The EU Whistleblower Directive will impact every employer in Europe. Is your business ready for it?

Every employer with 50 or more employees in the European Union will soon need to comply with the European Union’s Directive on the protection of persons who report breaches of Union law (Directive (EU) 2019/1937), otherwise known as the EU Whistleblower Protection Directive.

The Directive was adopted in October 2019 to grant greater protection to those who expose corporate wrongdoing. EU Member States were given two years to transpose it into national law, and the obligations on employers are phased in: organisations with 250 or more employees must comply from 17 December 2021, and those with between 50 and 249 employees by 17 December 2023.

What’s new?

Escalation and multiple reporting channels

The Directive introduces a three-tier reporting structure. Whistleblowers are encouraged to use internal channels first, but there is no obligation to do so: a reporter qualifies for protection whether the report is made internally or externally, and public disclosure is protected where the conditions set out in the Directive are met (for example, where an internal or external report led to no appropriate action within the prescribed timeframe, or where the reporter has reasonable grounds to believe there is an imminent danger to the public interest). Whistleblowers who fear retaliation from internal sources can therefore go straight to an external channel, which raises the risk for companies with ineffective or inefficient internal reporting mechanisms that reporters will bypass them and opt for more public disclosure.

Whistleblowers can report their concerns through:

  • Internal reporting channels: facilitated by the organisation
  • External reporting channels: facilitated by the relevant national authorities or the appropriate EU institutions
  • Public reporting channels: such as going directly to the media, or a public forum such as Twitter

Optimising internal reporting

From both a business-benefit and an organisational-culture perspective, having prospective whistleblowers use an internal reporting channel first is by far the most desirable outcome. Not only does this minimise the financial and reputational damage of an incident going public, it also strengthens trust between employee and employer, encouraging more people to Speak Up before concerns boil over. It also signals that misbehaviour will not be tolerated and that employees will report it, making potential corruption or ethical breaches less attractive to perpetrators.

Many companies tick a compliance box by buying a hotline but then fail to make it accessible. The ineffectiveness of hotlines is highlighted by the hotline providers themselves, with many of the established players reporting a steady decrease in hotline usage and rethinking their offerings for a world that has moved on. The shift away from telephone hotlines was visible as far back as 2012 in the National Business Ethics Survey of Fortune 500 Companies, which found hotlines to be the least popular channel (used by only 11% of reporters) among the minority of employees who do go ahead and report misconduct.

With a multigenerational workforce that largely favours digital communications, the idea of telephoning a call centre to report misconduct can seem alien. It is also inconvenient and unengaging, two shortcomings that legacy reporting solutions have failed to address. Hotlines are increasingly seen as outdated legacy offerings that do little to solve a persistent problem; the financial exposés that followed 2008, the interpersonal misconduct revelations of 2017 and the employee activism of 2020 all bear this out.

Who needs to comply?

In short, all legal entities with 50 or more employees operating within the EU Member States are required to comply with the Directive. This includes the European operations of organisations headquartered outside the EU. The purpose of the Directive is “to enhance the enforcement of EU law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting on breaches”. At the time of the Directive’s adoption, the EU warned that the majority of EU countries did not have effective laws in place, implying a significant liability for organisations across the Member States. In fact, the EU identified only ten Member States with a ‘comprehensive law’ protecting whistleblowers: France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden and the UK (which has since left the EU and is not bound by the Directive). The Directive, however, goes beyond these ‘comprehensive’ laws, and the countries that pioneered whistleblower protection are likely to transpose it promptly in order to retain that position.

What do I need to know?

The Directive protects not only those with “worker status” but also:

  • Self-employed persons
  • Trainees and volunteers
  • Shareholders and members of the administrative, management or supervisory body, including non-executive directors (NEDs)
  • Former and prospective employees, such as candidates who have been through recruitment or pre-contract negotiations
  • “Natural persons” such as suppliers, consultants, freelancers, contractors and subcontractors, and those working under their supervision

Whistleblowers should be able to submit reports, and those reports should be received and followed up by a “most suitable” impartial person or department, such as the compliance officer, head of HR, legal counsel, chief financial officer (CFO) or another executive manager, or an appropriate external ombudsman.

The identity of the whistleblower must be kept confidential; reporters who submit anonymously but are later identified are protected in the same way; and all personal data, both that of the whistleblower and that of any accused persons, must be handled in accordance with the GDPR.

The company is obliged to acknowledge receipt of the report to the whistleblower within seven days. The whistleblower must then receive feedback on the action taken within a reasonable timeframe not exceeding three months from that acknowledgement, covering the ongoing status of the internal investigation and its outcome.

The internal reporting system must allow reports to be made in writing or orally, must allow the reporter to request a physical meeting, and must provide clear information on the external reporting procedures available.

Those who hinder or attempt to hinder the reporting of concerns will face penalties. Retaliation against whistleblowers will also be punished, as will any breach of the duty to keep the whistleblower’s identity confidential.

What breaches fall under the remit of the EU Whistleblower Protection Directive?

  • Public Procurement Rules
  • Financial Services Rules
  • Product Safety Rules
  • Transport Safety Rules
  • Environmental Protection Rules
  • Nuclear Safety Rules
  • Food Safety Rules
  • Animal Health & Welfare Rules
  • Public Health Rules
  • Consumer Protection Rules
  • GDPR/Data Privacy Rules, and the security of network and information systems
  • Breaches affecting the financial interests of the Union
  • Breaches relating to the internal market, including competition, State aid and corporate tax rules

This list is a floor rather than a ceiling: the Directive expressly allows Member States to extend protection under national law to areas or acts it does not cover, and the protection against retaliation applies to every report that falls within scope.

What could be considered retaliation under the legislation?

  • Suspension, lay-off, dismissal etc.
  • Demotion or withholding of promotion
  • Transfer of duties
  • Negative performance assessment
  • Disciplinary measures, reprimands, financial penalty
  • Coercion
  • Intimidation
  • Harassment
  • Discrimination
  • Failure to convert temporary/fixed term employment or to renew

Although it is not mandatory, forward-thinking employers are ensuring that their whistleblowing solution can also capture incidents of retaliation. This makes reporting, attribution and resolution much easier and reduces the number of separate tools performing similar tasks.