
Antitrust compliance is not only for Big Tech or large corporations. If you sell through distributors, join trade associations, bid for public tenders, or use dynamic pricing, you carry competition risk that regulators can and do prosecute. Spain’s UNE 19603 gives mid‑market companies a practical structure to prevent and detect violations. The heart of that structure is a rigorous, repeatable regulatory risk analysis. This playbook shows how to build it, test it, and keep it audit ready.

Why UNE 19603 is a smart way to structure antitrust risk analysis
UNE 19603 is Spain’s standard for competition law compliance management systems. It follows modern compliance principles: risk based, documented, and demonstrably effective. For intermediate‑sized enterprises, it turns abstract antitrust duties into a concrete operating model. The standard expects you to identify where antitrust risks arise in your business, evaluate their likelihood and impact, mitigate them with proportionate controls, and evidence that the system works in practice.
Regulators reward this approach. For example, in Spain the CNMC considers the existence and effectiveness of compliance programs when assessing infringements and sanctions, although there is no safe harbor. The CNMC has adopted practical guidelines on how competition compliance programs should be designed and implemented. Other EU competition authorities have adopted a similar approach.
At EU level, the competition rules are established under Articles 101 and 102 TFEU, implementing Regulations, Directives and guidelines.
Having a documented, risk based program helps you navigate these frameworks and defend your decisions.
What auditors and regulators expect to see
A UNE 19603‑aligned system should show five things clearly:
- Governance and independence, a designated competition compliance owner with access to leadership, clear roles and escalation paths.
- Regulatory risk analysis that is business specific, documented scenarios by function and market, inherent and residual scoring, assumptions and data sources.
- Tailored controls and policies, proportionate measures mapped to risks, training by audience, third‑party clauses and guidance for frontline decisions.
- Monitoring and remediation, periodic testing, corrective actions with owners and due dates, disciplinary measures where needed.
- Evidence trail, versioned documents, immutable logs of training, attestations and approvals, and a single risk register approved by management.
Build your antitrust risk universe
Your risk universe should reflect how your company actually competes and sells. For mid‑market firms, the following scenarios usually cover 80 percent of exposure. Select the ones that match your profile and add sector specifics.
- Horizontal collusion, price fixing, output limitation, market allocation, customer allocation, bid rigging, no‑poach and wage‑fixing agreements.
- Information exchange with competitors, direct or via hubs, sensitive pricing or volume data in benchmarking or trade associations.
- Vertical restraints, resale price maintenance, online sales restrictions, platform bans, exclusivity or non compete, MFN or parity clauses.
- Distribution and e‑commerce design, selective distribution, dual distribution with own channel competing with distributors, geo‑blocking and marketplace rules.
- Abuse of dominance, only where market power is plausible, exclusivity with foreclosure, refusal to supply, margin squeeze, discrimination.
- Merger control and gun jumping, pre‑closing coordination, clean team failures, early implementation of integration steps.
- Public procurement risks, coordinating bids or cover bidding, subcontracting structures that mask collusion, shared consultants.
- Trade association participation, agendas and minutes that drift into pricing or strategic plans, informal side meetings.
- Algorithms and pricing tools, unintended parallelism or signaling through software vendors or third‑party pricing platforms.

A step by step regulatory risk analysis under UNE 19603
Use this field tested sequence to produce a defensible analysis in weeks, not months.
- Set scope and context. Define business units, brands, channels, geographies, and counterparties. Record external context that changes exposure: market concentration, strong buyer power, public procurement dependency, high seasonal tenders. Define stakeholders (internal and external).
- Build a scenario library. For each function (sales, marketing, procurement, product, HR), list concrete behaviors that could breach competition law. Keep them observable, for example, “sales shares next quarter price increases with competitor at trade fair” rather than “collusion”.
- Inventory data sources. Identify systems and artifacts that will inform likelihood and control strength, pricing approval logs, discount matrices, contract templates, distributor agreements, tender files, travel and events logs, trade association memberships, training records.
- Score inherent risk. Use historical exposure or external indicators to anchor probability and impact, market structure, contact opportunities with competitors, incentives. Impact should consider financial penalties, director disqualification risk, procurement debarment, and operational disruption from dawn raids.
- Map existing controls. Policies and playbooks, contract clauses, approval workflows for discounts and exclusivity, meeting protocols for associations, clean teams in M&A, training coverage and cadence, speak‑up channels and triage.
- Calculate residual risk. Consider both design and operating effectiveness of controls. Note gaps explicitly. High residual risk requires immediate treatment.
- Define treatments and owners. Replace or fix templates, insert no‑RPM clauses, introduce guidance for lawful benchmarking, deploy association protocols, launch targeted training, configure price approval thresholds, add clean team procedures.
- Approve and communicate. Present the register to management, record decisions and risk appetite thresholds, publish practical do’s and don’ts to frontline teams.
- Monitor continuously. Test a small set of indicators monthly and run targeted file reviews each quarter. Refresh the risk analysis at least annually or when business models change.
Scoring that is meaningful and defensible
A simple 1 to 5 scale works if your anchors are explicit. Keep the model consistent across functions. Some examples below:
| Dimension | 1, low | 3, medium | 5, high |
|---|---|---|---|
| Probability | Rare contacts with competitors, low incentives to coordinate | Regular industry contacts, medium incentives, some history of sensitive exchanges | Frequent competitor contact, high incentives, prior investigations or red flags |
| Impact, financial | Minimal fine potential, low affected turnover | Material fine possible, moderate affected turnover | Significant fine exposure based on affected turnover |
| Impact, business | No public tenders or strategic contracts at risk | Some key tenders or distribution contracts at risk | High dependency on tenders or large distributors, debarment risk |
| Control strength | Policy exists but generic, training below 50 percent coverage | Tailored policy, training above 70 percent, approvals exist but weak evidence | Robust policy and protocols, training above 90 percent, strong approvals with evidence logs |
Document the rationale for each scenario. In UNE 19603, the narrative matters as much as the number.
Monitoring and testing that prove effectiveness
For UNE 19603, effectiveness is more than policy existence. Test a small set of indicators at a regular cadence and keep the evidence.
- Training coverage and completion time, target above 90 percent for exposed roles within 30 days of assignment.
- Association meeting hygiene, percentage of meetings with approved agenda and minutes, target 100 percent.
- Approval discipline, percentage of distributor or rebate agreements that used approved templates and had legal sign off when required.
- Speak up health, number of reports related to competition each quarter and resolution rate.
Run focused file reviews each quarter. For example, sample 10 recent distributor contracts for RPM risks or 10 trade association meetings for proper minutes. Keep a short memo for each test, scope, sample, findings, remediation.
Handling vertical restraints without killing sales, a complex area
Vertical rules allow many efficient arrangements when designed correctly. Your goal is to give the sales team a lawful toolbox, not only prohibitions.
- Make recommended resale prices clearly non binding and train on what pressure looks like in practice.
- Use objective criteria in selective distribution to protect brand quality without excluding lawful online channels.
- Define approval thresholds for exclusivity, with specific justifications.
- Document pro competitive efficiencies where applicable and keep that file with the contract record.
The EU’s updated vertical rules explain safe harbors and risk zones for these practices.
Algorithms and pricing tools, a 2025 reality check
Automated pricing and third‑party pricing vendors create real exposure if they facilitate alignment. OECD guidance highlights the risk of tacit coordination amplified by algorithms. You do not need to ban tools, but you should:
- Map where algorithms set or recommend prices and who can override them.
- Require contractual assurances from pricing vendors that models do not use competitor sensitive data and that guardrails exist against signaling.
- Log significant pricing rule changes and rationale to evidence independent decision making.
See the OECD report on algorithmic collusion for guidance.
What good documentation looks like under UNE 19603
- A single, versioned risk register that links each scenario to inherent score, controls, residual score, owner and actions.
- A compact control library, the what, who, when, how to evidence for each control.
- Practical playbooks, one to two pages each, for the highest risk scenarios, for example RPM, information exchange, tenders, M&A, trade associations.
- A monitoring log that shows tests performed, samples, results and remediation follow up.
If you aim for certification, keep an approvals trail. Record when leadership reviewed and endorsed the program and when the board was briefed on material risks.
How AI can accelerate UNE 19603 implementation without losing control
Compliance teams are stretched. Using AI to automate repetitive steps does not remove human judgment, it frees it. Naltilia provides an AI powered platform that focuses on exactly the tasks UNE 19603 requires in practice.
- Regulatory risk assessment. Centralize your antitrust scenarios, score them consistently, and maintain a living register as the business changes.
- Remediation actions. Assign owners and deadlines, track closure, and generate a clear audit trail.
- Tailor made policies. Produce audience specific guidance and playbooks for sales, procurement, HR and executives.
- Automated data collection. Pull evidence for training, approvals and contract reviews into one place so you are audit ready on demand.
- Compliance workflow automation. Orchestrate approvals, attestations and reminders so controls operate reliably with less manual chasing.
The result is a faster cycle from risk identification to control in place, with better documentation in case of CNMC enquiries, internal audits or certification bodies.
Board level metrics that keep attention where it matters
- Residual risk index for antitrust, weighted by affected turnover and market sensitivity.
- Appetite breaches, number of scenarios above threshold and time to remediate.
- Control effectiveness score, percent of key controls that passed last test window.
- Third party coverage, percent of active distributors and key suppliers on approved templates and with recent training acknowledgments.
- Incident pipeline, speak up cases, investigations and corrective actions closed this quarter.
Present these on one page with traffic lights and trend arrows. If a metric trends the wrong way, attach a short plan and owner.
Final takeaways
- Regulatory risk analysis is the engine of UNE 19603. Keep it concrete, quantified and refreshed.
- Controls must be practical for sales and procurement to use every day. Provide lawful alternatives, not only prohibitions.
- Evidence is a deliverable. If you did not document it, regulators will assume it did not happen.
- Automation helps you go faster and be more reliable without expanding headcount.
If you want a ready to use workspace for UNE 19603 that consolidates risk analysis, actions, policies, evidence and workflows, see how Naltilia can help. Request a walkthrough at Naltilia.
