Ethics and Regulatory Compliance Management System

Home

ENAIRE

Ethical culture and regulatory compliance

At ENAIRE, fostering a strong ethical culture and a clear commitment to regulatory compliance is a shared responsibility across its governing and management bodies. The Governing Board, the Director General, the wider management team and the Regulatory Compliance Function — comprising the Head of the Internal Reporting System and the Ethics and Compliance Committee — are responsible for promoting and embedding ENAIRE’s ethical and compliance culture throughout the organisation.

These bodies and functions act with an active, visible, consistent and long-term commitment to the Code of Ethics, corporate policies and the Ethics and Regulatory Compliance Management System. Their actions are guided by a zero-tolerance approach to unlawful conduct or regulatory breaches, and seek to promote an environment of integrity, transparency and accountability.

By setting a clear example, they encourage adherence to institutional ethical values at every level of the organisation, inspiring teams to act with integrity and rigour in the performance of their duties. This commitment underpins the consolidation of an organisational culture aligned with the principles of Good Governance, Ethics and Regulatory Compliance.

ENAIRE’s own regulatory compliance assurance model

ENAIRE has adapted the IIA’s 2020 Three Lines Model to the organisation’s specific structure, resulting in a Four Lines Model.

ENAIRE’s Four Lines Model is characterised by:

Separating the role of the Director General from the other directors, in line with ENAIRE’s Statute, with the Director General acting as the coordination hub between the first and second lines and the Governing Board.
Establishing the Compliance Function — carried out by the Ethics and Compliance Committee (CECN) and the Head of the Internal Reporting System — as a distinct line (the third), owing to its independence and direct access to the Governing Board.

Show image description

ENAIRE’s own Four Lines Model is an organisational diagram that outlines the Entity’s oversight and control structure for risk management and regulatory compliance.

In the lower right-hand corner, a note indicates that this Four Lines Model is based on the IIA’s 2020 Three Lines Model, UNE-ISO 37000 Governance of organisations, ISO 37301 Compliance Management Systems, and ENAIRE’s Statute.

From an accessibility standpoint, this horizontal model clearly organises responsibilities, with the Governing Board as the governing body that must ensure that appropriate mechanisms are in place for reviewing and monitoring the Entity’s regulatory compliance and risks.

General structure and leadership: Governing Board and Senior Management

The diagram is arranged horizontally in columns, with ENAIRE’s governing body, the Governing Board, shown at the top as a horizontal block that spans and sits above the Directorate General and the columns representing the third and fourth lines:

Governing Body: at the top of the structure is ENAIRE's governing body: the Governing Board.
- Delegation and oversight: The solid downward dark-blue arrows from the Governing Board to the Directorate General, the CECN/RSII and Internal Audit show how the Governing Board sets policies and strategies, delegates authority, allocates resources and exercises its supervisory responsibilities.
Directorate General: the Director General coordinates the Management Committee and receives authority directly delegated by the Governing Board. Below the Director General are the two columns representing the roles of the first and second line.
- Delegation and oversight: the solid downward mid-blue arrows from the Directorate General to the first- and second-line columns illustrate how the Directorate General conveys and applies the policies and strategies set by the Governing Board, delegates authority, allocates resources and performs its supervisory role.
- Reporting and accountability: The solid upward dark-blue arrow from the Directorate General towards the Governing Board represents the Director General’s reporting and accountability to the Governing Board.

The Four Internal Assurance Lines

ENAIRE’s internal model is composed of four lines of regulatory-compliance assurance, arranged from left to right in the diagram:

1. First-line roles (first medium-blue column)

Operational function: These consist of the operational client-service and support functions that are responsible for managing the risks inherent to their own activity while complying with the applicable regulations.
First-line roles at ENAIRE include the central-services directorates and the regional directorates, as well as all their subordinate units.
Reporting and accountability: They report directly to the Director General, represented by the medium-blue upward vertical arrow.

2. Second-line roles (second medium-blue column)

Specialised risk-supervision and support function: these functions have the knowledge, experience and authority in specific areas of risk. Their role is to support, supervise and challenge risk management and regulatory compliance in order to achieve objectives and continuous improvement in their respective areas.
Second-line roles at ENAIRE include the specialised units and committees in areas such as safety, quality, environment, occupational health and safety, data protection and legal advisory services.
Reporting and accountability: They report directly to the Director General, represented by the medium-blue upward vertical arrow.

3. Third-line roles (third light-blue column)

Regulatory Compliance Function: this line is composed of the Ethics and Regulatory Compliance Committee (CECN) and the Head of the Internal Reporting System (RSII).
Independence: these are independent bodies with direct access to the Governing Board, ensuring their objectivity.
Role: they provide expertise and authority in risk management, ethics and regulatory compliance (criminal and competition); they support, supervise and challenge risk management and regulatory compliance to drive continuous improvement. The RSII reports on the management of the information received through the Internal Reporting System, guaranteeing confidentiality.
Reporting and accountability: It reports directly to the Governing Board, represented by the dark-blue upward vertical arrow.

4. Fourth-line roles (fourth orange column)

Internal-assurance function performed by Internal Audit.
Independence: Internal Audit exercises an independent and objective function. Its direct access to the Governing Board ensures its independence.
Role: it provides assurance and guidance on the adequacy and effectiveness of governance and risk management, and governance and regulatory-compliance management, promoting the achievement of objectives and continuous improvement.
Reporting and accountability: It reports directly to the Governing Board, represented by the dark-blue upward vertical arrow.

Alignment and collaboration (side lines)

The diagram shows grey dashed lateral arrows representing alignment, communication, coordination and collaboration between the Directorate General and the various assurance lines.

External assurance providers

Outside the four internal lines, there is a lateral column on the right representing External Assurance Providers. These providers deliver assurance through external audits, certification audits and inspections.

This model represents ENAIRE’s regulatory-compliance assurance model, based on the IIA 2020 Three Lines Model.

ENAIRE’s own model has four internal lines of regulatory-compliance assurance:

The first line of assurance is carried out by all directorates with operational client-service functions and support functions. This first line is responsible for understanding the regulations applicable to it and carrying out an initial self-check of compliance. At ENAIRE, first-line roles include the central-services directorates and the regional directorates.
The second line of assurance is performed by all directorates that have knowledge, experience and authority in specific risk areas and that support, supervise and challenge the management of risks and regulatory compliance in these areas. At ENAIRE, second-line roles include the units and committees in areas such as safety, quality, environment, data protection and legal advisory services.

The first and second lines report directly to the Director General and may also report to the Governing Board.

The third line of assurance is carried out by the Ethics and Regulatory Compliance Committee (CECN) and the Head of the Internal Reporting System (RSII), which are independent bodies with direct access to the Governing Board, ensuring their independence.
- The CECN oversees the operation of the Ethics and Regulatory Compliance Management System with respect to ethics, criminal compliance and competition-law compliance, and the management of risks in these areas, performed by all those departments that provide direct services to clients, or support functions for them. This first line is responsible for understanding the regulations applicable to it and carrying out an initial self-check of compliance.
- The RSII reports on the information received through the Internal Reporting System and its management, ensuring confidentiality and protection of the whistleblower.
The fourth and final line of internal assurance is carried out by Internal Audit, with direct access to the Governing Board, which guarantees its independence. Internal Audit supervises and advises on the adequacy and effectiveness of governance and risk management for areas in which it does not operate.

The solid vertical downward arrows from the Governing Board:

to the Directorate General, as the organisation’s senior-management representative and coordinator of the Management Committee,
to the Ethics and Regulatory Compliance Committee (CECN) and the Head of the Internal Reporting System (RSII)
and to Internal Audit

show how the Governing Board sets the organisation’s policies and strategies, delegates authority to management, allocates resources and exercises its oversight responsibilities.

Similarly, the Directorate General passes these directives, delegations, resources and the outcomes of the Governing Board’s oversight to the first and second lines.

The solid vertical upward arrows show the lines of accountability:

from the directorates to the Director General, and from the Director General to the Governing Board:
from the CECN and the RSII, which report directly and independently to the Governing Board.
from Internal Audit, which reports directly and independently to the Governing Board

The grey dashed arrow shows alignment, communication, coordination and collaboration between the Directorate General and the various assurance lines.

Externally, ENAIRE also works with external assurance providers and bodies for internal audits, certification audits and inspections.

Ethics and Regulatory Compliance Management System

ENAIRE’s Ethics and Regulatory Compliance Management System includes the policies, processes and procedures needed to ensure behavioural ethics and corporate integrity across the organisation.

Behavioural ethics and business integrity are the backbone for the conduct of ENAIRE’s professionals in the performance of their duties and in representing the organisation, as well as an essential factor in day-to-day decision-making. ENAIRE views ethics and regulatory compliance not only as legal requirements, but as elements that must be woven into its identity as a Public Business Entity under the Ministry of Transport and Sustainable Mobility and as a key player in the aviation sector.

ENAIRE’s Ethics and Regulatory Compliance Management System has a threefold scope covering: ethics, criminal risks and competition-law risks.

ENAIRE has defined and implemented its own methodology for assessing compliance risks, aligned with the strategic-risk methodology. This enables risks to be assessed and managed through effective controls and, where necessary, additional mitigation measures.