Skip to main content Required by EU law for organizations with 50+ employees

Whistleblower law in Spain #

Spain implemented Directive (EU) 2019/1937 through Ley 2/2023, de 20 de febrero. The Spanish framework combines the standard 50-worker private-sector trigger with a broad public-sector obligation and a meaningful regional-authority layer.

Applicable law #

Who must establish an internal channel #

Phased deadlines: 13 June 2023 for 250+ employees, 1 December 2023 for 50-249. Municipalities below 10,000 inhabitants may share means; 50-249 entities may share resources.

Penalties and enforcement #

Spain has the harshest no-channel penalty in the EU. Failing to have an internal information system is a muy grave (very serious) infraction under Art. 63.1.g — verbatim, “Incumplimiento de la obligación de disponer de un Sistema interno de información en los términos exigidos en esta ley.”

Infraction tier (Art. 65)Legal personsNatural persons
Leveup to €100,000€1,001–10,000
Grave€100,001–600,000€10,001–30,000
Muy grave (incl. no internal system, retaliation, breach of confidentiality, obstruction)€600,001–1,000,000€30,001–300,000

For muy grave infractions the authority may add (Art. 65.2): public reprimand, a ban on subsidies / tax benefits for up to 4 years, and a ban on public-sector contracting for up to 3 years.

An honest assessment of enforcement. Two things make Spain different from the rest of the region. First, the headline is real: up to €1,000,000 for simply not having a compliant system. Second, enforcement is actually switching on: the national authority (AIPI) only began operating on 1 September 2025 and activated channel supervision around February 2026, and in December 2025 it made its first public move — referring a channel-mismanagement matter (the PSOE/Salazar case) to its Monitoring & Sanctions Department. That is a referral, not yet a completed fine — no company has been fined to date — but Spain is the clearest “enforcement is arriving” signal of any market we track.

External reporting authority #

The national external channel is run by the Autoridad Independiente de Protección del Informante . Autonomous community authorities may handle regional and local matters within their territory unless a convention assigns them to the national authority.

Data protection authority #

For GDPR complaints and privacy guidance, the competent authority is the Agencia Española de Protección de Datos (AEPD) .

Key compliance points #

Official sources #


Deploy your reporting channel →

Last updated: