
EU Whistleblower Directive: Employer Implementation Guide

The EU Whistleblower Directive requires all organisations with 50+ employees to establish internal reporting channels. This guide covers the 3-tier reporting system, confidentiality, anti-retaliation protections, timelines, and country implementation.

Rachel Richardson

Head of Growth & Marketing, Grove HR

Updated 20 March 2026 · 14 min read

Quick Answer: What Does the EU Whistleblower Directive Require?

Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law was adopted on 23 October 2019. It establishes EU-wide minimum standards for whistleblower protection and requires organisations to set up secure reporting channels.

| Requirement | Detail |
|---|---|
| Scope | Organisations with 50+ employees (public and private) |
| Internal channels | Secure reporting channels for receiving and following up on reports |
| 3-tier system | Internal reporting, external reporting to authorities, public disclosure |
| Acknowledgment | Within 7 calendar days of receiving a report |
| Follow-up | Feedback to the reporter within 3 months |
| Confidentiality | Identity of the reporter must be protected |
| Anti-retaliation | Comprehensive protection against any form of retaliation |
| Transposition | Deadline was 17 December 2021 (50+ employees: 17 December 2023) |

Scope: Who Is Protected?

Reporting Persons

The directive protects a broad range of individuals, not just employees:

  • Employees (including civil servants)
  • Self-employed persons
  • Shareholders and board members
  • Volunteers and trainees (including unpaid)
  • Job applicants (who obtained information during the recruitment process)
  • Former employees
  • Persons assisting the reporter (facilitators)
  • Third persons connected to the reporter (colleagues, relatives who could suffer retaliation)
  • Legal entities connected to the reporter

Subject Matter: What Can Be Reported?

The directive covers breaches of EU law in specific areas listed in the Annex, including:

  • Public procurement (Directives 2014/24/EU, 2014/25/EU)
  • Financial services and anti-money laundering (MiFID II, AMLD)
  • Product safety and compliance
  • Transport safety
  • Environmental protection
  • Radiation protection and nuclear safety
  • Food and feed safety, animal health and welfare
  • Public health (cross-border health threats, medicinal products)
  • Consumer protection
  • Privacy and data protection (GDPR)
  • Corporate tax (arrangements designed to obtain a tax advantage)
  • Competition law

Member states may extend the scope beyond EU law to include breaches of national law as well. Many have done so:

| Country | Extended to National Law? |
|---|---|
| France (Sapin II + 2022 update) | Yes -- all crimes, offences, and threats to the public interest |
| Germany (HinSchG) | Yes -- criminal offences and certain administrative violations |
| Netherlands (Wet bescherming klokkenluiders) | Yes -- all breaches of EU and national law |
| Ireland (Protected Disclosures Act 2022) | Yes -- broad definition of "relevant wrongdoing" |
| Italy (D.Lgs. 24/2023) | Yes -- breaches of national law implementing EU directives |
| Sweden (Lag om skydd for personer som rapporterar om missforhallanden) | Yes -- serious wrongdoing in the public interest |

The 3-Tier Reporting System

Tier 1: Internal Reporting Channels

Article 8 requires all legal entities in the private sector with 50 or more workers and all public sector entities (member states may exempt municipalities with fewer than 10,000 inhabitants) to establish internal reporting channels.

Timeline:

  • Entities with 250+ workers: Channels must have been operational by 17 December 2021
  • Entities with 50-249 workers: Deadline was 17 December 2023

Requirements for internal channels:

  • Channels must allow reporting in writing and/or orally (e.g., secure online platform, telephone hotline, postal address)
  • If orally, through a telephone line or voice messaging system, or upon request through a physical meeting within a reasonable timeframe
  • Confidentiality of the reporter's identity must be guaranteed
  • A designated impartial person or department must manage reports (this can be outsourced to a third party)
  • Reports must be acknowledged within 7 calendar days
  • Diligent follow-up must be provided by the designated person
  • Feedback must be given to the reporter within 3 months of acknowledgment (or 6 months in duly justified cases)
  • Clear and accessible information about how to use internal channels and how to report externally must be provided

Shared channels: Entities with 50-249 workers may share resources for receiving and investigating reports, as long as all obligations (confidentiality, follow-up, feedback) are met.

Tier 2: External Reporting to Competent Authorities

Article 10 requires member states to designate competent authorities to receive external reports. Reporting persons may go directly to external channels without first using internal channels (Article 10).

Competent authorities must:

  • Establish independent and autonomous external reporting channels
  • Acknowledge receipt within 7 days
  • Provide feedback within 3 months (extendable to 6 months in duly justified cases)
  • Follow up diligently on reports

Tier 3: Public Disclosure

Article 15 protects public disclosure (e.g., to the media) only where:

  • The person first reported internally and/or externally but no appropriate action was taken within the prescribed timeframe, OR
  • The person has reasonable grounds to believe there is an imminent or manifest danger to the public interest, OR
  • There is a risk of retaliation or a low prospect of the breach being effectively addressed through external reporting (e.g., due to risk of evidence destruction or collusion between the authority and the perpetrator)

Confidentiality Protections

Identity Protection

Article 16 establishes strict confidentiality requirements:

  • The identity of the reporting person must not be disclosed to anyone beyond the authorised staff members receiving or following up on reports without the explicit consent of the person
  • This applies equally to any information from which the identity could be directly or indirectly deduced
  • The identity may only be disclosed where necessary and proportionate under EU or national law in the context of investigations or judicial proceedings (and the person must be informed before disclosure)

Anonymous Reporting

The directive does not require member states to accept anonymous reports. However, member states may choose to do so, and many have:

| Country | Anonymous Reporting |
|---|---|
| France | Accepted (Sapin II, as amended 2022) |
| Germany | Not required but recommended (HinSchG allows it) |
| Netherlands | Accepted |
| Italy | Accepted (D.Lgs. 24/2023) |
| Sweden | Accepted if follow-up is feasible |

Anti-Retaliation Protections

Prohibited Retaliation

Article 19 provides a comprehensive, non-exhaustive list of prohibited retaliatory acts:

  • Suspension, lay-off, dismissal
  • Demotion or withholding of promotion
  • Transfer of duties, change of workplace, reduction in wages
  • Negative performance assessment or employment reference
  • Imposition of any disciplinary measure, reprimand, or financial penalty
  • Coercion, intimidation, harassment, or ostracism
  • Discrimination or unfavourable treatment
  • Failure to convert a fixed-term contract to permanent (where legitimate expectation existed)
  • Non-renewal of a fixed-term contract
  • Harm including reputation damage (particularly on social media), financial loss, blacklisting
  • Early termination or cancellation of a contract for goods or services
  • Cancellation of a licence or permit
  • Psychiatric or medical referral

Burden of Proof

Article 21(5): In proceedings relating to retaliation, where the person establishes that they made a report and suffered a detriment, the burden of proof shifts to the person who took the detrimental measure to demonstrate it was based on duly justified grounds unrelated to the report.

Support Measures

Article 20 requires member states to ensure reporting persons have access to:

  • Free legal aid in criminal and cross-border civil proceedings
  • Legal advice and other forms of assistance
  • Financial assistance and support, including psychological, in the framework of legal proceedings
  • Interim relief pending resolution of proceedings

Country Implementation Status

| Country | Transposition Status | National Law |
|---|---|---|
| France | Completed (March 2022) | Loi Waserman (2022-401), amending Sapin II |
| Germany | Completed (June 2023) | Hinweisgeberschutzgesetz (HinSchG) |
| Netherlands | Completed (February 2023) | Wet bescherming klokkenluiders (Whistleblower Protection Act) |
| Ireland | Completed (January 2023) | Protected Disclosures (Amendment) Act 2022 |
| Italy | Completed (March 2023) | Decreto Legislativo 24/2023 |
| Sweden | Completed (December 2021) | Lag (2021:890) om skydd for rapporterande personer |
| Spain | Completed (February 2023) | Ley 2/2023 reguladora de la proteccion de informantes |
| Denmark | Completed (December 2021) | Lov om beskyttelse af whistleblowere |
| Belgium | Completed (November 2022) | Loi du 28 novembre 2022 sur la protection des personnes signalant des violations |
| Poland | Completed (June 2024) | Ustawa o ochronie sygnalistow |
| Austria | Completed (February 2023) | HinweisgeberInnenschutzgesetz (HSchG) |
| Portugal | Completed (June 2022) | Lei 93/2021 |

Penalties for Non-Compliance

The directive requires member states to establish effective, proportionate, and dissuasive penalties for:

  • Persons who hinder or attempt to hinder reporting
  • Persons who retaliate against reporting persons
  • Persons who bring vexatious proceedings against reporting persons
  • Persons who breach the duty of maintaining confidentiality

Country-specific penalties:

| Country | Key Penalties |
|---|---|
| Germany | Fines up to EUR 50,000 for hindering reports or retaliating; up to EUR 20,000 for failing to set up channels |
| France | 2 years imprisonment and EUR 30,000 fine for hindering reporting; 3 years and EUR 45,000 for retaliation |
| Italy | Fines EUR 10,000-50,000 for retaliation; EUR 10,000-50,000 for failure to establish channels |
| Netherlands | Administrative orders, fines, and criminal prosecution for retaliation |
| Spain | Fines up to EUR 300,000 (very serious) for natural persons; up to EUR 1,000,000 for legal persons |

How Grove HR Supports Whistleblower Compliance

Grove HR helps employers implement and manage whistleblower reporting:

  • Secure internal reporting channel accessible via web and mobile, supporting written and oral reports
  • Case management workflow with acknowledgment tracking (7-day deadline) and follow-up reminders (3-month deadline)
  • Confidentiality controls restricting access to report details to designated handlers only
  • Anonymous reporting option where permitted by national law
  • Audit trail documenting all actions taken on each report
  • Multi-jurisdiction configuration adapting to country-specific transposition requirements

Rachel leads growth and marketing at Grove HR, with over a decade of experience in UK HR technology. She writes practical guides to help small businesses navigate employment law and build better workplaces.

Frequently Asked Questions

Which organisations must set up whistleblower reporting channels under EU law?

All private sector organisations with 50 or more employees and all public sector entities must establish internal reporting channels under Directive (EU) 2019/1937. Organisations with 250+ workers should have had channels operational by December 2021; those with 50-249 workers by December 2023.

How quickly must an employer respond to a whistleblower report?

The employer must acknowledge receipt of the report within 7 calendar days. Diligent follow-up must be provided, and feedback must be given to the reporter within 3 months of the acknowledgment date. In duly justified cases, the feedback period may be extended to 6 months.

Can a whistleblower go directly to a regulator without reporting internally first?

Yes. The directive allows reporting persons to report directly to competent external authorities without first using internal channels. Public disclosure (e.g., to the media) is protected only if internal/external reporting did not result in appropriate action, or there is imminent danger or risk of retaliation.

What protection do whistleblowers have against retaliation under EU law?

The directive prohibits all forms of retaliation including dismissal, demotion, pay reduction, harassment, blacklisting, and negative references. The burden of proof shifts to the employer to demonstrate any detrimental action was unrelated to the report. Penalties for retaliation include significant fines and in some countries imprisonment.

Does the EU Whistleblower Directive require anonymous reporting?

No. The directive does not require member states to accept anonymous reports. However, many countries (France, Netherlands, Italy, Sweden) have chosen to allow anonymous reporting in their national transposition. Where anonymous reports are accepted, they must be handled with the same diligence.
