Compliance checklist for SMEs: what obligations you have in 2026

·

Compliance is no longer the exclusive territory of large corporations. Since 2015, the reform of the Spanish Criminal Code introduced criminal liability for legal entities, and since then the regulatory ecosystem surrounding companies has not stopped growing. In 2026, a mid-sized SME must simultaneously manage obligations arising from at least six different regulatory frameworks: data protection, cybersecurity, anti-money laundering, equality, whistleblowing channels and, depending on the sector, specific sectoral regulations. Ignoring any of them is not an option: administrative fines can exceed hundreds of thousands of euros and, in some cases, reach criminal liability for the company's directors.

This checklist is not intended to replace personalised legal analysis — every company has its own risk profile — but to give you a situational map with which to identify which blocks are mandatory for your company, which apply according to your size or sector, and which it is worth anticipating even if they are not yet enforceable. At the end you will find a summary table with application thresholds and deadlines.

Block 1: Criminal compliance (crime prevention programme)

Article 31 bis of the Criminal Code (Organic Law 1/2015, of 30 March) establishes that legal entities are criminally liable for offences committed on their behalf or for their account by their legal representatives, directors or employees. Exemption from or mitigation of that liability requires having adopted and effectively implemented, before the commission of the offence, an organisation and management model that includes surveillance and control measures.

Circular 1/2016 of the General Prosecutor's Office sets out what that model must contain to be considered suitable by a court. The minimum elements are:

There is no legal threshold of headcount or turnover that exempts a company from criminal liability. However, article 31 bis.3 of the Criminal Code provides for a simplified regime for small legal entities, in which supervisory functions may fall directly on the governing body. In practice, our team recommends a structured criminal compliance programme for any company with 10 or more employees or operating in high-risk sectors (construction, transport, food, financial services).

Block 2: Data protection (GDPR + LOPDGDD)

Regulation (EU) 2016/679 (GDPR) has been directly applicable throughout the European Union since 25 May 2018. In Spain, Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD) adapts and supplements the European regulation.

The basic obligations that apply to any company that processes data of natural persons are:

The AEPD published in 2024 an updated risk analysis guide specifically aimed at SMEs. Fines can reach 20 million euros or 4% of total worldwide annual turnover, whichever is higher.

Block 3: Whistleblowing channel (Law 2/2023)

Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and combating corruption (transposition of EU Directive 2019/1937, known as the Whistleblowing Directive), establishes the obligation to have an internal reporting channel.

The application thresholds are:

The channel must guarantee confidentiality, acknowledgement of receipt within 7 days, a response within 3 months and independence of the system manager. The Independent Authority for the Protection of Whistleblowers (A-I) supervises compliance. Penalties for non-compliance range from 1,001 to 1,000,000 euros under article 64 of the law.

Block 4: Cybersecurity (NIS2 / RD 43/2021)

Directive (EU) 2022/2555, known as NIS2, significantly expands the scope of the previous NIS Directive. In Spain, transposition is under way via a bill that, at the date of this article (April 2026), is still in parliamentary proceedings, although the reference framework of Royal Decree 43/2021 remains in force for operators of essential services and digital service providers.

NIS2 introduces two categories of obligated entities:

Obligations include information systems security policies, incident management, business continuity, supply chain security and use of cryptography. Fines for essential entities can reach 2% of total worldwide annual turnover or 10 million euros.

Block 5: Anti-money laundering (AML/CFT)

Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing (successively amended, most recently by Law 4/2022) and its Regulation (RD 304/2014) establish a due diligence regime for so-called obliged entities. It does not affect all companies, but exclusively certain activities:

If your company is an obliged entity, you must have: an AML manual, a designated compliance officer, a customer acceptance policy, due diligence procedures (basic, simplified and enhanced), ongoing staff training and reporting of suspicious transactions to SEPBLAC.

Block 6: Equality and pay register (employment obligations)

Royal Decree 902/2020, of 13 October, on pay equality between women and men, requires all companies (with no minimum headcount threshold) to maintain a pay register covering their entire workforce, broken down by sex and professional category, with reference to the gender pay gap.

Additionally, Royal Decree 901/2020 regulates equality plans. The obligation to negotiate and register an equality plan applies to:

The plan must be registered in the Equality Plans Register (REGCON) of the MITES. Non-compliance can result in fines of up to 225,018 euros for a very serious infringement under the LISOS (RDL 5/2000).

Block 7: ESG and sustainability (CSRD and the supply chain)

Directive (EU) 2022/2464, known as the CSRD (Corporate Sustainability Reporting Directive), requires sustainability reports to be published under ESRS standards. The direct application dates are:

However, SMEs that do not list and fall outside the direct scope of the CSRD are affected indirectly through the supply chain: their large customers will send them ESG questionnaires as a supplier approval condition. Getting ahead of this with a voluntary sustainability statement based on the VSME standard (published by EFRAG in December 2024) is a real competitive advantage in tenders and supplier competitions.

Block 8: AI Act (gradual application 2024–2026)

Regulation (EU) 2024/1689, known as the AI Act, entered into force on 1 August 2024 with a phased application calendar:

For most SMEs, the immediate obligation is to classify the AI systems they use or deploy according to Annex III of the regulation and verify whether they are high-risk. If an SME uses AI tools for decision-making about human resources (recruitment, performance evaluation), credit scoring, access to essential services or components of critical infrastructure, it is likely dealing with a high-risk system with obligations around transparency, technical documentation, registration and human oversight.

Summary table: compliance thresholds and deadlines 2026

Regulatory block Main legislation Application threshold Maximum penalty Status in 2026
Criminal compliance Criminal Code art. 31 bis (LO 1/2015) All legal entities Dissolution / fine up to five times the benefit obtained In force
GDPR / LOPDGDD Regulation (EU) 2016/679 + LO 3/2018 Any company processing personal data €20 M or 4% of global annual turnover In force
Whistleblowing channel Law 2/2023 ≥ 50 workers (since Dec. 2023) Up to €1,000,000 In force
NIS2 / Cybersecurity Directive (EU) 2022/2555 Essential/important sectors ≥ 50 employees Essential: €10 M or 2% global turnover; important: €7 M or 1.4% Transposition in progress (ES)
AML/CFT Law 10/2010 + RD 304/2014 Obliged entities by sector only Up to twice the benefit obtained In force
Equality / Plan RD 901/2020 + RD 902/2020 Pay register: all companies; Plan: ≥ 50 Up to €225,018 (LISOS) In force
CSRD / ESG Directive (EU) 2022/2464 Direct: ≥ 250 emp.; SMEs: supply chain pressure Varies by Member State Phased 2024–2026
AI Act Regulation (EU) 2024/1689 Any company using/deploying AI €35 M or 7% of global annual turnover Phased 2025–2026

How to build your compliance map in four steps

Step 1: Inventory of activities and assets

Before determining which regulations apply, you need to know what your company does, what data it works with, what technology it uses and in which sectors it operates. An inventory of business processes, data processing activities and information systems is the starting point for any serious compliance diagnosis. Without this inventory, the gap analysis will be superficial.

Step 2: Gap analysis by block

For each of the eight blocks above, assess whether the regulation applies to your company (size, sector or activity criteria), what controls you currently have in place and what distance exists between your actual situation and the regulatory requirements. The result is a gap matrix prioritised by risk level and urgency.

Step 3: Remediation plan with owner and deadline

Each identified gap must be translated into a concrete action, with a designated internal owner and a deadline. In practice, companies that fail at compliance do not do so because they are unaware of the regulation, but because of a lack of clear responsibility assignment and monitoring mechanisms.

Step 4: Continuous monitoring system

Compliance is not a project with an end date: it is a permanent management system. Regulations change, businesses evolve and risks transform. An annual review of the compliance map, combined with monitoring of regulatory developments (BOE, EUR-Lex, AEPD circulars, INCIBE, SEPBLAC), is the minimum required to keep the system current.

Frequently asked questions

Do I need a criminal compliance programme if I am a small company?

Criminal liability of legal entities has no minimum headcount or turnover threshold. What the Criminal Code does provide (art. 31 bis.3) is a simplified regime for small entities, in which the governing body can directly assume supervisory functions. This does not mean nothing needs to be implemented: it means the model can be lighter, but it must exist. A company with 15 employees operating in logistics or construction has a real criminal risk profile (workplace accidents, bribery, tax fraud) and the absence of a documented model prevents it from demonstrating exemption or mitigation before a court.

What happens if my company has fewer than 50 workers and no whistleblowing channel?

For companies with fewer than 50 employees, Law 2/2023 does not impose the obligation to have their own internal channel, although they may join a shared one (for example, through a trade association). However, if the collective agreement applicable to your sector requires it, or if your company belongs to the financial sector or receives EU funds, an obligation may arise from those sources. In any case, having a channel — even if not mandatory — significantly reduces the risk of a report going directly to the authority without passing through an internal filter.

How do I know whether my company is affected by NIS2?

The first filter is the sector: NIS2 affects highly critical sectors (energy, transport, banking, healthcare, digital infrastructure, public administration) and important sectors (manufacturing, food, postal services, digital providers). The second filter is size: generally, more than 50 employees or more than 10 million euros in turnover. If your company exceeds both filters in any of those sectors, it is likely an important or essential entity. The Spanish transposition (pending at the date of this article) may introduce additional nuances. The most prudent course is to carry out a situational diagnosis before the law enters into force.

Does the AI Act affect me even if I only use third-party AI tools?

Yes. The AI Act distinguishes between providers (those who develop AI systems), deployers (those who use them in a professional context) and importers. If your company uses a third-party AI tool to make decisions affecting people (employees, customers, candidates), you are acting as a deployer and have your own obligations: verifying that the system meets the regulation's requirements, maintaining usage records, ensuring human oversight and, in some cases, carrying out a fundamental rights impact assessment. It is not sufficient to rely on the provider.

If you want to assess your starting position or structure a comprehensive compliance programme for your company, the Summum Consultoría team has been supporting SMEs and mid-sized companies in implementing regulatory compliance systems in Castile and León and the Canary Islands since 2007. The starting point is always the same: knowing exactly where you are before deciding what to do.