Regulatory Compliance in Spain: What foreign companies must do before Day 1
- Patrik Rouault
- Feb 23

The most expensive compliance mistakes in Spain are not made by careless companies. They are made by careful ones — companies that assumed their home-country practices would translate across borders. They do not.
This guide covers what you need to have in place before you hire your first employee, sign your first contract, or invoice your first Spanish client. It is not exhaustive — Spanish regulatory law is complex and sector-specific. But it is honest, practical, and written from direct experience working with foreign companies entering Spain.
What is regulatory compliance in Spain?
Regulatory compliance in Spain refers to the set of legal, fiscal, and administrative obligations that any company operating in Spain must fulfil — regardless of where its parent company is headquartered. These obligations exist at multiple levels: national law, European Union directives, sectoral regulations, and in some cases autonomous community (regional) requirements.
For a foreign company entering Spain, compliance covers five core areas:
• Tax registration and ongoing tax obligations (Agencia Tributaria)
• Social Security registration for the employer and employees (TGSS — Tesorería General de la Seguridad Social)
• Labour law compliance (Estatuto de los Trabajadores, Convenios Colectivos)
• Data protection obligations under GDPR and Spanish national law (AEPD — Agencia Española de Protección de Datos)
• Industry-specific licences and sector regulations (variable by activity)
Missing any of these can result in significant penalties, operational disruption, or reputational damage in your first months on the market.
The 6 compliance pillars for foreign companies in Spain
1. Tax Registration — Agencia Tributaria
Before your Spanish entity can legally invoice or conduct business in Spain, it must be registered with the Agencia Tributaria, Spain's national tax authority.
The primary registration form is the Modelo 036 (or Modelo 037 for simpler cases). This declares the company's tax obligations and triggers the allocation of a CIF (Código de Identificación Fiscal) — the Spanish tax identification number for legal entities.
Key tax registrations typically include:
• IVA (VAT) registration — Spanish VAT is currently 21% for most goods and services (general rate, confirmed 2026), with reduced rates of 10% and 4% for specific categories
• Impuesto de Sociedades (Corporate Income Tax) — the standard rate is 25%, with a reduced rate of 15% for newly created companies in their first two profitable years (confirmed 2026 under Ley de Startups/LISMEI)
• Declaraciones informativas — periodic reporting obligations (monthly, quarterly, or annual depending on turnover)
⚠ Rates confirmed as of February 2026. VAT and corporate tax rates are set annually. For the latest updates, consult the Agencia Tributaria website (www.agenciatributaria.es).
NeoRetos note: Tax registration is the first step in any Spain market entry engagement. NeoRetos coordinates with qualified gestorías and tax advisors to ensure this is completed accurately before any commercial activity begins.
2. Social Security — TGSS registration
The Tesorería General de la Seguridad Social (TGSS) is the public body responsible for managing Social Security contributions in Spain. Employer registration with the TGSS is mandatory before you hire your first employee.
Obligations include:
• Employer account registration (Cuenta de Cotización) — opened with the TGSS before the employment start date
• Employee affiliation (afiliación) — registering each employee in the Social Security system
• Monthly contribution payments — Spanish employer contributions represent a significant labour cost
As a general reference: total employer Social Security contributions typically range from 29% to 33% of gross salary, depending on the employee's professional category and applicable Convenio Colectivo. Note: the exact cost also depends on the company's CNAE activity code, as accident-at-work insurance rates vary according to the sector's risk profile. Additionally, employers must contribute 0.75% for the MEI (Mecanismo de Equidad Intergeneracional), effective 2026. Rates are set annually by the TGSS.
⚠ For an accurate breakdown of current contribution rates, consult the TGSS website (www.seg-social.es) or a qualified gestoría. Our article on gross-to-net salary in Spain provides further context.
3. Labour Law — Estatuto de los Trabajadores and Convenios Colectivos
Spain's labour framework is governed by the Estatuto de los Trabajadores (ET) — the statutory labour code — supplemented by sector-specific Convenios Colectivos (collective agreements). Both apply to all companies operating in Spain, regardless of the parent company's country of origin.
Critical obligations include:
• Written employment contracts — required in most cases; specific clauses are mandatory
• Adherence to the applicable Convenio Colectivo — this sets minimum salaries, working hours, leave entitlements and other conditions for your sector. It is not optional.
• Compliance with the Salario Mínimo Interprofesional (SMI) — Spain's national minimum wage, set at 1,221 €/month (14 payments) or 17,094 €/year as of 2026 (Real Decreto 126/2026)
• Digital time tracking (registro de jornada) — mandatory since 2019, and reinforced by updated guidance in 2025. All companies must record daily working hours for each employee.
• Probation periods — regulated by the ET and applicable Convenio; maximum durations vary by contract type
Labour law in Spain is heavily weighted towards employee protection. Non-compliance, even unintentional, can trigger inspections by the Inspección de Trabajo and result in financial penalties.
4. Data Protection — GDPR and the AEPD
Spain applies the General Data Protection Regulation (GDPR) in full, implemented nationally through the LOPDGDD (Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales). The supervisory authority in Spain is the AEPD (Agencia Española de Protección de Datos).
Key obligations for foreign companies operating in Spain:
• Maintain a Record of Processing Activities (RoPA) — mandatory for most organisations
• Appoint a Data Protection Officer (DPO) if required by GDPR Article 37 (public bodies, large-scale systematic monitoring, or sensitive data processing at scale)
• Implement appropriate technical and organisational measures (TOMs) — documented and demonstrable
• Establish a lawful basis for each processing activity
• Ensure data subject rights procedures are operational (access, erasure, portability, etc.)
• Report data breaches to the AEPD within 72 hours if likely to result in risk to individuals
GDPR applies to any company processing personal data of individuals located in Spain or the EU — regardless of where the company is based. A UK or US company with Spanish customers must comply.
⚠ GDPR penalties under Spanish enforcement can reach up to 20 million euros or 4% of global annual turnover, whichever is higher, for serious infringements (GDPR Article 83). Spanish enforcement by the AEPD has intensified in recent years; SMEs and subsidiaries are not exempt. For sector-specific data obligations (healthcare, financial services, HR data), consult a specialist privacy lawyer.
5. Industry-Specific Licences and Sector Regulations
Depending on your business activity, you may need authorisations, licences or registrations from sector-specific regulators in addition to the general obligations above. This area varies considerably.
Examples of sector-specific regulatory bodies in Spain:
• CNMV (Comisión Nacional del Mercado de Valores) — financial services, investment firms, and capital markets
• AEMPS (Agencia Española de Medicamentos y Productos Sanitarios) — pharmaceuticals, medical devices, healthcare products
• DGOJ (Dirección General de Ordenación del Juego) — online gambling and gaming
• CNMC (Comisión Nacional de los Mercados y la Competencia) — regulated utilities, telecommunications, and energy markets
• Registro de Agencias de Viajes — tourism and travel operators
Obtaining sector-specific authorisation before starting operations is not optional. Operating without the required licence in a regulated sector can result in immediate closure and significant penalties.
Practical recommendation: Identify your sector's regulatory requirements before choosing a legal structure or hiring staff. NeoRetos can help you map the regulatory landscape for your specific activity as part of the Awareness and Assessment phases of the 5A Method.
6. Corporate Governance — Registro Mercantil and Annual Obligations
Once your Spanish entity (typically an S.L. — Sociedad de Responsabilidad Limitada) is incorporated, ongoing corporate governance obligations apply:
• Annual accounts (cuentas anuales) — must be approved by shareholders within 6 months of the financial year-end, then filed with the Registro Mercantil within 1 month of approval (in practice, no later than 7 months after year-end)
• Annual accounts approval — requires a formal shareholder or board resolution
• Statutory audit — required if the company exceeds two of three thresholds for two consecutive years: assets over 3,565,000 €, turnover over 7,125,000 €, or more than 50 employees (thresholds updated by a major 2026 reform — these figures supersede the previous limits of 2.85M and 5.7M)
• Board of directors documentation — minutes, resolutions, and powers of attorney must be maintained and available for inspection
• Titular Real (beneficial owner) declaration — since incorporation, the identity of the company's ultimate beneficial owners must be declared and kept up to date in the Registro Mercantil. This requirement is now subject to increased scrutiny under Spanish anti-money laundering legislation and should be addressed at the time of constitution, not treated as an afterthought
Failure to file accounts with the Registro Mercantil results in automatic closure of the company's entries (cierre registral), which prevents any further corporate acts — including hiring, opening bank accounts, or signing contracts — until the filing is completed.
The compliance timeline: When to do what
⚠ All deadlines and timelines are indicative based on general Spanish law as of February 2026. Filing deadlines may change and vary by entity type. Confirm with your gestoría.
What happens if you get it wrong? Penalties and risks
Spanish compliance penalties are not symbolic. They are real, enforceable, and accumulate quickly. Below are the main risk areas, with penalty ranges where verifiable from primary law.
Tax Non-Compliance — Agencia Tributaria
Under the Ley General Tributaria (Law 58/2003), penalties for tax infringements are classified as minor, serious, or very serious:
• Minor infringements (infracciones leves): 50% of the unpaid amount, with reductions for prompt payment and cooperation
• Serious infringements: 50–100% of the unpaid amount
• Very serious infringements (fraud, concealment): 100–150% of the unpaid amount
Late payment interest (interés de demora) also applies on any unpaid amount: the fiscal rate (Agencia Tributaria) is 4.0625% for 2026; the commercial late payment rate is 10.15% (1st semester 2026, per BOE).
Labour Law — Inspección de Trabajo
The Inspección de Trabajo y Seguridad Social (ITSS) enforces compliance with the Estatuto de los Trabajadores and related regulations. Penalties under the Ley sobre Infracciones y Sanciones en el Orden Social (LISOS) range from:
• Minor infringements: 70 € to 2,244 € per infringement
• Serious infringements: 2,246 € to 7,500 €
• Very serious infringements: 7,501 € to 225,018 €
Misclassification of workers (autónomos vs employed) or breach of time tracking obligations are commonly inspected areas and classified as serious or very serious infringements.
Social Security — TGSS
Failure to register employees or pay contributions on time generates automatic surcharges (recargos) on unpaid contributions, typically ranging from 10% to 35% depending on the delay, in addition to late interest.
GDPR — AEPD
Penalties for GDPR infringements are tiered under GDPR Article 83:
• Less serious infringements: up to 10 million euros or 2% of global annual turnover
• Most serious infringements: up to 20 million euros or 4% of global annual turnover
Spanish enforcement by the AEPD has increased in recent years. SMEs and subsidiaries are not exempt.
4 costly compliance mistakes foreign companies make in Spain
These are patterns NeoRetos observes regularly when working with foreign companies entering Spain — not invented scenarios.
Mistake 1: Invoicing before completing tax registration
A common scenario: a foreign company secures its first Spanish client before the legal structure and tax registration are complete. Under pressure to start the commercial relationship, they issue invoices from the parent entity or delay registration. This creates a retroactive compliance problem with the Agencia Tributaria, can trigger IVA reclaim issues for the Spanish client, and risks the relationship before it has started.
Practical recommendation: Complete Modelo 036 registration before issuing any invoices from a Spanish entity. If you need to invoice from your home entity during setup, confirm this is legally correct for your structure with a tax advisor.
Mistake 2: Misclassifying employees as autónomos
Spanish labour law applies an economic dependence test to employment relationships. If an individual works exclusively or predominantly for your company, is integrated into your work structure, and has no real entrepreneurial autonomy, they will likely be classified as an employee — regardless of the contract label. The Inspección de Trabajo actively investigates this.
Practical recommendation: Before engaging any worker in Spain as an autónomo, have the arrangement reviewed by a Spanish labour lawyer. The risk of reclassification — including back-payment of Social Security contributions and penalties — is significant. The Ley Rider (originally targeting platform workers, now applied broadly across sectors since 2024–2025) has further intensified labour inspections for worker misclassification; it is no longer a risk limited to logistics or gig-economy companies.
Mistake 3: Ignoring the Applicable Convenio Colectivo
Many foreign companies set salaries based on their internal compensation benchmarks without checking whether the applicable Convenio Colectivo requires higher minimums. In sectors such as consulting, technology, hospitality, and logistics, the Convenio establishes binding salary floors, working hours limits, and additional entitlements (meal allowances, transport, etc.). Ignorance of the applicable agreement is not a defence.
Practical recommendation: Identify the Convenio Colectivo applicable to your sector and employee categories before setting compensation. Our article on salary benchmarks in Spain provides context on market rates.
Mistake 4: Treating GDPR as a one-time checkbox
Some companies complete a privacy notice and a cookie banner before launch and consider their GDPR obligations fulfilled. GDPR is a living compliance programme, not a one-time exercise. It requires ongoing documentation, regular reviews, vendor management, training records, and breach response procedures. The AEPD has the authority to audit companies proactively — not only in response to complaints.
Practical recommendation: Assign ownership of GDPR compliance to a specific individual or team from day one. Engage a privacy specialist to build your compliance programme, particularly if you process HR data, customer data, or sensitive categories.
Regulatory compliance vs Legal Structure: The difference that trips people up
These two questions are related but distinct, and confusing them is a common error.
Choosing your legal structure (S.L., branch office, sales representative, etc.) is a strategic and legal decision that determines how your entity is constituted, how it is taxed, and how liability is allocated. It is a one-time decision with long-term implications.
Regulatory compliance is an ongoing operational obligation that applies once your structure is in place. The compliance requirements vary depending on which structure you choose — for example, a branch office (sucursal) has different registration and reporting obligations compared to an S.L.
The practical recommendation: choose your structure first, understand its compliance implications, then build your compliance roadmap accordingly.
For a detailed comparison of legal structures available to foreign companies in Spain, see: Which legal structure for Spain? (NeoRetos, December 2025) and S.L. vs S.A. in Spain: complete guide (NeoRetos, November 2025).
For the full picture on hiring, see: Hiring employees in Spain 2026: complete practical guide (NeoRetos, January 2026).
How NeoRetos supports regulatory compliance
NeoRetos is a consulting firm, not a law firm or tax advisory practice. This distinction matters — and it is one we communicate clearly to every client.
What NeoRetos does:
• Maps the compliance obligations relevant to your specific situation in Spain — legal structure, sector, headcount, and activity
• Coordinates with qualified local specialists — gestorías, Spanish labour lawyers, tax advisors, and privacy consultants — to ensure nothing is missed
• Manages the sequencing and timeline of compliance actions, so that each step happens in the right order before operations begin
• Acts as the single point of accountability during the market entry process, so you are not managing multiple disconnected specialists
• Advises on what to prioritise and what can be phased — a practical perspective that large advisory firms often overlook
What NeoRetos does not do: provide direct legal or tax advice, sign off on regulatory filings, or act as your legal representative before Spanish authorities.
If you are unsure which compliance obligations apply to your specific situation in Spain, NeoRetos can help you map the landscape and connect you with the right specialists.
Disclaimer: This article is for informational purposes only and does not constitute legal, tax or financial advice. Spanish regulations change frequently. Always verify current figures and requirements with official sources (Agencia Tributaria, TGSS, BOE) or consult a qualified Spanish lawyer or gestoría before making decisions.
Frequently Asked Questions
1. What are the main regulatory compliance requirements for foreign companies in Spain?
Regulatory compliance in Spain for foreign companies covers five core areas: tax registration with the Agencia Tributaria (including IVA and corporate tax), Social Security registration with the TGSS, compliance with labour law under the Estatuto de los Trabajadores and applicable Convenio Colectivo, GDPR data protection obligations supervised by the AEPD, and — depending on sector — industry-specific licences or authorisations.
2. How do I register for VAT (IVA) in Spain as a foreign company?
IVA registration in Spain is completed through the Modelo 036 declaration submitted to the Agencia Tributaria. This form also covers corporate tax registration and is the main document for obtaining your Spanish CIF (tax identification number). Registration can be completed by a gestoría on your behalf and should be done before any invoicing activity begins.
3. What is the TGSS and why do I need to register with it?
The Tesorería General de la Seguridad Social (TGSS) is the public body responsible for managing Social Security in Spain. Employers must register a Cuenta de Cotización (employer account) with the TGSS before hiring their first employee. Each employee must also be individually affiliated. Monthly contributions covering pension, unemployment, healthcare and other benefits are then payable to the TGSS throughout the employment relationship.
4. What are the penalties for non-compliance with labour law in Spain?
Penalties for labour law infringements in Spain are set by the LISOS (Ley sobre Infracciones y Sanciones en el Orden Social) and enforced by the Inspección de Trabajo y Seguridad Social. Fines range from 70–2,244 € (minor), to 2,246–7,500 € (serious), to 7,501–225,018 € (very serious). Since the enforcement intensification linked to the Ley Rider (applicable beyond logistics sectors), worker misclassification and time tracking violations are priority inspection targets. Common trigger areas include failure to use written contracts, non-compliance with Convenio Colectivo minimums, and inadequate time tracking records.
5. Do I need to comply with GDPR in Spain if my company is based abroad?
Yes. GDPR applies to any organisation that processes personal data of individuals located in the EU — regardless of where the organisation itself is based. A French, German, UK or US company that has Spanish customers, employees, or contacts is subject to GDPR. In Spain, the supervisory authority is the AEPD (Agencia Española de Protección de Datos), which has the power to investigate and sanction non-compliant organisations.
6. What is a Convenio Colectivo and does it apply to my foreign company?
A Convenio Colectivo is a sector-specific collective agreement negotiated between employer associations and trade unions. It sets binding minimum conditions for employment — including salary floors, working hours, leave entitlements, and additional benefits — for all companies operating in that sector in Spain. It applies to your Spanish subsidiary or branch regardless of your parent company's country of origin. The applicable Convenio depends on your economic activity and, in some cases, your geographic location. Identifying the correct Convenio before setting employment terms is essential.
7. How long does it typically take to become fully compliant in Spain?
The core compliance setup — tax registration, Social Security registration, employment contracts, and basic GDPR documentation — typically takes between 4 and 10 weeks from the decision to incorporate, depending on the speed of Spanish administrative processes and the completeness of your documentation. Sector-specific licensing can take significantly longer. NeoRetos typically advises clients to begin compliance planning at least 3 months before their target operational start date to allow adequate time for each step.
8. Who provides regulatory compliance consulting in Spain for foreign companies?
NeoRetos provides regulatory compliance advisory as part of its Spain market entry engagements. Working from Madrid with 15+ years of direct market experience, NeoRetos helps foreign companies understand which compliance obligations apply to their specific situation and coordinates with qualified local specialists — gestorías, Spanish lawyers, and accountants — to ensure nothing is missed. Contact NeoRetos at info@neoretos.com or visit www.neoretos.com to book a free discovery call.
Not sure which compliance obligations apply to your specific situation in Spain?
NeoRetos offers a free 30-minute discovery call to help you map the compliance landscape for your industry and legal structure. We will tell you what applies to you, in what order, and who you need on your side.
Contact: info@neoretos.com | www.neoretos.com

