Companies and their staff face tougher exposure when decisions breach regulations. Law No. 2/2023, which implements a European directive, requires organizations with more than 50 employees to establish a channel for reporting conduct that violates the rules. Any employee can submit a completely anonymous complaint, allowing whistleblowers to come forward without risk of retaliation.
The goal is clear: encourage organizations to maintain high vigilance against unlawful behavior and to act quickly if complaints reveal issues. This approach also carries potential legal consequences if the reported facts prove true.
In Alicante, the latest figures from the INE Corporate Center Directory show that firms with more than 50 workers must implement this anonymous reporting system. For those with over 250 employees, a specific milestone applies — 94 companies in this group must comply by June 13, while the remaining affected firms have until December 1 to implement the requirement.
Deadlines have already sparked discussion among business leaders, and information sessions are being organized. Recently, the Círculo Empresarial de Elche y Comarca and Grupo Asesor Ros hosted such an event to discuss the new obligations.
The Elche business park gathers many of the largest companies in the region that will be affected by the regulations. This initiative emphasizes the practical shift toward formal whistleblowing channels and the enforcement of the rule as a mandatory measure rather than a voluntary one.
Alexander Perez, a partner at the involved consultancy, notes that the key innovation is the formal whistleblowing channel itself. This is a departure from traditional compliance plans, which often focus on general promises of adherence rather than a concrete reporting mechanism. The whistleblowing channel is designed to be mandatory and integrated into the company’s compliance framework.
Beyond the reporting mechanism for employees, each affected company must have a process to handle these complaints and appoint a responsible person to whom reports are directed. The new Independent Whistleblower Protection Agency serves as an authority to ensure confidentiality and, when appropriate, protect the anonymity of the complainant.
This is a particularly contentious aspect. There is concern that complaints could be unfounded or driven by personal motives. Critics worry about a modern version of a prior system where accusations could spread without solid proof. Pérez stresses the importance of balancing accountability with safeguards to prevent misuse while preserving the right to report legitimate concerns.
Planeta Huerto adopts a penalty compliance plan with Devesa & Calvo
From the legal perspective, Juan Jose Cortes of Devesa & Calvo explains that the law provides a filter to prevent improper use of the reporting channel. The person responsible for the internal information system must receive training and follow criteria that determine whether a complaint should be processed. If the matter is personal, or the facts are clearly incorrect or merely reflect a viewpoint about how things should have been done differently, the report should not be processed as an irregularity or violation.
Complaints may target colleagues involved in unlawful acts, or even the company itself if a party is suspected of wrongdoing or tax evasion. Any act contrary to European Union law, or any serious offense, is within the scope of the channel. When there are indications that a report could constitute a crime, the responsible officer should forward it to the prosecutor for action. Spain recognizes criminal liability for legal entities, so organizations can be held liable alongside individuals responsible.
New regulations also affect political parties, trade unions, commercial associations, and their foundations that manage public funds. The absence of a whistleblowing channel can lead to substantial penalties, ranging from six hundred thousand to one million euros. The law allows external providers to manage these internal information systems, provided they guarantee independence, confidentiality, data protection, and reporting privacy. The changes signal a major shift in how companies operate and how compliance is approached, with an emphasis on concrete mechanisms to ensure adherence to the law.