Internal Information System 2026: new AIPI criteria, active deadlines and real risks


During the first years following the entry into force of Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements, many organisations treated compliance with the whistleblowing channel as a formality: publishing a platform, drafting a policy and designating a responsible officer. That approach is no longer sufficient, and in 2026 it has become untenable.

The Independent Authority for the Protection of Whistleblowers (AIPI) has been fully operational since 1 September 2025 (the date established by Ministerial Order PJC/908/2025) and has already published its first interpretive criteria, activated its electronic registry and opened the notification procedures for the Responsible Officer of the Internal Information System (RSII). This comes alongside the emergence of the first significant public sanctions, confirming that the risk is no longer theoretical. The landscape has changed in a structural way.

What the AIPI now requires that was previously unclear

Until the AIPI became operational, Law 2/2023 was in force but lacked an effectively active supervisor to give concrete shape to its requirements. That gap was closed on 15 January 2026, when the Authority published three recommendations on the design, management and implementation of the Internal Information System (IIS). The most significant, Recommendation 1/2026, has cross-cutting scope and establishes, for the first time, a public reference standard.

The starting point of that recommendation is clear: the IIS cannot be conceived as a mere reporting inbox, but as a genuine integrity infrastructure that must be formally approved by the organisation’s governing body or equivalent. From there, the criteria the AIPI regards as determinative are the following:

  • The RSII must act with genuine independence, without receiving instructions from the rest of the organisation and with access to sufficient personal and material resources to carry out its functions. The law already required this, but the recommendation clarifies what it means in practice: formal designation is not enough if the appointed person lacks functional autonomy or is in a position of structural conflict of interest.
  • Confidentiality must be guaranteed by design, not merely as a statement of intent in an internal policy. The identity of the whistleblower, the persons concerned and the content of the communication must be protected through restricted access, technical security and controlled traceability. This has direct implications for the architecture of the platform used and for who has access to the case files.
  • The management procedure must be documented in such a way that the organisation can demonstrate, in the event of an inspection, how it receives, registers, analyses, admits, investigates and closes each communication. Acknowledgement of receipt must be issued within seven calendar days; the standard maximum response period is three months, extendable to six in cases of particular complexity; and verbal communications must be documented in the same way.
  • The case log is an obligation, not a recommendation. The system must maintain a secure register that allows the sequence of actions to be reconstructed from receipt of the communication through to its closure, with sufficient evidence of each decision taken.
  • Finally, the organisation must incorporate express internal guarantees against retaliation: not just a formal prohibition, but mechanisms for detecting and responding to dismissals, disciplinary measures, changes of duties or any other adverse reaction linked to a communication.

Although the AIPI’s recommendations do not have normative status or binding force, they function in practice as the first technical standard issued by the supervisory authority. Disregarding them is no longer a prudent option.

How to determine whether your whistleblowing channel complies with current criteria

The right question is no longer whether the organisation “has a channel”, but whether its Internal Information System is in a position to withstand a review by the AIPI. There are concrete indicators that allow identification of relevant deficiencies in the system.

A first indicator is the status of the RSII. If there is no formal appointment agreement, if the designated person reports organisationally to someone who could be the subject of an internal investigation, or if that person lacks the time or resources to manage the system in practice, the system has a structural problem that no internal policy can remedy.

A second indicator is the absence of notification of the appointment to the competent authority. Article 8.3 of Law 2/2023 requires notification of both the appointment and the removal of the RSII to the AIPI (or, where applicable, the competent regional authority) within ten working days. The AIPI activated the initial notification form through its electronic registry on 10 February 2026, setting a two-month transitional period to regularise prior appointments. That deadline expired on 10 April 2026. Organisations that have not submitted the notification in time are already in a position of formal non-compliance.

A third indicator is the inability to demonstrate the real functioning of the system. If the organisation cannot produce records of communications received (even if none were filed), formalised procedures, controlled timelines and documented decisions, its defensive position in enforcement proceedings will be very weak. Evidential capacity is not a minor detail: in whistleblowing matters, it is the core of compliance.

The most common sanctions for having a deficient or non-existent system

Title IX of Law 2/2023 establishes a specific sanctioning regime. For legal entities, fines are up to 100,000 euros for minor infringements, between 100,001 and 600,000 euros for serious infringements, and between 600,001 and 1,000,000 euros for very serious infringements.

The most serious infringements expressly defined in the law include retaliation arising from a communication and the failure to comply with the obligation to have an IIS in the terms required by law. In the most serious cases, the AIPI may also impose additional measures alongside the fine: a public reprimand, a prohibition on receiving public subsidies or tax benefits for up to four years, and a prohibition on contracting with the public sector for up to three years. These are consequences that go well beyond the direct economic impact of the fine.

In this context, the case publicly known as the “Nora SA case” is particularly relevant. In that case, the Catalan Anti-Fraud Office (Oficina Antifrau de Catalunya) imposed a sanction of 600,000 euros for retaliation against a whistleblowing employee. Whatever the ultimate procedural outcome of that file, the regulatory message is unambiguous: the authorities are not merely checking whether a channel exists, but how the organisation responds to those who report.

Checklist for reviewing your system before an inspection

The review of the IIS must cover the system as a whole, not merely verify whether a technological platform exists. The minimum aspects to validate before a possible inspection are the following:

  • RSII designation: confirm that a formal appointment agreement exists, that the designated person meets the legally required profile (as a general rule, a senior manager of the entity) and that they have genuine independence and sufficient resources.
  • Notification to the competent authority: verify whether the notification of the appointment was submitted before 10 April 2026. If not, submit it as soon as possible, since the omission already constitutes formal non-compliance. Also confirm that an internal procedure exists for notifying future appointments or removals within the standard ten-working-day deadline.
  • Internal policy and procedure: verify that the organisation has a whistleblower protection policy and a management procedure that are up to date and aligned with both Law 2/2023 and the AIPI’s published criteria.
  • Accessible and properly configured channel: ensure the channel is easy to locate, supports the available communication methods (written, verbal, in-person) and provides adequate information about the AIPI’s external channel and about the processing of personal data.
  • Case log and file management: verify that a case log exists, that all actions are documented and that critical deadlines are monitored, including the seven-day acknowledgement of receipt and the three-month response to the whistleblower.
  • Confidentiality and data protection: review access controls, permissions and technical measures, as well as the duty of secrecy, data retention and deletion arrangements, and coordination with the Data Protection Officer where applicable.
  • Prevention of retaliation: verify that specific internal mechanisms exist for detecting and handling adverse decisions against whistleblowers, including indicators of indirect retaliation.
  • Training and awareness: provide specific guidance to the RSII, the system management team, Human Resources, Compliance and potential recipients of communications.
  • Periodic review and evidence: establish a continuous review framework that enables the organisation to demonstrate, in an orderly and auditable manner, that the system operates in practice and not merely on paper.

The effective entry into operation of the AIPI, the publication of its first technical criteria and the actual activation of the RSII notification deadlines represent an inflection point. The whistleblowing channel has ceased to be a predominantly documentary compliance element and has become a regulated system, formally identified before the authority and potentially subject to inspection.

Organisations that implemented the channel in previous years from a purely formal standpoint should promptly review the RSII’s independence, the documentation of the procedure, the system’s traceability and the protection against retaliation. Those that have not notified the RSII’s appointment to the AIPI before the expiry of the transitional deadline must regularise that situation immediately.

At Letslaw we support organisations in the comprehensive review of their Internal Information Systems: designation and notification of the RSII, update of internal procedures, review of confidentiality and data protection measures, and implementation of effective anti-retaliation mechanisms. If you have any questions about the current status of your system, contact us.
