Back to overview

What Companies Need to Know about the EU Whistleblowing Directive

Key points on whistleblower rights, company obligations and next steps.

Moritz Homann Moritz Homann

    In order to guarantee a EU-wide standard for the protection of whistleblowers, the European Union adopted a regulation for whistleblower protection in December 2019. In a two-year implementation period EU member states will be obliged to implement the directive into their own national laws until 2021.

    We have summarized the key aspects of the new law and what companies should do now to prepare.

    The road to the EU whistleblower protection

    • Before April 2018: Whistleblowers were sufficiently protected in only a few EU member states. The lack of clear protective mechanisms has meant that only a few employees have been prepared to report misconduct in companies.
    • April 2018: EU Commission launches a proposal for a directive aimed at providing uniform protection for whistleblower
    • March 2019: “Provisional agreement” was reached between the EU states and the European Parliament
    • April 16, 2019: European Parliament adopted regulations for EU-wide whistleblower protection
    • October 2019: Official adoption of the directive by the EU Council
    • December 16, 2019: Entry into force as Directive 2019/1937
    • December 2021: Deadline for implementation of the directive by EU member states into national law

    Protective Measures for Whistleblowers Are the Focus of the EU Directive

    The core feature of this directive is protection for whistleblowers. The essential points are:

    • Protection not only exists for employees who report their concerns, but also for job applicants, former employees, supporters of the whistleblower and journalists.
    • These persons are protected from dismissal, degradation and other discrimination.
    • Protection applies only to reports of wrongdoing relating to EU law, such as tax fraud, money laundering or public procurement offences, product and road safety, environmental protection, public health and consumer and data protection (the EU is encouraging national legislators to extend this to also covering wrongdoing relating to national laws).
    • The whistleblower can initially choose whether to report a concern internally within the company or directly to the competent supervisory authority. If nothing happens in response to such a report, or if the whistleblower has reason to believe that it is in the public interest, they can also go directly to the public. They are protected in both cases.

    With these safeguards the EU is signaling to whistleblowers that they have nothing to fear while encouraging individuals to report on company infringements.

    Whistleblowing Report 2019

    Comprehensive study on whistleblowing in European companies

    Free download

    EU Directive Obligations on Businesses

    The EU Directive also imposes a number of obligations on businesses:

    Companies with more than 50 employees or more than €10 million Euros in annual turnover will be obliged to set up suitable internal reporting channels. Companies with 250 or more employees will be expected to comply within two years of adoption, companies with between 50 and 250 employees have a further two years after transposition to comply.

    Whistleblowers should be able to submit reports either in writing via an online system, a mailbox or by post and/or orally via a telephone hotline or answering machine system. Companies are also obliged to offer a personal meeting should the whistleblower request it. Companies must ensure that the identity of the whistleblower is kept confidential regardless of which reporting channel is used.

    All personal data, both that of the whistleblower and any accused persons, must be handled in accordance with the GDPR.

    Companies must determine the “most suitable” person to receive and follow up on reports internally. According to the EU, this could be a:

    • Compliance officer
    • Head of HR
    • Legal counsel
    • Chief Financial Officer (CFO)
    • Executive board member or management
    • Companies can also outsource the processing of reports, for example to an external ombudsman.

    The company is obliged to confirm receipt of the report to the whistleblower within seven days. The whistleblower must be informed of any action taken within three months, the status of the internal investigation and its outcome.

    Companies are required to provide information on the internal reporting process as well as on the reporting channel(s) to the competent authority. This information must be easily understandable and accessible, not only to employees, but also to suppliers, service providers and business partners.

    All reports received must be kept in a secure place so that they can be used as evidence where appropriate.

    Companies with between 50 and 250 employees may use a shared reporting channel to obtain and identify evidence, provided that all obligations outlined are met.

    The EU directive also includes details on sanctions. Companies that obstruct the reporting of concerns or attempt to obstruct them will face penalties. The same applies if companies fail to keep the identity of the whistleblower confidential. Retaliatory measures against whistleblowers will also be punished. It is the job of national legislators to determine the severity of these sanctions.

    While the Directive clearly benefits whistleblowers we also believe there are significant benefits for organizations. Most importantly, by ensuring that effective whistleblowing arrangements are in place, employees and other stakeholders are encouraged to raise concerns internally. By doing so, organizations have an opportunity to identify and manage risk at an early stage, helping to avoid or limit financial and reputational damage.

    Guide to the Introduction of Whistleblowing Systems

    How to successfully implement a whistleblowing system in your organisation.

    Free download

    Next Steps & Tips

    The Whistleblower Protection Directive entered into force on December 16, 2019. This marks the start of the two-year period during which EU member states must transpose the requirements into their own national legislation. First companies with more than 250 employees must fulfill their obligations and two years later this will also apply to companies with 50 to 250 employees.

    Our tips

    Companies are advised not to wait until the last minute and to take action at an early stage

    The Whistleblowing Report 2019 shows that many companies have already proactively set up hotlines and received reports that have enabled them to better manage risk within their organizations.

    Implement internal whistleblowing systems and set up processes

    The freedom of choice aspect for whistleblowers is something companies need to note in particular. If the whistleblower cannot find suitable internal reporting channels, he or she can contact the relevant authority or even go public – the worst outcome for companies. It is therefore essential that suitable internal reporting channels are available and known about within the company. To ensure that employees feel comfortable reporting internally, the channels should be available 24/7, offer anonymity, be available in the relevant languages, have comprehensible explanatory texts and be accompanied by an effective internal communication strategy.

    Checklist: Get your company ready for the EU Whistleblower Directive

    Simplify the implementation of your EU-compliant whistleblower system.

    Our digital whistleblowing system EQS Integrity Line helps you to reduce risks in your company.

    Moritz Homann
    Moritz Homann

    Managing Director Corporate Compliance – EQS Group | Moritz Homann is responsible for the department of Corporate Compliance products at EQS Group. In this function, he oversees the strategic development of digital workflow solutions tailored to meet the needs of Compliance Officers around the world.

    Contact