Whistleblowing channel: is your company bound by Law 2/2023?

·

Since Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption entered into force in March 2023, thousands of Spanish companies have been asking themselves the same question: Am I required to implement a whistleblowing channel or not? The answer depends on several factors — workforce size, sector of activity and legal form — and has real economic consequences. In September 2025, the Independent Authority for the Protection of Whistleblowers (AIPI) was launched, the state body that supervises compliance and can impose fines of up to one million euros. This is no longer a theoretical obligation.

What is a whistleblowing channel and what does Law 2/2023 require?

A whistleblowing channel — referred to in the law as an Internal Information System (IIS) — is the formal mechanism through which employees, suppliers, contractors, interns and any person connected to the organisation can confidentially, and even anonymously, report irregular conduct: corruption, fraud, violations of European law, serious labour or environmental infringements, among others.

Law 2/2023 transposes Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law. The stated objective is twofold: to protect the whistleblower from retaliation and to establish a system that allows irregularities to be detected before they escalate.

Consult the official text at BOE-A-2023-4513.

Which companies are required? The 50-employee threshold

The general rule is clear: all private sector companies with 50 or more employees must have an Internal Information System. The headcount is calculated on the annual average, including part-time workers on a proportional basis.

The implementation deadlines have already passed:

In other words: if in 2026 you have 50 or more employees and still do not have an operative channel that complies with the law, you have been in breach for more than two years.

Regulated sectors: the exception that extends the obligation below 50 employees

Law 2/2023 includes a critical exception that many SMEs overlook: private sector entities with fewer than 50 employees that operate in any of the following sectors are equally required, regardless of their size:

If your company provides financial advisory services, manages funds, operates as an insurance broker or is subject to anti-money laundering regulations (Law 10/2010), the obligation exists even if you have 12 employees.

Summary table: who must have a whistleblowing channel?

Type of entity Workforce threshold Obligation Original expired deadline
Private company (general sector) 250 or more employees Yes, mandatory 13 June 2023
Private company (general sector) 50–249 employees Yes, mandatory 1 December 2023
Private company (general sector) Fewer than 50 employees Not mandatory (unless regulated sector)
Financial sector, AML/CTF, transport, environment Any size Yes, mandatory 13 June 2023
Political parties, trade unions, foundations with public funding ≥ €100,000 Any size Yes, mandatory 13 June 2023
Public administrations and public bodies All Yes, mandatory 13 June 2023

What requirements must the channel meet?

Having a generic email inbox is not enough. Law 2/2023 sets out specific technical and organisational conditions that the IIS must meet:

Confidentiality and anonymity

The system must guarantee the confidentiality of the whistleblower's identity throughout the entire process. It must also allow anonymous communications — that is, the channel cannot reject a report simply because the sender has not identified themselves. The system manager is prohibited from disclosing the identity without the whistleblower's express consent, unless a contrary legal obligation exists.

System manager

The company must formally appoint a person responsible for the Internal Information System. This may be an internal employee with sufficient autonomy, a collegiate body (compliance committee) or an external third party — a common option for organisations without an internal compliance structure. Since November 2025, the AIPI requires this appointment to be formally communicated.

Response deadlines

Expanded accessibility

The channel is not only for current employees. Former employees, candidates in selection processes, suppliers, subcontractors, self-employed persons linked to the organisation and any person who has had a labour or commercial relationship with it and became aware of the infringement in that context must also be able to use it.

Prohibition of retaliation

The law expressly prohibits any retaliatory measure against the whistleblower: dismissal, demotion, change of conditions, refusal to promote, psychological pressure, blacklisting, or any other detrimental measure. The burden of proof is reversed: if the whistleblower suffers harm within the two years following the report, the company must prove that the measure is unrelated to the report.

The AIPI: the body that can now impose sanctions

During the first two years that Law 2/2023 was in force, the lack of a supervisory authority with sanctioning capacity created a perception of low regulatory pressure. That changed on 1 September 2025, when the Independent Authority for the Protection of Whistleblowers (AIPI) formally began its activities. From that point, companies subject to the obligation that fail to comply are exposed to real sanctions.

The sanctioning regime of Law 2/2023 distinguishes three levels:

Type of infringement Examples Fine for legal persons
Very serious No channel in place; retaliation against the whistleblower; disclosure of identity Up to €1,000,000
Serious Channel with substantial technical deficiencies; failure to appoint a responsible person; failure to observe deadlines Up to €600,000
Minor Minor formal or procedural non-compliance Up to €100,000

In addition to financial penalties, very serious infringements can result in a ban from contracting with the public sector and exclusion from subsidies and grants for a specified period — ancillary sanctions that for many SMEs are more damaging than the fine itself.

How to implement a whistleblowing channel step by step

If your company is required to have one and still does not have a compliant IIS, the steps are as follows:

  1. Situation audit: review whether the company is actually required, what already exists (inboxes, informal procedures) and what gaps there are relative to the legal requirements.
  2. Model selection: internal proprietary channel, external technology platform or full outsourcing to a specialist third party. Each option has advantages depending on size and sector.
  3. Appointment of the responsible person: formal appointment and notification to the AIPI.
  4. Policy and procedure: drafting the whistleblowing policy (scope, reportable matters, investigation process, protection of the whistleblower) and integrating it into the compliance system.
  5. Internal communication: informing all staff — and the relevant value chain — of the existence of the channel and how to access it.
  6. Training: for the system manager and middle managers on the correct handling of reports and the prohibition of retaliation.
  7. Periodic review: the channel must be audited at least once a year to verify its operation and update the procedure if the regulations or the company's structure change.

At Summum Consultoria we support this entire process from the initial diagnosis through to the launch of the channel and the training of the responsible person. See our whistleblowing channel implementation service for the full scope.

Can a whistleblowing channel also be a competitive advantage?

Beyond regulatory compliance, organisations that implement a robust IIS gain tangible benefits in their internal management. Detecting irregularities early prevents them from escalating into reputational crises, litigation or regulatory investigations. Employees who know they have a secure channel place greater trust in management, which has a positive impact on the working environment and talent retention.

Furthermore, many public procurement processes and due diligence assessments in corporate transactions already include the whistleblowing channel as a criterion for verifying a company's level of compliance. Having one that is compliant and documented adds value in tender processes and in merger and acquisition negotiations.

For companies working in the supply chains of large corporations, the pressure is direct: corporate buyers increasingly require their suppliers to have functioning reporting mechanisms, in line with the requirements of ESG policies and due diligence regulations on human rights and the environment.

Relationship with other compliance obligations

The whistleblowing channel is not an island. Its implementation integrates naturally with other compliance obligations and standards that the company may already have or be considering:

Frequently asked questions

I have 45 employees and I am not a financial company. Am I required to have a whistleblowing channel?

As a general rule, no. Law 2/2023 sets the mandatory threshold at 50 employees for the non-regulated private sector. However, if you have 45 employees and expect to grow, or if any of your activities fall within the regulated sectors (financial services, anti-money laundering, transport or environment), a specific verification is advisable. In addition, implementing one voluntarily can add compliance value and protect you against potential criminal liability of the legal person.

Is publishing a generic email address on the intranet sufficient?

No. A generic email inbox does not technically guarantee the confidentiality required by law — the mail server administrator can access messages — nor does it effectively allow anonymous communications. The law requires a system that technically guarantees confidentiality and allows two-way communication with the whistleblower (to request clarifications or send acknowledgements) without revealing their identity. There are specific platforms, some of them very affordable, that meet these technical requirements.

What happens if a report turns out to be false?

The law protects the whistleblower who acts in good faith, even if the reported facts are ultimately unproven or incorrect. The protection does not, however, cover someone who knowingly makes false or malicious reports. In that case, the reporter may incur civil or criminal liability for false accusation or defamation, and the company can take legal action. The internal procedure must be designed to detect these situations and document them properly.

Can I outsource the whistleblowing channel to a third party?

Yes. Law 2/2023 expressly allows companies to entrust the management of the channel to an external third party — a law firm, a compliance consultancy or a specialist technology platform — provided that the same conditions of confidentiality, independence and response deadlines are guaranteed. Liability remains with the company, which must supervise that the third party operates in accordance with the law. This option is particularly suitable for companies with between 50 and 100 employees that do not have an established compliance department.