Key governance, compliance and work-related issues in the Internal Information Systems Recommendation 1/2026

Reports | 9 February 2026
The Independent Authority for Whistleblower Protection activates the reporting form of the Internal Reporting Officer and publishes its first general Recommendation, reinforcing the requirements on governance, compliance and labour management of internal channels.

Launch of the form 

In compliance with the provisions of art. 8 of Law 2/2023 of 20 February, the Independent Authority for the Protection of the Informant has launched the form for the communication of the Persons Responsible for Internal Information Systems.

Thus, as provided for in Royal Decree 1101/2024, of 29 October, which approved the Statute of the Authority, obliged private and public sector entities now have a period of two months to notify the Authority of the person responsible for each internal information system.

Together with the form, the Authority also provides interested parties with a Manual for completing the RSII communication form, as well as an e-mail address for reporting possible incidents in the communication of the Data Controller.

Recommendations of the Independent Authority for Whistleblower Protection

On 16 January 2026, the Independent Authority for the Protection of Whistleblowers (AINPI) also published its first three Recommendations on the internal information systems regulated by Law 2/2023 of 20 February: one of a general nature, applicable to all internal information systems in the private and public sector, and two specific ones for Political Parties and Local Administration.


Below, we set out the key aspects of the general Recommendation, i.e. Recommendation 1/2026 of the AINPI, from the perspectives of governance, compliance and labour.


Main key points of Recommendation 1/2026 in terms of governance

Firstly, it is worth highlighting the AINPI's contextualisation of the Internal Information System, defining it as a basic infrastructure on which modern ethical governance is based. In this sense, it repeatedly stresses that final approval of, and ultimate responsibility for, the implementation of the system rest, in any case, with the entity's management body.


From this perspective, the Recommendation also stresses three fundamental ideas:

  • The definition of the Internal Information System as an integrity infrastructure that must be approved by the entity's Governing Body or equivalent.
  • The need for autonomy and independence of the person in charge of the system in relation to the governing body or other executives, thus reinforcing the requirements of leadership and responsibility of this function.
  • The exercise of his or her function with autonomy and independence, which also implies the need to guarantee the absence of conflicts of interest.

In the case of groups of companies, although the possibility of establishing a common internal reporting system for the entities of the group is maintained, the Recommendation stresses that the existence of a single system does not transform the group into a single obliged entity, nor does it alter the individual nature of the obligation provided for in Article 10.


In the same vein, it stresses the importance of adapting the system to the requirements of Spanish law, regardless of whether it is unique for an international group: if the system used by the parent company is not configured to meet these requirements, or if its design prevents it from guaranteeing the operational autonomy of the subsidiary, then the Spanish entity cannot use it as a valid IIS for the purposes of compliance with Article 10. It should be recalled that, in addition to those companies with a presence or permanent establishment in Spain, the obliged private sector companies also include branches, agents or even those that provide services in Spain without a permanent establishment.


Furthermore, in relation to the figure of the single person responsible for the IIS for the group of companies, the Recommendation stresses that this should not be understood as an abstract subject, but rather that the same personal or organisational structure is allowed to assume the status of person responsible for several companies, designated and communicated in accordance with the terms of the law. Each company has its own person in charge, but, in this case, it would be the same person for the various companies in the group. An express agreement of the obliged entity designating the RSII is required.


Main key points of Recommendation 1/2026 from a compliance perspective

From a compliance perspective, the following essential ideas stand out:

  • It develops the requirement to have a policy or strategy that sets out the general principles of the system, now requiring the approval of a specific and formal document (a policy), adequately disseminated, which includes a list of guarantees that ensure that no negative consequences or reprisals will be suffered for having communicated in good faith.
  • The Recommendation expands the content of the Management Procedure to include, beyond what is stipulated in Article 9 of the Law, the regulation of each of its operational phases.
  • Continuing with the figure of the person in charge of the IIS, the Recommendation, in relation to the collegiate bodies, indicates that, in order to be operational, the number of members should not exceed five, and the powers of management and processing of investigation files should always be delegated to one of them. It will not be required that all of them form part of the organisation, but in any case, the body must have at least one internal member from the obliged entity. The collegiate body shall be responsible for the system of said entity, regardless of the origin of its members.
  • With regard to the receipt of other categories of communications not provided for in the Law, the Recommendation introduces the following clarification: "The channel may be authorised to receive other communications, e.g. breaches of the code of conduct, actions which, without being a crime or serious or very serious administrative offences, involve or cover fraudulent actions, etc., but it should be clearly stated that these are outside the scope of protection of the Law".
  • It includes the obligation for the system to operate through a secure and end-to-end encrypted platform that prevents the direct or indirect identification of the informant, with strictly restricted access and controlled traceability, extending confidentiality not only to the identity of the persons involved, but also to the content of the communications and any data that could be inferred, and actively preventing misuse of the system or reprisals of any kind.
  • One controversial point, because it differs from the provisions of the Law itself, is the dual means of receiving communications (verbal and written). In this regard, as a good practice to maximise the effectiveness of the channel, it is recommended that it should support both methods of entry.

Main key points of Recommendation 1/2026 from the labour perspective

Finally, from an employment perspective, the following aspects stand out:

  • The Recommendation establishes the criteria for computing the threshold of fifty or more employees. For these purposes, it refers to Article 3 of Royal Decree 901/2020, of 13 February, which regulates the Equality Plans (regardless of the number of work centres or the type of employment contract; calculation of one temporary worker for every 100 days; calculation, at least, on the last day of June and December, etc.), with teleworkers providing services from abroad and workers posted abroad also being counted for these purposes.
  • Another aspect of special interest for the obliged entities is that relating to the channels for preventing harassment. In this respect, the Recommendation indicates that "If the entity has multiple mailboxes or sectoral complaint channels that receive communications under Article 2 of Law 2/2023 (e.g., workplace harassment, sexual harassment, etc.), they should all converge under the supervision of the RSII" with the aim of offering a "single window" for the receipt of such information and the uniform application of legal guarantees (confidentiality, security, information to the informant, deadlines, etc.). In addition, the management procedure must provide for the express reference to all the channels that make up the internal information system, including the channel that may be regulated in the harassment prevention protocol.
  • Likewise, implementing the requirements and new features already referred to in this Note entails, as a consequence or additional recommendation, the need for staff training on the use of the channel, a fundamental element of the basic checklist for the design and implementation of an internal information system.

Basic checklist for the design and implementation of the Internal Information System

In conclusion, Recommendation 1/2026 provides a basic checklist for the design and implementation of an internal information system consisting of the following essential elements:

  • Prior consultation with trade union representation.
  • Agreement of the Governing Body approving the System and the Policy.
  • Formal designation of the System Manager (RSII).
  • Notification of the appointment to the AIPI/Autonomous Authority.
  • Technical implementation of the Channel (Software/Secure Mailbox).
  • Approval of the Information Management Procedure.
  • Publicity of the channel on the website (visible and easy access).
  • Staff training on the use of the channel.

Link to the aforementioned Recommendations: https://www.proteccioninformante.gob.es/circulares-recomendaciones-y-guias


Information note written by ECIJA Madrid's Governance and Compliance and Labour area.
