Compliance Officer: functions, responsibilities and legal framework in Spain
The Chief Compliance Officer has become a key figure after Law 2/2023 and the AI Act. We analyse their functions, criminal liability, whistleblowing channel duties and best practices per COSO and UNE 19601.
What is a Chief Compliance Officer (CCO)?
The Chief Compliance Officer (CCO) is responsible for ensuring the organisation operates within the applicable legal and ethical framework. With the proliferation of regulations in recent years (GDPR, AI Act, Law 2/2023, DORA, NIS2), the CCO has moved from an ornamental figure to a strategic pillar of corporate governance.
Key legal framework
Law 2/2023: Whistleblowing
Law 2/2023 of 20 February on the protection of persons reporting regulatory infringements requires organisations with 50 or more workers to:
- Implement an accessible and confidential internal reporting channel.
- Designate a person responsible for the internal information system (a role the CCO or an equivalent position may hold).
- Establish a whistleblower protection policy preventing retaliation.
- Register the system with the Independent Informant Protection Authority (A.A.I.) where sector rules require it.
Non-compliance can result in fines of up to €1,000,000 for legal entities or €300,000 for responsible individuals.
Criminal liability of legal persons: Art. 31 bis CP
Article 31 bis of the Penal Code establishes the criminal liability of legal persons. To be exonerated, the company must demonstrate that it had an effective organisation and management model ("criminal compliance") in place, including supervision, reporting channels and a disciplinary system.
UNE 19601: Criminal Compliance Standard
UNE 19601:2017 provides requirements for criminal compliance management systems in Spain. Certification facilitates defence in criminal proceedings and can be obtained through ENAC-accredited auditors.
CCO functions
- Compliance risk mapping: Identify and prioritise regulatory risks (criminal, GDPR, labour, ESG).
- Policy design: Code of Ethics, Anti-Corruption Policy, Privacy Policy, Criminal Compliance Manual.
- Whistleblowing channel management: Receipt, investigation and resolution of internal reports.
- Training and culture: Periodic compliance training programmes for all staff.
- Regulatory monitoring: Track BOE, EUR-Lex, AEPD, CNMC developments.
- Board reporting: Periodic reports on compliance status and corrective actions.
CCO in AI companies: AI Act
Under Regulation (EU) 2024/1689 (AI Act), the CCO must inventory all AI systems, classify their risk level (Art. 6 + Annex III), and implement provider/operator obligations for high-risk AI.
Lexiel helps compliance teams analyse complex regulations, draft internal policies and monitor regulatory changes in real time, with citations from verified official sources.