New CNMC Guidance for Competition Risks Compliance programs

Iratxe Gurpegui
Written by
Iratxe Gurpegui
8 min read
A wide landscape scene in a competition compliance review room, with one central wall board showing a company’s high-risk commercial touchpoints mapped across pricing, tenders, distributor management, trade association meetings, and competitor contact; in the foreground are printed risk assessment pages, agenda review notes, a tender control checklist, and a remediation tracker arranged in clear order; no screens visible and no people present, eye-level view, serious and practical mood, clean office environment focused on proving where antitrust risk is controlled.

A sales director can sign the antitrust policy on Monday and still walk into a meeting with a competitor on Thursday with no script, no guardrails, and no record.

That gap is exactly what the CNMC's updated guidance on competition compliance targets.

On 9 June 2026 the CNMC approved a new version of its guide on competition compliance programs, replacing the reference text it published on 10 June 2020. The update kept most of the 2020 structure and evaluation criteria, so this is an evolution of the old guide rather than a fresh start. The changes that matter sit in the details, and those details change what a compliance program has to deliver.

For legal and compliance teams in midsize companies, the update should trigger one review. If the CNMC assessed the program tomorrow, could the company show working evidence that it prevents or detects anticompetitive conduct, and could it show that evidence at the right moment in a proceeding?

What changed between the 2020 and 2026 guidance

The 2020 guide established the criteria the CNMC uses to judge whether a competition compliance program is effective. The 2026 update keeps those foundations and sharpens the parts that decide real outcomes

Since 2020, both the CNMC and the courts have added detail on how compliance programs and the procurement ban actually work. The CNMC published Communication 1/2023, which sets out the criteria for determining the ban on contracting with the public sector when a company distorts competition. The Supreme Court then issued recent case law clarifying the scope of that ban and how far it reaches. The 2026 guide folds these developments in, so its treatment of sanctions and public procurement rests on rules and rulings that did not exist when the earlier version was written. The guidance focuses not only on whether a company has a program but also on whether it can prove on time that the program worked.

A compliance officer and in-house lawyer review printed competition risk controls, meeting protocols, and a risk map spread across a conference table in a meeting room before an audit discussion.

The two effects a program can now have

The headline change is that the 2026 guide separates two consequences that a credible program can produce inside a CNMC proceeding.

The first is a lighter fine. Under Article 64.3 of Ley 15/2007 de Defensa de la Competencia, an effective program can support a mitigating circumstance that reduces the sanction. The second is relief from the public procurement ban. Under Article 72.5 of Ley 9/2017 de Contratos del Sector Público, a company facing exclusion from public tenders can have its program assessed toward an exemption, either inside the sanctioning procedure or later while the ban is in force.

The 2020 guide spoke about the value of a program in general terms. The 2026 update pulls these two effects apart and explains each one, so a company can see precisely where a strong program pays off. For businesses that sell to the public sector, the procurement track matters as much as the fine, because exclusion can cost more than the penalty itself.

Timing is now part of the test

The 2026 guide adds a demand the 2020 text left open: when the company hands over its program.

The guidance advises companies to provide the program in the early phase of the procedure. Communicating it during the instruction phase becomes a determining element for the mitigating circumstance. A program presented late in the process can lose its weight, and the mitigation may become hard to obtain.

The practical lesson is direct. A program only helps if it already exists, already works, and reaches the file early. A company that scrambles to assemble evidence after an investigation starts arrives too late to earn the benefit.

A stricter guardrail against cosmetic compliance

The 2026 update sets a clear condition to stop companies from using compliance programs as decoration. The mitigating circumstance applies only when there is a sufficient material connection between the program, the company's active and collaborative reaction to the infringement, and the conduct itself.

Alongside that condition, the guide lists behaviors that can count in the company's favor, such as acting to end the infringement, keeping it from taking effect, cooperating actively with the CNMC, and repairing the harm caused. Repair carries extra weight when it happens before the final resolution.

The direction is consistent with the CNMC's wider message. A program earns credit through its design, its implementation, and its practical functioning, backed by verifiable evidence. Formal policies, codes, and procedures form the starting point, and their real value shows when they operate inside daily decisions.

The risk assessment does the heavy lifting

A useful risk assessment begins with conduct. It maps the company's actual exposure: who meets competitors, who sets prices, who exchanges market data, who runs tenders, who manages resellers, who attends industry associations, and who approves exclusivity or distribution terms.

This lines up with the broader European enforcement view that responsibility for compliance begins inside the company. The European Commission makes the same point in its material on competition compliance.

Companies can handle this without heavy bureaucracy. A competition risk map should identify the activities that carry the most risk, rank them, assign owners, attach controls, and set review dates. One question does most of the work: where could a reasonable commercial employee cross the line by accident, or feel tempted to do so? That question produces sharper controls than a generic training slide ever will.

Take a concrete example. If the company attends trade association meetings, the program should define the review before each meeting, agenda checks, attendance rules, exit language, minutes review, and escalation steps. Naltilia's separate guide on competition compliance for business associations goes deeper here, because association settings remain a classic source of information exchange risk.

If the company works through distributors, the program should separate legitimate recommended resale prices from resale price maintenance. If the company bids in tenders, it should control competitor contact, subcontracting discussions, and repeated bidding patterns. If pricing teams use market intelligence, the program should define which data sources are permitted and when legal review becomes mandatory.

From policy to evidence

Many programs break at this stage. The policy says the right things. The code of conduct prohibits cartels. The training completion rate looks high. Then the CNMC asks for evidence of how the policy worked inside the business, and the file turns thin.

The 2026 guide even offers help here. Its updated annex lists example indicators of effectiveness that a company can use to test its own program before a regulator does. The table below shows the practical gap the CNMC now looks for.

CNMC expectation

Weak program

Credible program

Risk assessment

Annual template with generic antitrust risks

Risk map tied to products, channels, tenders, associations, and pricing processes

Governance

Compliance named in a policy, with unclear authority

Named owners, escalation paths, board or senior management reporting, and independence where needed

Controls

Training alone

Approval workflows, meeting protocols, pricing review triggers, tender controls, and distributor communication rules

Reporting

Hotline mentioned in the code

Clear internal reporting system, protection against retaliation, triage rules, and investigation records

Remediation

Action taken after a crisis

Root cause analysis, corrective actions, deadlines, owners, and follow up testing

The difference is substantive. It decides whether the company can demonstrate prevention and detection, or only good intentions.

Automation helps when it sits in the right place. Legal judgment still decides whether a pricing clause is lawful. Around that judgment, AI can help compliance teams collect evidence from owners, map obligations to controls, track remediation actions, flag missing documentation, and keep policies aligned with the risk assessment.

That is the practical role of a platform like Naltilia. It makes the compliance system easier to run, test, and evidence, so accountability becomes visible to anyone who reviews it, and available early when a proceeding starts.

A realistic audit moment

Picture a Spanish manufacturing company with €80 million in revenue. It has a sales team, regional distributors, and a trade association presence. It has never been fined. The compliance officer is capable yet stretched across data protection, whistleblowing, sanctions, and health and safety.

A competition issue surfaces after a competitor reports suspicious tender behavior. The legal team opens an internal review.

The company had an antitrust policy. The harder questions come next.

Were tender teams trained on the bid rigging scenarios relevant to their market? Were competitor contacts logged and reviewed? Did trade association attendees know when to leave a meeting? Did anyone test the controls after the last market expansion? And could all of this be handed to the instructing body early enough to count?

In this scenario, the alleged conduct is only part of the risk. The larger exposure is the difficulty of showing that the program had reached the people and processes where the conduct could happen, and showing it in time to influence both the fine and the procurement ban.

What the company needs is a compliance operating system for competition risk, one that connects legal obligations, risk scoring, controls, and evidence. For teams building that foundation, Naltilia's UNE 19603 antitrust playbook lays out a practical way to make those connections.

The decision for compliance teams

The 2026 guidance is a demand for proof, delivered on time.

A company that treats competition compliance as a document exercise discovers the weakness at the worst possible moment: after an investigation has started, when explanations sound defensive, evidence is hard to reconstruct, and the window for early submission has closed.A company that treats competition risk infrastructure as a strategic asset makes different choices now. It maps real risks, places controls where commercial pressure lives, trains by role, documents decisions, tests effectiveness against the CNMC's indicators, and keeps everything ready before a regulator forces the issue.

That is the shift the update rewards: better evidence, better timing, better judgment, and a program that stands up when someone finally says, "Show me how this actually works."

Frequently Asked Questions

What is the single biggest change in the 2026 CNMC guidance?

It separates two effects of an effective program inside a proceeding: a possible reduction of the fine under Article 64.3 LDC, and an exemption or lifting of the public procurement ban under Article 72.5 LCSP. The 2020 guide treated the value of a program in broader terms.



Does the update change the core criteria from 2020?

No. The CNMC kept the structure, categories, and evaluation criteria of 2020, since most of them remain valid. The update refines the consequences, the timing, and the evidence expected.


Why does the timing of the program now matter?

The guide treats early submission during the instruction phase as a determining element for a reduced fine. A program presented late can lose its mitigating weight.


Does the CNMC expect every company to have the same program?

No. The program should stay proportionate to the company's risk profile. A business built on distributors, a company driven by tenders, and a digital platform will each need different controls.


Where should legal and compliance teams start?

Start with the commercial processes that carry the most risk. Map who makes decisions, where competitor contact can happen, what approvals exist, and what evidence the company could produce, and hand over, if questioned.


About the Author

Iratxe Gurpegui

Iratxe Gurpegui

I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden, it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.