What the Authority for the Protection of Whistleblowers expects to find when reviewing a company’s reporting channel

Recommendation 1/2026 of the Independent Authority for the Protection of Whistleblowers on the implementation of the Internal Reporting Channel

Eduard Rodellar and Pablo Mansilla

Capsulas Nº 269

The Independent Authority for the Protection of Whistleblowers (AIPI) is the public body established by Law 2/2023, which transposed Directive (EU) 2019/1937 (“Whistleblowing Directive”) into Spanish law, regulates the protection of persons reporting non-compliance with legal requirements, and aims to combat corruption.

Operating since September 2025, the AIPI is responsible for ensuring the proper application of Law 2/2023, including protecting whistleblowers, handling sanctioning proceedings for infringements under Law 2/2023, and issuing recommendations and crime-prevention frameworks for public administrations.

Entities required to have a reporting channel

Recommendation 1/2026 provides guidance for companies required to implement a reporting channel (also referred to as an “Internal Reporting Channel” or “IRC”) on how to design and implement it properly.

In particular, it clarifies how the 50-employee threshold, above which private sector entities must establish an IRC, should be calculated. For this purpose, the AIPI adopts the criteria used in Royal Decree 901/2020 on equality plans. Accordingly, the headcount must include the entire workforce, regardless of contract type or work centre, including remote workers and part-time employees.

Requirements for the reporting channel

According to Recommendation 1/2026, the reporting channel must operate through a secure and encrypted digital platform ensuring confidentiality. In practice, this implies the use of specific software. The AIPI encourages companies to consolidate existing reporting mailboxes (e.g., harassment or ethics channels) into a single reporting channel. The system must be clearly identifiable and operationally independent, even where group companies share resources with their parent company.

Companies must adopt, through their Management body, an internal policy guaranteeing the absence of reprisals against whistleblowers and setting out their rights and duties. For the IRC to be valid, the Management body must formally approve both its creation and its policy of use. In addition, companies must adopt a complaint management procedure explaining how reports will be handled and provide visible access to this information on the company’s website. The policy must also include information on external reporting channels, including the AIPI and, where applicable, the competent regional authority.

The AIPI also recommends implementing technology enabling traceability of reports and communication with the whistleblower, including anonymous whistleblowers, and providing training to employees on the operation of the system. Where reports are received verbally (by telephone or in person), they must be documented through recording or transcription. In the case of transcription, the whistleblower must be given the opportunity to review, rectify and confirm the record.

The person responsible for the channel and notification to the authorities

The AIPI indicates that the person responsible for the channel must enjoy genuine independence, autonomy and authority within the organisation. That person must act impartially and ensure that the persons concerned are informed, respecting the presumption of innocence and the right to honour.

If duly justified by the size of the company, the responsible person may be a committee rather than a senior manager. If a committee is appointed, the AIPI recommends that it comprise no more than five members, including at least one employee of the company.

The appointment and dismissal of the responsible person or committee must be notified to the competent authorities. Under Article 8.3 of Law 2/2023, notifications must be submitted to the AIPI or, where applicable, to the competent authority of the relevant Autonomous Region.

According to the AIPI’s current interpretation, if the company has offices in several Autonomous Regions, or in a single Region that does not have an authority with sanctioning powers in matters of whistleblower protection, it must notify only the AIPI. By contrast, if the company operates only in an Autonomous Region that has its own authority with such sanctioning powers (at the moment, Andalusia, Catalonia, Valencia and Galicia), it must notify only the authority of that Autonomous Region, although the AIPI recommends that it also notify the AIPI.

Notifications must be submitted within ten working days of the appointment or dismissal. However, for appointments and dismissals made between 13 March 2023 (entry into force of Law 2/2023) and 10 February 2026 (when the AIPI online portal became operational), the deadline has been extended to 10 April 2026, using the form available on the AIPI website.

Although the Recommendation is not legally binding, it constitutes the supervisory standard that the AIPI will apply when assessing compliance with Law 2/2023 and when deciding whether to initiate sanctioning proceedings. Companies should therefore review their internal policies and the technical configuration of their reporting channels to ensure alignment with these criteria.
