The Update To The CNMC’S Guidance On Competition Compliance Programmes: From Formal Compliance To A Standard Of Actual And Verifiable Effectiveness

I.   Introduction

The update to the Guidelines on Compliance Programmes in relation to competition law (hereinafter, the “New Guidelines”), approved by the Spanish Competition Authority (hereinafter, the “CNMC”) on 9 June 2026, represents a significant milestone in the consolidation of competition compliance in Spain. The original Guidelines of 10 June 2020 (hereinafter, the “2020 Guidelines”) were, at the time, a pioneering instrument in that the national authority offered companies a specific framework for designing, implementing and demonstrating the effectiveness of compliance programmes in the field of competition law.

Its significance lay not only in its guidance value, but also in the fact that it linked compliance with competition law to very specific legal consequences, such as the possible reduction of penalties, leniency and, most notably, the prohibition on contracting with the public sector.

Five years on, the New Guidelines do not represent a break with the 2020 model, but rather a refinement of its essential elements in the light of accumulated experience. The CNMC maintains the same assessment criteria set out in the 2020 Guidelines for determining the effectiveness of a compliance programme: (i) involvement of the company’s governing bodies and/or senior management; (ii) effective training; (iii) the existence of an internal whistleblowing system; (iv) the independence and autonomy of the person responsible for designing and monitoring compliance policies; (v) identification of risks and the design of protocols or control mechanisms; (vi) the design of internal procedures for managing information and handling the detection of breaches; and (vii) the design of a transparent and effective disciplinary system. However, the update introduces significant clarifications. Some of these respond to regulatory developments — particularly regarding the protection of whistleblowers — whilst others relate to how companies must demonstrate that their programmes are genuinely effective.

The main change lies in the reorganisation of the legal consequences arising from the implementation of an effective compliance programme. The 2020 Guidelines distinguished between ex ante and ex post programmes, that is, between those in place prior to the infringement or investigation and those implemented or improved subsequently. The New Guidelines abandon this approach and opt for a more precise distinction. On the one hand, the programme’s potential impact on mitigation; on the other, its relevance for the purposes of the non-imposition or the lifting of the ban on contracting.

The update must also be understood within a broader legal context. Since 2020, the ban on contracting resulting from competition infringements has ceased to be a merely contingent or marginal consequence and has become one of the main legal risks associated with breaches of the regulations. Communication 1/2023 from the CNMC1and recent case law from the Supreme Court2have made it necessary to clarify how a compliance programme should be assessed when a company seeks to avoid, limit or have that ban lifted.

II.    The involvement of senior management: from ‘tone from the top’ to demonstrable commitment

The first of the assessment criteria remains the involvement of the governing bodies and senior management. The New Guidelines maintain the view that a culture of compliance must be promoted and encouraged from the highest level of the organisation.

The most significant change in this regard is that the New Guidelines broaden the scope of situations where a compliance programme may be deemed ineffective when a senior executive is directly involved in a breach of Law 15/2007 of 3 July on the Defence of Competition (hereinafter, “LDC”). Whilst the 2020 Guidelines referred to very serious infringements, the New Guidelines cover serious or very serious infringements3, 4.

The involvement of a senior manager in a breach does not automatically render the programme ineffective. The CNMC maintains a case-by-case approach consistent with the principle of proportionality. However, such involvement may be a particularly significant indication that the programme has not permeated the organisation or that the message of compliance has not been taken on board by those with the power to direct or influence the company’s conduct.

The New Guidelines also update the approach to the concept of ‘senior manager’5. They emphasise a functional, rather than a purely formal notion. What matters is not the title of the position, but the person’s actual ability to make decisions on behalf of the company or to exercise powers of organisation and control. This is particularly important in complex corporate structures, international parent companies or companies with decentralised decision-making bodies.

Another significant development is the provision allowing the company to submit additional evidence of senior management’s effective involvement. The public declaration of zero tolerance remains relevant but can no longer be regarded as sufficient proof. This involvement must be demonstrated through decisions, resources, minutes, participation in committees, approval of policies, monitoring of incidents, etc.6. In short, the New Guidelines shift the focus from a purely declarative ‘tone from the top’ towards a verifiable and documented commitment.

III.    Effective training: specialisation, measurement and internalisation

Training remains one of the programme’s key pillars. The CNMC maintains that a standard, uniform training strategy limited to the basics of competition law can hardly be considered effective. Training must be tailored to the company’s field of activity, the specific roles of each group of staff, and the level of risk exposure.

The New Guidelines introduce some important nuances. Firstly, they highlight the possibility of viewing more intensive and specific training favourably for those employees or workers who have previously been involved in any form of anti-competitive conduct7.

Secondly, the New Guidelines specify that the training strategy must be accessible, adaptable, measurable and verifiable in terms of its impact and the extent to which the training content has been internalised. This requirement is more stringent than that of 2020. It is not sufficient merely to provide evidence that sessions have been delivered or that employees have formally attended a course. The company must be able to demonstrate that the training has been understood, that it has been tailored to the organisation’s actual risks, and that mechanisms are in place to measure its effectiveness8. Assessment tests, periodic evaluations, attendance indicators, comprehension surveys, business-specific case studies and the traceability of training activities all constitute evidence.

Thirdly, the New Guidelines require ad hoc training sessions to be arranged when there are significant changes in business or market circumstances. Training should not be updated automatically in response to every minor change, but it must be updated when events occur that alter the risk profile9: entry into new markets, changes in shareholding or control, acquisition of a business, appointment of a significant supplier, participation in new tenders, etc.10.

IV.    From the whistleblowing channel to the internal reporting system

One of the terminological changes in the New Guidelines concerns the criterion relating to the whistleblowing channel. The 2020 version referred to a “whistleblowing channel”, whilst the update refers to the “internal reporting system”. This change reflects the incorporation into Spanish law of Law 2/2023 of 20 February, regulating the protection of persons who report regulatory breaches and the fight against corruption (hereinafter, “Law 2/2023”).

The New Guidelines expressly link the assessment of this element of the programme to current legislation on the protection of whistleblowers and to the criteria published by the Independent Whistleblower Protection Authority (hereinafter, “AIPI”)11. In the 2020 Guidelines, the Whistleblowing Directive was considered a future reference, pending transposition. The New Guidelines integrate the internal reporting system into the current regulatory framework, with specific requirements regarding accessibility, confidentiality, protection against retaliation and data processing.

From a competition law perspective, the New Guidelines emphasise that the internal reporting system must specifically cover infringements of the LDC. This point is essential. Many companies have general internal reporting channels, designed to address criminal offences, corruption, harassment, etc. However, a competition compliance programme will only be effective if the channel allows for the proper reporting of conduct such as the exchange of sensitive information, coordination with competitors, and the allocation of customers, etc.

The New Guidelines also view favourably the internal communication of external channels, such as the CNMC’s Anonymous Competition Whistleblower System. This provision introduces an interesting approach: the company must not only promote its internal channels but also acknowledge the existence of external channels for reporting to the authority. Far from weakening the programme, this transparency can reinforce its credibility by demonstrating that the organisation does not seek to monopolise or obstruct the detection of infringements, but rather to facilitate their reporting through appropriate channels12.

Section C of the Annex to the New Guidelines also incorporates more precise indicators regarding the channel’s operation: compliance with AIPI requirements, the existence of channels for consultation and advice, accessibility for the supply chain and other stakeholders, and quantitative data on reports received.

V.    Independence of the compliance officer: from formal position to effective autonomy

The criteria relating to the compliance officer have also been strengthened in the update. The New Guidelines maintain the requirement to appoint an officer directly responsible for the design and implementation of the programme, with sufficient safeguards and resources. The new development is that the CNMC sets out in much greater detail how it will assess the officer’s independence and autonomy.

The CNMC will take into account the compliance officer’s actual position within the organisation, the resources at their disposal and their effective capacity to act autonomously. This includes, amongst other factors, the existence of a direct and independent reporting line to senior management, the ability to raise significant issues, protection against undue interference and job security, amongst others13.

The New Guidelines also expressly emphasise the importance of the compliance officer having sufficient knowledge to perform their duties14. This clarification is particularly relevant in the field of competition law, where risks can be technically complex. A compliance officer without adequate knowledge of competition law is unlikely to be able to identify risks of collusion within trade associations, assess exchanges of information or detect ‘hub and spoke’ practices.

Another notable new development is the regulation of cases involving the total or partial outsourcing of compliance functions. The New Guidelines allow for this possibility, particularly in smaller companies, but require it to be made clear who bears internal responsibility before the board of directors. Outsourcing must not become a mere delegation of responsibility. The external service provider must have effective access to the relevant information, and there must be adequate mechanisms in place to supervise the service15.

Furthermore, the Guidelines clarify that the assumption of these functions by the company’s legal department does not automatically imply a lack of independence16. However, the assessment will be on a case-by-case basis and will require an analysis of the existence of an appropriate reporting line and the management of potential conflicts of interest. The key issue is not whether the function is formally located within the legal, compliance or internal audit departments, but whether it can act with genuine autonomy vis-à-vis the business areas and the bodies that might be involved in risk-related decisions.

VI.    Risk map and control matrix: consolidating the dynamic approach

The criteria relating to risk identification and the design of controls are among those undergoing the most substantial changes. The 2020 Guidelines already required the programme to assess the company’s specific risks and design control protocols or mechanisms. The New Guidelines maintain this requirement, but develop it in greater depth and with a clearly operational focus.

The New Guidelines state that the risk map should not be viewed as a formal or static document, but rather as an operational and dynamic tool, tailored to the company’s activity, structure, market position and specific context17. This approach is particularly relevant because it addresses one of the main weaknesses of many compliance programmes: the existence of generic risk maps, disconnected from the business, drawn up once and never updated.

Risk identification must be carried out using a documented methodology that enables the identification of areas, processes, interactions and decisions that are particularly exposed to competition law infringements. This requires analysing, for example, participation in sectoral associations, contacts with competitors, public tenders, cooperation agreements, joint ventures, relationships with distributors, pricing policies, the use of external consultants or common technological tools.

The control matrix also takes on a more demanding dimension. The New Guidelines state that the control system must include, in a proportionate manner, warning signs, escalation mechanisms and internal validations that enable the identification of conduct, patterns or incentives potentially incompatible with competition law18. This implies that controls must not be limited to written policies, but must be integrated into decision-making processes. For example, prior controls on tenders, approval of contacts with competitors, review of attendance at sector-specific meetings, information-sharing protocols, assessment of cooperation agreements or legal review of pricing tools.

The New Guidelines also emphasise that controls must be measurable and verifiable, and that the programme must provide for mechanisms to periodically verify its design and effective operation19. It is not enough for a control to exist on paper; it must be verified whether it is applied, whether it genuinely mitigates risk and whether it generates sufficient evidence. This point aligns with a framework of auditing, monitoring and continuous improvement.

One of the most significant new developments is the explicit reference to emerging technological risks, such as algorithmic collusion or the indirect exchange of sensitive information via digital platforms – risks that may be exacerbated by advances in AI20. This reference is important insofar as competition law is increasingly confronted with scenarios in which coordination does not necessarily occur through direct contact between competitors, but rather through shared tools, technology providers, platforms, price-setting algorithms or recommendation systems.

VII.    Internal procedure for handling information and infringements

The guidance on internal procedures has also been updated in line with regulatory developments regarding the protection of whistleblowers. The 2020 Guidelines referred to the procedure for handling complaints and detecting infringements. The New Guidelines refer to the handling of information and the detection of infringements, in line with Law 2/2023.

The key change is that the procedure must be properly communicated within the organisation and enable the uniform, recordable and proportionate handling of the information received21. Uniform handling prevents arbitrary or inconsistent responses to similar reports. Recordable handling ensures traceability and enables the organisation to demonstrate to the authority what was received, how it was analysed, who was involved and what decisions were taken. Proportionate handling requires tailoring the response to the seriousness, plausibility and urgency of the information received.

Furthermore, the New Guidelines require that the procedure covers not only the receipt of information, but also its investigation, proper processing and the management of the documentation generated22. The internal investigation must ensure independence, confidentiality, protection of the whistleblower, respect for the rights of those affected, preservation of evidence, coordination with internal or external advisers and, where appropriate, an assessment of the advisability of approaching the CNMC through leniency or cooperation.

VIII.    Disciplinary system: transparency, effectiveness and compliance with applicable legislation

The update to the criteria relating to the disciplinary system is more limited. The New Guidelines maintain that the programme must include a transparent and effective disciplinary system. Measures must be foreseeable, proportionate and known to the organisation. However, they introduce a clarification: disciplinary measures must be compatible with applicable legislation23.

The 2020 Guidelines referred, to a more limited extent, to employment law. The new wording broadens the scope of reference. This is appropriate because the internal consequences of a competition law infringement may affect ordinary employees, managers, senior management, directors or contractually linked third parties.

The effectiveness of the disciplinary system should not be confused with an automatic punitive policy. Its purpose is twofold. On the one hand, to deter breaches through foreseeable consequences. On the other, to demonstrate that the organisation responds to infringements in a manner consistent with its culture of compliance. A programme that identifies an infringement but takes no internal action can hardly be regarded as effective.

IX.    The distinction between a reduction in the fine and a ban on contracting

In the New Guidelines, the CNMC expressly distinguishes between the programme’s impact on the quantification of the penalty and the effects linked to the ban on contracting with the public sector. This distinction seems appropriate because both mechanisms serve different purposes:

• The reduction of the fine falls within the scope of the sanctioning procedure and is linked to Article 64 LDC. An assessment is made as to whether the programme has had a real impact on the company’s response to the infringement under investigation, either because it has helped to put an end to the conduct or its effects, or because it has facilitated active and effective cooperation with the CNMC outside the leniency programme.

• The ban on contracting, by contrast, falls within the scope of the economic operator’s reliability when contracting with the public sector. The aim is to determine whether the company has adopted appropriate technical, organisational and personnel measures to prevent future infringements. The issue is not so much whether the programme causally contributed to cooperation in the specific case, but whether it demonstrates a genuine capacity for prevention, detection and response in the future.

In this regard, a company may not meet the requirements for a reduction in the fine and yet still present a programme that is sufficiently effective to prevent or lift a ban on contracting. Conversely, active cooperation in the proceedings should not, on its own, be sufficient to demonstrate the economic operator’s future reliability if the programme lacks effective design, implementation or operation.

1.      Reduction of the fine: cooperation and remedial measures

The compliance programme may have a positive impact on the assessment of mitigating circumstances, in particular those set out in Article 64(3)(a) LDC, relating to the implementation of measures to bring the infringement to an end, and Article 64(3)(d) LDC, relating to active and effective cooperation with the CNMC outside the scope of leniency.

However, the New Guidelines reject any automatic application. The mere existence of a programme, its formal implementation or its submission during the proceedings is not sufficient to obtain a reduction in the fine. The undertaking must demonstrate that the programme has had a real and verifiable impact on its cooperative conduct or on the adoption of specific remedial measures.

The CNMC also requires that the programme be brought to the authority’s attention at the start of the preliminary investigation phase24. In this regard, if the programme is submitted late, it becomes more difficult to assess its connection with the conduct under investigation and with the company’s response. The company must explain, in a clear and documented manner, which internal mechanisms were activated, which bodies and individuals were involved, what decisions were taken, what remedial measures were implemented, and how all of this relates to the design and operation of the programme.

2.      Ban on contracting: self-cleaning, future reliability and actual effectiveness

This refers to the non-imposition or lifting of the ban on contracting with the public sector. This issue has become increasingly important in recent years and, for many companies – particularly those whose business depends wholly or partly on public tenders – the ban on contracting can have an even greater impact than an administrative fine.

The rationale behind the ban on contracting is linked to Article 72.5 of Law 9/2017 of 8 November on Public Sector Contracts and to the ‘self-cleaning’ mechanism. The company must demonstrate that it has adopted appropriate technical, organisational and personnel measures to prevent future infringements. In this context, the compliance programme must demonstrate future reliability. The authority will assess whether the company has understood the causes of the non-compliance, whether it has rectified the deficiencies identified, whether it has implemented specific controls, and whether it has effective mechanisms in place to prevent, detect and respond to similar conduct.

The New Guidelines clarify that the assessment of the programme’s effectiveness for these purposes may be carried out at any time, either during the sanctioning proceedings or after they have concluded25. However, the CNMC recommends submitting the programme at an early stage of the proceedings. If the programme is submitted during the preliminary investigation, the investigating body and the Council may assess its effectiveness in the draft decision and in the final decision, thereby justifying the non-imposition of the prohibition, and not merely its possible subsequent lifting26.

From a substantive perspective, the assessment must focus on the programme’s actual effectiveness. The CNMC will consider its design, implementation and practical operation, not merely formal elements.

For companies participating in public tenders, the assessment must pay particular attention to the operational controls associated with public procurement. It will be necessary to have tender protocols, controls over joint ventures, rules on contact with suppliers, mechanisms for reviewing bids, and specific training for staff involved in tenders, amongst other measures27.

The difference with regard to the reduction of the fine is clear. In the context of the ban on contracting, the programme is not assessed primarily on the basis of its causal contribution to cooperation in the sanctioning procedure, but rather on its suitability for preventing future infringements and demonstrating that the company is once again a reliable operator for contracting with the public sector.

X.    Conclusions

The New Guidelines confirm that competition compliance cannot be merely documentary. It must be genuine, operational, proportionate, verifiable and tailored to the company’s specific risks. For organisations operating in markets exposed to competition risks, the update to the Guidelines requires them to review their programmes from a more rigorous perspective.

The New Guidelines therefore confirm the transition of competition compliance from a formal prevention approach towards a model of effective organisational accountability. Against a backdrop of increasing administrative, judicial and reputational scrutiny of competition infringements, compliance programmes are establishing themselves as an indispensable tool not only for avoiding sanctions, but also for safeguarding business continuity and preserving the ability to contract with the public sector.

• 1CNMC Communication 1/2023, of 13 June, on criteria for determining the prohibition on contracting due to distortion of competition.
• 2Supreme Court Ruling of 18 Dec. 2024 (appeal No. 7819/2024, ECLI:ES:TS:2024:15083A), in relation to the ruling on the prohibition on contracting, the Supreme Court adds that the prohibition on contracting does not in itself constitute a sanction, but is subject to the fulfilment of certain conditions, including the existence of a final administrative sanction; consequently, the prohibition is linked to the imposition of a final sanction.
• 3Supreme Court Judgment of 16 December 2025 (appeal No. 9091/2022, ECLI:ES:TS:2025:6103).
• 4Page 8, paragraph 21 of the New Guidelines.
• 5Page 8, paragraph 8 of the New Guidelines.
• 6Page 9, paragraph 23 of the New Guidelines.
• 7Page 9, paragraph 24 of the New Guidelines.
• 8Page 10, paragraph 25 of the New Guidelines.
• 9Page 10, paragraph 26 of the New Guidelines.
• 10Pages 20–21, Section B of the Annex to the New Guidelines.
• 11Page 11, paragraph 34 of the New Guidelines.
• 12Page 11, paragraph 35 of the New Guidelines.
• 13Page 12, paragraph 39 of the New Guidelines.
• 14Page 12, paragraph 39 of the New Guidelines.
• 15Page 12, paragraph 40 of the New Guidelines.
• 16Page 12, paragraph 41 of the New Guidelines.
• 17Page 13, paragraph 46 of the New Guidelines.
• 18Pages 13 and 14, paragraph 47 of the New Guidelines.
• 19Page 14, paragraph 48 of the New Guidelines.
• 20Page 14, paragraph 49 of the New Guidelines.
• 21Page 15, paragraph 52 of the New Guidelines.
• 22Page 15, paragraph 53 of the New Guidelines.
• 23Page 16, paragraph 57 of the New Guidelines.
• 24Page 17, paragraph 67 of the New Guidelines.
• 25Page 18, paragraph 70 of the New Guidelines.
• 26Page 18, paragraph 71 of the New Guidelines.
• 27Pages 18–19, paragraph 77 of the New Guidelines.