Apr 08 2026

What is the AIPI and what recommendations does it set for Whistleblowing Channels?

With the entry into force of Law 2/2023, whistleblowing channels have come to occupy a prominent place in the compliance programs of many companies. It is no longer simply a matter of having a mailbox in place to receive internal reports, but of implementing a system that genuinely works, protects the whistleblower, and makes it possible to handle misconduct with due safeguards.

Within this new framework, the AIPI has become a key figure. But what exactly is the AIPI, and what kind of recommendations does it issue?

What the AIPI is and why it is so important

The Independent Whistleblower Protection Authority (Autoridad Independiente de Protección del Informante – AIPI) is the body created in Spain to protect individuals who report wrongdoing and to strengthen public integrity, fraud prevention, and anti-corruption efforts. It also acts in coordination with other supervisory authorities and helps to consolidate a culture of transparency in the public sector.

Within the framework of Law 2/2023, the AIPI not only plays a role through the external reporting channel but also serves as a benchmark for the design and operation of internal whistleblowing channels, particularly regarding confidentiality, independence, and whistleblower protection.

Main functions of the AIPI

Handling reports submitted through the external channel
Adopting protective measures for whistleblowers
Issuing recommendations
Conducting sanctioning proceedings
Cooperating with other bodies
Preparing reports and statistical summaries

The importance of the AIPI does not lie solely in its role as a public authority; its real value lies in the clear criteria it establishes on how reporting systems should operate. For entities required to implement these systems, following those criteria not only contributes to regulatory compliance, but also helps to avoid significant risks — a poorly designed channel may lead to serious issues such as the disclosure of the whistleblower’s identity, inadequate investigations, lack of response, or disputes arising from improper information handling.

AIPI recommendations

The AIPI stresses that a whistleblowing channel should not be limited to a mere reporting mailbox but should instead be integrated into a comprehensive Internal Information System, with its own procedure, an appointed person in charge, and real operational safeguards.

Confidentiality

Among its key recommendations, the AIPI highlights the need for the channel to guarantee confidentiality not only of the reporting person’s identity, but also of the content of the report and of any data that could enable their identification.

Accessibility of the channel

Another important aspect is the accessibility of the channel. The AIPI reminds entities that reports must be capable of being submitted both in writing and verbally, including by telephone call, voice messaging system, or even in-person meeting if so requested by the reporting person.

The role of the Internal Information System Officer

The AIPI reinforces the role of the Internal Information System Officer (IISO), whom it considers a key figure in ensuring the independence and credibility of the channel. Law 2/2023 requires entities obliged to have an internal reporting channel to formally designate a natural person responsible for its management; therefore, the role of the IISO is not optional.

This designation is not exhausted by an internal resolution: it is mandatory to notify both the appointment and the dismissal of the IISO to the competent authority — either the AIPI or, where applicable, the relevant regional authority — within a maximum period of 10 working days from the appointment or dismissal.

In practice, this requirement confirms that the IISO is a central component of the system and that, accordingly, it is not merely a matter of good organisational practice, but a legal obligation intrinsically linked to the proper functioning of the whistleblowing channel.