Spain's AIPI publishes Recommendation 1/2026 on the Internal Reporting System
Published on 24th March 2026
Recommendation sets out how companies and complex corporate structures can design, manage and oversee internal reporting
Since the Spanish Independent Whistleblower Protection Authority (AIPI) came into operation in September 2025, numerous questions of interpretation have arisen regarding the design and implementation of the Internal Reporting System (SII), which is regulated by Law 2/2023 of 20 February, on the protection of persons reporting regulatory infringements and the fight against corruption.
The AIPI has published three non-binding technical recommendations to address these concerns and establish clear and consistent criteria. Among these is Recommendation 1/2026, designed as a technical compliance manual for the design and implementation of an SII, the content of which is analysed below.
Practical SII guidelines
Recommendation 1/2026 provides a cross-cutting interpretative guide on the design and implementation of the SII, covering everything from the subjective scope of the obligation to the requirements of the reporting channel, the management procedure and its application within groups of companies.
Who must comply?
The obligation to have an SII applies to any natural or legal person in the private sector with an organised presence or establishment in Spain and with 50 or more employees.
To determine whether the threshold of 50 employees is reached, the recommendation uses the indicative criteria of Royal Decree 901/2020 on equality plans as a reference. In practice, this means that the entire workforce in Spain must be counted, regardless of the workplace to which they are assigned or their contractual status.
Technical and organisational requirements
- Technological support. The AIPI places at the heart of the system a secure, end-to-end encrypted digital platform that guarantees the confidentiality (and, where applicable, the anonymity) of both the individuals involved and the content of communications.
- Communication channels. The SII must be multi-channel, allowing reports to be made: in writing (secure online form, dedicated email or post), and verbally (telephone, voicemail system and face-to-face meeting at the whistleblower’s request within a maximum of seven days). Oral communications must be recorded in full, either via secure recording or a complete transcript, giving the whistleblower the option to review the content, request changes and validate it with their signature, in accordance with Article 7.2 of Law 2/2023.
- “Single point of contact”. All internal channels capable of receiving reports covered by Law 2/2023 (ethics, harassment, compliance, etc.) must be channelled through the reporting system officer (RSIO), who assumes a central role in oversight and monitoring.
- Handling deadlines. The three-month period for resolution (extendable in exceptional cases to six months) is interpreted as a maximum deadline, although it is desirable to close cases in less time where the nature of the case makes this reasonable.
- RSIO model. The possibility of appointing a collegiate body as head of the SII (up to five members, with at least one internal) is highlighted as a means of strengthening independence, minimising conflicts of interest and generating greater confidence in the system.
Groups of companies
With regard to corporate groups, Recommendation 1/2026 emphasises that the obligation to have an SII is strictly individual: each company must assess whether it meets the requirements of Article 10 of Law 2/2023 and, where applicable, approve its own SII and formally appoint its RSIO.
The parent company may establish a general policy on the SII and whistleblower protection, whilst always respecting the autonomy of each company and the need to adapt the system to its specific circumstances.
The recommendation does, however, allow for the group to have a single operational SII covering several entities or for the same person or body to act as the RSIO in different companies, provided each company adopts an express agreement of adherence or designation and its autonomy, independence and capacity for adaptation are preserved. Under no circumstances does the existence of a common system or responsible person make the group a single obliged entity, nor does it alter the individual nature of the obligations under Law 2/2023.
Where the parent company is domiciled outside Spain, this does not prevent the use of a single group SII. Spanish regulations do not require a system “specific” to Spain, but they do require that the common system, insofar as it relates to the Spanish entity, fully complies with the substantive, procedural and organisational conditions set out in Law 2/2023. Where it does not, the global system must be adapted or a separate SII implemented in accordance with national regulations.
Osborne Clarke comment
Recommendation 1/2026 represents a significant step forward. It provides technical certainty, standardises interpretative criteria and offers organisations a clear roadmap for designing, implementing and managing a reliable SII aligned with a culture of integrity.
Although non-binding, it is emerging as the practical supervisory standard that the AIPI will apply to assess compliance with Law 2/2023 and, where appropriate, decide whether to initiate disciplinary proceedings. It is therefore essential that organisations review the configuration of their internal policies in order to bring them into line with the standards set out in this recommendation.