Whistleblowing Directive 2023 Summary - Need to Know

Yulia Landbo

Last updated: Nov 24, 2023

Whistleblowing, a vital mechanism for ensuring transparency and accountability in both public and private sectors, has gained significant prominence across Europe in recent years. 

This practice, which involves the disclosure of information by an individual regarding wrongdoing, corruption, or unethical behavior within an organization, has emerged as a powerful tool in the battle against corporate fraud, governmental misconduct, and abuse of power. To ensure the protection of whistleblowers from retaliation and persecution, the European Union enacted the Whistleblowing Directive that mandates all member states to implement corresponding national legal frameworks.

What is the EU Whistleblowing Directive?

The EU Whistleblowing Directive, formally known as Directive (EU) 2019/1937, is a legal act enacted by the EU with the aim of enhancing protection for whistleblowers across its member states. Adopted on the 23rd of October, 2019, the directive seeks to create a safe and uniform environment for individuals to report breaches at the workplace without fear of retaliation.

The subject of the Directive: All EU-based public and private companies with 50+ employees, as well as municipalities with 10,000+ inhabitants.

EU Whistleblowing Directive Summary

What is a whistleblower's status?

The whistleblower's status refers to the recognition and protection granted to individuals who disclose information about illegal, unethical, or fraudulent activities within an organization. This status aims to shield whistleblowers from potential retaliation, such as harassment, demotion, or termination while encouraging them to come forward and report wrongdoing. The whistleblower status plays a critical role in promoting transparency and accountability, as it empowers individuals to act as counselors against corruption and abuse of power.

Scope of EU Directive: which wrongdoings are covered?

Aiming to ensure comprehensive protection for whistleblowers, the EU Whistleblowing Directive 2021 covers a broad range of aspects in different areas, including:

Who is affected by the EU Whistleblowing Directive?

The EU Whistleblower Directive 2021 affects various stakeholders, including individuals, organizations, and national authorities across the EU. The main parties include:

Overall, the EU Whistleblowing Directive indirectly affects all employees and the general public. The goal behind the directive is to foster a culture of transparency, accountability, and ethical conduct within organizations and public institutions.

Who does the Directive (EU) 2019/1937 cover?

The EU Whistleblower Directive covers a wide range of individuals who report or disclose information about breaches of EU law. The directive's coverage is not limited to employees; it extends to various categories of people who may come across wrongdoing in their professional daily life, including:

Key requirements of the EU Whistleblowing Directive and what they mean for companies

Protection from retaliation by employers or colleagues

The directive aims to protect employees, contractors and subcontractors, suppliers, shareholders and top managers, volunteers and trainees, as well as job applicants. This holds true for both ongoing and ended working relationships. This requirement is designed to encourage employees to come forward with information without fear of reprisals, and to ensure you take allegations of wrongdoing seriously and investigate them thoroughly.

What does this mean for companies?

Companies are prohibited from taking any adverse action against employees who report illegal activities or other serious breaches, including demoting or dismissing them, withholding pay or benefits, or subjecting them to harassment or other forms of intimidation.

Confidentiality and anonymity

Whistleblowers must be able to report information confidentially and, if they so choose, anonymously. The Directive (EU) 2019/1937 prohibits organizations from imposing sanctions or otherwise discriminating against whistleblowers who choose to remain anonymous.

What does this mean for companies?

Companies must establish secure channels for reporting and ensure that only authorized personnel have access to the information shared by the whistleblower. Additionally, they must ensure that the whistleblower's information is taken seriously and investigated thoroughly without any subsequent negative consequences.

Learn more about the difference between confidential and anonymous reporting.

Secure and confidential reporting channels

To ensure that whistleblowers are able to report information effectively, the directive requires companies to establish clear, accessible, secure, and confidential reporting channels. 

What does this mean for companies?

Companies must provide clear specifications on how to report efficiently, including contact details for designated persons or channels. They must also ensure that these channels are monitored and accessible to all employees. 

Timely and effective response

The Directive (EU) 2019/1937 requires companies to respond in a timely and effective manner by:

What does this mean for companies?

Companies need to meet the established national legislation deadlines and keep whistleblowers informed about the progress of the investigation throughout the process.

Additionally, companies also need to set up mechanisms for follow-up and appoint a person, a department, or a third-party provider to receive and handle whistleblowing reports. Last but not least, all report-related data must be handled in compliance with data privacy regulations. 

Training and awareness

Finally, the EU Whistleblowing Directive requires companies to provide training and awareness-raising to all employees about the importance of whistleblowing and the protections that are available to whistleblowers. 

What does this mean for companies?

Companies must ensure that all employees are aware of their rights and the reporting channels available to them, and that they understand the importance of reporting any illegal activities or other serious breaches, thus ensuring transparency and integrity within your organization.

How whistleblowers can submit reports according to the EU Directive

According to the EU Whistleblowing Directive, whistleblowers can submit reports through three types of channels:

Internal reporting channels. Informants submit reports directly to the company or, more precisely, to the appointed case handlers. In this way, reported issues can be investigated and resolved internally. For internal reporting, companies can provide a variety of ways to submit reports: dedicated hotlines, email addresses, online platforms, or designated staff members to whom internal reports must be communicated. Internal reporting should be available both to employees and to all third parties with which the company has working relations.

External reporting channels. External reporting implies sending reports to external government agencies established by each of the EU member state authorities. Informants can choose to use external reporting channels if they believe internal channels are insufficient or compromised, or if they fear retaliation.

Public disclosure. Alternatively, whistleblowers may disclose information to the public or the media. In practice, people do it only in exceptional cases:

It is important to remember that even though all national legislation among the EU member states should align with the EU Directive recommendations, there might be slight changes. Therefore, you should always check local rules of the national legislation, e.g., HinSchG in Germany, Ley Whistleblowing in Spain, etc.

Establishing an internal whistleblowing system in the company

Establishing an internal whistleblowing system in a company involves creating a safe, confidential, and user-friendly channel that encourages employees and other stakeholders to report wrongdoings or breaches of the law. To set up an internal whistleblowing system in compliance with the EU Whistleblower Directive, organizations are advised to implement the following steps:

How does the EU Whistleblowing Directive protect whistleblowers?

The key protections the EU Whistleblower Directive aims to ensure are the following:

What is the EU Whistleblowing Directive to me as an employee? 

The EU Whistleblowing Directive is a comprehensive law that aims to protect whistleblowers who report unlawful or unethical activities within organizations. It establishes mechanisms to encourage individuals to come forward with information, ensures their confidentiality, and safeguards them from retaliation. The Directive's goal is to promote transparency and accountability, and to fight against irregularities or offenses at workplaces.

What does the Directive protect me against? 

Retaliation protection

The Whistleblowing Directive is there to ensure all EU members have proper legislation to protect all who report possible violations within the workplace. It's against the principle of the EU Whistleblowing Directive for companies to take certain actions like suspending, firing, or keeping you from getting promoted because you blew the whistle. In this way, the Directive and all further national laws ensure whistleblowers’ protection from retaliation.

Retaliation refers to the adverse actions taken by an employer or colleagues against a person who has disclosed or reported wrongdoing at the workplace. It can include various forms of negative treatment, such as termination, demotion, harassment, discrimination, or other actions that aim to intimidate, silence, or harm the whistleblower. Retaliation is considered unlawful and unethical, as it undermines the principle of corporate ethics and a “Speak-up” culture, which is crucial for exposing wrongdoing and promoting accountability.

Besides, the key protections the EU Whistleblower Directive aims to ensure are the following:

When should the Whistleblowing law protect me according to the EU Directive? 

1. Whistleblowers are protected as long as they have reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of this Directive.

2. To get protection, you must report either internally, via the company’s internal channel, or externally, via the governmental agency or institution set for this reason. 

3. To rely on whistleblower protection, you can also make a public disclosure, but certain requirements must be met for this.

4. It is up to every country to decide whether legal entities in the private or public sector are required to accept and follow up on anonymous reports of breaches. That’s why it is important to read the local law and/or the company’s policy.

Where can I read more about the Directive or the local law?

You can read the EU Directive here.

However, it is extremely important that you check your national law if you feel that the information provided by companies or public institutions is not enough. 
Not sure about the law status in your country? Check it out here.


Which countries already comply? 

The state of implementation of the Whistleblowing Directive in 2023.

By March 2023, 20 Member States had adopted a transposing law. Check the EU Whistleblowing Monitor to see the current status of implementation among EU countries.

Should my company implement it now?

If your company is based in the EU and falls within the scope of the Directive (EU) 2019/1937, it is important to ensure compliance as soon as possible. The deadline for EU member states to transpose the directive into their national laws was December 17, 2021.

Is the EU Whistleblowing Directive anonymous?

Does the EU Whistleblowing Directive require anonymity? The EU Whistleblowing Directive does not explicitly require that whistleblowers be allowed to report anonymously, but it does emphasize the importance of confidentiality and encourages member states to provide the option of anonymous reporting.

The directive mandates that the identity of whistleblowers must be kept confidential throughout the entire reporting process, and any unauthorized disclosure of the whistleblower's identity is strictly prohibited.

Does the Whistleblowing Directive cover Financial Services?

Yes, the EU Whistleblowing Directive covers financial services. The Directive (EU) 2019/1937 requires Member States to establish comprehensive and effective whistleblower protection mechanisms in both the public and private sectors, including in the financial sector.

Under the Directive, financial service providers with more than 50 employees are required to establish internal reporting channels for whistleblowers and to appoint a person or department responsible for receiving and handling reports. 

What is the GDPR and Whistleblowing Directive? 

The GDPR (General Data Protection Regulation) and the Whistleblowing Directive are two separate regulations that both address data protection in the EU, but they have different focuses and objectives.

The GDPR is a comprehensive data protection regulation that became effective in May 2018. It establishes rules for the processing of personal data by organizations operating within the EU, as well as by organizations outside the EU that offer goods or services to EU citizens or monitor their behavior. The GDPR sets out requirements for data controllers and processors, including the collection, storage, and processing of personal data, and provides individuals with certain rights, such as the right to access and control their personal data.

The Whistleblowing Directive, which was adopted in December 2019 and became effective in December 2021, is a directive that establishes rules for the protection of whistleblowers across the EU. It requires Member States to establish comprehensive and effective whistleblower protection mechanisms in both the public and private sectors, including in the financial sector. The Directive sets out requirements for internal reporting channels, external reporting options, protection against retaliation, and confidentiality, among others.

Whistleblowers may disclose personal data when reporting misconduct or wrongdoing, and organizations that receive reports under the EU Whistleblowing Directive must ensure that they comply with the GDPR's requirements when handling and processing personal data. 

Who shall deal with reports?

The responsibility for dealing with whistleblower reports falls on both organizations (through internal reporting channels) and competent national authorities (through external reporting channels), depending on the chosen reporting channel.

How long does it take to implement a whistleblowing system?

The time it takes to implement a whistleblowing system can vary depending on the size, complexity, and resources of the organization, as well as the scope and features of the system. 

Considering all necessary steps, implementing a whistleblowing system could take anywhere from 45 minutes to 6 months. The implementation process may be faster for smaller organizations or those using external service providers that offer pre-built whistleblowing solutions.
