Thursday, December 18, 2025

Update of CNMC's antitrust compliance guidelines

Iratxe Gurpegui
Regulatory Updates & Insights
Update of CNMC's antitrust compliance guidelines

the Spanish competition authority (CNMC) has opened a public consultation to update its 2020 “Guide on competition compliance programs.” The CNMC is accepting submissions until 20 January 2026. For compliance officers and in‑house counsel at intermediate‑sized enterprises, this is a timely chance to shape how effective antitrust programs are assessed, how they influence sanctions and public procurement eligibility, and how digitization and AI should be embedded into day‑to‑day compliance.

A compliance team in Spain reviews an antitrust risk dashboard on large screens, showing bid patterns, pricing variance, and training completion by business unit. The scene includes a legal counsel, a compliance officer, and a data analyst collaborating, with Spanish legal references on a whiteboard: LDC art. 64.3, LCSP art. 72.5, UNE 19603.

The 2020 CNMC guide

In line with a broader trend among competition authorities, the CNMC published its first guidance on competition compliance programmes in 2020. The 2020 CNMC guide promotes a culture of compliance and sets practical criteria to evaluate program effectiveness, including top management involvement, training, a speak‑up channel, independence of the compliance function, risk mapping, case management, and a disciplinary system. Since then, relevant developments have accumulated that justify a refresh:

  • Transposition and implementation of EU rules, including ECN+ Directive, with changes to Spain’s Competition Act (LDC) that affect how leniency interacts with public procurement debarment.
  • The Whistleblowing Directive was transposed through Spain’s Law 2/2023, which calls for revisiting guidance on reporting channels and case handling.
  • Case law in the EU, for example the General Court’s 2 October 2024 judgment in T‑126/23 EU‑OSHA, which discusses the sufficiency of corrective measures as a condition to avoid debarment, a concept close to article 72.5 of Spain’s Public Sector Contracts Law (LCSP).
  • CNMC practice applying the 2020 guide in recent decisions, which informs where criteria may be too strict or too lax.
  • Rapid digitization, data analytics, and AI adoption. These create new antitrust risks, for example algorithmic collusion, and simultaneously open opportunities for earlier detection and continuous monitoring.

Why this matters for mid‑size companies

An updated guide will influence how the CNMC values your program during investigations and how Spanish contracting authorities judge your remediation when assessing debarment under LCSP article 72.5. It is also likely to set expectations for what a proportionate, effective program looks like for SMEs under UNE 19603, and how digital tools and AI can be used responsibly in competition compliance.

The consultation, at a glance

  • Scope: update of the CNMC’s 2020 guide on competition compliance programs.
  • Period: 9 December 2025 to 20 January 2026.
  • Participants: companies, business associations, legal advisors, consultants, and other stakeholders.
  • Publication policy: responses are published in full, with confidentiality exceptions on reasoned request. Names are published unless confidentiality is requested. Contact details are kept confidential.
  • Submissions: focus on the questions where you have relevant information, and keep open answers concise.

The CNMC’s key questions and what they imply for digital compliance

CNMC question

What it means for companies

Digital and AI angle

Link between effective compliance and the “technical, organizational, and personnel measures” that allow contracting authorities to lift debarment under LCSP 72.5

The guide may define what counts as credible remediation to avoid or shorten debarment

Documented risk assessment, automated evidence of controls, traceable remediation workflows, and audit‑ready logs help demonstrate sufficiency

When and how an effective program should influence fine quantification, and its relationship to the LDC article 64.3 attenuating factor of active cooperation

Expect clearer criteria for compliance credit

Data‑driven compliance assessment and verifiable training, case handling, and controls can substantiate claims of effectiveness

Recommendations for SMEs

Proportionality will be clarified

Lightweight digital tooling that automates evidence collection and training while minimizing overhead

Adapting the 2020 guide to Spain’s Law 2/2023 on whistleblower protection

Speak‑up channels, triage, confidentiality, and retaliation prevention must align with the new law

Integrated digital reporting, role‑based access, and workflow automation for investigations

Digitization, big data, and AI, and the risks and opportunities they pose

Guidance is likely on algorithmic collusion risks and the responsible use of analytics

Model governance, testing, and monitoring of pricing and bidding tools, plus explainability and documentation

How to frame your contribution.

The consultation invites practical recommendations. Consider addressing the following, with evidence from operations:

  • Program effectiveness criteria that are measurable, comparable, and proportionate. For example, evidence of board oversight, coverage and frequency of targeted training for sales and procurement, a live risk map aligned to UNE 19603, and closed‑loop remediation for incidents.
  • What “appropriate measures” under LCSP 72.5 should look like in practice. Suggest a baseline set of actions that can be verified within 90 days, such as a refreshed risk assessment, policy updates, targeted retraining of at‑risk teams, a forensic lookback on tenders or price changes, and a remediation plan with owners and deadlines.
  • A balanced view of compliance credit. For example, pre‑existing programs documented before the infringement should weigh more than rushed retrofits, and that cooperation factors be clearly separated from program quality, while allowing both to reduce fines where justified.
  • SME proportionality. Define clear requirement for effective compliance programs at SMEs.
  • Digitalization guardrails. Ask the CNMC to endorse programmatic safeguards for algorithmic tools, including written “do‑not‑collude” requirements for pricing systems, vendor contract clauses on compliance by design, pre‑deployment testing, and continuous monitoring of market outcomes.

Building a 2026‑ready antitrust digital toolkit

Intermediate‑sized enterprises often struggle to scale compliance with lean teams. A focused digital toolkit helps you satisfy the CNMC’s effectiveness criteria without adding headcount:

  • Regulatory risk assessment, updated quarterly, that quantifies exposure by business line and channel, and links risks to concrete controls and owners.
  • Tailor‑made policies that mirror your risk map, translated into practical do’s and don’ts for sales, procurement, and product teams, including guidance for pricing algorithms and third‑party platforms.
  • Automated data collection to centralize evidence from approvals, training completion, case management, and key commercial datasets like quotes and discounts, with immutable timestamps for auditability.
  • Compliance workflow automation to assign tasks, escalate exceptions, and track remediation to closure with metrics that the CNMC and contracting authorities can understand.

Naltilia’s platform was designed around these pillars, which helps teams accelerate compliance processes and boost capacity while maintaining a strong audit trail.

Managing algorithmic collusion risk, without slowing growth

Antitrust risk evolves as companies digitize pricing and sales. Practical steps include:

  • Adopt an algorithmic governance policy that defines acceptable data inputs, prohibited coordination signals, escalation if market behavior converges in unexplained ways, and mandatory involvement of legal and compliance in design reviews.
  • Test before and after deployment. Simulate price changes and bidding strategies in a sandbox, and monitor post‑deployment outcomes for suspicious synchrony or bid rigging patterns.
  • Build explainability and documentation. Keep a simple model card for each relevant tool, detailing inputs, objectives, and constraints, and keep change logs.
  • Vet vendors. Require warranties that vendor tools are not designed or trained to facilitate collusion, ensure the ability to audit or receive sufficient documentation, and bind vendors to cooperate in investigations.

Turning remediation into debarment relief under LCSP 72.5

Article 72.5 LCSP allows contracting authorities to lift or review a debarment if a company adopts suitable technical, organizational, and personnel measures to prevent future infringements. To make this credible:

  • Link each remedial action to a root cause identified in your internal review.
  • Demonstrate independence. Show the compliance officer’s authority and access to the board.
  • Evidence retraining and attestations for the teams closest to the risk, for example bid management and channel sales.
  • Show your monitoring cadence and thresholds for raising alerts, and how exceptions are investigated and closed with discipline applied where appropriate.
  • Keep all evidence, for example meeting minutes, updated policies, training logs, and case files, in a structured, immutable repository that is easy to share with authorities under confidentiality.

Whistleblowing alignment with Law 2/2023

Law 2/2023 sets the standard for internal reporting in Spain. To align your competition compliance with it:

  • Offer multiple intake channels, preserve confidentiality, allow anonymous reporting, protect from retaliation.
  • Define clear triage roles with conflict screens when competition issues are involved.
  • Timebox investigations, record decisions, and notify reporters as required by law, while protecting against retaliation.
  • Integrate antitrust categories in your case taxonomy to track patterns across tenders, pricing, and trade association conduct.

How Naltilia helps compliance teams respond now

Naltilia provides an AI‑powered platform that streamlines and automates regulatory compliance

  • Regulatory risk assessment to map competition risks by activity and geography, and keep them current.
  • Tailor‑made policies generated from your risk profile to turn principles into practical guardrails for sales, procurement, and product teams.
  • Automated data collection to centralize evidence of training, approvals, investigations, and control operation, which supports both sanction mitigation and LCSP 72.5 remediation narratives.
  • Compliance workflow automation to assign owners, track remediation actions, and produce board‑ready progress reports.
Back to blog