
A Guide to the EU Whistleblowing Directive

Learn more about the EU whistleblowing directive and how it applies to your organization.


Whistleblowers are an important part of maintaining a transparent society as they reveal corrupt practices and uncover threats to wellbeing. The EU Whistleblower Directive 2019/1937, first introduced in 2019, is an important regulation that protects anyone who reports misconduct or malpractice in the workplace. 

This regulation is mandatory for businesses based in the European Union with over 50 employees and municipalities with over 10,000 inhabitants. Failure to comply with this legislation may result in hefty fines, making it mandatory for organizations to implement safe and effective reporting channels to meet the Directive’s requirements.

Whistleblowing can take many forms, including reporting a criminal offense, a miscarriage of justice or a breach of legal obligation. It can also include exposing an imminent danger to health and safety or a risk of environmental damage.

According to Transparency International, only 47% of EU citizens feel protected when reporting misconduct and corruption, while 45% are concerned about retaliation against those who expose wrongdoing in an organization. But the importance of whistleblowing extends far beyond regulatory compliance. A webinar by KPMG contends that whistleblowing is the primary method of detecting fraud and preventing non-compliance in an organization.


The following is a summary of the regulation and its key components to help organizations implement the directive:


What are the Directive’s goals?

The EU Whistleblower Directive is an effort to uncover and prevent breaches of laws and regulations in EU member states. This directive aims to strengthen law enforcement through the establishment of effective and secure reporting channels that provide utmost confidentiality to those who report wrongdoing. By ensuring anonymity of the whistleblower, this directive aspires to prevent fear of retaliation.


Who is protected under the directive?

The regulation guards anyone who reports wrongdoing against dismissal, employment blacklisting and blackmail. This includes current and former employees, freelance workers, contractors/subcontractors, suppliers and even shareholders. The directive also protects interns and volunteers (paid or unpaid) from any retaliation by the organization.


What protections are offered?

The directive protects informants and their families, as well as their colleagues who support the reporting of the misconduct. According to Chapter 6 of the directive, whistleblowers are safeguarded from retaliatory actions such as:

  • Dismissal from employment
  • Suspension
  • Change of job duties
  • Salary cuts or penalties
  • Disciplinary action or negative appraisals
  • Harassment, intimidation or coercion
  • Causing harm to the whistleblower’s reputation

Most importantly, the directive guarantees the whistleblower’s protection against legal recourse if any non-disclosure agreement, confidentiality clause or copyright material is breached while making the report. This protection begins the moment a whistleblower first reports the misconduct either internally within the organization, through Government authorities or via the public domain such as media outlets.


What is the Directive’s scope of application?

The EU Whistleblower Directive covers violations of EU law in the following areas:

  • Financial services including money-laundering and terrorism financing
  • Public procurement
  • Environmental damage
  • Consumer protection and safe product compliance
  • Transportation safety
  • Public healthcare
  • Nuclear safety and protection against radiation
  • Animal health and welfare
  • Data privacy and security of information systems
  • EU market regulations such as competition laws and corporate tax

EU member states are permitted to further extend the protection laws to any other areas they wish to include. Therefore, it is important to follow the whistleblower protection regulations for each specific member state where the business is registered.

Organizations may face multiple European jurisdictions, with the possibility of different standards of compliance depending on the EU member state. In such cases, Deloitte recommends organizations study each member state's requirements and adopt the strictest of all the standards in order to be congruent across multiple jurisdictions. Alternatively, organizations have the option to decentralize reporting standards according to each member state’s legal framework.


What are the internal reporting process specifications?

Both public and private sector organizations that are legally registered are required to establish an internal process to manage whistleblower reports. This includes:

  • Providing a confidential system (either oral or written) to file reports of misconduct. This system must be secured to prevent unauthorized persons from accessing reports.
  • Acknowledging the report within seven days of being filed.
  • Creating an impartial individual or department to communicate with the whistleblower and to diligently follow up on the progress of the report.
  • Presenting feedback within three months of acknowledging the report.
  • Offering clear details on how the whistleblower can escalate the issue nationally or at the EU forum, if it is required.

It is also important to note that the internal reporting process should cover any wrongdoing by subsidiaries and sister concerns within an organization.


What are important deadlines to keep in mind?

Private Sector: Businesses with over 250 employees must have established internal channels for whistleblowing by 17th December 2021. Businesses with an employee headcount between 50 and 249 have until 17th December 2023 to implement their internal reporting channels. Other organizations may also be subject to this directive, based on their specific industry and the member states’ discretion.

Public Sector: Similar to the private sector, public sector entities that have more than 250 employees, and all municipalities with over 10,000 inhabitants, should have established internal reporting channels as of 17th December 2021. Entities with between 50 and 249 employees must establish their internal reporting channels by 17th December 2023.


Can whistleblowers use external channels?

Whistleblowers who lack confidence in the internal reporting process of an organization, are unhappy with the outcome of an internal investigation, or want to report on an organization with fewer than 50 employees can choose to use public channels to report misconduct. According to the directive, whistleblowers have the option to use any third party that can ensure confidentiality. Examples of third parties used for external reporting include auditors, union representatives and external legal counsel. However, these channels must adhere to the following:

  • Acknowledgement of the report within seven days, unless the reporting person requests otherwise, or if it interferes with confidentiality.
  • Response within three months (or six months if necessary) after a meticulous investigation.
  • Delivery of the results of the investigation to the whistleblower, and notification of authorities if further investigation is required.


Are public disclosures allowed?

In certain cases, the whistleblower may approach a particular media outlet to expose wrongdoing and remain protected under the directive. These circumstances may include:

  • Insufficient response to an internal or external report.
  • Hazard to the public interest.
  • Possible retaliation due to external reporting or improper handling of the report.


How is retaliation addressed?

All 27 EU member states are required to establish laws preventing any retaliation against people who file a report. This includes any action taken within the workplace or those that cause harm to the reputation of the whistleblower.

The directive requires member states to protect whistleblowers from any punishment for breaching confidentiality agreements, copyright infringements, data disclosures or trade secrets, as long as the reporting person believes that the disclosure is necessary to prevent misconduct. Organizations are not allowed to pursue legal avenues against the reporting person, nor can the reporting person be held liable for acquiring the information unless a criminal act has been performed.

If there is any loss suffered by the whistleblower, the directive requires authorities to assume it is the direct result of the report and it is their responsibility to prove otherwise. Furthermore, the whistleblower may be compensated for any retaliation that causes financial or non-financial losses.


What are the penalties?

The directive provides guidelines for member states to implement penalties for any retaliation, obstruction or efforts to expose the whistleblower’s identity. Penalties are also imposed on false reporting.


Can protection standards be extended?

The EU Directive is a set of minimum guidelines that organizations must adhere to. Member states are allowed to expand whistleblowing rules as they deem necessary. By validating the seriousness of the whistleblowing process, through stricter reporting processes, organizations shall be able to create more trust and confidence for whistleblowers to report misconduct.

A detailed communication of an organization’s whistleblowing standards, and how reports are investigated, will allow those who expose misconduct to feel supported. It is recommended that organizations maintain a central resource, website or communication channel where employees can refer to company policies and guidelines and provide feedback to raise their concerns.


How can Polly help?

With a focus on security and anonymity, Polly enables organizations to establish an effective communication channel to implement the EU Whistleblower Directive. Using Polly’s features, an organization can effectively communicate and manage internal reporting processes as well as gain real-time feedback on its effectiveness. 

Click here to learn more about how Polly can enable a fully managed whistleblowing solution for your organization.

