AIPI recommendations for the design and implementation of an IIMS
On January 15, the Independent Authority for the Protection of Whistleblowers (AIPI) published three key recommendations on the design, management and implementation of the Internal Information System (IIMS), aimed at providing interpretative criteria and addressing frequently asked questions identified in the practical application of Law 2/2023.
The three published recommendations are:
- Recommendation 1/2025, regarding the management of the internal whistleblowing system in political parties.
- Recommendation 1/2026, addressing the design and implementation of the Internal Information System, with general scope.
- Recommendation 2/2026, specific for the design and implementation of the Internal Information System in Local Administration.
All recommendations aim to establish interpretative criteria and practical guidelines for the design and implementation of the Internal Information System (IIMS), in accordance with Article 51 of Law 2/2023.
Notwithstanding the above, in this Note we will focus on Recommendation 1/2026 (hereinafter, the "Recommendation"), which is configured as a structural guide for public and private sector entities, specifying operational aspects where the Law allows for interpretation or raises doubts. The most relevant aspects of the Recommendation are summarized as follows:
1. Obligated entities
In the private sector, it should be noted that the Law applies to entities with more than 50 employees or those operating in regulated sectors, according to Article 10 of Law 2/2023.
Moreover, the AIPI indicates that for the calculation of the threshold of 50 employees, applicable to the private sector:
- The model established in RD 901/2020 (Equality Plan) is taken as a guide.
- The entire workforce is counted, regardless of the type of contract or job position.
- Part-time staff are counted as one person.
- Employees who have left in the last six months (temporary contracts) are included.
- 100 days worked count as one additional person.
- Teleworkers and personnel stationed abroad are included.
- The calculation should be made at least on the last day of June and December.
- Teleworkers providing services from abroad and workers stationed abroad (expatriates) are counted in Spain.
In the public sector, the scope of application described in Article 13 of Law 2/2023 is mentioned.
2. Key elements of the system
The Recommendation analyses the various minimum elements, characteristics, and principles of the IIMS, offering practical implications. The following are highlighted:
- Open scope for third parties.
- Security and confidentiality. It is worth mentioning the statement that the IIMS "must operate through a secure platform with end-to-end encryption," which in practice implies the implementation of software or a tool, either developed internally or supported by a software provider.
- Accessibility principle and omnichannel communication. Possibility of verbal and written communication.
- Unification and centralised management principle. Convergence of existing boxes or channels (harassment, employment, etc.) to the IIMS, which acts as a "single desk."
- Effectiveness and proactiveness. That is, agility and efficiency in terms of time.
- Functional independence. This principle applies where public or private entities are allowed to share IIMS resources; in those cases, the IIMS should be configured as a separate and clearly identifiable system.
- Leadership and responsibility. This implies the independence and status of the person responsible for the Internal Information System.
- Transparency and disclosure. Approval of a public document that establishes the general principles governing the operation and guarantees of the IIMS.
- Right to due process, with a formalised and written information management procedure.
- Protection against reprisals. The internal regulations of the IIMS or its policy must include a commitment and a list of guarantees against reprisals for whistleblowers acting in good faith.
3. Head of the Internal Information System (HIIS)
The AIPI insists on the characteristics that must be met by the HIIS, namely, real independence, autonomy, and hierarchy within the organization.
In the case of the private sector, the designated person cannot be an executive, unless the nature or size of the entity's activities justifies it. In the public sector, however, it is indicated that a public official should be appointed, as it offers more guarantees.
Similarly, the AIPI recommends that to ensure the effectiveness of the collegiate bodies acting as HIIS, the maximum number of members should be five, and in any case, there should always be one internal member of the obligated entity, without specifying whether this internal member must be the individual to whom the management and treatment powers are delegated.
4. Checklist
In the last section of the Recommendation, the AIPI lists issues that must be verified when implementing an Internal Information System:
- Prior consultation with union representatives.
- Agreement of the governing body that approves the system and the policy.
- Formal appointment of the System Manager (HIIS).
- Notification of the appointment to the AIPI/regional authority.
- Technical implementation of the channel (software/secure box).
- Approval of the information management procedure.
- Publicity of the channel on the website (visible and easily accessible).
- Training of staff on the use of the channel.
Also noteworthy is the reference to software in connection with the technical implementation of the IIMS, a term also used in sections II1.3 Minimum elements, characteristics, and principles of the IIMS, which indicates, in its practical implications related to security and confidentiality, that "it must operate via a secure platform with end-to-end encryption...", and II.3.2 Communication channels, which, although such a tool is not strictly recommended, does imply the convenience of having one in order to comply with all the requirements of Law 2/2023 regarding traceability, confidentiality, anonymity, and the ability to communicate with the informant, including anonymous informants, among others.
5. Other matters of interest
a. Verbal communications
The Recommendation emphasizes the need for verbal communications (telephone, voice, or in-person) to be documented through a recording or a transcription, giving the whistleblower the opportunity, in the case of the transcription, to rectify it and accept it through their signature.
b. Communication to the affected person
Article 9.2 of Law 2/2023 states the obligation to communicate to the interested person the actions or omissions attributed to them, a fact that the AIPI itself insists on including within the minimum obligations of the management procedure that entities must develop, describing it as "an essential procedural guarantee that the HIIS must manage impartially".
6. Conclusions
Although the recommendations are not binding, they provide useful practical guidance on the implementation and management of the IIMS.
It should be noted that this is the first step taken by the AIPI regarding the interpretation of Law 2/2023, a regulation that, it must be remembered, is sometimes ambiguous and lacks clarity. Therefore, in the interest of greater legal certainty in this matter, it is to be hoped that the AIPI will continue its interpretative work by expanding these recommendations or issuing new ones.
These are the first recommendations prepared by the AIPI. However, they may be updated over time as the AIPI's own interpretative criteria consolidate.
Informative note prepared by the Compliance Department of ECIJA Madrid.