent, except where required by judicial proceedings.
• Anonymous reporting. The law requires that anonymous reports be accepted and processed. However, the system is not required to guarantee anonymity technologically, it must simply not reject a report on the sole basis that it is anonymous.
• Investigation timelines. The responsable del sistema must acknowledge receipt of a report within seven calendar days. The investigation must be completed within a maximum of three months from acknowledgement, extendable by a further three months in cases of particular complexity.
• Protection against retaliation. The whistleblower protection act Spain provisions prohibit any form of retaliation, including dismissal, demotion, harassment, or adverse changes to working conditions. This protection extends to facilitators and connected persons.

Anonymous Reporting Requirements Spain: Data Protection and Limitations

While anonymous reporting is permitted, it creates tension with data-protection obligations and the right of defence of persons accused. Companies must design systems that balance the ability to receive and investigate anonymous tips with compliance under Spain’s Organic Law 3/2018 (LOPDGDD) and the EU General Data Protection Regulation (GDPR). A data protection impact assessment (DPIA) is generally required before launching the reporting channel. The Spanish Data Protection Agency (AEPD) has indicated that companies must implement privacy-by-design principles, including data minimisation, access controls, and defined retention periods.

Role of the Data Protection Officer (DPO) and AEPD Considerations

Where a company has appointed a DPO, that officer must be involved in designing and overseeing the data-processing activities of the whistleblowing channel. The DPO reviews the DPIA, advises on retention policies (data relating to reports should generally not be kept beyond the time necessary for the investigation, subject to legal hold obligations), and ensures that access to reported information is restricted to authorised personnel. The AEPD has emphasised that the internal reporting system must comply with the purpose-limitation principle: data gathered through the channel may not be used for purposes unrelated to the investigation of the reported breach.

Who Should Run the Internal Reporting System Spain: Appointing the Responsable del Sistema

Law 2/2023 requires every obligated entity to appoint a responsable del sistema de información interna, a person or collegiate body responsible for managing the reporting channel, ensuring its proper functioning, and safeguarding confidentiality. This role carries specific statutory duties:

• Receiving and acknowledging reports within seven calendar days.
• Ensuring investigations are conducted impartially and within statutory timeframes.
• Communicating outcomes to the reporter and, where appropriate, to affected persons.
• Maintaining records and ensuring data-protection compliance.
• Reporting annually on the system’s functioning to the entity’s governing body.

The responsable must act independently and cannot be removed or penalised for actions taken in the proper discharge of their duties. For companies with 50 to 249 employees, the role may be combined with other compliance or legal functions, provided independence is preserved. Alternatively, the entire channel management function may be outsourced to a third-party provider, a model that is increasingly common among smaller obligated entities that lack the internal capacity to run the system. Outsourcing versus running an in-house channel is a strategic decision that depends on cost, governance needs, and risk appetite.

Implementation Checklist and Timeline for Companies with 50–249 Employees

Whether your company missed the 1 December 2023 deadline or is auditing an existing system for gaps, the following ten-point implementation checklist provides a structured path to compliance. This checklist addresses the core whistleblowing channel requirements Spain companies must satisfy under Law 2/2023.

1. Board or senior management resolution. Formally approve the establishment (or remediation) of the internal reporting system and designate the responsable del sistema.
2. Draft the internal reporting policy. Define the scope of reportable breaches, eligible reporters, confidentiality protocols, investigation procedures, and retaliation protections.
3. Select the reporting platform. Choose a technology solution that supports written and oral reporting, maintains audit trails, and complies with data-protection requirements. Options include in-house software, third-party SaaS platforms, or outsourced managed services.
4. Conduct a Data Protection Impact Assessment (DPIA). Assess risks to data subjects and implement privacy-by-design safeguards. Consult with the DPO where appointed.
5. Establish investigation Standard Operating Procedures (SOPs). Define how reports are triaged, investigated, escalated, and closed within the three-month (extendable to six-month) window.
6. Appoint and train the investigation team. Ensure investigators have the skills, independence, and authority to conduct impartial inquiries.
7. Communicate the system to all stakeholders. Provide clear information to employees, contractors, suppliers, and other eligible reporters about how to access the channel and what protections apply.
8. Deliver compliance training. Train managers, HR personnel, and the broader workforce on the law’s requirements, reporting procedures, and non-retaliation obligations.
9. Define record-retention protocols. Establish retention periods for reported data (generally limited to the time necessary for the investigation plus any subsequent legal proceedings) and secure destruction procedures.
10. Set KPIs and schedule periodic audits. Monitor channel usage, response times, investigation outcomes, and reporter satisfaction. Report annually to the governing body.

For organisations starting from scratch, a realistic implementation timeline is approximately three to four months, covering governance approvals (weeks 1–2), platform procurement and DPIA (weeks 3–6), policy drafting and SOP development (weeks 4–8), training roll-out (weeks 8–10), and go-live with monitoring (weeks 10–12).

Template Policy Elements

An effective internal reporting policy under Law 2/2023 should include, at minimum, the following clauses:

• Purpose and legal basis (Law 2/2023, EU Directive 2019/1937).
• Scope of reportable matters (regulatory breaches, criminal offences, serious or very serious administrative infractions).
• Who may report (employees, former employees, contractors, shareholders, board members, job applicants, and others with a professional connection).
• Reporting channels available (written, oral, in-person) and how to access them.
• Confidentiality and anonymity provisions.
• Investigation process, timelines, and rights of the reported person.
• Non-retaliation protections and remedies.
• Data-protection framework, retention, and access restrictions.
• Role and contact details of the responsable del sistema.
• External reporting options (AAI and competent sectoral authorities).

Enforcement, AAI Whistleblower Authority Spain Oversight (2025–2026), and Penalties

Law 2/2023 created the Autoridad Independiente de Protección del Informante, A.A.I. (the AAI), as Spain’s dedicated external reporting and supervisory authority. The AAI serves as both the external channel for whistleblower reports and the enforcement body for compliance with the law’s organisational obligations. The authority reached key operational milestones in 2025, and the likely practical effect for 2026 is a significant increase in supervision and sanctioning activity.

The penalty framework under Law 2/2023 is structured into three tiers:

• Minor infractions, failure to comply with procedural requirements (e.g., incomplete record-keeping). Fines for legal persons of up to €100,000.
• Serious infractions, failure to establish an internal reporting system, or operating one that materially fails to meet statutory requirements. Fines for legal persons of up to €600,000.
• Very serious infractions, obstruction of reporting, retaliation against whistleblowers, or breach of confidentiality obligations. Fines for legal persons of up to €1,000,000.

In addition to financial penalties, very serious infractions may result in a public reprimand and a prohibition on obtaining public subsidies for up to four years. For individual executives or compliance officers found responsible, personal fines of up to €300,000 may apply for very serious infractions.

Typical Inspection Triggers and Regulator Priorities

Industry observers expect the AAI to prioritise inspections triggered by: direct complaints from reporters whose submissions were ignored or mishandled; referrals from labour inspectors, the AEPD, or sectoral regulators; and random compliance audits of obligated entities. Companies that can demonstrate good-faith remediation efforts, even if the original deadline was missed, are widely expected to face lower sanctions than those that have taken no steps at all.

Practical Scenarios: SME Decisions, Group-Company Examples, and Outsourcing vs In-House

To illustrate how the whistleblowing channel requirements Spain imposes under Law 2/2023 play out in practice, consider three common scenarios:

Scenario A, Single company, 75 employees. A mid-sized Spanish services company with 75 employees on permanent and fixed-term contracts. The company appoints its existing Head of Legal as responsable del sistema, selects a cloud-based reporting platform with built-in case management, and drafts a bilingual (Spanish/English) policy. Total implementation cost is moderate, and the channel goes live within ten weeks.

Scenario B, Multi-subsidiary group, 180 employees across three entities. A holding company has three Spanish subsidiaries, each with roughly 60 employees. Individually, none exceeds 249; collectively, the group crosses the threshold. Two subsidiaries exceed 50 employees and are individually obligated. The group establishes a shared reporting platform at parent level, but each subsidiary formally adopts the policy, appoints a local contact person, and maintains entity-level confidentiality procedures. The responsable del sistema sits at group level and reports to each subsidiary’s board.

Scenario C, 60-employee company with limited internal capacity. A small manufacturing firm with 60 employees has no in-house legal or compliance function. The firm outsources the entire channel to a specialist third-party provider under a managed service agreement. The SLA specifies: 24-hour report acknowledgement, investigation support, monthly compliance reporting, and annual audit. The outsourced model costs between €3,000 and €8,000 per year depending on complexity, a fraction of the potential fine for non-compliance.

Penalties for Not Implementing Whistleblowing Channel Spain: Risk Mapping

The risk of non-compliance is not merely theoretical. Companies operating without a channel, or with one that fails to meet statutory standards, face escalating exposure as AAI oversight matures. The following risk map helps compliance teams prioritise remediation:

Beyond financial penalties, the reputational damage of being publicly sanctioned, particularly in sectors reliant on public procurement or regulated market access, can be far more costly. Companies that demonstrate proactive remediation, documented training, and genuine engagement with oversight authorities are best positioned to mitigate both financial and reputational risk.

Conclusion: Immediate Next Steps for Compliance

The question of what is the deadline for companies with 50 to 249 employees to implement whistleblowing channels in Spain has a clear statutory answer: 1 December 2023, under Law 2/2023. That deadline has passed. The practical question now is how quickly non-compliant organisations can close the gap before the AAI’s enforcement activity accelerates further in 2026. Compliance teams should conduct an immediate gap assessment, initiate or complete the ten-point implementation checklist outlined above, and engage qualified legal counsel in Spain for review and ongoing advisory support. Timely action remains the most effective defence against both regulatory penalties and the reputational consequences of non-compliance.

Sources

1. Boletín Oficial del Estado (BOE), Ley 2/2023, de 20 de febrero
2. Cuatrecasas, Legal Flash on Law 2/2023
3. Clifford Chance, Spain Transposition of the Whistleblowing Directive
4. Garrigues, Whistleblowing Channels in Spain: Key Aspects of the New Law
5. CMS, Expert Guide: Whistleblower Protection in Spain
6. Freshfields, EU Whistleblowing Directive Finally Implemented in Spain
7. European Commission, EU Rules on Whistleblowing (Directive 2019/1937)