How to build the whistleblower channel training module required by Spain's Law 2/2023

Beñat Arrizabalaga
Co-founder & Business Development

Having the whistleblower channel up and running isn't enough. The law requires employees to have been informed about it. If you can't prove that happened, the channel protects the company on paper, not in law.
Most companies with more than 50 employees have had their whistleblower channel active for some time now. They have the form, the mailbox, the designated responsible person. What many don't have is evidence that they communicated its existence and operation to each employee individually.
That's the gap that turns a solid technical implementation into a real legal risk. Law 2/2023 doesn't just require having the channel: it requires informing the entire workforce about how it works, what it covers, and what protections apply to those who use it. And that communication obligation must be demonstrable.
This article covers what the training module needs to include, for which profiles, and what format generates the evidence that protects the company before the Independent Whistleblower Protection Authority (A.A.I.).
Law 2/2023 establishes communication and information obligations for two clearly differentiated groups within the company.
The workforce as a whole needs to know the channel exists, how to access it, what conduct can be reported, and what protections apply to someone who reports in good faith. Employees don't need to know how to manage a complaint. They do need to know the channel is there, what it's for, and that they can use it without fear of retaliation.
The system responsible (or the team that manages reports) needs additional, differentiated training: how to receive and handle communications, the legal deadlines (7 days to acknowledge receipt, 3 months to communicate the measures taken), confidentiality obligations, and procedures for protecting the whistleblower. This role carries its own responsibilities that go beyond general awareness.
Designing a single module for both profiles is the most common mistake. The result is usually a module that's too technical for the general workforce or too surface-level for whoever has to handle real reports.
The awareness module for the broader employee population needs to cover at minimum five blocks:
What the channel is and what it's for. Not a legal explanation, but a practical one: it's the official mechanism for reporting conduct to the company that violates regulations or could harm the public interest. Concrete examples of the types of situations that can be reported.
The address, the procedure, the option to report anonymously or identified. When to expect a response and what happens next.
What conduct is covered. The law covers violations of European Union law and national law in specific areas: public procurement, financial services, product safety, environmental protection, among others. The module must make this concrete so the employee understands when it's relevant.
What protection applies to those who report. The confidentiality guarantee, the prohibition of retaliation, and the protection mechanisms for good-faith whistleblowers. This is the part that matters most for the channel to actually get used.
What happens when it isn't used in good faith. The protection framework has limits. Reporting falsely or in bad faith isn't covered. Including this reinforces the channel's credibility.
The channel manager needs a separate module covering the operational and legal dimensions of the role:
The deadlines and procedures set by law: acknowledgment of receipt within a maximum of seven business days, a maximum period of three months to communicate the measures taken.
Confidentiality obligations: the whistleblower's identity cannot be disclosed without their explicit consent. This also applies to third parties named in the report.
The internal investigation process: how to document receipt, the actions taken, and the conclusions, so the company can demonstrate it acted with due diligence.
Anti-retaliation protection measures, and how to identify whether retaliation is occurring, regardless of whether the employer or a third party is behind it.
This module typically requires legal review of the content, especially in companies where the system responsible doesn't have a prior legal background.
The company having prepared the module is not the same as being able to prove that each employee received and completed it. The difference matters because Law 2/2023 establishes its own penalty framework — with sanctions that in their maximum degree reach one million euros for legal entities¹ — and what the A.A.I. evaluates in an inspection is not intent but documented evidence.
The record format has minimum requirements to be useful: it must be individualized (which employee), dated (when they completed it), and exportable without relying on the memory of whoever coordinated the activity. An email without open-tracking doesn't meet this bar. A group session with an undated attendance sheet doesn't either, in most cases.
In practice, companies that already manage other training obligations (workplace health and safety, GDPR) tend to solve this with the same architecture: a module published in an LMS via SCORM or xAPI, which automatically generates the per-employee completion record. The training platform guide for SMEs covers which tools include SCORM on accessible plans and which reserve it for Enterprise contracts.
For companies managing several regulatory obligations at once, the article on scaling compliance training describes how to connect production, distribution, and record-keeping into a system that holds up in audits without turning every new regulation into a new project.
The whistleblower channel that fulfills its legal purpose isn't the one with the operational form. It's the one that can demonstrate each employee knows it exists, how to use it, and under what protections. That demonstration requires a profile-differentiated module, with legally verified content and a record-keeping system that generates accreditable evidence.
If you have the channel active but the training module is still pending, request a demo and we'll work through how to resolve it with your existing documentation.
The law refers to an obligation to "inform" employees about the channel, not to provide regulated training. In practice, the difference is operational: a training module is the most efficient mechanism to fulfill that information obligation in a traceable, individualized, and documented way. An email without read-tracking or a group session without an individual record doesn't generate equivalent evidence.
There's no specific legal deadline for periodic renewal. What practice does require is updating the module when internal procedures change, when new employees join (onboarding), and when relevant regulatory changes occur. A reasonable approach is to include it as a mandatory onboarding module for new hires and review the content annually.
Generally yes, if it meets the requirements for an eligible training activity (content related to professional activity, minimum duration, an evaluation system, and a completion record). Compliance and regulatory training is typically eligible. Check with your FUNDAE consultant for the exact criteria that apply to the type of training activity you're planning.
The legal obligation isn't just to have the channel — it's to be able to demonstrate the workforce was informed about its existence and operation. If an inspection finds the company cannot provide individualized documentation of that communication, a technically operational channel does not cover the legal non-compliance. Law 2/2023 establishes its own penalty framework — with sanctions that can reach one million euros at the maximum level for legal entities — and the absence of documented records can be a determining factor in how the case is assessed.
The general workforce module covers awareness: what the channel is, how to use it, what protections exist. The system responsible's module covers operational procedures and legal obligations: response timelines, confidentiality management, documentation of actions taken, and active whistleblower protection. These are different content sets for different responsibilities — merging them into a single module typically means neither one does its job well.
© 2026 Vidext Inc.