Spain · Updated 2026-05-07

Spain's Ley 2/2023 in practice: what AAI enforcement has looked like through 2026

By Confidly editorial · Published 2026-05-07

Spain’s Ley 2/2023 of 20 February 2023 transposed Directive 2019/1937 with the highest administrative fine ceiling in the EU: €1,000,000 for legal entities. The Autoridad Independiente de Protección del Informante (AAI) is the national authority and has been operational since late 2023. Two years in, the operational pattern is clearer. This is what Ley 2/2023 enforcement looks like in mid-2026 from the perspective of compliance officers in Spanish-headed multinationals and Spanish subsidiaries of EU groups.

Direct answer

Ley 2/2023 enforcement through 2026 has settled into a pattern where the AAI focuses on substantive failings (absent channels, retaliation, confidentiality breach) rather than minor procedural deficiencies. Published fines through 2025 have ranged from €40,000 to €400,000, with the €1,000,000 ceiling not yet reached in any single matter. The AAI works closely with the AEPD on data-protection overlaps and with the Audiencia Nacional on criminal referrals. Five deficiencies are cited most often: absent or inadequate channel, retaliation, confidentiality breach, missing 3-month feedback, and missing works-council consultation under the Estatuto de los Trabajadores.

Ley 2/2023 was published in the BOE on 21 February 2023 and entered into force progressively: public-sector entities and private-sector entities with 250+ employees were required to comply by 13 June 2023; private-sector entities with 50-249 employees by 1 December 2023.

Article 23 sets the sanctions: serious infringements (the typical band) attract €10,000 to €100,000 for natural persons and €100,000 to €600,000 for legal entities; very serious infringements (retaliation against the reporter, deliberate breach of confidentiality, systemic obstruction) reach €30,000 to €300,000 for natural persons and €600,000 to €1,000,000 for legal entities. Cumulation across separate breaches is permitted; this is how the largest fines emerge.

Who the AAI is and how it works

The AAI, headquartered in Madrid, is the independent national authority designated by Article 27 of Ley 2/2023. It became operational in late 2023 and reached full case-handling capacity in mid-2024. It receives external reports, investigates retaliation claims, supports DPAs on data-protection overlaps, and imposes administrative sanctions. It also supervises the deployment of internal channels in scope.

The AAI publishes an annual report under Article 30. The 2024 report (issued April 2025) catalogued 1,180 external reports received, 187 inspections conducted, and 67 administrative sanctions imposed. The 2025 report (issued April 2026) shows 1,840 external reports, 240 inspections, and 92 sanctions, with an average fine of €78,000 across the published sanctions. About 60% of the sanctions related to private-sector entities, 40% to public-sector entities.

The five most-cited deficiencies

1. Absent or inadequate internal channel

Despite the December 2023 deadline for the 50-249 employee band, a non-trivial number of in-scope Spanish private-sector employers had no channel at all through 2024. According to the AAI’s 2025 report, ~8% of inspections found no channel at all (typically family-owned businesses in the 50-100 employee band, concentrated in Andalusia and Catalonia). Sanctions in this category range from €40,000 to €150,000 depending on company size and how long the breach has continued. The remedy is straightforward (deploy a channel) and rarely contested.

2. Retaliation against the reporter

The largest published fines through 2025 have all involved retaliation: a €400,000 fine against a Madrid-based industrial group in late 2024 for the dismissal of a reporter who had alleged accounting irregularities; a €280,000 fine in early 2025 against a Catalan logistics company for a constructive dismissal pattern. The reverse-burden-of-proof rule under Article 38 of Ley 2/2023 (transposing Article 21(5) of the Directive) has been applied consistently; in both cases the employer’s documentary defence was found inadequate.

3. Confidentiality breach

Article 32 of Ley 2/2023 implements the confidentiality obligation in Article 16 of the Directive. Deliberate breach is a “very serious” infringement under Article 23(8). Through 2024-2025, the fines the AAI imposed in this category typically ranged from €60,000 to €180,000; the breach was almost always disclosure within management chains rather than to outside parties, which is the hardest pattern to detect from outside but the most damaging to the reporter.

4. Missed 3-month feedback

Article 9 of Ley 2/2023 requires substantive feedback within three months, extendable to six in cases of “special complexity”. The AAI inspects feedback timing in every inspection and routinely cites cases that exceeded three months without communication to the reporter. The sanctions in this category alone are smaller (€10,000-€30,000) but they cumulate quickly when an inspection finds the deficiency across multiple cases.

5. Missing works-council or representantes consultation

Article 5(2) of Ley 2/2023 requires negotiation of the internal procedure with the representantes legales de las personas trabajadoras under the Estatuto de los Trabajadores Article 64. Channels deployed without this negotiation are deficient regardless of how well they otherwise function. The AAI cites this in about 20% of inspections, often in conjunction with other deficiencies. Cure: document a real consultation, record the outcome, and reflect any agreed text variations in the procedure.

Sectors under particular scrutiny

The AAI’s 2026 priorities have been communicated through its public consultation responses and through speeches by its presidente. Three sectors are under specific attention:

  • Public administration (state-level and autonomous communities). Channel compliance in public administration was uneven through 2024; the AAI has signalled a coordinated inspection program for 2026-2027.
  • Construction and real estate. Both sectors have a high concentration of small employers in the 50-100 employee band where compliance lags, and a structural exposure to bribery allegations.
  • Healthcare (private clinics and concertados). A 2025 audit found channel awareness was particularly low among non-medical staff in private clinics.

In-scope employers in these sectors should expect more frequent inspections in 2026.

The Article 38 retaliation litigation pattern

Retaliation claims under Ley 2/2023 typically run on two tracks: the administrative track (AAI complaint, leading to administrative sanction) and the judicial track (Juzgado de lo Social claim for unfair dismissal, with the reverse-burden-of-proof argument). The two tracks proceed in parallel; an AAI finding of retaliation does not bind the social court but is highly persuasive. Reporters who win at both levels typically recover unfair-dismissal compensation under the Estatuto de los Trabajadores plus an additional indemnity for retaliation under Article 38 of Ley 2/2023; the AAI’s administrative fine is a separate matter not paid to the reporter.

A March 2025 decision of the Juzgado de lo Social no. 33 of Madrid (Sentencia 102/2025) became the leading case on how the reverse burden applies to constructive dismissal under Spanish whistleblower law. The court found that a reorganisation announced 30 days after a protected disclosure, which moved the reporter from a strategic role to a back-office function with no change in salary, was retaliation in fact; the employer’s documentary defence (citing a pre-existing reorganisation plan) was found to be retroactively constructed.

What to do this quarter

For Spanish-headed companies or Spanish subsidiaries of EU groups:

  • Verify the channel is deployed for all entities at or above the 50-employee threshold.
  • Document the works-council/representantes consultation if it has not been formalised. Late consultation is better than none.
  • Refresh the case-handler training; cite the most recent AAI sanctions in the training material.
  • Run an internal audit on 3-month feedback compliance across the last 12 months of cases.
  • For multinational groups: ensure the Spanish subsidiary is named as data controller for its own reports in the joint-controller agreement.

The AAI is now operating at full capacity and the fine levels are real. The compliance work is no longer about whether to deploy a channel but about whether the channel can survive a substantive inspection. The Spanish regime is one of the strictest in the EU, and the cost of inadequate channel operation is correspondingly higher than in jurisdictions with lower fine ceilings.
