Spain Whistleblowing Law 2/2023: mandatory reporting channel for companies
Law 2/2023 of 20 February transposes EU Directive 2019/1937 and requires companies with 50+ workers to set up an internal reporting channel by 1 December 2023. We cover requirements, timelines and penalties.
Regulatory framework: from Directive to Law 2/2023
EU Directive 2019/1937 on the protection of persons reporting breaches of Union law required transposition by 17 December 2021. Spain, belatedly, adopted Law 2/2023 of 20 February regulating the protection of persons reporting regulatory breaches (BOE No. 44, 21 February 2023).
Who does it apply to?
| Entity | Obligation | Deadline |
|---|---|---|
| Companies with ≥ 250 workers | Mandatory internal channel | From 13 June 2023 |
| Companies with 50-249 workers | Mandatory internal channel | From 1 December 2023 |
| Companies with < 50 workers | Not mandatory (voluntary) | N/A |
| Public sector (any size) | Mandatory internal channel | From 13 June 2023 |
| Parties, unions, foundations > €5M grant | Mandatory internal channel | From 13 June 2023 |
Additionally, all law firms structured as commercial companies may be subject to the obligation, depending on headcount.
Internal channel requirements (Arts. 5 et seq.)
- Independence: the channel must be managed by a "person or body responsible for the internal information system" with impartiality guarantees.
- Confidentiality: communications must be confidential. The responsible party may outsource to a third party (SaaS provider, external lawyer) provided confidentiality is guaranteed.
- Permitted channels: written (web form, physical mailbox), oral (telephone line, voicemail), in person.
- Acknowledgement: within 7 business days of receipt.
- Response deadline: 3 months from acknowledgement (extendable to 6 months for complex cases).
- Prohibition of retaliation (Art. 36): any retaliatory act is null and void by operation of law.
Whistleblower protection
The law protects those who in good faith report:
- Infringements of EU law.
- Infringements of national law related to public procurement, financial services, environment, food safety, data protection, or workers' rights.
Protection includes reversal of the burden of proof in retaliation cases, free legal aid, and anonymity (if the whistleblower expressly requests it and the technical system allows it).
Sanctions (Arts. 63-68)
| Infringement | Fine |
|---|---|
| Failure to set up mandatory channel | €1,001 to €300,000 |
| Retaliation against whistleblower | €10,001 to €300,000 |
| Revealing whistleblower identity | €1,001 to €300,000 |
| Bad-faith false reports | €1,001 to €300,000 |
The enforcement body is the Independent Authority for the Protection of Informants (A.A.I.), created by the law itself.
Implementation checklist
- [ ] Designate the person or body responsible for the internal information system.
- [ ] Choose channel(s): web form + telephone line as a minimum.
- [ ] Draft reporting management policy (procedure, timelines, retaliation).
- [ ] Register the channel in the A.A.I. internal information systems registry.
- [ ] Inform workers and third parties (suppliers, clients) of the channel's existence.
- [ ] Train the person responsible for the system in case management and data protection.
- [ ] Review employment contracts to include a clause on channel use.