Published: July 8 , 2026
I. Being a manager in 2026: a personal management risk
Serving as a director of a Spanish company no longer exposes one to liability only in cases of obvious fraud. Liability arises more frequently when the director cannot demonstrate that he or she monitored the relevant risks, made decisions based on adequate information, and took action within the legal timeframes. Due diligence in 2026 takes on an evidentiary dimension: it must be objectively and verifiably demonstrated.
The Capital Companies Act (hereinafter,“LSC”) bases the liability of directors on two duties: (i) the duty of care, which requires dedication to the position, adequate disclosure, and an organizational structure suitable for management, [1] and (ii) the duty of loyalty, which requires acting in good faith and in the best interests of the company.[2]
Since the reform introduced by Law 31/2014, business decisions made in good faith, without personal interest, based on sufficient information[3], and in accordance with an appropriate procedure are protected by thebusiness judgment rule.[4] In this context, it should be emphasized that documentation is key evidence for establishing these requirements. Anyone who makes a sound decision but fails to document how they reached it effectively forgoes their best defense.
II. The Key Distinction: Liability for Damages vs. Liability for Debts
On that basis, we must distinguish between two systems that are often confused in practice because they require very different types of evidence.
Liability for damages requires proof of unlawful conduct, negligence or willful misconduct, damage, and a causal link.[5] Therefore, mere nonpayment resulting from the company’s insolvency does not automatically constitute direct damage attributable to the director: a link to the director’s conduct must be proven.
Liability for debts is based on essentially objective criteria: if a legal ground for dissolution exists and the manager fails to act within the prescribed time limit, the manager is jointly and severally liable for subsequent corporate obligations, without the need to prove intent, specific fault, or actual damage.[6]
Both legal frameworks can be applied concurrently, although they do not result in double punishment for the same offense. This distinction determines what each party must prove and explains why the first risk on this list occurs almost automatically.
III. Common Risks
- Proceeding with a dissolution case without activating the corporate protocol
If a legal ground for dissolution exists,[7] the manager must call a General Meeting within two (2) months so that the meeting may approve the dissolution or remedy the cause by increasing or reducing the capital or through contributions from members. If the administrator fails to do so, he or she is jointly and severally liable for the company’s obligations arising after the cause occurred. [8]
Two nuances that often go unnoticed: what matters is when the obligation arises, not when it expires, and liability is limited to the period of service, not extending to obligations that arise after leaving office.
To determine whether a company is subject to dissolution due to losses—net worth below half of its share capital— the so-called “corporate moratorium” allows, on an exceptional basis, for the losses from 2020 and 2021 not to be taken into account until the end of the fiscal year beginning in 2026.[9] For companies whose fiscal year coincides with the calendar year, this exclusion applies to financial statements closed as of December 31, 2026; starting with the fiscal year beginning in 2027, those losses will be included again, unless the provision is extended once more. As a result, a company that is currently considered financially sound—precisely because it is not carrying forward losses from 2020 and 2021—may become subject to dissolution from one fiscal year to the next—without any recent deterioration in its business—simply because the moratorium has ended.
- Insolvency, Restructuring, and Bankruptcy Proceedings
A second area of liability is delayed handling of insolvency. The administrator must have an internal system—even if it is basic—to detect current or imminent illiquidity and to document when it is detected and what measures are being considered. The law presumes willful misconduct or gross negligence when the duty to file for insolvency proceedings is breached within two (2) months of the date on which the insolvency was known or should have been known; evidence to the contrary is admissible, but the burden of proof is initially unfavorable to the administrator. [10]
A finding of culpability does not automatically result in an order to cover the bankruptcy deficit:[11] the conduct must have caused or exacerbated the insolvency, and case law allocates liability among the various directors based on their respective roles in the omission. When the position of director is held by another corporation, the Supreme Court (hereinafter, the“SC”) clarified in its ruling 114/2026 this year that the natural person representing the corporate director may be subject to the finding of culpability and be jointly and severally liable for the deficit, although not all consequences are transferred identically from the represented entity to the representative.[12]
At the European level, Directive (EU) 2026/799 harmonizes, for the first time, the obligation to file for the opening of insolvency proceedings within a maximum of three months. Its transposition is not due until January 2029, so it is not yet enforceable in Spain, but it serves as an indicator of the direction European law is taking in this area.
- De facto manager and de jure manager
The existence of a de facto administrator—that is, someone who performs management functions without formally holding the position—does not exonerate the de jure administrator: tolerating such a functional substitution is typically interpreted as a dereliction of duty or a lack of oversight. During the insolvency classification hearing—the phase of the insolvency proceedings in which it is determined whether the conduct was accidental or culpable, with personal consequences for the legal administrator—the legal administrator is held liable unless he or she can prove a genuine lack of autonomy vis-à-vis the de facto manager, and is liable for legal violations specific to the position even if there is a hidden de facto administrator.
- Conflicts of Interest and the Duty of Loyalty
After insolvency, conflicts of interest are likely the most common source of litigation and, at the same time, one of the most underestimated risks because they do not herald their arrival with a visible financial crisis. Article 229 of the Spanish Companies Act (LSC) specifies the duty of loyalty in terms of specific obligations: (i) not to engage in transactions with the company except under market conditions, (ii) not to use company assets for private purposes, (iii) not to take advantage of the company’s business opportunities, (iv) not to obtain benefits from third parties in connection with one’s position, and (v) not to compete with the company. This regime also extends to indirect conflicts involving persons related to the director. [13]
A fact that may surprise those coming from other jurisdictions: this regime is mandatory and cannot be limited by statute, except for the exemptions permitted by the law itself.[14] A violation of this regime allows for the joinder of a claim for damages and a claim for restitution of unjust enrichment.
- Accounting and the filing of financial statements as evidence
Its significance lies not in its legal complexity, but in how easily it can be committed due to administrative negligence. In insolvency proceedings, fraud or gross negligence is presumed—unless proven otherwise—when the annual financial statements for any of the three fiscal years preceding the declaration of insolvency have not been prepared, audited, or filed.[15] Outside of insolvency proceedings, failure to file the financial statements is treated in judicial practice as an indication of “qualified losses” and may shift the burden of proof to the administrator. A low-cost formal obligation with a disproportionate evidentiary effect.
- Tax Liability of the Administrator
Article 43.1.a) of the General Tax Law provides for the subsidiary liability[16] of directors, whether de facto or de jure, of companies that have committed tax violations, when they failed to perform the acts within their purview, condoned noncompliance by their subordinates, or adopted resolutions that enabled the violation. This liability has a punitive component: it cannot be imposed merely by virtue of holding the position; the burden of proving culpable conduct rests with the Administration; and the imposition of liability must be individually justified by specifying which specific omissions warrant it.
- Criminal Liability and Compliance
The criminal liability of a director operates on two levels: for their own acts and, more controversially, for omissions regarding the acts of third parties within the organization, which is triggered only when there is a position of guarantor—a genuine legal duty of oversight—and the actual ability to prevent the outcome. In the case of board members, mere membership on the board of directors is not usually sufficient to establish liability by omission for a crime committed by another director, unless there was a specific duty of oversight or clear indications of wrongdoing.
The criminal liability of the company itself is a different matter,[17] which requires proof not only of a crime committed for the benefit of the entity but also of a serious organizational failure in its prevention and oversight mechanisms. The absence of an adequate compliance program does not in itself give rise to criminal liability, but it eliminates the company’s primary defense—and, indirectly, that of the director who should have implemented it.
- Cross-Cutting Risks in 2026: Cybersecurity, AI, and ESG as Organizational Responsibilities
Cybersecurity. Directive (EU) 2022/2555 (hereinafter, the“NIS2 Directive”) entered into force at the European level in January 2023, and Spain has not yet completed its transposition across the board: the bill remains under consideration in the Spanish Parliament, and the European Commission, following its reasoned opinion in 2025, issued a second formal notice in May 2026—a preliminary step toward a potential lawsuit before the Court of Justice of the EU.
The fact that the law has not been enacted does not put the risk on hold: although the directive does not, on its own, impose enforceable obligations on companies until it is transposed, it provides a framework from which to define the cybersecurity standard that incorporates the duty of care expected of responsible business owners in the affected sectors.[18] The bill under consideration also provides for personal sanctions against directors—including temporary disqualification—for gross negligence in supervising these measures, along with specific and documented training for the board of directors.
Artificial intelligence. The duty of care hardly justifies uncritical reliance on AI tools: it can be argued that it requires understanding and overseeing these systems, not delegating management, risk, and compliance decisions to them without oversight.
ESG. Directive (EU) 2026/470, part of the Omnibus Package, has significantly narrowed the scope of sustainability reporting: the new thresholds (more than 1,000 employees and 450 million euros in revenue) exclude most of the companies initially affected. For those that remain within the scope, the bar has been raised: the board of directors bears ultimate responsibility for the published sustainability information, in a manner analogous to annual financial statements.
IV. Three Defensive Management Checkpoints
None of these risks can be controlled in and of themselves. What is within the administrator’s control, however, is the level of preparedness with which they are addressed:
- Financial and Corporate Checkpoint: Regular monitoring of net worth, accumulated losses, cash flow, and maturities, with a clear protocol for convening a shareholders’ meeting, restructuring, or filing for bankruptcy within the prescribed timeframe.
- Corporate governance checklist: minutes and supporting documentation for each relevant decision; identification, disclosure, and recusal in conflicts of interest; documented prior consultation before high-risk strategic decisions.
- Compliance checklist: criminal and tax compliance programs reviewed; documented training on cybersecurity, AI, and ESG; D&O[19] policies updated in light of these risks.
In 2026, the best defense for a manager is not to prove that he or she always made the right decision, but to demonstrate that he or she made decisions based on sufficient information, adequately monitored the relevant risks, and acted with due diligence within the legally prescribed timeframes.
If you are a director or board member and wish to assess your personal exposure to these risks—grounds for dissolution, insolvency, conflicts of interest, or tax and criminal liability—at Gentile Law, we have a team that can help you develop a defensive management strategy and document it.
This publication is for informational purposes only and should not be construed as legal advice.
Contact us:
Álvaro Díaz Hotz
Corporate Paralegal at Gentile Law
Marta Gavín Hermosilla
Corporate Legal Advisor at Gentile Law
martagavin@gentile.law
+34 604 510 566
Miguel Espinosa García
Associate at Gentile Law
+34 604 510 566
[1] Art. 225 of the LSC.
[2] Articles 227 through 232 of the LSC.
[3] Sufficient information can be obtained through external or internal consultation, and this goes hand in hand with the fourth requirement of an appropriate decision-making process [Judgment of the 28th Chamber of the Provincial Court of Madrid dated June 12, 2020 (Case No.: SAP M 6860/2020)].
[4] Art. 226 of the LSC.
[5] Articles 236 and 241 of the LSC.
[6] Art. 367 of the LSC.
[7] The most common: net equity less than half of the share capital, Art. 363.1.e) of the LSC.
[8] Articles 365 and 367 of the LSC.
[9] This provision is set forth in Article 13 of Law 3/2020 and has been extended on several occasions. The current provision is Article 30.1 of Royal Decree-Law 7/2026, dated March 20, ratified by the Congress of Deputies on March 26, 2026, which extends it until the end of the fiscal year beginning in 2026.
[10] Article 444 of the Consolidated Text of the Insolvency Law (hereinafter“TRLC”).
[11] Insolvency shortfall: The portion of liabilities that remains unpaid after the company’s assets have been liquidated. In a case of culpable insolvency, the judge may order the directors involved to cover the shortfall, in whole or in part, with their personal assets (Art. 456 TRLC).
[12] When the position of director is held by a corporation, the corporation must appoint an individual to serve in that capacity. That representative is subject to the same duties as any director and is jointly and severally liable with the corporation it represents (Art. 236.5 of the LSC).
[13] Related Persons: A group of individuals close to the administrator whom the law treats as equivalent to the administrator in order to address indirect conflicts of interest.
[14] Art. 230.1 of the LSC.
[15] Art. 444 TRLC.
[16] Unlike joint and several liability, subsidiary liability can only be enforced once the principal debtor—in this case, the company—has been declared bankrupt due to insufficient assets (Art. 41.5, Law 58/2003, of December 17, General Tax Law).
[17] Article 31 bis of the Penal Code.
[18] Prudent businessperson: A standard of conduct imposed by law on directors: the duty of care of a “prudent businessperson” (Art. 225 of the LSC). It is an objective standard that is determined based on the company’s industry, size, and circumstances.
[19] Directors and Officers (D&O) liability insurance, which covers, within its limits and exclusions, claims arising from management decisions.