EU Whistleblower Directive

(EU Directive 2019/1937)

Overview

The EU Whistleblower Directive (Directive 2019/1937) was passed in 2019 to provide legal protections for whistleblowers across the EU. It aims to protect individuals who report breaches of European Union law by setting minimum standards for whistleblower protection across Member States. It went into effect on December 17, 2021, with a compliance deadline for certain organizations in 2023. The Directive covers a wide range of areas, including public procurement, financial services, product safety, and more. It is meant to ensure that whistleblowers have access to secure reporting channels and are protected against retaliation, encouraging individuals to report breaches that affect the public interest while keeping their identity and information confidential.

 

Regulation Summary

Timeline
  • 23 October 2019 – Directive adopted by European Parliament and Council
  • 17 December 2021 – Deadline for Member States to transpose the Directive
  • 17 December 2023 – Extended deadline for private entities with 50–249 workers to establish reporting channels
What Businesses Are Affected
  • Private companies with 50 or more workers
  • Entities in regulated sectors (e.g. financial services, transport, environment) regardless of size
  • Public sector bodies (local, regional, and national)
  • All organizations managing or disbursing EU funds
Exemptions
  • Small private sector companies with fewer than 50 employees (unless covered by other EU acts)
  • Municipalities with fewer than 10,000 residents or under 50 staff (optional exemption by Member States)
  • National security-related reporting and classified information
Responsibilities for Businesses
  • Establish internal reporting channels for whistleblowers
  • Ensure channels are secure, confidential, and accessible
  • Designate an impartial person or department to follow up
  • Acknowledge reports within 7 days
  • Provide feedback to reporters within 3 months
  • Display clear, accessible procedures for both internal and external reporting
Specific Responsibilities for Website Owners
  • If a business uses its website to host or link to an internal reporting channel, that channel must ensure secure data transmission, protect the whistleblower’s identity, and clearly explain reporting procedures.
  • While the Directive does not require companies to include internal reporting tools on their public website, businesses—especially those operating online—may choose to offer secure access via footer links, login areas, or help sections to ensure easy access for employees and third parties.
  • External reporting options must also be clearly visible, with posted contact information or links to the appropriate competent authorities.
Additional Requirements
  • Public sector and larger private sector bodies must allow both written and oral reporting
  • Reports can be made internally, externally, or via public disclosure in certain cases
  • Protection applies even if the whistleblower is a former employee or applicant
  • Facilitators, colleagues, and relatives also enjoy protection from retaliation
Individual Rights
  • Whistleblowers must be protected from retaliation
  • Whistleblowers are not liable for disclosing confidential information if the disclosure was necessary to report a breach
  • Right to legal remedies, advice, and interim protection
  • Right to remain anonymous, where permitted by national law
Enforcement
  • Enforcing authority: Designated national competent authorities
  • Regulatory Mechanism:
    • Mandatory internal and external reporting channels
    • Investigation and enforcement by national authorities
    • Obligation to protect whistleblower identity
  • Penalties:
    • For retaliation or hindering reporting: Member States must impose "effective, proportionate, and dissuasive" penalties
    • For knowingly false reports: Penalties and liability for damages apply