The corporate whistleblower channel: mandatory as of December 1, 2023

As of December 1, 2023, the mandatory whistleblowing channel is a reality for all companies with 50 or more workers. Failure to do so means being exposed to penalties of up to €1,000,000.

What is Law 2/2023 and why is it relevant?

Following the recent publication in the Official State Gazette (BOE) of Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption (hereinafter, ” the Law “), it is essential to understand the foundations and importance of this new regulation. The law, in force since March 13, 2023, responds to the late transposition of Directive 2019/1937 of the European Parliament and of the Council, of October 23, 2019, on the protection of persons who report infringements of Union Law.

The main objective of the Law is to protect those who, in a work or professional environment, identify serious or very serious criminal or administrative infractions. Establishes mechanisms to report these irregularities and, at the same time, seeks to prevent retaliation against whistleblowers.

Obligations for Organizations: How does it affect companies?

As of December 1, 2023, companies with more than 50 employees are under the obligation to comply with the provisions established in the Law . This regulation requires the creation of reporting channels, providing informants who work in the private or public sector and who have obtained information about violations in a work or professional context the possibility of reporting irregularities or violations under protection under the Law if it meets the protection conditions regulated therein.

Essential requirements for internal information systems

The effectiveness of an internal information system lies not only in its existence, but in meeting specific requirements. Among them:

  • Allow the communication of information on infringements.
  • Set up and managed securely, ensuring confidentiality and data protection.
  • Enable the presentation of communications in writing or verbally.
  • Integrate different internal information channels within the entity.
  • Guarantee the effective treatment of communications within the entity or body.
  • Be independent and differentiated from other internal information systems.
  • Have someone responsible for the system. In accordance with the provisions of the Law, the administrative or governing body of each entity or body bound by the Law will be competent to designate the natural person responsible for the management of said system.
  • Have a policy or strategy that states general principles and is publicized internally.
  • Have a procedure for managing information received.
  • Establish guarantees for the protection of informants.

Management of the internal information system by an external third party

The management of the internal information system may be carried out within the entity or body itself or by turning to an external third party, in the terms provided in the Law and as long as it offers adequate guarantees of respect for independence, confidentiality, data protection and the secrecy of communications.

Consequences for non-compliance: sanctions and responsibilities

In the coming days, the Inspection will begin to fine companies that do not have a reporting channel. The regulations contemplate significant economic sanctions for organizations that do not comply with the stipulated obligations, which can reach up to €1,000,000 .

Additionally, in the case of very serious infractions, the Independent Whistleblower Protection Authority may also agree to other additional measures such as:

  1. Public reprimand.
  2. Prohibition of obtaining subsidies or other tax benefits for a maximum period of four years.
  3. Prohibition of contracting with the public sector for a maximum period of three years.

In this sense, it is essential that these companies put into practice the reporting channels provided for in the Law, thus avoiding possible sanctions.

This publication does not constitute legal advice.


How can LAW4DIGITAL help you?

At LAW4DIGITAL we are lawyers specialized in digital business. We provide comprehensive legal advice to digital companies. We help you with online legal advice. 

We will keep you updated about digital business. In any case, you can contact us by sending an email to, calling (+34) 931 444 820 or filling out our contact form at 

We look forward to seeing you in the next post! 

Law4Digital Team. 

Subscribe to our Newsletter!