EU Whistleblower Directive | Is Your Company Compliant?

How do you need to act to comply with the new whistleblowing directive? Did you know that if you are a company with over 250 employees in the European Union, the EU Whistleblowing Directive applies to you, and you need to be compliant by December 2021?


The EU Whistleblower Directive was passed in December 2019 and its purpose is to provide and promote a safe and secure way for people to voice concerns and speak up about unethical behavior or misconduct in their workplace. 

What does the directive say?

The directive is explicit in specifying a whistleblowing channel should be: 

“designed, established and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members” 


Affected organisations are also required to: 

  1. Assign a competent impartial person or team to receive and follow up on reports
  2. Inform employees on the reporting options available to them 
  3. Put measures in place to protect whistleblowers from dismissal, demotion and other forms of retaliation 
  4. Respond to and follow up on reports within three months 

250+ or 50+ employees? 

Any company in the EU with more than 250 employees will need to be compliant with the directive by the end of this year. Each of the 27 EU states will transcribe the directives into it’s own national law. For companies with 50+ employees the deadline to comply is 2023

Who is a whistleblower and who is protected?

Under Article 4 of the Directive a whistleblower is a “worker”, as well as “self-employed people, shareholders, trainees and volunteers.” In Article 6 of the Directive, it states that to receive protection, the person reporting a complaint had to have had ‘reasonable grounds to believe the information available to him or her at the time was true, and had to report the information through the available reporting channels according to the rules and exceptions established by the Whistleblower Directive.

3 ways to report
Reporting should be conducted in a hierarchal manner and is to follow this order of prioritisation

  1. Internal channels – whistleblowers are first encouraged to file a report through an internal channel. This channel should be safe and anonymous and can be self-hosted or provided by a third party. Once a report has been filed, a receipt, or proof of the report, should be provided within seven days with a response to the report within three months.
  2. External reporting – If the whistleblower, for any reason, feels that an internal reporting channel ‘does not function properly, or they aren’t seeing the result they need, they can then go to an external reporting.
  3. Public Disclosure – If all else fails the last resort is a public disclosure for a whistleblower who does not feel safe and secure within their own company culture. As well, if a whistleblower feels their concern constitutes an imminent danger to the public, the whistleblower can speak up publicly to disclose their concern, and still qualify for protections under the Whistleblower Directive.

Protection agains retaliation
Under the Directive, the whistleblower will have certain protection against retaliation, including dismissal or a demotion of their role by their employer. The Directive also ensures that whistleblowers have access to information and advice relating to legal action taken against them – this is provided free. Whistleblowers will also receive free legal aid, financial and psychological support during legal proceedings.

What happens next?

The Directive must be transposed individually by each Member State by December 2021. Each local version of legislation is likely to differ in detail but should reflect the Directive’s overriding aim: to ensure a baseline level of protection for whistleblowers across the EU. 

Talk to our experts! 

Want to learn more, discuss ideas or share opinions?