How to Respond to a Corporate Criminal Investigation in Spain, Step‑by‑step (2026)

Knowing how to respond to a corporate criminal investigation in Spain can determine whether your company faces full criminal liability or secures meaningful mitigation. Spanish law permits the criminal prosecution of legal persons, companies, branches and subsidiaries, alongside the individual directors or employees suspected of wrongdoing. This guide sets out the precise corporate criminal investigation steps that in‑house legal teams, general counsel, CFOs, compliance officers and board members should follow from the moment an investigation is triggered, whether by a prosecutor’s notice, a police raid, a whistleblower report or a sectoral regulator inquiry.

The procedural landscape in 2026 places greater emphasis than ever on demonstrable evidence preservation, documented remediation and operational compliance programmes as the primary route to mitigation through compliance.

Overview of the Process and Who It Applies To

Spain’s criminal investigation architecture involves three core institutional actors. The Policía Judicial conducts the initial factual inquiry and evidence gathering. The Fiscalía General del Estado (Public Prosecutor’s Office) directs preliminary inquiries, decides whether to bring charges and leads the prosecution. The Juez Instructor (Investigating Judge) supervises the formal judicial investigation phase, known as the instrucción, during which evidence is secured under judicial authority, witnesses and suspects are summoned, and searches or seizures may be ordered.

A common question is whether judges lead investigations in Spain. The answer is nuanced: during the instrucción phase, the Juez Instructor holds supervisory authority over the investigation, as set out in the Ley de Enjuiciamiento Criminal (Criminal Procedure Act). However, the Fiscalía leads pre‑trial prosecutorial inquiries and may conduct its own preliminary investigations before referring a matter to the court. In practice, both institutions share investigatory functions at different stages.

The overarching mitigation thesis is straightforward: prompt evidence preservation, a credible internal investigation and documented remediation measures materially improve a company’s prospects. Prosecutors and courts assess whether the company had an effective compliance programme, the modelo de prevención de delitos, and whether it cooperated genuinely once the investigation commenced.

Who May Be Investigated: Legal Persons and Directors

Under the Código Penal (Criminal Code), legal persons may bear criminal liability for offences committed on their behalf or for their benefit by directors or employees, where the offence was made possible by a failure of supervision or control. This applies to domestic Spanish companies and to Spanish branches of foreign entities. Directors, officers and de facto administrators may be investigated in parallel, creating dual liability exposure.

Key Authorities and Their Roles

Beyond the Policía Judicial, Fiscalía and Juez Instructor, sectoral regulators may trigger or participate in investigations. The CNMV (Comisión Nacional del Mercado de Valores) has referral powers for market abuse and securities offences. The AEPD (Agencia Española de Protección de Datos) oversees data protection obligations that directly affect how personal data may be collected and produced during an investigation. Companies operating in regulated sectors, energy, health, financial services, may face parallel regulatory proceedings.

Eligibility and Prerequisites for the Corporate Criminal Investigation Process

This procedural guide applies whenever a company faces, or reasonably anticipates, a criminal investigation in Spain for offences where corporate liability is possible under the Código Penal. Common triggering offences include bribery and corruption, fraud, tax offences, accounting irregularities, money laundering, environmental offences, sanctions breaches and insider dealing.

Before activating a formal response, several prerequisites must be addressed in rapid sequence. The general counsel or chief compliance officer should confirm internal escalation authority, who in the organisation has the mandate to instruct external counsel, freeze communications and initiate a legal hold. A legal privilege assessment is essential: Spain does not recognise attorney‑client privilege in the same way as common‑law jurisdictions, and communications between in‑house counsel and the business may not always be protected from disclosure.

IT forensics readiness should be confirmed immediately. Can the company isolate and image relevant servers, email accounts and messaging platforms within hours? If internal IT lacks forensic capability, external forensic providers must be engaged under counsel direction before any data is altered or overwritten.

A decision tree should guide parallel actions: notify the board (or a designated committee) within the first 72 hours; contact the company’s D&O and professional indemnity insurers, because many policies require notice within days of a triggering event; and, for listed companies, assess whether a hecho relevante (material fact disclosure) to the CNMV or shareholders is required.

External counsel should be retained from the outset, ideally with specific experience in Spanish corporate criminal defence and internal investigations. Retaining independent counsel also supports the credibility of any subsequent internal investigation in the eyes of prosecutors and the court.

Step‑by‑Step: How to Respond to a Corporate Criminal Investigation in Spain

The following corporate criminal investigation steps move from the first hours after notification through to post‑resolution monitoring. The summary table below maps each step to the responsible party and a typical time frame.

Step 1, Issue a Legal Hold and Preserve Evidence Immediately

The single most important action in the first hours is evidence preservation in Spain. Issue a written legal hold notice to every custodian, employee, contractor or department, who may possess relevant documents, electronic data or physical records. The notice must instruct recipients to suspend all routine deletion, archiving or modification of potentially relevant material. Date‑stamp the notice, log recipients and retain proof of distribution.

Simultaneously, instruct IT to isolate and forensically image relevant servers, email accounts, shared drives, messaging platforms and mobile devices. Forensic images must include hash values to verify integrity. If the company lacks in‑house forensic capability, engage an external digital forensics provider under counsel direction within the first 24 hours.

Step 2, Establish Legal Privilege and Interview Protocols

Before any internal interviews begin, define the privilege framework. In Spain, communications with external lawyers (abogados) benefit from professional secrecy protections, but communications with in‑house counsel may receive less protection depending on context. All interview notes, legal memoranda and strategy documents should be clearly marked as privileged, prepared under counsel instruction, and stored separately from non‑privileged business records.

Establish a formal interview protocol: interviews should be conducted by or under the supervision of external counsel; each interviewee should receive a so‑called Upjohn‑style warning explaining that counsel represents the company (not the individual); notes should record the date, time, location, interviewer identity and whether counsel was present.

Step 3, Scope the Offence and Map the Corporate Structure

Identify which business units, legal entities and natural persons are potentially implicated. Map reporting lines, delegations of authority and the flow of decisions that may have enabled the alleged conduct. This corporate structure mapping feeds directly into the risk assessment and helps external counsel advise on whether liability attaches to the company, specific directors or both.

Step 4, Decide Whether to Self‑Report

The self‑reporting procedure in Spain is not codified in a single statutory pathway in the way some common‑law jurisdictions provide. However, the Fiscalía and courts have consistently treated voluntary disclosure and genuine cooperation with prosecutors in Spain as mitigating factors. Factors to weigh include the strength of existing evidence against the company, the credibility of remediation measures already taken, the risk that self‑reporting may waive privilege over internal investigation findings, and any insurance policy conditions.

This decision should be made by the board (or designated committee) on the advice of external counsel, documented in board minutes and recorded contemporaneously.

Step 5, Prepare a Cooperation and Voluntary Disclosure Plan

If the decision is to cooperate, prepare a structured cooperation plan. In 2026, early indications suggest prosecutors expect companies to present not merely a willingness to cooperate but a credible remediation plan, including restitution to victims where applicable, compliance programme upgrades, disciplinary action against responsible individuals and a timetable for implementation. The cooperation plan should be a written document, shared with prosecutors through counsel, and updated as the investigation develops.

Step 6, Secure and Produce Evidence While Preserving Chain of Custody

When producing documents to prosecutors or the Juez Instructor, maintain a complete chain‑of‑custody log. Every document produced should be catalogued with an item identifier, description, custodian name, collection date and time, collector identity, storage location, hash value (for electronic items) and any notes on redaction. Redaction for privilege or data protection (AEPD obligations) should be documented and justified in writing.

Step 7, Manage Internal and External Communications

Appoint a single communications lead. Internal communications should reassure employees that the company is cooperating with authorities and that the investigation does not presume guilt, while reminding all staff of their obligation to comply with the legal hold. External communications, press statements, regulator notifications, shareholder disclosures, should be reviewed by counsel before release. Premature or inaccurate public statements can prejudice the company’s position and may constitute separate regulatory breaches.

Step 8, Implement Post‑Investigation Remediation and Monitoring

Remediation is not an afterthought, it is central to how to respond to a corporate criminal investigation in Spain effectively. Document every remedial measure: updated compliance manuals, new or revised modelos de prevención de delitos, staff training records, enhanced internal controls, disciplinary actions taken and the appointment of any third‑party monitor. This evidence file becomes the company’s primary exhibit for mitigation through compliance when the matter reaches resolution.

Required Documents and Information for an Internal Investigation in Spain

The documents needed for an internal investigation fall into two categories: those the company must preserve from the outset, and those generated during the investigation itself. The table below provides a checklist.

Evidence Preservation and Chain‑of‑Custody Documentation

Every item collected during evidence preservation in Spain should be logged in a formal evidence register. Recommended columns include: item ID, description, custodian, collection date and time, collector name, storage location, hash value (for digital items) and notes (including any redactions applied and the reason). This register should be maintained by or under the supervision of external counsel and updated contemporaneously, not reconstructed after the fact.

Where personal data is involved, the AEPD’s guidance on data processing during internal investigations must be followed. Companies should conduct a proportionality assessment before collecting employee communications, and any data transferred outside Spain (for example, to a parent company’s legal team) must comply with applicable data transfer mechanisms under the GDPR.

Sectoral reporting obligations may run in parallel. For securities‑related conduct, the CNMV may require separate notifications. For data breaches forming part of the underlying offence, the AEPD’s 72‑hour breach notification window applies independently of the criminal investigation timeline.

Investigation Timeline and Key Deadlines in 2026

The investigation timeline for a corporate criminal investigation in Spain varies substantially depending on the complexity of the offence, the number of suspects, the volume of evidence and whether cross‑border elements are involved. The table below provides an illustrative timeline for a mid‑complexity domestic investigation.

Several statutory deadlines apply to specific investigatory actions under the Ley de Enjuiciamiento Criminal. Detention of individuals is subject to strict time limits, and judicial orders for searches or seizures must comply with procedural requirements that vary by offence category. Statute of limitations periods under the Código Penal differ by offence severity and can range from several years to more than a decade for the most serious crimes. Companies should verify applicable limitation periods with counsel at the earliest stage.

The practical drivers of duration are worth noting. Cross‑border elements, requests for mutual legal assistance, coordination with foreign prosecutors, evidence located in multiple jurisdictions, regularly extend timelines by months. Judicial backlog in certain Spanish courts adds further delay. Conversely, genuine cooperation with prosecutors in Spain and prompt production of well‑organised evidence can accelerate resolution, particularly where a conformidad (plea agreement) is reached.

Companies should not assume that the internal investigation can wait for the formal instrucción to conclude. Industry observers expect that running both tracks in parallel, and presenting investigation findings and remediation evidence proactively, delivers the strongest mitigation position.

Costs, Fees and Tax Considerations

The costs of responding to a corporate criminal investigation are substantial and largely variable. The table below provides illustrative ranges; actual costs depend on the complexity, duration and cross‑border scope of the matter.

Legal and professional fees incurred in defending a criminal investigation are generally deductible as professional expenses for corporate tax purposes, though confirmation with tax counsel is advisable. Insurers under D&O and professional indemnity policies should be notified immediately, many policies impose strict notification windows, and failure to notify promptly can void coverage.

What Changes in 2026: Updated Expectations for Corporate Criminal Investigations

The 2026 enforcement environment has sharpened expectations on companies facing criminal investigations in Spain in several material ways.

First, prosecutors and courts now place heightened emphasis on operational compliance evidence. It is no longer sufficient to produce a compliance manual adopted years ago. Companies must demonstrate that their modelos de prevención de delitos were actively tested, updated and supervised by a compliance body with genuine independence and resources. Training logs, internal audit results, risk assessment updates and incident‑response drill records are the documentary proof that matters.

Second, digital reporting and evidence preservation obligations have expanded. Sectoral transpositions, including measures derived from the NIS2 Directive for entities in critical sectors, impose specific incident reporting timelines and data retention requirements. Companies in regulated industries (energy, financial services, health, telecommunications) must confirm that their investigation response protocols align with these sectoral obligations, which run concurrently with the criminal procedure.

Third, the likely practical effect of recent enforcement trends is that cooperation with prosecutors in Spain is assessed more rigorously. Early indications suggest that the Fiscalía expects not merely passive cooperation but proactive disclosure, including a written remediation plan with milestones and evidence of implementation. Companies that can show chain‑of‑custody documentation, contemporaneous board minutes and independently verified compliance programme upgrades are better positioned for mitigation through compliance.

A 2026 tactical checklist for compliance officers should include: verifying that internal whistleblowing channels comply with current requirements; confirming digital evidence retention policies meet sectoral rules; updating the modelo de prevención risk assessment to reflect current threat landscapes; and ensuring the compliance body has documented its supervisory activities throughout the preceding year.

Common Pitfalls and How to Avoid Them

• Delaying the legal hold. Every hour without a formal legal hold increases the risk that routine deletion processes destroy relevant evidence. Issue the hold within hours of notification, not days.
• Failing to preserve metadata. Printing emails or saving documents outside their native format strips metadata that prosecutors and forensic examiners rely on. Always preserve original electronic formats alongside any printed copies.
• Mixing privileged and non‑privileged communications. Circulating legal advice to recipients who do not need it, or storing privileged memoranda alongside business documents, risks waiving privilege. Maintain separate storage and distribution tracks from day one.
• Poorly documented internal interviews. Interviews conducted without clear protocols, no record of who attended, no Upjohn‑style warning, no contemporaneous notes, undermine the credibility of the internal investigation in Spain. Follow a written interview protocol for every session.
• Inconsistent or cosmetic remediation. Announcing compliance upgrades without implementing and documenting them is worse than doing nothing, it signals bad faith. Every remedial action should be evidenced by completion records, test results and independent verification where possible.
• Premature public statements. Commenting publicly before the facts are established can create contradictions that prosecutors exploit and may trigger additional regulatory exposure. Route all external communications through counsel.

Sources

1. BOE, Boletín Oficial del Estado (Código Penal and amendments)
2. Ministerio de Justicia, Ley de Enjuiciamiento Criminal
3. Fiscalía General del Estado
4. Uría Menéndez, The Practitioner’s Guide to Global Investigations (Spain)
5. Pérez‑Llorca, White Collar Crime and Investigations
6. Letslaw, Prevention of Criminal Offences in Spain
7. Escura, Corporate Criminal Compliance in Spain
8. CNMV, Comisión Nacional del Mercado de Valores
9. AEPD, Agencia Española de Protección de Datos