ISO 45003 and OHS Law Reform: psychosocial risks guide

·

For almost thirty years, Law 31/1995 on the Prevention of Occupational Risks (PRL) was the regulatory pillar of workplace safety in Spain. Solid, but conceived in a very different context from today: without mass remote work, without permanent hyperconnectivity and without the scientific evidence on the impact of chronic stress on people's health. On 28 April 2026, the Council of Ministers approved the Draft Bill amending Law 31/1995, the Workers' Statute and the Prevention Services Regulation. The most significant change for most companies is a single one: psychosocial risks become an express legal obligation, not a recommendation or a best practice.

This article explains what the reform requires, what ISO 45003 is and how both frameworks complement each other to help organisations manage mental health at work in an orderly and auditable way.

What Changes with the OHS Law Reform

The reform does not start from scratch: the Spanish Strategy for Safety and Health at Work 2023–2027 had already placed psychosocial risks as a priority. The draft bill now elevates them to a legal obligation with these specific consequences:

What ISO 45003 Is and Why It Is Relevant Now

ISO 45003:2021 (adopted in Spain as UNE-ISO 45003) is the first international standard that provides specific guidelines for managing psychosocial risks within an occupational health and safety management system. It is designed to be used alongside ISO 45001 — the certifiable occupational health and safety standard — and acts as its development guide in the psychosocial domain.

An important nuance worth clarifying: ISO 45003 in its current version is not independently certifiable; it is a good practices guide. Certification is issued by an accredited body (AENOR, Bureau Veritas, SGS, TÜV…) under the ISO 45001 umbrella. What ISO 45003 does offer is a structured, auditable and internationally recognised framework to demonstrate that the organisation manages these risks systematically. On the horizon of 2027, the revision of ISO 45001 plans to incorporate the contents of 45003 as normative requirements of the certified system itself.

What ISO 45003 Covers

The standard structures psychosocial management around four blocks:

  1. Identification of psychosocial hazards: working conditions (workload, pace, shifts), work content (monotony, complexity), labour relations (toxic leadership, violence, harassment), and organisational factors (communication, culture, job insecurity).
  2. Risk assessment and prioritisation: validated methodologies (CoPsoQ/ISTAS21, FPSICO from the INSST) to measure exposure and health impact.
  3. Control and preventive measures: intervention at source (task redesign, organisational measures) before individual measures (training, psychological support).
  4. Monitoring, review and continual improvement: outcome indicators (absenteeism, turnover, accident rates) and process indicators (participation, implementation of measures).

Comparison: What the PRL Reform Requires vs. What ISO 45003 Contributes

Aspect Reform of Law 31/1995 (2026 draft bill) ISO 45003:2021
Nature Legal obligation (non-compliance = penalty) Voluntary standard (good practices guide)
Psychosocial risk assessment Mandatory for all companies Detailed methodological framework for doing it well
Mental health as an occupational risk Expressly recognised in the legal text Core axis of the entire standard
Gender perspective Required in the assessment Considered in hazard identification
Remote work and digitalisation Mandatory to assess its risks Included as a specific risk factor
Management involvement Required in an active way Leadership and commitment requirement
Development regulation Expected within 12 months of the law Already provides detailed guidance
Certification Not applicable (it is law) Not autonomous; yes as part of ISO 45001
Future revision Specific regulation ~2027 Integration into ISO 45001:2027 as a requirement

The practical conclusion is clear: the legal reform defines the «what» (minimum obligations), while ISO 45003 provides the «how» (methodology, structure and evidence). Organisations that implement ISO 45003 not only comply with the new law; they also have an auditable system that demonstrates due diligence before the Labour Inspectorate and that facilitates the transition to the future ISO 45001:2027.

Concrete Use Cases by Sector

Psychosocial risks do not affect all sectors equally. According to data from the National Institute of Safety and Health at Work (INSST), a significant proportion of Spanish workers are exposed to high levels of psychosocial risks. These are the most frequent scenarios we encounter in implementation projects:

Healthcare and Social Care Sector

Extreme emotional load, exposure to situations of pain and death, 12-hour shifts and low autonomy in decision-making. In centres with more than 50 employees, this is where the Labour Inspectorate is focusing most of its 2026 visits. Assessment using CoPsoQ-ISTAS21 (medium or long version) is the standard recommended by the INSST for this sector.

Customer Service and Call Centres

Surface-level emotional labour (showing emotions that are not felt), constant performance monitoring, high work pace and low control over tasks. These are conditions of maximum psychosocial risk. Preventive action plans typically include job rotation, regulated breaks and quality supervision with a preventive rather than punitive approach.

Industrial SMEs with Partial Remote Work

Hybridisation has created a new source of risk: production workers without access to remote work who perceive inequity compared to office colleagues who do enjoy it. This perception of organisational injustice is a psychosocial hazard that the new law requires to be assessed. ISO 45003 provides criteria to measure and manage this factor.

Professional Firms and Consultancies

High cognitive demand, tight deadlines, extended availability via email and messaging, and frequent role conflicts (technical vs. commercial). Digital disconnection — already regulated by Article 88 of the LOPDGDD — gains preventive weight with the OHS reform. Implementation of ISO 45003 in these environments usually begins with a disconnection policy and clarification of roles.

Steps to Implement a Psychosocial Management System Aligned with ISO 45003 and the New OHS Law

At Summum Calidad we have been supporting companies throughout Spain in this process since 2007, with around 200 ISO management systems implemented. The roadmap we follow in ISO 45003 implementation projects has four phases:

  1. Initial diagnosis. Documentary review of the existing OHS system, analysis of accident rates (accidents, occupational diseases, absenteeism for psychological reasons) and interviews with line managers and HR managers to map the most likely risk factors.
  2. Psychosocial risk assessment. Application of the validated methodology that best suits the organisation (CoPsoQ-ISTAS21 or FPSICO from the INSST). Analysis of results by work unit, position and group (with gender and age perspective). Identification of priority risks.
  3. Preventive action plan. Design of interventions at source (organisational redesign, leadership improvement, role clarification, workload management) and individual support measures (access to psychologist, employee assistance programme). Definition of responsibilities, timelines and monitoring indicators.
  4. Integration into the ISO 45001 system. Documentation of the process in the existing or pending OHS management system. Preparation of auditable evidence to demonstrate compliance before the Labour Inspectorate and, where applicable, before the certification body.

If your organisation already has ISO 45001 occupational health and safety implemented, adding psychosocial management according to ISO 45003 is a natural extension of the system, not a parallel project. You reuse the structure for hazard identification, risk assessment, objectives and management review.

Frequently Asked Questions

Is ISO 45003 mandatory in Spain?

Not directly. ISO 45003 is a voluntary international standard. What is — or will be — mandatory is complying with the reformed Law 31/1995, which requires the assessment and management of psychosocial risks. ISO 45003 is the most recognised and structured tool for doing so correctly, but a company can comply with the law using other validated methodologies such as FPSICO or CoPsoQ-ISTAS21 without obtaining certification under any ISO standard.

Can my company obtain ISO 45003 certification?

ISO 45003 in its current version (2021) is not an independently certifiable standard: it is a guidelines guide. Certification of occupational health and safety management systems is obtained under ISO 45001. However, certification bodies such as SGS, AENOR or Bureau Veritas verify during ISO 45001 audits that the organisation adequately manages psychosocial risks in accordance with the 45003 criteria. In the revision scheduled for 2027, ISO 45001 will incorporate these contents as auditable normative requirements.

How long does it take to implement psychosocial management?

It depends on the size and complexity of the organisation. In an SME with 20–50 employees and an operational external prevention service, the complete process — from diagnosis to the action plan with documentary evidence — typically requires between three and five months. In larger organisations, with several workplaces and assessments by functional units, the project may extend between six and twelve months. The important thing is not to wait for the development regulation: the obligation to assess psychosocial risks is already in the law.

What happens if the Labour Inspectorate visits my company and I do not have a psychosocial assessment?

The absence of a psychosocial risk assessment can be classified as a serious infringement of OHS regulations, with penalties ranging — under Article 40 of the LISOS (Royal Legislative Decree 5/2000), as amended in October 2021 — between 2,451 and 49,180 euros for a serious infringement, or between 49,181 and 983,736 euros if considered very serious. In 2026, the Labour Inspectorate is prioritising this point in its actions targeting SMEs. Evidence of having started the assessment process and having an action plan under way is a mitigating factor in the event of an inspection.