How to get compliant with the Whistleblowing Law
The EU Whistleblowing Directive (2019/1937) was introduced to protect individuals who report work-related misconduct. As a directive, it does not apply directly but requires each member state to transpose it into national law; those national laws oblige organisations to establish secure, confidential reporting systems that safeguard whistleblowers from retaliation.
Organisations with 50 or more employees and municipalities with over 10,000 inhabitants are required to implement secure and effective reporting channels. These systems must be designed to ensure the safety and confidentiality of whistleblowers while meeting legal obligations.
To comply with the directive, reporting channels must:
Be secure
Guarantee confidentiality
Have a designated owner
Adhere to defined timeframes
Comply with the GDPR
Allow for written and/or verbal reports
Any individual who becomes aware of work-related misconduct can submit a report. Protection extends beyond current employees to include former employees, job applicants, contractors and suppliers, and supporters of the whistleblower.
Whistleblowing reports can cover violations of EU law related to various issues, including but not limited to:
Money laundering and tax fraud
Product and transport safety
Data protection and privacy violations
Public health concerns
Animal welfare violations
Environmental protection breaches
Whistleblowers are legally protected from any form of retaliation when submitting a report through the designated reporting channel. To qualify for protection, the whistleblower must have reasonable belief that the information they are providing is true at the time of reporting.
While the EU Whistleblowing Directive does not establish specific minimum penalties, it requires member states to implement national laws that impose sanctions on organisations that:
Breach confidentiality by disclosing a whistleblower’s identity without consent.
Retaliate against whistleblowers through actions such as dismissal, harassment, or discrimination.
Failure to comply with national whistleblower protection laws can result in significant financial penalties, legal action, and reputational damage for organisations. Ensuring proper internal reporting channels and protective measures is essential for compliance and maintaining trust within your organisation.
Follow these steps to ensure your organisation complies with the EU Whistleblowing Directive.
Implement a procedure to acknowledge receipt of the report within seven days, and provide feedback to the whistleblower within three months.
Continue to comply with GDPR requirements by carefully managing personal data: collect only what is needed for the case, restrict access to the designated case handlers, store data securely, and cover any transfer outside the EU with a valid GDPR transfer mechanism.
Establish reporting channels that guarantee confidentiality and protect the identity of whistleblowers and any individuals named in reports. Secure your system against unauthorised access and maintain safe records.
Provide flexible reporting options. Accept written reports via an online platform, verbal reports through phone or voice messages, and offer personal meetings upon request.
Appoint a qualified person or department to handle incoming reports. Their responsibilities should include managing the reporting process, maintaining ongoing communication with the whistleblower, and providing timely feedback.
Ensure your reporting channels are easily accessible to all employees and extend access to external stakeholders such as suppliers, contractors, shareholders, trainees, and job applicants.
Is your whistleblowing solution compliant?
When selecting a system, ensure it meets all legal requirements and complies with GDPR. It’s essential that your chosen solution includes the necessary functions to keep you compliant and protect whistleblower confidentiality.
We’ve compiled a checklist of key features to help you choose a provider that meets both whistleblower law and GDPR standards – use it as a guide during your procurement process.
Whistleblowing is the act of reporting illegal, unethical, or harmful behaviour within an organisation, whether public, private, or governmental. Common concerns include fraud, corruption, harassment, discrimination, safety violations, and environmental risks. Whistleblowing systems allow individuals to speak up safely and responsibly.
Under the EU Whistleblowing Directive (2019/1937), whistleblowers are protected from retaliation—including termination, demotion, harassment, or other forms of discrimination—when they report breaches of EU law.
Protected areas include:
Financial services, money laundering, and terrorist financing
Public procurement and health
Product, food, and transportation safety
Data privacy and consumer protection
Environmental and radiation safety
Animal welfare and public health
IT and cybersecurity (network and information systems)
To receive protection, whistleblowers must have reasonable grounds to believe that the information is true at the time of reporting, and must report through internal channels, through the external channels of the competent national authorities, or, under the specific conditions the directive sets out, by public disclosure.
Companies operating in the EU with 50+ employees must establish secure and confidential internal reporting channels. These channels must:
Guarantee whistleblower confidentiality
Be accessible to both employees and external stakeholders (e.g. suppliers or contractors)
Be managed by a designated individual or team
Allow written and/or verbal reporting
Comply with EU data protection laws (GDPR)
The directive was enacted to strengthen protections for whistleblowers, prevent corruption, and promote transparency within organisations. It creates a uniform legal framework across EU member states, helping to ensure ethical business practices and public trust.
To comply, organisations must implement secure, confidential reporting channels that meet the requirements listed above.
The directive applies to:
All companies with operations in the EU employing 50 or more people
Municipalities with more than 10,000 residents
Entities subject to the EU rules on financial services, products and markets and on the prevention of money laundering and terrorist financing, regardless of size
While the directive does not set specific penalties, it requires member states to implement laws that penalise organisations that breach a whistleblower's confidentiality or retaliate against them.
National penalties may include fines and other legal action; non-compliance also exposes the organisation to reputational damage.
The directive does not apply only to private companies. In addition to private organisations with 50 or more employees, it also applies to public sector entities, including municipalities and government departments, within EU member states.
HAPPY TO MEET YOU!
Whistlelink values your privacy. We will only contact you about our solutions.