On the 1st of September 2025, Spain’s Independent Authority for Whistleblower Protection (in Spanish, the Autoridad Independiente de Protección del Informante, or "AAI") officially began operations, following Order PJC/908/2025 of the 8th of August, which set this start date.
It may not yet be on your radar, but if your company employs 50 or more people or operates in a regulated sector, you should take note.
Why? Because the A.A.I. is the new body responsible for monitoring, supervising and enforcing compliance with Law 2/2023, which regulates the protection of individuals who report regulatory breaches and the fight against corruption. In other words, it's no longer enough to say your company has a whistleblowing channel; there is now an independent authority empowered to verify whether it actually works as required.
Written by Abigail Sked
Paralegal
A NEW PLAYER IN COMPLIANCE
The A.A.I. has been created as an independent public authority with its own legal personality and full autonomy, under Royal Decree 1101/2024 of the 29th of October, which approved its Statute.
Its central role is to ensure that whistleblowers - whether employees, contractors, suppliers or anyone with a connection to an organisation - can report wrongdoing safely, confidentially and without fear of reprisals.
The Authority has full sanctioning powers, meaning it can open investigations and impose fines on companies or entities that fail to meet their obligations on whistleblowing channels. It will also work in coordination with the Spanish Data Protection Agency (AEPD) and other competent authorities.
Structure of the A.A.I
The design of the Authority seeks to guarantee political and operational independence:
-
Presidency (Presidencia): appointed by the Council of Ministers and ratified by the Congress of Deputies, for a single, non-renewable five-year term. The President directs and represents the institution.
-
Advisory Committee (Comisión Consultiva): a body supporting the President, with representatives from various institutions and civil society, providing guidance on best practices.
-
Specialised Departments:
-
Whistleblower Protection (Protección del Informante): responsible for implementing the whistleblower protective and support measures from Law 2/2023 and managing the external reporting channel.
-
Oversight and Sanctions (Seguimiento y Régimen Sancionador): in charge of supervising internal systems and processing sanctions.
-
Administration (Gerencia): responsible for administrative and financial management.
-
Core Functions of the A.A.I.
The Independent Authority for Whistleblower Protection is far more than an advisory body. Its key powers include:
-
Managing and processing reports through its own external channel.
-
Supporting whistleblowers and guaranteeing protection from retaliation.
-
Supervising internal channels within organisations to ensure compliance with Law 2/2023.
-
Investigating breaches and imposing financial penalties where appropriate.
-
Encouraging and promoting a culture of integrity and transparency (the reporting culture) in both the public and private sectors.
Who needs a whistleblowing channel?
Many organisations are still catching up. Under Law 2/2023, an internal reporting channel is mandatory in the following cases:
-
Private companies with 50 or more employees.
-
Public administrations and entities, including public universities, public sector foundations and corporations with public participation.
-
Companies in sensitive or regulated sectors covered by EU law on financial services, products and markets, prevention of money laundering or terrorist financing, transport security and environmental protection referred to in the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council, even if they have less than 50 employees.
-
Political parties, trade unions, business organisations and their foundations, whenever they receive or manage public funds.
This means even SMEs in certain sectors may be required to have a compliant system in place. Failure to do so can lead to fines, loss of trust and reputational damage.
What this means for companies
The launch of the A.A.I. raises the stakes on compliance. It's not enough to rely on a generic email address or a simple inbox. Whistleblowing channels must now meet specific requirements around confidentiality, security, accessibility and case management.
Our software is fully aligned with these legal standards.
The A.A.I. has the authority to request information on how a company’s internal system operates, demand improvements or open sanction proceedings if shortcomings are detected. Crucially, it also manages external reporting: if employees do not trust their company’s channel, they can go directly to the Authority.
Conclusion
The creation of the A.A.I. reinforces the message that regulatory compliance and whistleblower protection are not optional. They are binding legal obligations now subject to much stricter oversight. In addition to mandatory internal reporting channels, companies must also be prepared for the possibility of external reports being made to the Authority.
If your company faces an A.A.I. procedure, our team of labour, corporate, tax and criminal law specialists can prepare the necessary submissions and ensure your defence.
whistleblowing Channel Software
If your organisation has not yet implemented a whistleblowing channel or if you're unsure whether your current one meets all the requirements of Law 2/2023 now is the time to act.
At CONESA LEGAL, we provide secure, bilingual (English-Spanish) software, developed specifically for whistleblowing channel compliance. It guarantees confidentiality, traceability and ease of use, both for the whistleblower and the organisation.
Get in touch today to see how we can implement it in your company. We can have it up and running in under 48 hours.
