These are the key topics covered in this guide:
- What is FUNDAE and how does it work?
- Who is eligible?
- What types of training can be subsidised?
- How much can your company recover?
- Why this matters for compliance
- How the process works step by step
- Common mistakes companies make with FUNDAE
- How PrivaLex can help
If your company operates in Spain and is training employees in privacy, cybersecurity or regulatory compliance, you are almost certainly entitled to recover part or all of that training cost through FUNDAE, Spain’s state employment training fund. Many startups and SMEs are unaware of this, or find the administrative process too complex to manage alongside everything else. This guide explains how it works, what qualifies, and how PrivaLex handles the entire process on your behalf.
What Is FUNDAE and How Does It Work?
FUNDAE (Fundación Estatal para la Formación en el Empleo) is a state foundation that administers Spain’s system of subsidised training for employed workers. Every company with employees registered in the Spanish Social Security system contributes to a training fund through its Social Security contributions. FUNDAE gives that credit back to companies that invest in eligible training for their employees.
The mechanism works through Social Security contribution discounts: when you organise qualifying training for your employees, the cost is applied as a deduction against your next Social Security payment. The training is not reimbursed directly; it is offset against what you already owe. This means the money has already been set aside through your regular contributions; FUNDAE is the mechanism to use it.
Who Is Eligible?
Any company with employees registered in the Spanish Social Security system is eligible to access FUNDAE credits. There are no minimum size requirements. Sole traders (autónomos) with employees registered in Social Security are also eligible.
The training credit assigned to each company is calculated based on annual Social Security contributions and company size. Larger companies receive a larger absolute credit, but smaller companies benefit from higher subsidy percentages: companies with fewer than 50 employees can typically recover up to 100% of eligible training costs within their annual credit limit.
What Types of Training Can Be Subsidised?
Privacy, cybersecurity and compliance training qualifies under FUNDAE provided it is professionally delivered, documented and meets the administrative requirements. Eligible topics include:
- GDPR fundamentals and data protection compliance
- ISO 27001 awareness, control implementation and audit preparation
- NIS2 and its obligations for security teams and management
- DORA and operational resilience requirements for financial sector organisations
- EU AI Act and AI literacy programmes (required by the Act from February 2025)
- Cybersecurity awareness: phishing prevention, social engineering, secure password practices
- Secure software development practices for engineering teams
- Role-specific training: HR data handling, IT incident response, customer support data practices
- ISO 42001 AI management system training
Training can be delivered online, live (virtual or in-person), or as a combination. The key requirements are that attendance is tracked, there is some form of evaluation or assessment, and the training provider meets FUNDAE’s accreditation requirements.
How Much Can Your Company Recover?
The annual training credit available to each company is set by FUNDAE based on the previous year’s Social Security contributions and the number of employees. As a general guide:
- 1–9 employees: credit of approximately €420 per year, with up to 100% subsidy on eligible costs
- 10–49 employees: credit of approximately €1,500–2,000 per year, with up to 100% subsidy
- 50–249 employees: credit grows with headcount; subsidy percentage is 75%
- 250+ employees: larger absolute credit; subsidy percentage is 60%
Important: the credit is calculated annually and does not carry over. If you do not use it in a given year, it is lost. It can be allocated across multiple trainings and multiple teams within the same year.
Why This Matters for Compliance
Privacy and cybersecurity training is not optional under several frameworks that apply to Spanish companies. The GDPR requires it under Articles 39(1)(b) and 5(2). ISO 27001 requires documented training and awareness under Clauses 7.2 and 7.3 and Control A.6.3. NIS2 requires security training for staff and management. The EU AI Act requires AI literacy for all staff using or deploying AI systems, in force from February 2025.
These are audit requirements. Supervisory authorities and certification bodies will ask for training records: who was trained, when, on what topics, and what evidence exists. FUNDAE does not change the obligation; it changes whether you have to pay out of pocket to meet it.
How the Process Works Step by Step
The FUNDAE process has several administrative steps that are easy to manage with the right support but time-consuming to navigate alone:
- Step 1: Check your available credit: verify the training credit available to your company for the current year through the FUNDAE portal or with the support of an accredited training provider.
- Step 2: Define your training plan: identify which teams need training, on which topics, and which delivery format works for your organisation.
- Step 3: Notify FUNDAE before training begins: the training must be communicated to FUNDAE before it starts. Retroactive notification is not permitted.
- Step 4: Deliver the training: training is delivered according to the agreed plan, with attendance tracked and evaluation completed.
- Step 5: Submit the documentation: after training is completed, the relevant documentation is submitted to FUNDAE.
- Step 6: Apply the discount: the training cost is deducted from the company’s next Social Security contribution payment.
PrivaLex manages steps 1 through 6 on your behalf. You focus on getting your team trained; we handle the administration.
Common Mistakes Companies Make with FUNDAE
Not notifying FUNDAE before training starts
This is the most common mistake. FUNDAE requires prior notification before the training begins. If you organise training without notifying FUNDAE first, the cost cannot be subsidised. There are no exceptions.
Letting the annual credit expire
FUNDAE credit is annual and non-cumulative. Companies that do not plan their training calendar at the start of the year routinely lose their credit. A simple training plan mapped against your compliance calendar prevents this.
Using a non-accredited provider
Not all training providers are eligible to deliver FUNDAE-subsidised training. The provider must meet specific accreditation requirements. Using an unaccredited provider means the training cannot be subsidised, regardless of its quality.
Not keeping proper attendance and evaluation records
FUNDAE requires evidence of attendance and some form of evaluation or assessment. Without these records, the subsidy can be challenged or revoked during an inspection.
How PrivaLex Can Help
At PrivaLex Partners, we deliver accredited privacy and cybersecurity training for employees and management teams, and we manage the complete FUNDAE administrative process from notification through to the Social Security deduction. You do not need to navigate the FUNDAE portal, track deadlines or manage documentation; we do that for you.
Our training catalogue covers GDPR, ISO 27001, NIS2, DORA, the EU AI Act, phishing awareness and role-specific compliance. Sessions are available as live virtual workshops, in-person sessions or structured self-paced modules, adapted to the level and role of your team.
If you are preparing for an ISO 27001 or NIS2 audit, or simply need to document that your team has been trained in line with your compliance obligations, contact PrivaLex and we will map out a training plan that meets your requirements and maximises your available FUNDAE credit.
Frequently Asked Questions (FAQs)
Do I need to apply for FUNDAE or is it automatic?
It is not automatic. You need to notify FUNDAE before training begins, organise the training with an accredited provider, document attendance and evaluation, and apply the deduction against your Social Security contributions. PrivaLex manages this entire process on behalf of clients.
Can I use FUNDAE for training that has already taken place?
No. FUNDAE requires prior notification before training begins. Training that has already been delivered cannot be retrospectively subsidised.
Can FUNDAE cover training for managers and senior leadership?
Yes, provided they are registered employees of the company in the Spanish Social Security system. Training for directors, C-suite and senior management qualifies in the same way as training for other employees.
What happens if we have more training needs than our annual credit covers?
Your annual credit is a cap on the subsidy available. You can still organise training beyond that amount; you simply pay for the excess at normal cost. PrivaLex can help you prioritise training topics to make the most of your available credit.
Is online training eligible for FUNDAE?
Yes. Online and virtual training qualifies under FUNDAE, provided attendance is tracked, there is an evaluation component, and the provider meets the accreditation requirements. PrivaLex’s online training programmes are structured to meet these requirements.
Next Step
If your company is based in Spain and has employees, your FUNDAE training credit is already accumulating. The only question is whether you will use it. Book a call with PrivaLex and we will check your available credit, map it against your compliance training requirements and design a programme that meets both your obligations and your calendar.
