Whistleblower law in Spain #
Spain implemented Directive (EU) 2019/1937 through Ley 2/2023, de 20 de febrero. The Spanish framework combines the standard 50-worker private-sector trigger with a broad public-sector obligation and a meaningful regional-authority layer.
Applicable law #
Who must establish an internal channel #
- Private-sector entities with 50 or more workers must maintain an internal information system (Sistema interno de información).
- All public-sector entities.
- Financial / AML, environmental, and transport-safety entities — regardless of headcount.
Phased deadlines: 13 June 2023 for 250+ employees, 1 December 2023 for 50-249. Municipalities below 10,000 inhabitants may share means; 50-249 entities may share resources.
Penalties and enforcement #
Spain has the harshest no-channel penalty in the EU. Failing to have an internal information system is a muy grave (very serious) infraction under Art. 63.1.g — verbatim, “Incumplimiento de la obligación de disponer de un Sistema interno de información en los términos exigidos en esta ley.”
| Infraction tier (Art. 65) | Legal persons | Natural persons |
|---|---|---|
| Leve | up to €100,000 | €1,001–10,000 |
| Grave | €100,001–600,000 | €10,001–30,000 |
| Muy grave (incl. no internal system, retaliation, breach of confidentiality, obstruction) | €600,001–1,000,000 | €30,001–300,000 |
For muy grave infractions the authority may add (Art. 65.2): public reprimand, a ban on subsidies / tax benefits for up to 4 years, and a ban on public-sector contracting for up to 3 years.
An honest assessment of enforcement. Two things make Spain different from the rest of the region. First, the headline is real: up to €1,000,000 for simply not having a compliant system. Second, enforcement is actually switching on: the national authority (AIPI) only began operating on 1 September 2025 and activated channel supervision around February 2026, and in December 2025 it made its first public move — referring a channel-mismanagement matter (the PSOE/Salazar case) to its Monitoring & Sanctions Department. That is a referral, not yet a completed fine — no company has been fined to date — but Spain is the clearest “enforcement is arriving” signal of any market we track.
External reporting authority #
The national external channel is run by the Autoridad Independiente de Protección del Informante . Autonomous community authorities may handle regional and local matters within their territory unless a convention assigns them to the national authority.
Data protection authority #
For GDPR complaints and privacy guidance, the competent authority is the Agencia Española de Protección de Datos (AEPD) .
Key compliance points #
- Spain’s public-sector obligation is broader than the simple private-sector 50-worker rule.
- The national external system expressly supports written and verbal submissions.
- The regional-authority layer matters in practice, especially for local or single-region cases.
Official sources #
- Ley 2/2023 — official BOE text
- AIPI — external information channel
- AIPI — who we are
- AIPI — sanctioning procedure
- Oficina Antifrau de Catalunya — whistleblower authority
- AEPD
Deploy your reporting channel →
Last updated: