Regulatory and compliance

Whistleblower protection law approved by Spain's Congress

Published on 23rd Feb 2023

Legislation to protect those reporting legal breaches to combat corruption transposes the EU's Whistleblowing Directive 

The Spanish legislation has a long tradition of contemplating and regulating the creation of reporting channels through which a private entity can be informed, even anonymously, of the commission of acts or conduct that may be contrary to general or sectoral regulations.

However, the obligation to set up such reporting systems has not, until now, been accompanied by a centralised and comprehensive regulation addressing whistleblower protection and establishing minimum standards for reporting channels.

Finally, despite a year's delay, Spain has approved the final text of the law, the main objective of which is to protect persons who, in an employment or professional context, detect serious or very serious criminal or administrative offences and report them through the mechanisms regulated therein.

The new Law 2/2023 on the protection of persons who report breaches of law and on combating corruption was published in the Official State Journal on 21 February, 2023 and enters into force on the 13 March. With the approval of this law, Directive (EU) 2019/1937 of 23 October 2019, known as the Whistleblowing Directive, is transposed into Spanish law.

Scope of application

In addition to protecting those who report breaches of EU law under the directive, the law also covers serious and very serious criminal and administrative offences under Spanish law, so that both internal and external channels can concentrate their investigative activity on those breaches that are considered to have the greatest impact on society as a whole.

In addition, and in relation to the subjective scope; that is, the persons who are protected against possible retaliation, the law extends this protection to volunteers, trainees, trainees and persons participating in selection processes, as well as persons assisting whistleblowers or persons in their entourage who may suffer retaliation.

Internal reporting channels

In the private sector and as foreseen by the directive, there's an obligation to implement internal reporting channels for all companies with more than 50 employees; and regardless of the number of employees: certain legal persons in the financial sector or with obligations relating to the prevention of money laundering or terrorist financing, transport and environmental security; and all political parties, trade unions, business organisations, as well as foundations dependent on them, provided that they receive public funds for their financing.

Being aware of the cost that this new obligation may cause for companies, the law allows companies in the private sector that have between 50 and 249 workers to share the internal reporting channels, as well as the resources for the reception of complaints and all information that may be carried out.

In addition, groups of companies may have a common information system for the whole group and may appoint a single person to be responsible for this system.

In the public sector, the law has extended the obligation to have internal information channels to its full extent. Accordingly, public administrations, whether territorial or institutional, independent authorities or other bodies managing social security services, universities, companies and foundations belonging to the public sector, as well as public law corporations, must set up such system.

Management of Information Systems

Internal information systems must meet certain requirements, such as (among others) accessibility, confidentiality safeguards (it is advisable to provide for whistleblower anonymity), good whistleblower monitoring, investigation and protection practices.

The law establishes the need to have a policy or strategy that sets out the general principles of the internal information and whistleblower protection systems and that is duly publicised within the entity.

The person in charge of the internal system, who is appointed by the management or governing body, shall be independent and autonomous. In legal entities where there is already a person responsible for the compliance function, this person may be appointed as the person responsible for the information system.

Retaliation and protection 

The law prohibits and declares null and void any conduct that can be qualified as retaliation taken within two years of the completion of investigations. The law sets out, without limitation, a number of intolerable conducts towards whistleblowers that are considered retaliatory, such as: termination of contracts, intimidation, unfavourable treatment, reputational damage or cancellation of a permit.

Protective measures are not only directed in favour of whistleblowers, but also in favour of those persons to whom the facts related in the communication refer.

Finally, the advantages and effectiveness that leniency programmes have demonstrated in certain sectoral areas have led to the inclusion in this law of a specific regulation of these programmes, which establishes that the informant may be exonerated or see the sanction mitigated if he or she has reported prior to the initiation of the investigation or sanctioning procedure.

External reporting channel 

The law recognises that one of the main factors discouraging potential whistleblowers is the lack of confidence in the effectiveness of communications and, to this end, it regulates the external reporting channel; that is, an external communication channel managed by the Independent Authority for the Protection of Whistleblowers and governed by the principles of independence and autonomy in the reception and processing of information on offences, to guarantee the completeness, integrity and confidentiality of the information, prevent access to it by unauthorised personnel and allow it to be stored for a long period of time.


In addition to prohibition of retaliation, the law also provides for a detailed system of penalties for actions or omissions that limits the rights and guarantees introduced in this law, especially those aimed at hindering, preventing, frustrating or slowing down the investigations or the gathering of information. Likewise, the communication or disclosure of breaches of the legal system in the knowledge that they are false will also be sanctioned.

This sanctioning procedure considers fines of up to €300,000 for natural persons and up to €1 million for legal persons.

Deadline for the establishment of information systems

Entities obliged to establish an internal information system must implement it within a maximum period of three months from the entry into force of the law.

As an exception, private sector entities with 249 or fewer employees and municipalities with less than 10,000 inhabitants will have until 1 December 2023.

Osborne Clarke comment

As the barometer of the Sociological Research Centre indicates, in Spain there is "a high level of perception of corruption and a high level of social concern about this phenomenon". On the other hand, there are few complaints. The new legislation aims to provide whistleblowers with a regulatory framework that guarantees adequate protection and confidentiality, creates a climate of trust between the whistleblower and the administration, and joins the anti-corruption measures that have been developed. The aim is for the whistleblower not to be considered a "informant" but a defender of legality.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?

3 Upcoming Events