The three (3) Recommendations of the Independent Authority for the Protection of Whistleblowers (AIPI) on the implementation of the Internal Information System (SII).
Since the Independent Whistleblower Protection Authority (herein after referred to by its Spanish acronym AIPI) began operating in September 2025, it has received numerous enquiries confirming the existence of significant interpretative doubts regarding the practical application of Law 2/2023 of 20 February. Therefore, with the aim of providing clear and consistent criteria, on Thursday 15 January, the AIPI published three (3) Recommendations on the design, implementation and management of the Internal Information System (IIS), aimed at resolving general issues and addressing the specific characteristics of certain groups.
The published Recommendations are explained below.
Recommendation 1/2025/v2 of the AIPI aims to guide political parties in complying with the obligations established in Law 2/2023, taking into account the unique characteristics of these organisations.
One of the main differences with respect to the general regime applicable to other private entities is that Law 2/2023 imposes on political parties the obligation to have an internal reporting system regardless of the number of employees, since political parties are entities of constitutional importance that are exposed to unique risks and, therefore, require enhanced standards of integrity and exemplarity.
With regard to the role of the Internal Information System Officer (IISO), the Recommendation emphasises the need to preserve real and effective independence, as this role is incompatible with the exercise of political or executive management positions, as well as participation in strategic or disciplinary decisions. It also recommends prioritising profiles with proven training or experience in Compliance areas and, in order to reinforce their independence, advises establishing a defined term of office and specific grounds for dismissal.
On the other hand, in organisations with highly complex structures, such as political parties, the AIPI recommends that the IISO take the form of a collegiate body, as a mechanism to strengthen internal trust, distribute responsibilities and reduce the risk of interference or personal exploitation.
In short, the Recommendation establishes that the IIS of political parties should be designed as a robust system capable of identifying and managing risky behaviour at particularly sensitive times, without becoming a tool for internal activism or political confrontation.
Recommendation 1/2026 has a broad scope and serves as a technical reference manual for the design, implementation and operation of the Internal Information System (IIS), both in the public and private sectors.
This Recommendation is based on an essential premise: that the IIS should not be conceived as a mere complaints box, but as an integrity infrastructure integrated into the governance of the organisation. In this sense, it systematically develops the articles of Law 2/2023, incorporating practical criteria, operational examples and additional regulatory references that facilitate its correct application.
The Recommendation defines its objectives and target audience, emphasising that the IIS is a preventive and proactive tool aimed at detecting irregularities at an early stage, adopting corrective measures and reinforcing shared responsibility within organisations. The treatment of the IISO is also particularly relevant, as the AIPI identifies it as the key element in ensuring the independent management of communications, insisting on the principles of independence, functional autonomy and absence of instructions, as well as the need to provide the IISO with sufficient resources.
Finally, it includes a basic checklist to verify that the essential requirements for the correct and effective implementation of the SII have been met.
- Prior consultation with union representatives.
- Agreement by the Governing Body approving the System and Policy.
- Formal appointment of the Internal Information System Officer (IISO).
- Notification of the appointment to the AIPI/regional authority.
- Technical implementation of the Channel (Software/Secure mailbox).
- Approval of the Information Management Procedure.
- Publicity for the channel on the website (visible and easy access).
- Training for staff on the use of the channel.
Recommendation 2/2026 aims to guide compliance with the obligations contained in Law 2/2023 by entities that make up the Local Administration, without prejudice to the powers that may correspond to the regional whistleblower protection authorities.
In accordance with the provisions of Article 13.1 of Law 2/2023, all public sector entities are required to have an IIS regardless of their size, structure or number of inhabitants. In this context, the Recommendation emphasises that the IIS must be accessible within the professional sphere of the local entity, allowing infringements to be reported by persons functionally or professionally linked to the organisation, without extending legal protection to citizens without such links.
Likewise, one of the core aspects of the Recommendation is the regime for outsourcing and sharing the IIS, with the AIPI noting that the management of the system may only be outsourced when it is proven that the organisation’s own resources are insufficient and that such outsourcing must be limited to instrumental functions. Similarly, the Law allows municipalities with fewer than 10,000 inhabitants to share the IIS and associated resources with each other or with other regional public administrations, as well as local public sector entities with their own legal personality and fewer than fifty employees, which may share resources with the relevant Administration.
With regard to the IISO, it should be noted that, together with the appointment of a natural person employed in the public sector, the collegiate body model may be particularly suitable for strengthening confidence in the system and reducing the risk of interference. Finally, the AIPI recommends using the IIS as a tool for learning and continuous improvement, through periodic analysis of the patterns detected and the functioning of the channel.
In short, the aim of these Recommendations is to offer general and specific interpretative clarifications on the implementation and design of IIS. Furthermore, as interpretative criteria are consolidated within the AIPI, new recommendations or updated versions may be published to expand, clarify or modify the issues already addressed.
Finally, it should be noted that, despite the effective entry into operation of the AIPI, the form through which the appointments and dismissals of Internal Information System Officer must be notified is still pending, a circumstance that must be taken into account by the entities subject to this obligation.