The EU Whistleblowing Directive

Everything companies need to know on implementation and whistleblowing system requirements

6 minutes05/28/2021

The European Parliament passed the Whistleblowing Directive (Directive (EU) 2019/1937) in December 2019. It aims to protect whistleblowers who uncover and report breaches of the law more effectively against reprisals. All EU member states must transpose this Directive into corresponding national laws by the end of 2021. Companies will then face the challenge of fulfilling the new requirements and obligations. It is therefore vital that companies engage in this issue at an early stage and develop an internal strategy to implement the new regulations. This article provides key information on legislation to protect whistleblowers, plus useful tips to help you introduce and implement a whistleblowing system.

Background to the legislation

Whistleblowers are courageous: they reveal unlawful practices, fully aware that they will more than likely face negative consequences. The act of whistleblowing is important for preserving an open society. Until now, only a handful of EU member states have given whistleblowers sufficient protection. There has been a lack of transparent safeguards. New regulations aim to develop suitable mechanisms in relation to EU law.

What is the purpose of the Whistleblower Directive?

The Whistleblower Directive aims to detect and prevent breaches of EU law, strengthen legal enforcement systems, and protect whistleblowers against any kind of liability, whether civil, criminal, administrative of employment-related. It serves to protect whistleblowers from negative consequences, such as dismissal, transfer or intimidation. 

The Directive provides protection in numerous key areas of EU law, including: 

  • Combating money laundering

  • Data protection 

  • Protecting the European Union’s financial interests 

  • Food safety and product safety 

  • Public health 

  • Environmental protection 

  • Nuclear safety

When will the new directive come into effect?

There are two different dates for legal implications. First, authorities and companies with over 250 employees must have a whistleblowing system in place by December 17, 2021 – the date by which EU member states must bring national laws and regulations into force. The same rules will also apply to companies with 50 to 250 employees, but only from 2023. Of course, companies can also proactively implement whistleblowing systems before the deadline. 

Whistleblowing system requirements

If employees have no recourse to a secure whistleblowing system, they may be forced to involve the authorities. Companies can avoid this by introducing effective and confidential internal reporting channels. Such whistleblowing systems must be available at all times, offer the option of anonymity, feature an interface translated into all relevant languages, and provide clear explanations and instructions for employees. These are all crucial elements and lay's a stable foundation for reliable internal communications. 

Who does the Whistleblower Directive protect?

The EU Whistleblower Directive includes certain groups who can invoke the legislation and thus claim protection when reporting breaches:

  • Employees (both current and former, plus applicants)

  • Civil servants and other public sector employees

  • Self-employed people and contractors

  • Trainees

  • Shareholders

  • Members of the administrative, management or supervisory body of a company

  • Supporters and relatives of whistleblowers

  • New employers of whistleblowers or persons otherwise connected to whistleblowers in a work-related context

The Directive therefore protects salaried employees as well as people otherwise related to the company in question. An exception applies to doctors and lawyers, who are not covered by the safeguards as reporting a breach, would violate their duty of confidentiality. 

In addition, whistleblowers can still be prosecuted if they commit crimes such as trespassing or engage in cyber criminality (e.g. hacking computer systems and accessing data without authorization). This does not apply to breaches of other standards or contractual agreements. If, for example, an employee enters their manager’s office to make copies of documents – even though they would not usually be allowed to do so – this breach is protected by the Whistleblower Directive. Whistleblowers can file reports using internal reporting systems or by contacting the relevant authorities. For instance, where there is significant public interest, whistleblowers are protected if they decide to go public straight away.

  • Whistleblowers are vital for maintaining a transparent and open society. Your courage to speak up is to be protected by the EU Whistleblower Act. | © iStock Geber86

What do companies need to consider when implementing a whistleblowing system?

If companies want to integrate legislation to protect whistleblowers in their internal processes, there are certain aspects they need to keep in mind. Here is an overview of the key points:

Scope of validity

  • The EU Whistleblower Directive affects: companies with 50 or more employees or with an annual turnover of €10 million or higher; public institutions; public authorities, and councils of municipalities with a population of 10,000 or more.

Reporting channels

  • Companies must establish a whistleblowing system. Reports can be submitted in writing (either online or by post) and/or verbally (to a telephone hotline or answering machine)

  • Companies should facilitate in-person meetings upon request.

  • The whistleblower’s identity must be kept confidential at all times.

  • Exception: Companies with 50-250 employees can use “shared resources”, i.e. a shared whistleblowing channel.

Information obligation

  • Companies must inform their employees, suppliers, service providers and business partners of their internal reporting process and alternative reporting channels (i.e. relevant authorities).

  • Information must be easy to understand and access.

Handling reports / data protection

  • All personal data pertaining to whistleblowers and accused persons must be handled in accordance with the GDPR.

  • Each company must appoint the “most appropriate persons” to receiving and monitoring whistleblowing cases, such as compliance officers, HR managers, in-house lawyers, finance directors, board members or other members of management. Companies can also choose to outsource this position.

  • Data must be stored securely so that it can be used as evidence, if required.


  • Companies must send whistleblowers confirmation of receipt within 7 days of their report being submitted.

  • Companies must inform whistleblowers of measures taken, the state of internal investigations and their outcomes within 3 months of a report being submitted.


The EU Whistleblower Directive will come into effect for companies with 250 or more employees in December 2021. It is highly advisable for companies of this size to explore different options for internal whistleblowing systems and to implement them within their operations before the deadline.