The EU Whistleblower Directive; what does it mean for you?



Highlighting legal requirements in a practical manner

In November 2019, the EU Whistleblower Directive (“the Directive”) came into force. The Directive requires EU Member States to implement rights and obligations concerning whistleblowers, private organizations and the Member States themselves in national law. This must be done by 17 December 2021. This deadline requires organizations to improve and further manage their whistleblower procedures. This raises the question: what does that mean for your organization, and are you ready?

This blog is the first of three. In today’s blog we discuss the scope and practical (legal) aspects of the Directive. The second blog concerns designing and implementing a whistleblowing framework in your organization. The third blog addresses the follow-up on incoming reports and investigating the issue at hand.

Purpose of the Directive

Most national laws and regulations of European Member States already address whistleblowing and the protection of the reporter. However, these laws and regulations differ significantly. The purpose of the Directive is to create a minimum level of protection in all Member States and ‘even out’ the whistleblowing landscape. It should be noted that, because the Directive provides minimum standards, certain Member States may decide to create more stringent legislation. This could result in different levels of protection, as well as different requirements or thresholds for such protection, throughout the European Union. Keep in mind that if your organization is active in multiple European jurisdictions, you may need to comply with different sets of rules.

The first step in providing a certain level of protection is addressing the target audience: the persons eligible for protection because they blow the whistle. As one of the main steps taken, the Directive significantly increases this audience by expanding the scope of whistleblowers. As of 17 December 2021, in addition to workers, a wide variety of persons may report in a work-related context. Such work-related context must be interpreted broadly; it includes current and past work-related activities. This could range from part-time or self-employed ‘workers’ to (any person working under the supervision of) contractors and suppliers, as well as shareholders or job applicants. Furthermore, protection should be provided to others who can experience (indirect) retaliatory measures due to a report. Such persons may include facilitators, colleagues or relatives of the reporting person.

Designing and improving reporting channels

According to the Directive, organizations must design and implement internal reporting channels. Also, a dedicated person or department should be appointed to handle incoming reports and follow up on them. Such reporting channels should allow reports to be made orally or in writing. The internal reporting channel has to be designed, established and operated in such a manner that it:

  1. provides for anonymous reporting if this is allowed under national legislation;
  2. protects the identity of the reporter and parties mentioned in a report;
  3. is not accessible to non-authorised staff members; and
  4. provides for diligent follow-up on the report by a designated person or department.

Furthermore, organizations must provide potential reporters with clear and accessible information on how to report externally to the competent national authorities. This might lead to a situation in which organizations must assist whistleblowers in reporting externally to a competent body. This practice may not currently exist in most organizations.

Follow-up on reports

In addition to implementing and/or improving an internal reporting channel, the Directive requires that receipt of a report be acknowledged to the reporting person within 7 days. Also, further feedback to the reporter must be provided within a reasonable timeframe (at least within 3 months) after the receipt of the report. Note that Member States can implement even stricter measures with shorter timeframes.

Furthermore, organizations are required to register incoming reports adequately and in a secure manner. All report-related data must be handled in compliance with data privacy regulations. Registration of orally made reports has even stricter requirements. In many cases this means that organizations will have to step up the administrative aspects of whistleblowing.


Finally, the Directive sets requirements regarding protective measures concerning the reporter and other individuals involved in the report, such as the accused. In order to be entitled to such protective measures, the reporter must have had reasonable grounds to believe that the disclosure of the information was necessary for revealing a breach (of Union law). The Directive includes a prohibition of retaliation, and imposes an obligation to implement measures and safeguards against such retaliation. These measures are extensive and will significantly restrict organizations’ actions towards a whistleblower.

Organizations and their management need to be aware of such restrictions and make sure the requirements are not (accidentally) breached. For example, not prolonging a temporary contract could result in a breach of such measures.

The way forward

As noted earlier, it is possible that your organization faces multiple European jurisdictions in which the Directive will be implemented differently. Compliance in one Member State therefore does not necessarily result in compliance in all other Member States as well. It is recommended to consider which requirements are applicable and adhere to the most stringent requirements if possible, or opt for a more decentralised system with different approaches tailored to the applicable legal frameworks.

In any case, please consider the following questions to determine whether your organization is ready for the upcoming deadline:

  • Did you already appoint a dedicated individual or department to handle incoming reports?
  • What does your triage of incoming reports look like?
  • Does your reporting system process reports from individuals who are not employees?
  • Did you already consider how to deal with oral reports of Union law breaches?
  • Does your reporting system allow for automatic receipt confirmations?
  • Is your staff aware of the implications of the anti-retaliation requirements?