
Developments in compliance: current situation of whistleblowing channels and new crimes as a result of the European criminal reform

Spain
Beatriz Bustamante, counsel at Garrigues Dispute Resolution: Litigation and Arbitration Department

The culture of regulatory compliance is evolving, driven by new legal obligations and the consolidation of stricter control mechanisms. The new developments in internal information systems and the new criminal offences linked to EU restrictive measures require an update of compliance models.

The fact that companies cannot carry out their activity outside of provable ethical and compliance standards is a reality to which no organization is oblivious. However, in order for the culture of compliance, once implemented, to be consolidated, evolve and be sustainable over time, it is necessary to address the continuous developments that are emerging in the field of compliance, which determine the need to review and, where appropriate, adapt the different elements that make up corporate compliance systems.

Here are some recent developments to keep in mind:

Progress in regard to whistleblowing channels

The regulation of whistleblowing channels has intensified significantly since the entry into force of the so-called European Whistleblowing Directive, and, particularly in Spain, since its transposition into Spanish law through Law 2/2023 on whistleblower protection.

Since its publication, the law has been the subject of numerous articles and forums raising the interpretative questions that arise from the practical implementation of internal information systems (IIS), particularly within private-sector companies. These questions vary in scope and concern, for example, the composition of the body responsible for the IIS when a collegiate structure is chosen; the possibilities of outsourcing beyond the reception of communications; the interaction between the procedure for managing information received through the IIS and the internal protocols required by labor regulations; how to proceed in the case of multinational business groups; how to guarantee anonymity when communicating through digital channels; and the obligation to send the information received immediately to the Public Prosecutor's Office when it concerns facts that constitute a crime.

Some issues, such as the attribution of the status of personal-data controller to the management body of the entities, have already been the subject of consultation and response by the Spanish Data Protection Agency (Legal Report 0054/2023, of June 2023), although the wording of the law itself remains unchanged. To resolve the remaining questions, however, it will be necessary to wait until the Independent Whistleblower Protection Authority (AINPI) begins to exercise the advisory function that its Statute assigns to it, among other powers, through circulars and recommendations, as well as through the consultation, hearing, and public-information procedures provided for in that Statute.

At present the situation is as follows. On 1 September 2025, the AINPI officially became operational, in accordance with Order PJC/908/2025, of 8 August. The first duty that the launch of the state authority creates for obligated entities is to notify the appointment of the head of the IIS and, if the responsible body is collegiate, of its members. Reading Article 8.3 of Law 2/2023 together with point 4 of the Single Transitional Provision of the aforementioned Statute, the deadline for making such notification is two months, which, at the date of drafting of this article, would already have expired.

The initial confusion about where and how to comply with this notification obligation, which the first information notice published by the AINPI on September 1, 2025 did not clarify, has been definitively cleared up by the second information notice published by the state authority on October 8, 2025.

Thus, although the first notice alluded to the work being carried out to develop the website and electronic headquarters "with the aim of offering a functional platform that contemplates the appropriate security and confidentiality measures legally required", the truth is that it offered a series of email addresses for contacting the AINPI, distinguishing between those authorized for "general or informative matters" and those provided for specific matters, among which "matters related to the communication of the Head of the Information System" were expressly indicated.

A query addressed directly to the state authority (handled, incidentally, with great promptness), together with the state authority's second information notice, resolved the doubts by confirming that the "two-month period will begin to compute from the date on which the specific notification form of the person responsible for the internal information channel is accessible through the website of the Independent Authority for the Protection of Whistleblowers". The matter is therefore settled: the two-month period for notifying the AINPI of the person in charge of the IIS has not yet begun to run and, when the time comes, entities will have a specific form with which to make the notification.

In the meantime, the AINPI website is being enriched with information and content that allows contextualizing the functions of this new independent administrative authority and aims to serve as a guide, both for the subjects obliged to implement internal information systems, and for the potential users –whistleblowers– of those systems.

For its part, the obligation to notify the regional authorities already in operation is enforceable now (although in some cases only for public sector entities). Here, however, the uncertainties relate to the highly non-uniform criteria applied by the different Autonomous Communities, namely: those that determine the circumstances in which companies are required to notify (depending on the location of the registered office and/or the establishments, factories or offices, depending on where the activity is carried out, etc.), as well as those that specify the information or documentation required to carry out the notification (certificate of appointment, power of attorney, electronic certificate, identification data, etc.).

In any case, it should be noted that, regardless of whether notification to the relevant regional authority is required, the AINPI indicates that, at least during an initial period, all obligated entities should submit the information to the state authority.

Criminal law reform to sanction the violation of EU restrictive measures

In a different vein, on October 31, 2025, the Draft Organic Law amending the Spanish Criminal Code to introduce offences penalizing the violation of the European Union’s restrictive measures was published.

The reform transposes a European Directive issued in a context in which the events of war have highlighted the importance of the EU having an effective and homogeneous criminal framework that punishes the circumvention of international sanctions.

The new offences provide for the criminal liability of legal persons for their commission, which will make it necessary for organizations to update their risk assessments. The inherent risk arising from the offences in question will depend on the companies' activities, and those for which such risk is present will need to strengthen their internal policies in order to minimize the residual risk.

The compliance function will face a task here that is not without complexity, since we are dealing with blank criminal provisions. In other words, the definition of the criminal conduct included in the new criminal offences must necessarily be completed in the light of non-criminal rules, in this case, the European regulations and the Council of Europe's foreign security policy decisions that impose the restrictive measures required by the European Union, as well as the national regulations that implement them. Thus, as stated in the Preamble to the draft organic law, “a conduct cannot be deemed criminally unlawful if it is not so under those European Regulations”.

Therefore, the challenge in terms of compliance will consist, fundamentally, of identifying the wide and varied regulatory framework that is applicable and analyzing it in depth, in order to acquire sufficient knowledge to identify and address the specific risks each company faces due to its activity, and to promote the design and effective implementation of measures that help prevent those risks from materializing.