Crime committed by a legal entity: new change in criteria by the Supreme Court (Ruling 768/2025 of 25 September) on proving the ineffectiveness of Compliance programmes.
The Supreme Court acquits a legal entity convicted of fraud and takes the opportunity to change the criteria regarding who bears the burden of proof for breach of supervisory duties. At the same time, it provides an overview of the state of the issue through a profuse obiter dictum.
1.- The acquittal of the legal entity is simply a strictly legal matter, since ‘criminal law requires a set of additional typical elements that the judgment does not mention.’ In fact, the previous convictions merely state that the convicted natural person was the majority shareholder and sole administrator of the company and acted in the company’s interest. For the Supreme Court, this succinct factual content is ‘woefully insufficient to establish the criminal liability of that legal entity for its own actions. It is not enough to convict the legal entity by proving the crime of the natural person. No organisational defect is alleged or proven.’
The second of the aforementioned Rulings is based on similar grounds: ‘With regard to the appellant legal entity, the proven fact does not declare any fact attributable to the legal entity, and therefore its challenge must be upheld, since the proven fact does not refer to anything that can be attributed to this entity, and it must therefore be acquitted.’
2.- With regard to who is responsible for proving the effectiveness of the crime prevention model (criminal Compliance), the recent Supreme Court Ruling once again places the burden of proof for non-compliance with prevention models on the accuser, contradicting the latest criterion expressed in Supreme Court Ruling 298/2024… which in turn changed the existing criterion until then, and which now returns. Last year’s Ruling stated that: ‘the burden of proving this factor that excludes liability lies, in principle, with the defence’.
The Ruling 768/2025 of 25 September, now under discussion, states: “Insofar as the structural defect in the management, monitoring and supervision models constitutes the basis for corporate criminal liability, the validity of the right to the presumption of innocence requires that the prosecutor not consider himself exempt from the need to prove the existence of a serious breach of supervisory duties.
The subsequent resolution 836/2025 of 14 October: “In short, insofar as the structural defect in management, monitoring and supervision models constitutes the basis for corporate criminal liability, the right to the presumption of innocence requires that the prosecutor not consider himself exempt from the need to prove the existence of a serious breach of supervisory duties. This is without prejudice to the legal entity under investigation using the evidence it deems appropriate—expert, documentary, testimonial—to demonstrate its proper functioning from the perspective of compliance with the law,” as already stated in Supreme Court Ruling 221/2016 of 16 March.
Furthermore, in addition to this issue regarding the burden of proof, which we lawyers find perplexing and which requires a decision by the Second Chamber in plenary session in order to avoid undesirable legal uncertainty, the recent Ruling reminds us of certain assumptions:
a) The natural person must commit their own crime
“In order to impose a penalty on a legal entity, it is necessary for another person (a natural person, manager or employee) to commit a crime. In doctrinal terms, this is a form of involvement by the legal entity in the crime committed by a natural person, based on its organisational defect (where the injustice would derive from conduct by the legal entity that in some way favours or cooperates with the crime committed by the natural person); the legal entity collaborates with the future agent, facilitating the scenario of a defective organisation, situation or state of injustice that will be exploited at some point by the perpetrator of the crime to commit a crime, evading the few or non-existent controls of the legal entity.
b) Liability for the company’s own actions
The Ruling recalls that ‘the Chamber rejects a regime of strict liability in this matter and sets forth “the principle of culpability in matters of criminal liability of legal entities”; expressly rejecting the thesis that, once the connection has been proven, that is, the specific crime committed by the natural person, there would be a rebuttable presumption that there has been an organisational defect.’
c) The ‘structural defect’ in prevention mechanisms
The Ruling confirms that: ‘It must also be proven that the offence committed by the natural person and the basis for their individual liability has been caused by a corporate offence, due to a structural defect in the prevention mechanisms required of all legal entities, more precisely, since the 2015 reform.’
In any case, the Ruling reminds us of the importance of having an effective crime prevention model—Compliance—that complies with the requirements imposed by our Criminal Code since the reform ten years ago.
Jorge Navarro Massip