Skip to content
A
Alonso Sala
CRIMINAL LAWYERS
ES
Legal Analysis

Who Must Prove Compliance Works: The 2025 Shift

calendar_todayJune 12, 2026

Last updated:

listIn this article

lightbulbKey Takeaways

  • check_circleProsecution proves the organisational defect
  • check_circleNo presumption of company guilt
  • check_circleFormal compliance gains nothing from the shift
  • check_circleNo programme: the easiest target

Quick answer

The debate over the burden of proof in compliance concerns who must establish that a crime-prevention model was working: the company (proving its effectiveness to obtain an exemption) or the prosecution (proving its absence or ineffectiveness as part of the offence). The most recent Supreme Court case law, consolidated through 2025, leans towards requiring the prosecution to prove the organisational defect — that is, the absence or ineffectiveness of the model — as an element of the offence under Article 31 bis of the Criminal Code (CP), rather than presuming the company's guilt until it exculpates itself. The shift does not remove the need for a sound programme: a company with no compliance, or with merely cosmetic compliance, remains the easiest target for that proof.

Ever since the 2010 reform opened the door to corporate criminal liability, one question has hovered over every case: if a company can be exempted for having an effective prevention programme, who must prove that the programme was working? The company, which invokes it to clear itself, or the prosecution, which argues the organisation failed? This is no procedural technicality: it determines who bears the risk of doubt and, in practice, shapes the defence strategy of any company under investigation. Over the course of 2025, Supreme Court case law has settled in a particular direction, and it is worth understanding what that shift means for companies with and without a programme.

The Debate: Burden of Proof and Art. 31 bis CP

Article 31 bis of the Criminal Code (CP) builds corporate liability around the idea of an organisational defect: the legal entity is liable, in essence, because it failed to put in place suitable supervision and control measures to prevent the offence. The same provision states that the company will be exempted if, before the offence was committed, it had adopted and effectively implemented a suitable organisation and management model.

The debate flows from that structure. Two readings are possible:

  • Reading A — compliance as an exculpatory defence the company must prove: the offence is treated as established by the conduct of the natural person acting for the company's benefit, and it falls to the company, if it wishes to exculpate itself, to demonstrate that its programme was effective. On this logic, doubt works against the company.
  • Reading B — the organisational defect as an element of the offence the prosecution must prove: the ineffectiveness or absence of the prevention model is part of what defines the legal entity's offence. If it is an element of the offence, the party making the accusation must prove it, and doubt benefits the company.

The difference is enormous. On the first reading, a company without clear proof of its programme starts at a disadvantage. On the second, the weight falls on the prosecution, which must establish the organisational failure beyond reasonable doubt, like any other element of the offence.

The Shift in Recent Case Law (Autumn 2025)

Supreme Court case law had produced rulings that, read in isolation, fed both readings. The line that has been taking hold through 2025, and which can be seen clearly in the autumn rulings, leans towards the second reading: the organisational defect is an element of the legal entity's wrongdoing, and proving it is for the prosecution.

In practical terms, this translates into several points the defence can rely on:

  • There is no presumption of guilt against the company merely because a director or employee committed an offence for its benefit.
  • The prosecution must positively prove that the prevention model did not exist or that, where it did, it was ineffective at preventing offences of that nature.
  • The presumption of innocence fully protects the legal entity: reasonable doubt as to the suitability of the programme must be resolved in its favour.

💡 Why the nuance matters

The burden falling on the prosecution does not make compliance optional. It means the company is not defeated by default; but the natural way to generate the reasonable doubt that case law requires to be resolved in its favour is, precisely, to produce solid evidence that the programme was in place and operating. The formal burden sits with the prosecution; the evidential initiative still serves the company.

The Key Distinction: Formal and Material Burden

It is important not to confuse two planes. One thing is who formally bears the burden of proof — and recent case law places it on the prosecution — and another is who is best placed to produce the evidence. The evidence that a programme works (minutes, records, training, whistleblowing-channel metrics) is, by its very nature, in the company's hands.

Hence a conclusion that qualifies the scope of the shift: the company that folds its arms trusting that "the prosecution has to prove everything" is making a mistake. If the prosecution puts forward signs of an organisational defect — a whistleblowing channel that never received or handled anything despite evidence of irregularities, non-existent training, an oversight body with no resources — and the company does not counter with its own evidence of effective implementation, the outcome may be just as adverse. The shift rebalances the starting point; it does not remove the need to defend actively.

What It Means for Companies Without a Prevention Programme

For an organisation that has no compliance, the doctrinal shift offers relief that is more theoretical than real. True, the prosecution must establish the organisational defect; but the very absence of a prevention model is the most direct way to prove that defect. With no programme there is nothing to counter, no evidence to generate, no exemption to claim.

The result is that these companies remain the most vulnerable target. The defence will have to rely on other fronts — disputing that the offence was really committed for the entity's benefit, challenging the attribution of the conduct, or seeking mitigation through cooperation and repair of the harm after the events — but it loses the system's most powerful tool: the exemption under Article 31 bis CP.

What It Means for Companies With a Programme

For a company that does have a programme, recent case law reinforces a favourable starting position, provided the compliance is not cosmetic. The keys to making the most of the shift:

  1. Evidence, not documents. The Supreme Court has been consistent that purely formal compliance does not exempt. What matters is not the manual but the trail of its application: minutes of the oversight body, training actually delivered, reports handled, internal sanctions imposed, risk-map reviews.
  2. Time traceability. The model must be shown to have been in force and operating before the events. Improvements adopted afterwards help to mitigate, but do not establish the prior exemption.
  3. Autonomy of the oversight body. Effectiveness is also measured by the real independence and resources of the Compliance Officer or the body charged with monitoring the programme.
  4. The individual deviation. The strongest defence is to show that the offence was conduct committed against the programme, circumventing controls that worked, rather than sheltered by a non-existent system.

⚖️ Cosmetic compliance does not benefit from the shift

The prosecution having to prove the model's ineffectiveness is bad news for whoever has a real programme and a poor excuse for whoever has a piece of paper. A whistleblowing channel nobody attends to, training that is never delivered or an oversight body with no resources are, in themselves, the proof of the organisational defect the prosecution needs.

What To Do Now

The doctrinal shift is an opportunity for companies that take it seriously and a warning for those that do not. We recommend:

  • Audit the actual implementation of the programme: it is not enough for it to exist; it must be possible to show that it operates.
  • Organise and keep the evidence that proves it works, so it can be produced quickly if an investigation arrives.
  • Review the risk map and update it when the activity, the organisation or the regulations change.
  • Strengthen the autonomy and resources of the oversight body, a feature case law examines in detail.

As criminal lawyers specialising in compliance and corporate liability, we help design programmes that withstand judicial scrutiny and prepare the legal entity's defence once an investigation is already under way.

Does your company have a programme that withstands judicial scrutiny?

We review how your prevention model is actually implemented and prepare the evidence that proves its effectiveness. A firm dedicated exclusively to criminal law, at Velázquez 27, Madrid.

→ Contact the firm

📞 Call us: 91 078 65 74

Frequently asked questions

Who has to prove that my company's compliance was working?expand_more

Under the line the Supreme Court has been reinforcing through 2025, it is for the prosecution to establish the organisational defect — that the prevention model did not exist or was ineffective. The company does not start from a presumption of guilt that it must dismantle. That said, it cannot sit back: the best defence is still to produce the evidence that the programme was in place and operating, because that is what neutralises the charge.

If the burden is on the prosecution, do I still need compliance?expand_more

Yes. The shift concerns who must prove what, not whether it is worth having a programme. A company with no prevention model, or with a purely documentary one, makes it far easier for the prosecution to establish the organisational defect. Effective compliance remains the tool that secures the exemption under Article 31 bis CP and, failing that, a meaningful mitigation.

What is the difference between effective compliance and merely formal compliance?expand_more

Formal compliance is the signed manual gathering dust in a drawer: policies nobody applies, an inactive whistleblowing channel or training that is never delivered. Effective compliance is a living system, with an up-to-date risk map, controls that work, autonomous oversight and records proving it is actually applied. The Supreme Court has been consistent that a purely formal programme does not exempt: what counts is implementation, not paper.

My company has been named as a suspect — what should I do first?expand_more

The priority is to preserve and organise the evidence that the programme was in place and operating at the time of the events: minutes of the oversight body, whistleblowing-channel records, training delivered, internal sanctions and risk-map reviews. In parallel, it is wise to document that the conduct was an individual deviation against the programme rather than a failure of the system, and to appoint the legal entity's specific representative with care.

Related Articles

View allarrow_forward
calendar_todayMay 17, 2026

ESG Compliance and Criminal Liability in Spain (2026)

The arrival of the CSRD and CSDDD Directives has turned ESG obligations into a direct source of corporate criminal liability.

ComplianceESG+3
calendar_todayDecember 14, 2025

Criminal Compliance: the Corporate Shield Against Liability

Why your company needs an up-to-date, effective crime-prevention model to avoid convictions, severe fines and irreversible reputational damage.

ComplianceCorporate Criminal Liability+1
calendar_todayMay 21, 2026

Autonomous AI Agents: Who Is Criminally Liable? (2026)

When an autonomous AI agent causes harm or carries out criminal acts, who is liable? The principle of culpability and the attribution of liability to…

AICriminal Liability+2

Knowledge is power, but strategy is key.

What you read here is just the beginning. Transform information into active defense by contacting our team of experts.

Contact Alonso Sala
Call: +34 91 078 65 74
call