For almost thirty years, Law 31/1995 on the Prevention of Occupational Risks (PRL) was the regulatory pillar of workplace safety in Spain. Solid, but conceived in a very different context from today: without mass remote work, without permanent hyperconnectivity and without the scientific evidence on the impact of chronic stress on people's health. On 28 April 2026, the Council of Ministers approved the Draft Bill amending Law 31/1995, the Workers' Statute and the Prevention Services Regulation. The most significant change for most companies is a single one: psychosocial risks become an express legal obligation, not a recommendation or a best practice.
This article explains what the reform requires, what ISO 45003 is and how both frameworks complement each other to help organisations manage mental health at work in an orderly and auditable way.
What Changes with the OHS Law Reform
The reform does not start from scratch: the Spanish Strategy for Safety and Health at Work 2023–2027 had already placed psychosocial risks as a priority. The draft bill now elevates them to a legal obligation with these specific consequences:
- New definition of occupational harm. The text broadens the concept of «harm arising from work» to include not only physical injuries or classic illnesses, but also cognitive, emotional, behavioural and social effects. In other words: burnout, sustained anxiety or harassment are occupational harms in legal terms.
- Mandatory psychosocial risk assessment. Every company must systematically assess psychosocial risk factors: workload, role clarity, autonomy, interpersonal relationships, leadership, remote work and environmental conditions. The Labour Inspectorate is already requiring this point during 2026 visits.
- Specific regulation within one year. The law provides that, within twelve months of its entry into force, a development regulation on protection against psychosocial risks will be approved. That regulation will address, among other things, the prevention of suicidal behaviour and the promotion of healthy environments.
- Active management involvement. Prevention can no longer be entirely delegated to an external prevention service. The reform requires that management, middle managers and team leaders actively participate in identifying and controlling these risks.
- Gender and age perspective. The assessment must incorporate a gender perspective and take into account the age of workers as a modulating risk factor.
What ISO 45003 Is and Why It Is Relevant Now
ISO 45003:2021 (adopted in Spain as UNE-ISO 45003) is the first international standard that provides specific guidelines for managing psychosocial risks within an occupational health and safety management system. It is designed to be used alongside ISO 45001 — the certifiable occupational health and safety standard — and acts as its development guide in the psychosocial domain.
An important nuance worth clarifying: ISO 45003 in its current version is not independently certifiable; it is a good practices guide. Certification is issued by an accredited body (AENOR, Bureau Veritas, SGS, TÜV…) under the ISO 45001 umbrella. What ISO 45003 does offer is a structured, auditable and internationally recognised framework to demonstrate that the organisation manages these risks systematically. On the horizon of 2027, the revision of ISO 45001 plans to incorporate the contents of 45003 as normative requirements of the certified system itself.
What ISO 45003 Covers
The standard structures psychosocial management around four blocks:
- Identification of psychosocial hazards: working conditions (workload, pace, shifts), work content (monotony, complexity), labour relations (toxic leadership, violence, harassment), and organisational factors (communication, culture, job insecurity).
- Risk assessment and prioritisation: validated methodologies (CoPsoQ/ISTAS21, FPSICO from the INSST) to measure exposure and health impact.
- Control and preventive measures: intervention at source (task redesign, organisational measures) before individual measures (training, psychological support).
- Monitoring, review and continual improvement: outcome indicators (absenteeism, turnover, accident rates) and process indicators (participation, implementation of measures).
Comparison: What the PRL Reform Requires vs. What ISO 45003 Contributes
| Aspect | Reform of Law 31/1995 (2026 draft bill) | ISO 45003:2021 |
|---|---|---|
| Nature | Legal obligation (non-compliance = penalty) | Voluntary standard (good practices guide) |
| Psychosocial risk assessment | Mandatory for all companies | Detailed methodological framework for doing it well |
| Mental health as an occupational risk | Expressly recognised in the legal text | Core axis of the entire standard |
| Gender perspective | Required in the assessment | Considered in hazard identification |
| Remote work and digitalisation | Mandatory to assess its risks | Included as a specific risk factor |
| Management involvement | Required in an active way | Leadership and commitment requirement |
| Development regulation | Expected within 12 months of the law | Already provides detailed guidance |
| Certification | Not applicable (it is law) | Not autonomous; yes as part of ISO 45001 |
| Future revision | Specific regulation ~2027 | Integration into ISO 45001:2027 as a requirement |
The practical conclusion is clear: the legal reform defines the «what» (minimum obligations), while ISO 45003 provides the «how» (methodology, structure and evidence). Organisations that implement ISO 45003 not only comply with the new law; they also have an auditable system that demonstrates due diligence before the Labour Inspectorate and that facilitates the transition to the future ISO 45001:2027.
Concrete Use Cases by Sector
Psychosocial risks do not affect all sectors equally. According to data from the National Institute of Safety and Health at Work (INSST), a significant proportion of Spanish workers are exposed to high levels of psychosocial risks. These are the most frequent scenarios we encounter in implementation projects:
Healthcare and Social Care Sector
Extreme emotional load, exposure to situations of pain and death, 12-hour shifts and low autonomy in decision-making. In centres with more than 50 employees, this is where the Labour Inspectorate is focusing most of its 2026 visits. Assessment using CoPsoQ-ISTAS21 (medium or long version) is the standard recommended by the INSST for this sector.
Customer Service and Call Centres
Surface-level emotional labour (showing emotions that are not felt), constant performance monitoring, high work pace and low control over tasks. These are conditions of maximum psychosocial risk. Preventive action plans typically include job rotation, regulated breaks and quality supervision with a preventive rather than punitive approach.
Industrial SMEs with Partial Remote Work
Hybridisation has created a new source of risk: production workers without access to remote work who perceive inequity compared to office colleagues who do enjoy it. This perception of organisational injustice is a psychosocial hazard that the new law requires to be assessed. ISO 45003 provides criteria to measure and manage this factor.
Professional Firms and Consultancies
High cognitive demand, tight deadlines, extended availability via email and messaging, and frequent role conflicts (technical vs. commercial). Digital disconnection — already regulated by Article 88 of the LOPDGDD — gains preventive weight with the OHS reform. Implementation of ISO 45003 in these environments usually begins with a disconnection policy and clarification of roles.
Steps to Implement a Psychosocial Management System Aligned with ISO 45003 and the New OHS Law
At Summum Calidad we have been supporting companies throughout Spain in this process since 2007, with around 200 ISO management systems implemented. The roadmap we follow in ISO 45003 implementation projects has four phases:
- Initial diagnosis. Documentary review of the existing OHS system, analysis of accident rates (accidents, occupational diseases, absenteeism for psychological reasons) and interviews with line managers and HR managers to map the most likely risk factors.
- Psychosocial risk assessment. Application of the validated methodology that best suits the organisation (CoPsoQ-ISTAS21 or FPSICO from the INSST). Analysis of results by work unit, position and group (with gender and age perspective). Identification of priority risks.
- Preventive action plan. Design of interventions at source (organisational redesign, leadership improvement, role clarification, workload management) and individual support measures (access to psychologist, employee assistance programme). Definition of responsibilities, timelines and monitoring indicators.
- Integration into the ISO 45001 system. Documentation of the process in the existing or pending OHS management system. Preparation of auditable evidence to demonstrate compliance before the Labour Inspectorate and, where applicable, before the certification body.
If your organisation already has ISO 45001 occupational health and safety implemented, adding psychosocial management according to ISO 45003 is a natural extension of the system, not a parallel project. You reuse the structure for hazard identification, risk assessment, objectives and management review.
Frequently Asked Questions
Is ISO 45003 mandatory in Spain?
Not directly. ISO 45003 is a voluntary international standard. What is — or will be — mandatory is complying with the reformed Law 31/1995, which requires the assessment and management of psychosocial risks. ISO 45003 is the most recognised and structured tool for doing so correctly, but a company can comply with the law using other validated methodologies such as FPSICO or CoPsoQ-ISTAS21 without obtaining certification under any ISO standard.
Can my company obtain ISO 45003 certification?
ISO 45003 in its current version (2021) is not an independently certifiable standard: it is a guidelines guide. Certification of occupational health and safety management systems is obtained under ISO 45001. However, certification bodies such as SGS, AENOR or Bureau Veritas verify during ISO 45001 audits that the organisation adequately manages psychosocial risks in accordance with the 45003 criteria. In the revision scheduled for 2027, ISO 45001 will incorporate these contents as auditable normative requirements.
How long does it take to implement psychosocial management?
It depends on the size and complexity of the organisation. In an SME with 20–50 employees and an operational external prevention service, the complete process — from diagnosis to the action plan with documentary evidence — typically requires between three and five months. In larger organisations, with several workplaces and assessments by functional units, the project may extend between six and twelve months. The important thing is not to wait for the development regulation: the obligation to assess psychosocial risks is already in the law.
What happens if the Labour Inspectorate visits my company and I do not have a psychosocial assessment?
The absence of a psychosocial risk assessment can be classified as a serious infringement of OHS regulations, with penalties ranging — under Article 40 of the LISOS (Royal Legislative Decree 5/2000), as amended in October 2021 — between 2,451 and 49,180 euros for a serious infringement, or between 49,181 and 983,736 euros if considered very serious. In 2026, the Labour Inspectorate is prioritising this point in its actions targeting SMEs. Evidence of having started the assessment process and having an action plan under way is a mitigating factor in the event of an inspection.