1.Introduction

Setting 1 September 2025 as the official date for the implementation of the Independent Whistleblower Protection Authority (A.A.I.), a body provided for in Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

In view of the imminent entry into service of the A.A.I., we consider it essential to recall the obligations arising from Law 2/2023 and its implementing regulations, as well as the actions we recommend be taken as soon as possible.

2. Regulatory context

Law 2/2023, of 20 February, transposes Directive (EU) 2019/1937 into Spanish law and extends its scope to serious and very serious criminal and administrative offences.

Its main objective is to guarantee the protection of persons who report regulatory infringements, establishing procedures and guarantees to ensure confidentiality, data protection and independence in the management of reporting channels.

Under this Law, all private entities with 50 or more employees are required to have an Internal Reporting System (IRS) in place to receive and process reports, including anonymous ones, and to guarantee the confidentiality of whistleblowers and affected persons.

In addition, the system must allow complaints to be submitted both in writing and verbally, and ensure that the facts are investigated within a maximum period of three months, which may be extended in particularly complex cases.

Royal Decree 1101/2024, of 29 October, approved the Statute of the A.A.I., which is the body responsible for processing information received through the external channel, adopting measures to protect and support whistleblowers, and investigating and resolving disciplinary proceedings related to Law 2/2023.

The Sole Transitional Provision of the Statute establishes that, once the A.A.I. is operational, the entities subject to it must communicate the appointment (and, where applicable, the dismissal) of the person responsible for their SII within a maximum period of two months.

3. Immediate obligation: notification of the person responsible for the IIS

From 1 September 2025, a non-extendable period of two months (until 1 November 2025) begins for submitting the following information to the A.A.I.:

· Identity and contact details of the person responsible for the Internal Information System.

· Date of appointment and, where applicable, date of termination of the previous person responsible.

· Means of communication enabled to receive complaints (post, telephone, platform, etc.).

Order PJC/908/2025 does not yet specify the electronic procedure for sending this communication. However, the A.A.I. plans to enable an electronic form for this purpose.

It is important to remember that the person responsible must be formally appointed by the entity’s administrative or governing body.

In addition, the existence and operation of the channel enabled for communications must be clearly and accessibly publicised, and employees must be informed and trained on its purpose and use.

4. Risks of non-compliance

Article 63.1 g) of Law 2/2023 establishes as a very serious offence ‘failure to comply with the obligation to have an internal information system in accordance with the terms of this law’, with penalties of up to €1,000,000 for legal persons.

For all the above reasons, it is essential that entities review and, where necessary, adapt their internal information systems to ensure compliance with Law 2/2023 and the new obligations arising from the implementation of the A.A.I.

The correct appointment and communication of the person responsible for the SII, as well as the proper management and publicity of the reporting channel, are key elements in avoiding legal and reputational risks.

We remain at your disposal to answer any questions and design an action plan tailored to the needs of your organisation.