What Is the EU Whistleblower Directive?

On December 16th, 2019 the EU Whistleblower Directive on the protection of persons who report breaches of Union law entered into force. Member States are required to transpose the Directive into national laws by December 17, 2021.

The scope of the Directive is immense. It regulates the subject matter throughout a continent that is home to 450 million citizens and 22.5 million SMEs, many of which will be directly impacted by the Directive.

The Directive requires legal entities to establish internal reporting channels and internal procedures for receiving and following up on reports. Here are some of the main takeaways for practitioners.

Which Legal Entities Must Comply With Whistleblowing Law?

The general thresholds to keep in mind are 50 workers and/or 10,000 inhabitants. The EU Whistleblower Directive applies to legal entities in the private sector with at least 50 workers. In some sectors this threshold does not apply at all and internal channels are mandatory regardless of the workforce size.

In the public sector the internal reporting channel requirement applies to all legal entities. However, one will also need to refer to national law, as Member States are allowed to make exemptions from this general rule, i.e. they may exempt municipalities with fewer than 10,000 inhabitants or 50 workers, as well as other public sector entities with fewer than 50 workers.

What Are the Whistleblowing Channel Requirements?

The reporting channel should allow reporting in writing or orally or both. Every received report must be recorded. The reporting person should be able to request a physical meeting with the staff members within a reasonable timeframe. The meeting may be documented either by making a recording of the conversation in a durable and retrievable form, or through accurate minutes of the meeting prepared by the staff members responsible for handling the report.

The reporting person must be allowed the opportunity to check, rectify and agree to the minutes of the meeting by signing them. Similar provisions apply for recording other oral reports submitted via telephone or other voice messaging systems. The time period a report may be stored depends on what is required and proportionate to comply with the Directive, or with Union law or national law.

Do Internal Whistleblower Channels Need to Be Accessible to the General Public?

The internal reporting channel is required to be made available to the entity’s workers. The EU Whistleblower Directive itself does not require the whistleblowing portal to be open to other persons (e.g. suppliers, subcontractors…) for reporting information on breaches. However, the latter may at any time submit their reports through external reporting channels. The use of these is not conditioned upon the prior use of internal reporting channels.

What About Anonymous Whistleblowing?

There is no general requirement in the whistleblower law to accept and follow up on anonymous reports of breaches. The Member States are free to decide whether to introduce such a requirement in their national laws or not. However, the decision to accept and follow up only on reports with disclosed identities of reporting persons may prove challenging. Namely, the identification confirmation methods are limited and present an additional barrier for a whistleblower.

Moreover, such an approach is not in line with best practice. Not accepting a report only because it was made anonymously and regardless of its contents makes little sense. Quite often remaining anonymous might be the best and in effect the only protection for the reporting person against retribution.

May the Identity of the Whistleblower Be Disclosed?

The identity of the reporting person may be disclosed only with this person’s explicit consent, or when such disclosure is necessary and proportionate under the Union or national law.

The reporting channel is required to ensure the protection of the confidentiality of the identity of the reporting person and of any third party mentioned in the report and to prevent access thereto by non-authorised staff members.

The identity of the reporting person may not be disclosed to anyone beyond the authorized staff without the explicit consent of this person, or when such disclosure is necessary and proportionate under the Union or national law. The reporting person needs to be informed of the latter prior to the disclosure unless such information would jeopardise the related investigations or judicial proceedings. The same duty of confidentiality also applies to any other information from which the identity of the reporting person may be directly or indirectly deduced.

What Are The Procedures Required Under the EU Whistleblower Directive?

Legal entities need to establish procedures for internal reporting and their diligent follow-up. The information must be clear and easily accessible.

The procedures hence need to regulate the reporting itself, as well as any action that will be taken by the recipient of a report to assess the accuracy of the allegations made in the report and, where relevant, to address the reported breach, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure.

Under whistleblowing law, the information regarding the use of internal reporting channels and regarding the procedures for reporting externally to competent authorities is required to be clear and easily accessible.

Who Should Handle Whistleblower Reports and What Qualifications Are Required?

According to the EU Whistleblower Directive, the reports can be handled internally or by a third-party provider. Independence and absence of conflict of interest must be ensured. A person or a department is required to be designated for operating internal reporting channels.

The latter includes receiving the reports and maintaining communication with the reporting person. Additionally, there’s a responsibility of asking for further information from and providing feedback to that reporting person.

This task may be outsourced to third-party providers such as external counsel, external reporting-platform providers, law firms, auditors, employees’ representatives and the like.

It’s essential that these third-party service providers have effective guarantees and safeguards concerning independence, confidentiality, data protection, and secrecy. The follow-up on the report is usually conducted by a designated, competent, and impartial person or department. This individual or department might be the same entity operating the reporting channel.

The specific designation depends on each organization’s size and structure. However, it’s crucial that this role ensures independence and an absence of conflicts of interest. Such tasks are often delegated to positions like a chief compliance or HR officer, integrity officer, legal or privacy officer, chief financial officer, chief audit executive, or a board member. Notably, private legal entities with 50 to 249 workers can share resources for receiving reports and for subsequent investigations.

When and What Is Required to Be Communicated to the Reporting Person, Under the EU Whistleblower Directive?

Under the EU Whistleblower Directive, the reporting person needs to be informed of the receipt of the report within 7 days and provided feedback no later than after 3 months. The receipt of the report needs to be acknowledged to the reporting person within seven days of receiving the report. There is no exemption to this obligation, whereas when reporting externally the competent authority can omit such an acknowledgment when the reporting person explicitly requested so or where it reasonably believes that that would jeopardise the protection of the reporting person’s identity.

The internal procedures need to define a reasonable timeframe for providing feedback to the reporting person. This may not exceed three months from the acknowledgment of the receipt or the expiry of the abovementioned seven-day period.

The feedback is required to inform the reporting person of the action envisaged or taken as follow-up and of the grounds for such follow-up. If no appropriate action is taken within this time period, the reporting person may publicly disclose the breach and still qualify for the protection against retaliation under the whistleblowing law. Of course, the appropriateness of the follow-up is a legal standard and its assessment will depend on the circumstances of each case and of the nature of the rules that have been reported breached.

There is no defined time limit within which the follow-up actions by the entity need to have been completed. However, the longer they take, the more likely it is that the actions, if any, will be considered inappropriate, hence motivating the reporting person to use external reporting channels or go public with the disclosure of the breach.

In contrast to external reporting there is no explicit obligation to communicate to the reporting person the final outcome of investigations triggered by the report.


Trusty is a compliance platform built by leading experts to support companies on their compliance journey. It offers free whistleblowing solutions for SMEs and a broad range of instant and affordable compliance management solutions. 
