State of Whistleblowing in the EU 2023: What Happens After the Directive Deadline?

As we close in on the EU Whistleblowing Directive’s latest deadline of December 17, 2023, all but two EU Member States have adopted the key requirements into local law. Only Estonia and Poland are the holdouts at this time.  

In this article, we provide a timely EU whistleblowing law status update, explore the reasons behind the delays, and explain what company leaders must do to prepare for life “post-Directive”. 

EU Whistleblowing Directive Status Update [2023]

First, a quick refresher: The EU Whistleblowing Directive (2019/1937) was introduced to protect whistleblowers across the European Union. By allowing employees to raise concerns anonymously about perceived misconduct, they can confidently blow the whistle on corruption without fear of retaliation.

As a “Directive” (not a “Regulation”, which is applied uniformly across the EU), it sets a minimum standard that must be implemented within national laws. However, there may be significant differences across the Member States in how these laws are enforced and interpreted (more on that later).

Below, you’ll find an up-to-date table outlining the status of the whistleblowing laws in each EU Member State, with links to official announcements and updates. 

#Member StateLaw StatusLinks & Further Reading
1.🇦🇹 AustriaAdopted Link to announcement
2.🇧🇪 BelgiumAdopted Link to announcement
3.🇧🇬 BulgariaAdopted Link to announcement
4.🇭🇷 CroatiaAdopted Link to announcement
5.🇨🇾 CyprusAdopted Link to announcement
6.🇨🇿 CzechiaAdopted Link to announcement
7.🇩🇰 DenmarkAdopted Link to announcement
8.🇪🇪 EstoniaDelayed  ❌Skip to our update
9.🇫🇮 FinlandAdopted Link to announcement
10.🇫🇷 FranceAdopted Link to announcement
11.🇩🇪 GermanyAdopted Link to announcement
12.🇬🇷 GreeceAdopted Link to announcement
13.🇭🇺 HungaryAdopted Link to announcement
14.🇮🇪 IrelandAdopted Link to announcement
15.🇮🇹 ItalyAdopted Link to announcement
16.🇱🇻 LatviaAdopted Link to announcement
17.🇱🇹 LithuaniaAdopted Link to announcement
18.🇱🇺 LuxembourgAdopted Link to announcement
19.🇲🇹 MaltaAdopted Link to announcement
20.🇵🇱 PolandDelayed  ❌Skip to our update
21.🇵🇹 PortugalAdopted Link to announcement
22.🇷🇴 RomaniaAdopted Link to announcement
23.🇸🇰 SlovakiaAdopted Link to announcement
24.🇸🇮 SloveniaAdopted Link to announcement
25.🇪🇸 SpainAdopted Link to announcement
26.🇸🇪 SwedenAdopted Link to announcement
27.🇳🇱 The NetherlandsAdopted Link to announcement

Why the ongoing delays?

Several EU Member States took the long way around to adopting the Directive’s requirements into local law. Over the past 12 months, the likes of Germany, Czechia, Hungary, and Slovenia endured tense negotiations between stakeholders before eventually passing their laws. 

For example, in Germany, the federal council ‘Bundesrat’ and the Parliament ‘Bundestag’ batted drafts back and forth, arguing the fine print of the proposed legislation. With the help of a mediator, they finally agreed in June 2023 that organisations in the country no longer have to process anonymous reports internally. Meanwhile, the financial penalties businesses and organisations face for violations have been reduced from €100,000 to €50,000.

This sort of impasse wasn’t unusual across the 27 Member States, but thankfully, 25 have now settled their negotiations and adopted the Directive’s requirements. Only Estonia and Poland remain locked in talks. Here’s the latest:

Estonia’s Whistleblowing Law

Although delayed, Estonia’s adoption of the Directive into law isn’t too far off. After being approved by the Government in August 2023, it’s expected to enter into law on January 1, 2024.

The draft proposal ‘Act on the Protection of Whistleblowers of Work-related Violations of European Union Law’ (link here) encountered some challenges, with several contentious amendments requiring consideration. 

This led to it being blocked in Parliament, and as a result, Estonia may be fined by the European Court of Justice for failure to transpose the Directive on time.

Poland’s Whistleblowing Law

Unlike Estonia, Poland does not have a date for its delayed whistleblowing act to come into force. The last bill, drafted on July 12, 2023, was the ninth version; however, it has yet to make it to Parliament. 

The issue appears to be that Poland has no existing whistleblower protection framework and is essentially starting from scratch.

As a result of this delay, the Republic of Poland has been fined by the European Commission, with penalty payments set to be charged until Poland fulfils its obligations and adopts the Directive into law. 

What happens after December 17, 2023? 

At the stroke of midnight on the 17th of December, 2023, the EU Whistleblowing Directive will apply to municipalities with more than 10,000 residents, all public or private sector organisations with more than 50 employees, organisations working in finance regardless of size, and organisations subject to Anti-Money Laundering (AML) and Combating Terror Finance (CTF) legislation, such as law firms, accountants, notaries, and casinos.

Whistleblowers are given protection by the Directive when they report wrongdoings in the following areas: 

  • animal health and welfare
  • anti-money laundering and financial services
  • consumer protection
  • environmental protection
  • food safety
  • nuclear safety
  • privacy and personal data
  • product safety
  • public health
  • public procurement
  • terrorist financing
  • transport safety

The Directive also applies to breaches of union competition rules, potential harm to the EU’s financial interests, and arrangements that lead to tax advantages and contravene existing corporate tax laws.  

Note: Compliance may require companies to work with local labour councils or unions to develop internal whistleblower procedures and to collaborate with external whistleblower channels.

What do company leaders need to know?

As a company leader, your organisation must be prepared to comply with the Directive by ensuring that the following obligations are fulfilled:

  • Whistleblowers must be able to submit reports in writing via an online whistleblowing platform or a secure email address. They must also have the option to submit a report via a telephone system or answering machine. 
  • Staff should be made aware of their whistleblower rights, available protection, and any anti-retaliation rules. 
  • All personal data (including that of the whistleblower and any accused parties) must be handled in accordance with the EU’s General Data Protection Regulation (GDPR).
  • All reports must be stored in a secure manner so that they can be accessed and used as evidence at a later date if required. Reports should not be accessible to non-authorised staff.
  • A designated person must confirm receipt of a report to the whistleblower within seven days.
  • A designated person must inform the whistleblower of any action taken within three months, including the status of an internal investigation and the outcome.

It’s also important to note that while the above broadly applies across the EU, other elements, including penalties and scope of application, vary among Member States.

How do things differ between EU member states?

As we mentioned earlier, the Directive is a minimum requirement. Respective governing bodies may have more in-depth guidelines. It’s, therefore, up to company leaders to educate themselves on these differences and prepare accordingly.

For example, a handful of Member States (including Germany, Spain, and Sweden) have introduced a more stringent list of reportable matters, covering more than we’ve outlined above. This could mean that if your business operates across various countries, you may have additional risks and responsibilities to consider depending on jurisdiction. 

And while the Directive also includes details on sanctions for companies that obstruct reporting, fail to keep a whistleblower’s identity confidential, or retaliate against whistleblowers, it’s up to each Member State to decide the severity of these penalties. As a result, you could face heftier sanctions depending on where an incident occurs. 

NorthWhistle: Helping you comply with the EU Directive from day one

Following the adoption of the Directive, whistleblowers must have the option of reporting wrongdoing internally, externally, or publicly. However, the Directive requires that Member States encourage the use of internal reporting channels, first and foremost.

Ultimately, this is in your best interests as an employer. By setting up an easy-to-use, secure, and anonymous internal reporting system, you can identify and address problems early, spend less time trying to fix issues, champion transparency, and improve trust among employees.

You can also reduce the possibility of employees going to the authorities with their concerns (or even going public) as their first action. This lowers your company’s exposure to the risk of penalties, litigation, reputational damage, or the leakage of trade secrets. 
NorthWhistle can help you comply with the Directive’s requirements and encourage internal reporting with our user-friendly online whistleblowing platform. Compare our plans & pricing here, or book a consultation with one of our experts to find out how we can help.