Compliance plan for SMEs
What is a compliance plan and why is it relevant for an SME?
Tuesday, November 25, 2025
Communications team
A compliance plan is an internal system of rules, procedures, and controls designed to ensure that a company complies with current legislation and operates in line with ethical and good-governance standards. Its main function is to prevent legal risks, detect potential breaches, and establish measures to avoid or correct them in time.
Although these programs were traditionally associated with large corporations, SMEs today operate in an environment where regulatory control is increasingly complex: data protection, corporate criminal liability, money laundering, occupational risks, taxation, and third-party relations. This makes having a compliance system adapted to the size and reality of each business a key tool for reducing risks, avoiding penalties, and protecting the liability of company directors.
Is a compliance plan mandatory for an SME?
In Spain, there is no law that generally and automatically requires all SMEs to implement a compliance plan. However, this does not mean they can disregard regulatory compliance. Since the reform of Article 31 bis of the Criminal Code, companies —including small and medium-sized ones— can be held criminally liable for offenses committed by their directors, employees, or collaborators if they have not established adequate preventive measures.
The law does not explicitly require having a compliance plan, but only companies that have implemented effective organizational and management models can be exempted from criminal liability or have it reduced. In other words: it is not legally mandatory, but it is the only recognized way to avoid corporate criminal liability if an offense occurs within the company.
In addition, there are situations in which compliance becomes mandatory or “mandatory in practice”:
- Access to public tenders: many tender documents require proof of compliance policies, crime-prevention measures, and internal reporting channels.
- Regulated sectors (finance, insurance, energy, healthcare, cash-in-transit, etc.): sector-specific regulations require the implementation of specific controls.
- Specific areas such as data protection, anti–money laundering, occupational safety, or taxation: although they do not constitute a “global compliance system,” they do require mandatory policies that are typically integrated into the program.
For all these reasons, although the law does not universally require a compliance plan, the absence of internal controls leaves the SME completely exposed to both sanctions and the criminal liability of the legal entity.
Risks for an SME that does not have a compliance plan
The absence of a compliance plan not only means failing to follow good practices; it entails direct exposure to legal, economic, and reputational risks that can seriously threaten the continuity of an SME. The most significant risks include:
Criminal liability of the legal entity
Since the reform of the Criminal Code, a company can be convicted for offenses committed within it if it has not implemented adequate preventive measures. This liability can lead to very serious consequences, such as substantial fines, suspension of activities, closure of premises, or even judicial dissolution of the company.
Liability of directors and managers
Directors are required to supervise and establish control mechanisms. The lack of preventive measures may be considered a breach of their duties and result in personal liability, both criminal and civil. A compliance plan demonstrates due diligence and significantly reduces this risk.
Administrative penalties in specific areas
Most SMEs are subject to regulations that require formal controls:
- Data protection (GDPR and LOPDGDD)
- Occupational risk prevention
- Tax and fiscal regulations
- Anti–money laundering requirements in obligated activities
- Sector-specific regulations
Without adequate internal policies, the company is exposed to financial penalties that can seriously affect its stability.
Loss of contracts or inability to access opportunities
More and more clients —especially large companies and public institutions— require suppliers and subcontractors to demonstrate compliance measures. Without a compliance system, an SME may be excluded from tenders or lose strategic business relationships.
Reputational damage
A legal incident or an internal breach can directly impact the company’s reputation. In competitive markets, reputational damage can lead to loss of clients, investor distrust, and difficulties attracting talent.
Overall, the risks of not having a compliance plan are far greater than the cost and effort of implementing one, especially for SMEs seeking stability, growth, and legal protection.
What an effective compliance plan for an SME should include
A compliance plan for an SME must be proportional, practical, and tailored to its size, resources, and activity. It is not about replicating models designed for large corporations, but about establishing truly useful controls that effectively prevent legal risks. The essential elements it should include are the following:
1. Risk identification and assessment (risk map)
The first step is to analyze the areas where the company may be exposed to non-compliance: hiring, supplier relationships, payments, labor matters, taxation, data protection, criminal risk, etc. This analysis allows risks to be prioritized and proportional measures to be defined to mitigate them.
2. Code of ethics and internal policies
The plan must include a set of clear rules that guide the behavior of managers and employees. This includes ethical principles, rules of conduct, anti-corruption policies, appropriate use of resources, and criteria for relationships with third parties.
3. Operating procedures and internal controls
These are the mechanisms that regulate sensitive activities:
- Approval of payments and contracts
- Supplier management
- Hiring and purchasing criteria
- Security and data protection protocols
- Financial and invoicing controls
These procedures help ensure that decisions are made in accordance with the law and internal standards.
4. Internal reporting channel (whistleblowing channel)
Mandatory for companies with more than 50 employees and recommended for any SME, it allows irregularities to be detected before they lead to consequences. It must be confidential, accessible, and managed in accordance with Law 2/2023 regulating whistleblower protection.
5. Staff training and awareness
A compliance plan is only effective if the people within the company understand their obligations. Regular training helps prevent risks and fosters a genuine culture of compliance.
6. Ongoing supervision and monitoring
The plan must include verification mechanisms that allow the company to confirm whether the policies are truly being followed and whether the controls are functioning correctly. This includes internal audits, periodic reviews, and monitoring by designated personnel.
7. Review and updating of the model
Compliance is not a static document. It must be updated whenever laws, the company’s structure, or its activities change. Periodic review ensures that the model remains effective and suitable for the SME’s needs.
A well-designed plan not only reduces risks but also improves internal organization, professionalizes management, and increases the confidence of clients and suppliers.
Advantages of implementing a compliance plan in an SME
Although not all SMEs are required to implement a compliance plan, having an adapted compliance system provides concrete and measurable benefits that strengthen the company on multiple levels: legal, operational, and reputational.
- Reduction of criminal and administrative risk
- Professionalization and internal organization
- Greater trust from clients, suppliers, and investors
- Competitive advantage over other companies in the sector
- Prevention of legal and labor conflicts
- Improvement of corporate reputation
When is it advisable to implement it even if it is not mandatory?
Although a compliance plan is not mandatory for all SMEs, there are numerous scenarios in which its implementation is especially advisable and, in practice, serves as a key element for business protection and competitiveness.
Companies seeking to grow or enter new markets
When an SME is in a phase of expansion, attracting new clients, or opening new business lines, demonstrating a culture of compliance provides stability and greater confidence to potential partners, suppliers, or investors.
SMEs that work with large companies or in demanding supply chains
Many companies require their partners to meet minimum compliance standards, anti-corruption policies, or internal control systems. Without a compliance plan, an SME may be excluded from strategic opportunities.
Businesses that participate in public tenders
Public institutions tend to value —and in some cases even require— the existence of compliance policies, internal reporting channels, and preventive controls. Having a compliance system can make the difference between winning or losing a tender.
Companies subject to specific regulations
Sectors such as finance, insurance, transportation, consulting, real estate, food, healthcare, or technology are often subject to additional obligations. In these activities, a compliance plan helps coordinate mandatory internal policies (data protection, labor, risk prevention, taxation, environmental matters, etc.) and significantly reduces the risk of penalties.
SMEs with a growing number of employees or internal activity
As the company grows, the likelihood of labor conflicts, operational errors, or irregular behavior increases. Compliance establishes clear rules and early-detection mechanisms that help maintain internal stability.
Family businesses or companies where management is concentrated in a few people
In these types of structures, a compliance system provides additional protection for directors and managers, reinforcing due diligence and safeguarding personal liability.
In all these situations, implementing a compliance plan is not only advisable, but also serves as an essential preventive measure to protect business continuity and improve competitiveness.
Compliance in an SME with GRÀCIACALBET
Implementing a compliance plan in an SME is not just a matter of regulatory compliance; it is a strategic tool to strengthen the company, reduce legal risks, and convey a professional and trustworthy image. Although the law does not generally require having a comprehensive compliance program, the business landscape and the demands of clients, suppliers, and public administrations make it increasingly necessary to have solid internal prevention and control mechanisms.
A good compliance system, adapted to the size and activity of the SME, allows the company to anticipate problems, avoid sanctions, protect the liability of directors, and ensure that the company operates in accordance with today’s market standards.
If your company needs to assess its legal risks, structure internal policies, or implement a reliable and proportionate compliance plan, the GRÀCIACALBET team can help you do so with legal rigor and full adaptation to your activity. Specialized advice is key to having an effective model aligned with current requirements.