Wednesday, November 12, 2025

Regulatory adherence in Spain: UNE 19601 explained

Written by Iratxe Gurpegui
5 min read

On a rainy Thursday in Madrid, Clara, the sole compliance officer of a 250-employee aeronautics supplier, opened her inbox to find an urgent request from the CEO: “Are we ready for UNE 19601 certification before the end of the quarter? A client is asking for this.” Clara’s mind immediately jumped to the Spanish Criminal Code’s catalogue of corporate offences and the many control activities they trigger. She knew that a certifiable, effective system could help the company avoid or mitigate corporate criminal liability under Article 31 bis of the Spanish Penal Code, but only if every risk was identified, documented, and monitored. For one person armed with spreadsheets, the task felt impossible.

UNE 19601 in a nutshell

UNE 19601 is Spain’s standard for criminal compliance management systems. Published in 2017 and updated in 2025, it adapts international compliance best practices to Spain’s corporate criminal liability regime set out in Article 31 bis of the Penal Code. Its purpose is to help organisations establish, implement, maintain, and continually improve a system aimed at preventing crime or reducing its risk and impact.

What it enables organisations to do, when properly implemented and operating effectively:

  • Demonstrate a robust model for crime prevention and mitigation aligned with Article 31 bis.
  • Strengthen their legal position if a corporate crime is prosecuted, because an effective system can be considered an exonerating or mitigating circumstance as provided by law.
  • Build market trust and meet client expectations through independent certification audits.

Independent conformity bodies can certify UNE 19601, but the real work happens inside the organisation long before any audit.

Why Spanish SMEs cannot ignore it

  1. Legal exposure. Spanish companies have been subject to criminal liability since Organic Law 5/2010, and the 2015 reform (Organic Law 1/2015) defined the conditions under which an effective compliance model can exempt or mitigate that liability. Offences committed within the organisation by employees, managers, or third parties acting on its behalf can be attributed to the company.
  2. Reputational and commercial risk. A single indictment for bribery, fraud, or tax offences can derail public tender eligibility, financing, and strategic partnerships.
  3. Client and supply-chain pressure. Large customers increasingly request UNE 19601 certification or equivalent evidence of effective criminal compliance.

The criminal risk universe you must address

UNE 19601 requires a risk assessment that maps relevant Criminal Code offences to preventive and detective controls, proportionate to the organisation’s activities. Below is a condensed view of common offence clusters, the Criminal Code articles involved, and examples of controls auditors frequently expect to see. The list of offences of the Spanish Criminal Code is non-exhaustive:

  • Sexual harassment. Articles 184.1 to 184.4. Controls: prevention and management protocol for sexual harassment; mandatory training for all staff and managers; confidential whistleblowing channel and investigation procedure.
  • Offences against privacy and unlawful access to IT systems. Articles 197, 197.7, 197 bis, 197 ter. Controls: information security and data protection policy; access management (roles, strong passwords, activity logs); incident response procedure and breach analysis.
  • Fraud and swindling. Articles 248, 249, 250, 251. Controls: segregation of duties in procurement, sales, treasury and accounting; authorisation controls and limits for payments and discounts; periodic reconciliations and investigation of unusual transactions.
  • Insolvency offences. Articles 259, 259 bis, 260, 261. Controls: procedure for acting in financial distress or pre-insolvency; reliable financial information, periodic closings and reporting to the board; independent external advice on restructuring decisions.
  • IT damage. Articles 264, 264 bis, 264 ter. Controls: cybersecurity controls (firewalls, backups, antivirus, patching); acceptable use policy for systems and devices; change management and testing in non-production environments.
  • Offences against intellectual and industrial property, the market and consumers, and private corruption. Articles 270, 271, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 282 bis, 283, 284, 285, 285 bis, 285 quater, 286, 286 bis, 286 ter, 286 quater. Controls: policy on use of intellectual and industrial property and software licences; procedures to review marketing, advertising and commercial practices; competition and private corruption compliance programme (commissions, discounts, incentives).
  • Handling of proceeds and money laundering. Article 301. Controls: anti-money-laundering policy and procedures; customer identification (KYC) and monitoring of suspicious transactions; periodic AML training for high-risk areas.
  • Illegal financing of political parties. Article 304 bis. Controls: policy on donations, sponsorships and political contributions; centralised approval and detailed register of all contributions; prior legal review and transparency towards authorities and stakeholders.
  • Offences against the Public Treasury and Social Security. Articles 305, 306, 307, 307 ter, 308, 310. Controls: documented tax and Social Security compliance programme; periodic tax review, internal or external; controls over invoicing, payroll, social security contributions and use of subsidies.
  • Environmental offences. Articles 325, 326, 326 bis, 330. Controls: environmental management system (e.g. ISO 14001); operational controls over discharges, emissions, noise and waste; environmental impact assessments and preventive maintenance.
  • Bribery. Articles 424, 427. Controls: anti-corruption, gifts and hospitality policy; register of interactions with public officials and public procurement decisions; due diligence on intermediaries, consultants and commercial agents.
  • Influence peddling. Articles 429, 430. Controls: specific policy on relations with authorities and public decision-makers; register of lobbying activities and meetings with public officials; review of intermediation contracts and success-fee arrangements.
  • Embezzlement of public funds. Articles 432 to 434. Controls: authorisation and justification controls over public funds managed; segregation of duties between authorisation, execution and accounting; internal and external audits of publicly funded programmes.

Even a modestly sized company can flag dozens of individual risks across these categories and attach multiple controls, policies, and pieces of evidence to each.

Image: a compliance officer reviews a digital dashboard displaying dozens of criminal risk categories, each with status indicators, control owners, and evidence links, while a colleague scans QR-coded policy documents on a tablet.

The six pillars of a UNE 19601 compliance management system

  1. Governance. The board approves a crime prevention policy, sets tone from the top, and appoints a compliance function with autonomy and resources.
  2. Risk assessment. Identify inherent likelihood and impact for every relevant Penal Code offence, considering business model, jurisdictions, products, and third parties.
  3. Controls and procedures. Design preventive and detective measures proportionate to each risk and embed them into operations.
  4. Training and communication. Deliver role-based training, keep attendance evidence, and make policies accessible and current.
  5. Reporting channels and investigations. Provide confidential reporting mechanisms, ensure non-retaliation, and document impartial investigations.
  6. Monitoring, review, and continuous improvement. Use KPIs, internal audit, and management review to evaluate effectiveness and implement corrective actions.

Certification audits typically test each pillar through documentation reviews, sampling, and personnel interviews. Missing evidence, outdated risk scoring, or controls that do not operate as designed can derail certification.

Where most organisations stumble

  • Manual evidence gathering. Invoices, inspection photos, and minutes spread across shared drives or email threads.
  • Policy version control. Auditors discover obsolete templates in circulation or employees unaware of updates.
  • Static risk maps. Annual refreshes fail to capture new products, jurisdictions, or updated controls.
  • Remediation tracking. Spreadsheets become outdated when multiple departments own corrective actions.

How Naltilia automates UNE 19601 compliance

Naltilia’s AI-powered platform is built to tame exactly this type of control jungle:

  • Automated risk mapping. The solution analyses your organisational chart, revenue streams, activity, context, incidents and vendor list, then surfaces Penal Code risks in minutes instead of weeks.
  • Control library with smart suggestions. Based on UNE 19601 good practice, Naltilia proposes tailored controls and assigns them to process owners.
  • Evidence gathering. As you upload evidence, Naltilia tests whether each control exists and operates effectively, and updates the residual risks linked to those controls.
  • Real-time dashboards and KPIs. Heat maps display residual risk after controls, while overdue remediation actions trigger alerts.
  • Audit-ready reporting. With one click, generate the compliance manual, risk assessments, monitoring logs, and evidence registers certifiers commonly request.

Explore in person how these capabilities work. Book a demo.

Stylized screenshot concept: Naltilia dashboard displaying a Spain-specific criminal risk heat map, automatic evidence status bars, and certification readiness percentage.

Getting certified: a pragmatic 90-day roadmap

  • Week 1–2: Executive endorsement, scope definition, and project kickoff.
  • Week 3–4: Import organisational data into Naltilia, generate preliminary risk map, validate with process owners.
  • Week 5–6: Deploy control library, integrate evidence sources, launch reporting channel and investigation SOPs.
  • Week 7–8: Perform gap analysis, assign remediation actions, roll out role-based training.
  • Week 9–10: Run internal audit with sampling, remediate residual findings, update KPIs.
  • Week 11–12: Invite an external certifier, provide audit workspace and evidence, address any nonconformities.

Actual timelines vary by maturity and scope, but SMEs that leverage automation often reach audit readiness within one quarter.

Ready to turn compliance chaos into clarity?

Clara’s team achieved certification ahead of schedule after adopting automated controls and real-time dashboards. If you want the same peace of mind, and a defensible position before regulators, schedule a personalised demo. Let our AI handle the complexity so your team can focus on strategic risk management.

About the Author

Iratxe Gurpegui


I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden; it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and, most importantly, a real driver of growth for businesses.