The Directive sets minimum standards across the EU. Despite its almost two-year implementation deadline – December 2021 – there are steps you should take now.

On 7 October 2019, the European Council adopted the Directive on the protection of persons reporting breaches of European Union law (colloquially referred to as “whistleblowers”). The Official Journal of the European Union published the Directive on 26 November 2019, and it came into force on 17 December 2019. The Directive is based on the assumption that people who work for a company or an organization or are in contact with it through their work-related activities are often the first to know about EU law breaches within it. Since they are in a position to inform those who can address the problem, it is essential to protect them.

In this regard, the Directive sets minimum common standards for protecting whistleblowers across the EU, and it aims to introduce effective, confidential, and secure reporting channels. The new law provides a high level of protection against retaliation, introducing safeguards against whistleblowers being suspended, demoted, or intimidated.

Entities affected

The Directive applies to any organization, whether private or public, big or small. Private sector legal entities with at least 50 workers will be required to adopt internal channels and procedures for whistleblower reporting. This also applies to all public sector legal entities. Member states may exempt from this obligation municipalities with fewer than 10,000 inhabitants or fewer than 50 workers, and other entities with fewer than 50 workers.


The Directive applies to workers who report or disclose any information about EU law breaches (including in the areas of public procurement, financial services, the protection of personal data, and fraud and corruption) that they come across within the context of their work. For these purposes, a worker includes, among others, any civil servant, the self-employed, shareholders, volunteers, paid or unpaid trainees, and suppliers. The Directive also applies to workers whose employment has ended, workers who acquired information about the breach while in the process of being recruited, and to people who assist whistleblowers, such as facilitators, colleagues, relatives, and investigative journalists.

Reporting persons qualify for protection under the Directive if they had reasonable grounds to believe that the information on breaches they reported was true at the time of reporting, and that such information fell within the scope of the Directive. Persons who make reports which they know to be false will not be protected. However, if a person made an inaccurate report in honest error, protection will apply.

With regard to anonymous reporting, it is up to member states to decide whether private or public companies and competent authorities should accept and follow up on such reports.

Obligatory elements of reporting systems

In addition to protection against retaliation, the Directive introduces various obligatory requirements that reporting systems have to fulfil. These include:

  • Ensuring the confidentiality of the reporting person and any third party mentioned in the report.
  • Providing channels to enable written and/or verbal reporting and, where requested, a physical meeting.
  • Confirming receipt of the report within seven days and providing feedback to the whistleblower within three months.

Penalties envisaged for companies

The Directive obliges member states to apply effective, proportionate, and dissuasive sanctions to natural or legal persons, who hinder or attempt to hinder such reports; who retaliate against whistleblowers or those who assist whistleblowers; who bring vexatious proceedings against whistleblowers or those who assist whistleblowers; or who breach the duty to keep whistleblowers’ identities confidential.

There are no express penalties foreseen in the Directive to be imposed on entities which do not implement the required internal channels. However, we might expect the consequences for such failure to be clarified by member states when transposing the Directive into their national law.

Transposition by member states

The Directive is a minimum standard, so EU member countries may extend its scope. Member states have until 17 December 2021 to bring into force the laws, regulations, and administrative provisions necessary to comply with the Directive. This period is extended to 17 December 2023 only for the obligation to establish internal reporting channels for private entities with 50 to 249 workers. Companies with more than 250 workers should therefore be working toward the 17 December 2021 deadline.

Steps your company should take now

Although there are almost two years before the deadline for member states to implement the Directive, firms should ensure that they start assessing the steps they need to take in order to prepare for its introduction.

Firms without whistleblowing frameworks in place will need to assess if they will be covered by the Directive (or subsequent implementing legislation), and if so, how they will set up new whistleblowing arrangements. A comprehensive whistleblowing framework would normally incorporate a number of different aspects, including:

  • A whistleblowing policy, which is available to staff. A comprehensive policy documentation suite should include the firm’s procedures for handling reports, carrying out investigations, and preventing retaliation. It is also helpful to make clear the roles and responsibilities of those involved in handling reports.
  • Implementation of the tools needed to enable reports to be made by whistleblowers in writing or orally, and on a confidential or anonymous basis, as appropriate.
  • Clear arrangements for the reporting of whistleblowing activity to the relevant internal governance bodies and/or boards. Whistleblowers’ identities should not be disclosed in the reporting process.
  • Training of all staff, and regular awareness campaigns, to ensure that staff are aware of the channels available to them to make reports, and that staff understand (and comply with) the ban on retaliation.
  • Data privacy compliance of the whistleblowing arrangements, in particular with regard to documentation, notification requirements, and anonymous reporting. Data privacy compliance includes compliance with EU data privacy laws as well as local data privacy laws.

Firms that already have a whistleblowing framework in place will need to:

  • Assess the provisions of the Directive against their current whistleblowing arrangements and decide how to approach the implementation of the new requirements. This could, for example, be on a country-by-country basis or, if the firm maintains a global whistleblowing framework, by incorporating updates to that global framework.
  • Address practical considerations, such as assessing whether they will be able to comply with the time frames provided for in the Directive and, if not, adjusting their procedures accordingly.
  • Reinforce the absolute ban on retaliation, with targeted – and ongoing – training for staff.
  • Monitor the effect of Brexit, in particular to see whether any of the provisions of the Directive will be incorporated into English law.
  • Monitor the implementation of the Directive by the EU member states, in particular to assess whether any of the member states implement measures that go above the provisions of the Directive.
  • Check and ensure data privacy compliance of the whistleblowing arrangements.