Changes in the updated Dutch Whistleblower Protection Act


Changes in the updated Dutch Whistleblower Protection Act

What are the key requirements for your organisation?

Whistleblowers play a vital role in safeguarding and maintaining a transparent society and in exposing wrongdoing. Taking the lead in protecting whistleblowers and investigating their reports demonstrates a commitment to integrity and corporate responsible behaviour. It sends a strong message to employees, shareholders, and the public and helps establish trust and credibility in the marketplace.

More than 3 years after the European Union has adopted the new EU Whistleblower Directive (hereinafter: ‘WB Directive’) on further safeguarding whistleblower rights, the Dutch legislator has implemented this directive.

In our previous blogposts [1] and [2] regarding the WB Directive, we have described the requirements and made some suggestions on how you and your company can proceed improving your speak-up procedures. At that point it was not clear yet what local implementation would look like. In this blogpost we will zoom in on the Dutch implementation of the WB Directive. How does it change the Dutch speak up landscape? And what are the corresponding consequences for organisations’ operation in the Netherlands?

In the Netherlands, whistleblowers already enjoyed protection via the Whistleblower Authority Act (‘Wet Huis voor Klokkenluiders’, hereinafter: ‘WAA’). However, on 18 February 2023 the Whistleblower Protection Act (‘Wet bescherming Klokkenluiders’, hereinafter: ‘WPA’) came into effect. This act has extended the protection of whistleblowers even further and increased the obligations of organisations regarding speak-up programs.


Earlier, we described the emphasis the WB Directive has on the importance of proper reporting channels, the quality of the follow-up of reports and the protection of whistleblowers. This has resulted in key changes in the WPA compared to the WAA. The extended scope of protection, the level of protection and the accessibility of reporting are all extended or improved. All with the objective to protect more whistleblowers and lower the thresholds to report. Let’s discuss some of these extensions and improvements:

The scope of protection is extended.
The personal and material scope is extended under the WPA. First, organisations must broaden the scope of protected persons. Whereas previously only employees with an employment contract had to be protected. Now, organisations must protect persons or legal entities who speak up in the context of work-related activities. This is not limited to the type of contract or work someone performs. It could be for example self-employed workers, temporary workers, volunteers, contractors, interns, job applicants or shareholders. Are you already able to enable these groups to act as whistleblowers?

Second, organisations must extend the concept of reportable wrongdoing. Previously, reportable wrongdoing only considered reports in which the whistleblowers had reasonable suspicion of a wrongdoing and the wrongdoing (under national law) was against the public’s interest. Now, organisations should also consider reports about (potential) breaches of EU legislation. Simply put, more people can report more types of wrongdoing.

The required level of protection has increased.
Organisations have to consider new protective measures. One of the measures is the reversed burden of proof if a whistleblower claims to have suffered retaliative measures resulting from a report. Another measure is the protection against retaliation. In addition, existing protective measures must be more rigorous. For example, the prohibition to retaliate used to only protect whistleblowers, but now also protects people who support whistleblowers and concerned third parties. Moreover, the requirements for the internal reporting procedure are now stricter than before. For example, organisations need to register internal reports and provide feedback about the report to the whistleblower. Do you already have a system in place that can handle all these obligations?

The required accessibility of reporting must improve.
The key is to lower the threshold for reporting by providing whistleblowers with easily accessible reporting channels. Organisations therefore must create a more accessible internal reporting channel. Think about active promotion of reporting possibilities by leadership, digital solutions to report and publicised case studies to enhance confidence with potential whistleblowers. Furthermore, be aware that whistleblowers can now report externally before or without reporting via an internal reporting channel. A hard-to-reach internal channel therefore may lead to whistleblowers choosing channels outside the organisation to report.

Key requirements

As was already stated in the WB Directive, organisations with at least fifty ‘employees’ are required to comply with several obligations. These include:

  • .. establishing an internal reporting procedure. Organisations must establish and document their internal reporting procedure, outlining how they handle internal reports. This involves registering such reports and offering multiple reporting channels, such as written, oral (via phone or voice messaging), and in-person options. Additionally, organisations need to appoint an independent officer to whom protected individuals can report. Also, the concept of reportable wrongdoing should be clearly defined, considering its definition in the WPA.
  • .. communicating the internal reporting procedure. Organisations must clearly communicate the procedure, ensuring that protected persons are aware of their rights, legal protection, and reporting opportunities. This includes the option to report anonymously. Organisations also must appoint a trusted advisor who can provide guidance to protected persons.
  • .. refraining from retaliation. Retaliatory measures, such as demotion or dismissal, against whistleblowers, their supporters, or concerned third parties are strictly prohibited.
  • .. ensuring confidentiality. Personal information and details related to internal reports must be treated with utmost confidentiality. Organisations are responsible for safeguarding the whistleblower's identity.
  • .. following up on internal reports. Organisations are obliged to promptly follow up on internal reports. They must acknowledge receipt of the report within seven days and effectively address the issue within a reasonable timeframe, typically no later than three months after the initial acknowledgement. Furthermore, organisations need to communicate the progress of the internal report and provide feedback to the whistleblower.
  • .. communicating the opportunity to report externally. Organisations must inform protected persons that they have the option to report externally. Specifically, they should be made aware that they can report directly to external authorities without the requirement to report internally first.

The WPA makes it clearer that Dutch organisations need to introduce new protective measures that improve whistleblower protection. Even though these changes and requirements in itself can appear simple, implementing them can be a complex and costly task for organisations. Deloitte can add value by helping organisations in becoming compliant with whistleblower regulations, resulting in a quicker and higher detection rate of fraud or misconduct and reduced regulatory and reputational risks. We can advise and assist on the design and implementation of a whistleblowing / internal reporting policy and procedure, execute investigations and follow-ups, and quickly address potential challenges with our specific and wide-scale expertise.

More information?

If you have any questions regarding whistleblowing, the impact of new regulations on your organisation, or how we can assist you in adapting to these changes, please feel free to contact us using the contact details provided below. We are here to support you in addressing any concerns or inquiries you may have.

Did you find this useful?