Compliance is no longer the exclusive territory of large corporations. Since 2015, the reform of the Spanish Criminal Code introduced criminal liability for legal entities, and since then the regulatory ecosystem surrounding companies has not stopped growing. In 2026, a mid-sized SME must simultaneously manage obligations arising from at least six different regulatory frameworks: data protection, cybersecurity, anti-money laundering, equality, whistleblowing channels and, depending on the sector, specific sectoral regulations. Ignoring any of them is not an option: administrative fines can exceed hundreds of thousands of euros and, in some cases, reach criminal liability for the company's directors.
This checklist is not intended to replace personalised legal analysis — every company has its own risk profile — but to give you a situational map with which to identify which blocks are mandatory for your company, which apply according to your size or sector, and which it is worth anticipating even if they are not yet enforceable. At the end you will find a summary table with application thresholds and deadlines.
Block 1: Criminal compliance (crime prevention programme)
Article 31 bis of the Criminal Code (Organic Law 1/2015, of 30 March) establishes that legal entities are criminally liable for offences committed on their behalf or for their account by their legal representatives, directors or employees. Exemption from or mitigation of that liability requires having adopted and effectively implemented, before the commission of the offence, an organisation and management model that includes surveillance and control measures.
Circular 1/2016 of the General Prosecutor's Office sets out what that model must contain to be considered suitable by a court. The minimum elements are:
- Identification of criminal risk activities (criminal risk map).
- Specific prevention protocols and procedures.
- Sufficient financial resources to implement the model.
- Obligations to report possible risks and non-compliance to the supervisory body.
- A disciplinary system that sanctions non-compliance with the measures.
- Periodic verification and updating of the model.
There is no legal threshold of headcount or turnover that exempts a company from criminal liability. However, article 31 bis.3 of the Criminal Code provides for a simplified regime for small legal entities, in which supervisory functions may fall directly on the governing body. In practice, our team recommends a structured criminal compliance programme for any company with 10 or more employees or operating in high-risk sectors (construction, transport, food, financial services).
Block 2: Data protection (GDPR + LOPDGDD)
Regulation (EU) 2016/679 (GDPR) has been directly applicable throughout the European Union since 25 May 2018. In Spain, Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD) adapts and supplements the European regulation.
The basic obligations that apply to any company that processes data of natural persons are:
- Records of processing activities (RoPA): mandatory for all controllers and processors (art. 30 GDPR). Partial exemption for companies with fewer than 250 employees that do not habitually process special categories or criminal conviction data, but in practice almost all SMEs exceed at least one of those thresholds.
- Legal basis for each processing activity: consent, contract, legal obligation, legitimate interest or other bases under art. 6 GDPR. Documenting them is mandatory.
- Information clauses in forms, contracts and privacy policies.
- Data processing agreements (art. 28 GDPR): with every supplier that accesses personal data (accounting firm, cloud provider, CRM, email marketing, etc.).
- Breach notification procedure to the AEPD within 72 hours (art. 33 GDPR).
- Data Protection Officer (DPO) mandatory in certain cases (art. 37 GDPR and art. 34 LOPDGDD): public authorities, large-scale processing of special categories, or systematic large-scale monitoring.
The AEPD published in 2024 an updated risk analysis guide specifically aimed at SMEs. Fines can reach 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
Block 3: Whistleblowing channel (Law 2/2023)
Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and combating corruption (transposition of EU Directive 2019/1937, known as the Whistleblowing Directive), establishes the obligation to have an internal reporting channel.
The application thresholds are:
- Mandatory from the date of entry into force (13 June 2023) for companies with 250 or more workers.
- Mandatory from 1 December 2023 for companies with 50 to 249 workers.
- Voluntary but recommended for companies with fewer than 50 workers, unless they operate in the financial sector, in which case the obligation may arise from sectoral legislation (e.g., the DORA Directive for financial entities).
The channel must guarantee confidentiality, acknowledgement of receipt within 7 days, a response within 3 months and independence of the system manager. The Independent Authority for the Protection of Whistleblowers (A-I) supervises compliance. Penalties for non-compliance range from 1,001 to 1,000,000 euros under article 64 of the law.
Block 4: Cybersecurity (NIS2 / RD 43/2021)
Directive (EU) 2022/2555, known as NIS2, significantly expands the scope of the previous NIS Directive. In Spain, transposition is under way via a bill that, at the date of this article (April 2026), is still in parliamentary proceedings, although the reference framework of Royal Decree 43/2021 remains in force for operators of essential services and digital service providers.
NIS2 introduces two categories of obligated entities:
- Essential entities: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, public administration and space. Above 250 employees or 50 million euros in annual turnover.
- Important entities: postal services, waste management, manufacture of critical products, chemicals, food, general manufacturing, digital providers and research service providers. Between 50 and 250 employees or between 10 and 50 million euros.
Obligations include information systems security policies, incident management, business continuity, supply chain security and use of cryptography. Fines for essential entities can reach 2% of total worldwide annual turnover or 10 million euros.
Block 5: Anti-money laundering (AML/CFT)
Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing (successively amended, most recently by Law 4/2022) and its Regulation (RD 304/2014) establish a due diligence regime for so-called obliged entities. It does not affect all companies, but exclusively certain activities:
- Financial entities (banks, insurers, fund managers).
- Notaries, registrars, lawyers and auditors involved in certain transactions.
- Property developers and estate agents.
- Jewellers, auction houses and art galleries (from 10,000 euros in cash).
- Currency exchange offices and money transfer companies.
- Gambling operators.
- Virtual asset managers (cryptocurrencies): enhanced obligation since the transposition of the 5th AMLD.
If your company is an obliged entity, you must have: an AML manual, a designated compliance officer, a customer acceptance policy, due diligence procedures (basic, simplified and enhanced), ongoing staff training and reporting of suspicious transactions to SEPBLAC.
Block 6: Equality and pay register (employment obligations)
Royal Decree 902/2020, of 13 October, on pay equality between women and men, requires all companies (with no minimum headcount threshold) to maintain a pay register covering their entire workforce, broken down by sex and professional category, with reference to the gender pay gap.
Additionally, Royal Decree 901/2020 regulates equality plans. The obligation to negotiate and register an equality plan applies to:
- Companies with 50 or more workers (threshold in force since 7 March 2022).
- Companies of any size when so required by the applicable collective agreement.
- Companies penalised for sex discrimination, when the labour authority imposes it.
The plan must be registered in the Equality Plans Register (REGCON) of the MITES. Non-compliance can result in fines of up to 225,018 euros for a very serious infringement under the LISOS (RDL 5/2000).
Block 7: ESG and sustainability (CSRD and the supply chain)
Directive (EU) 2022/2464, known as the CSRD (Corporate Sustainability Reporting Directive), requires sustainability reports to be published under ESRS standards. The direct application dates are:
- Financial year 2024: large companies already subject to the NFRD (more than 500 employees).
- Financial year 2025: new large companies (more than 250 employees or 25 million in assets or 50 million in turnover).
- Financial year 2026: listed SMEs (with a simplified VSME standard).
However, SMEs that do not list and fall outside the direct scope of the CSRD are affected indirectly through the supply chain: their large customers will send them ESG questionnaires as a supplier approval condition. Getting ahead of this with a voluntary sustainability statement based on the VSME standard (published by EFRAG in December 2024) is a real competitive advantage in tenders and supplier competitions.
Block 8: AI Act (gradual application 2024–2026)
Regulation (EU) 2024/1689, known as the AI Act, entered into force on 1 August 2024 with a phased application calendar:
- 2 February 2025: prohibition of unacceptable AI practices (subliminal manipulation, social scoring by the public sector, etc.).
- 2 August 2025: application of governance obligations and general-purpose AI (GPAI) model requirements.
- 2 August 2026: full application for high-risk AI systems (Annex III).
For most SMEs, the immediate obligation is to classify the AI systems they use or deploy according to Annex III of the regulation and verify whether they are high-risk. If an SME uses AI tools for decision-making about human resources (recruitment, performance evaluation), credit scoring, access to essential services or components of critical infrastructure, it is likely dealing with a high-risk system with obligations around transparency, technical documentation, registration and human oversight.
Summary table: compliance thresholds and deadlines 2026
| Regulatory block | Main legislation | Application threshold | Maximum penalty | Status in 2026 |
|---|---|---|---|---|
| Criminal compliance | Criminal Code art. 31 bis (LO 1/2015) | All legal entities | Dissolution / fine up to five times the benefit obtained | In force |
| GDPR / LOPDGDD | Regulation (EU) 2016/679 + LO 3/2018 | Any company processing personal data | €20 M or 4% of global annual turnover | In force |
| Whistleblowing channel | Law 2/2023 | ≥ 50 workers (since Dec. 2023) | Up to €1,000,000 | In force |
| NIS2 / Cybersecurity | Directive (EU) 2022/2555 | Essential/important sectors ≥ 50 employees | Essential: €10 M or 2% global turnover; important: €7 M or 1.4% | Transposition in progress (ES) |
| AML/CFT | Law 10/2010 + RD 304/2014 | Obliged entities by sector only | Up to twice the benefit obtained | In force |
| Equality / Plan | RD 901/2020 + RD 902/2020 | Pay register: all companies; Plan: ≥ 50 | Up to €225,018 (LISOS) | In force |
| CSRD / ESG | Directive (EU) 2022/2464 | Direct: ≥ 250 emp.; SMEs: supply chain pressure | Varies by Member State | Phased 2024–2026 |
| AI Act | Regulation (EU) 2024/1689 | Any company using/deploying AI | €35 M or 7% of global annual turnover | Phased 2025–2026 |
How to build your compliance map in four steps
Step 1: Inventory of activities and assets
Before determining which regulations apply, you need to know what your company does, what data it works with, what technology it uses and in which sectors it operates. An inventory of business processes, data processing activities and information systems is the starting point for any serious compliance diagnosis. Without this inventory, the gap analysis will be superficial.
Step 2: Gap analysis by block
For each of the eight blocks above, assess whether the regulation applies to your company (size, sector or activity criteria), what controls you currently have in place and what distance exists between your actual situation and the regulatory requirements. The result is a gap matrix prioritised by risk level and urgency.
Step 3: Remediation plan with owner and deadline
Each identified gap must be translated into a concrete action, with a designated internal owner and a deadline. In practice, companies that fail at compliance do not do so because they are unaware of the regulation, but because of a lack of clear responsibility assignment and monitoring mechanisms.
Step 4: Continuous monitoring system
Compliance is not a project with an end date: it is a permanent management system. Regulations change, businesses evolve and risks transform. An annual review of the compliance map, combined with monitoring of regulatory developments (BOE, EUR-Lex, AEPD circulars, INCIBE, SEPBLAC), is the minimum required to keep the system current.
Frequently asked questions
Do I need a criminal compliance programme if I am a small company?
Criminal liability of legal entities has no minimum headcount or turnover threshold. What the Criminal Code does provide (art. 31 bis.3) is a simplified regime for small entities, in which the governing body can directly assume supervisory functions. This does not mean nothing needs to be implemented: it means the model can be lighter, but it must exist. A company with 15 employees operating in logistics or construction has a real criminal risk profile (workplace accidents, bribery, tax fraud) and the absence of a documented model prevents it from demonstrating exemption or mitigation before a court.
What happens if my company has fewer than 50 workers and no whistleblowing channel?
For companies with fewer than 50 employees, Law 2/2023 does not impose the obligation to have their own internal channel, although they may join a shared one (for example, through a trade association). However, if the collective agreement applicable to your sector requires it, or if your company belongs to the financial sector or receives EU funds, an obligation may arise from those sources. In any case, having a channel — even if not mandatory — significantly reduces the risk of a report going directly to the authority without passing through an internal filter.
How do I know whether my company is affected by NIS2?
The first filter is the sector: NIS2 affects highly critical sectors (energy, transport, banking, healthcare, digital infrastructure, public administration) and important sectors (manufacturing, food, postal services, digital providers). The second filter is size: generally, more than 50 employees or more than 10 million euros in turnover. If your company exceeds both filters in any of those sectors, it is likely an important or essential entity. The Spanish transposition (pending at the date of this article) may introduce additional nuances. The most prudent course is to carry out a situational diagnosis before the law enters into force.
Does the AI Act affect me even if I only use third-party AI tools?
Yes. The AI Act distinguishes between providers (those who develop AI systems), deployers (those who use them in a professional context) and importers. If your company uses a third-party AI tool to make decisions affecting people (employees, customers, candidates), you are acting as a deployer and have your own obligations: verifying that the system meets the regulation's requirements, maintaining usage records, ensuring human oversight and, in some cases, carrying out a fundamental rights impact assessment. It is not sufficient to rely on the provider.
If you want to assess your starting position or structure a comprehensive compliance programme for your company, the Summum Consultoría team has been supporting SMEs and mid-sized companies in implementing regulatory compliance systems in Castile and León and the Canary Islands since 2007. The starting point is always the same: knowing exactly where you are before deciding what to do.