Whistleblower law in Spain
Spain implemented Directive (EU) 2019/1937 through Ley 2/2023, de 20 de febrero. The Spanish framework combines the standard 50-worker private-sector trigger with a broad public-sector obligation and a meaningful regional-authority layer.
Applicable law
Who must establish an internal channel
Private-sector entities with 50 or more workers must maintain an internal information system. All public-sector entities are in scope. Municipalities below 10,000 inhabitants may share means, and private entities with 50-249 workers may share resources for the system.
External reporting authority
The national external channel is run by the Autoridad Independiente de Protección del Informante. Autonomous community authorities may handle regional and local matters within their territory unless a convention assigns them to the national authority.
Data protection authority
For GDPR complaints and privacy guidance, the competent authority is the Agencia Española de Protección de Datos (AEPD).
Key compliance points
- Spain’s public-sector obligation is broader than the simple private-sector 50-worker rule.
- The national external system expressly supports written and verbal submissions.
- The regional-authority layer matters in practice, especially for local or single-region cases.
Official sources