What is the EU Whistleblowing Directive?
Breaking down the EU Whistleblowing Directive and what you need to do about it
The EU Whistleblowing Directive in short
The EU Whistleblowing Directive is an official instruction to member nations that prohibits retaliation against whistleblowers and must be enforced through national laws. The directive draws from best practices based on a broad definition of the whistleblower, and a range of policies in several areas intended for the private and public sectors. It fills the gaps created by a fragmented system with inconsistent protection across the EU by requiring member states to adopt minimum standards. Nations are expected to adjust their law to meet these standards.
The purpose of the EU Whistleblowing Directive is to enhance the enforcement of union law and policies in specific areas affecting employees, shareholders, management, and administrative bodies. It applies not only to employees, but also to volunteers, trainees, contractors, subcontractors and supplies, former employees, and individuals who disclose reaches during the recruitment process. A threshold must be met in order for the whistleblower to receive complete protection against harassment. The person must have reasonable grounds to believe the information they report is true and that the information on breaches falls within the directive’s scope. The directive prohibits retaliation such as including dismissal, demotion, poor evaluations, and suspensions. It also offers advice and psychological support to people who disclose information and experience retaliation as a result.
“Effective whistleblower protection has at least two main components: what happens to the whistleblower after he/she blows the whistle and what measures are taken to address the wrongdoing reported by the whistleblower.” – Assistant Professor of European Law, Vigjilenca Abazi

The history of the Whistleblowing Directive
In the 2000s, whistleblowing procedures began to appear in Europe. Each country was facing different challenges such as data privacy laws and restrictions on making anonymous reports. After the global financial crisis in 2008, there was a strong need to work together and ensure new laws would be put in place to protect consumers from harmful banking practices. Since 2009, the European Parliament had repeatedly called for a law that would protect whistleblowers from reprisal when they disclose wrongdoing.
Between 2015 and 2020, public opinion began to shift, and new laws and directives were introduced in the Netherlands (2016), Lithuania (2017), Ireland (2018), France (2018), Italy (2018), Slovakia (2019), and Germany and Spain began to allow anonymous reporting. After a series of high-profile leaks like the Panama Papers, the Swiss Leaks, and the LuxLeaks, a more serious effort was made by the European Commission to consult the public and develop a stronger whistleblowing law. On October 23rd, 2019, the European Union adopted the directive on the protection of persons who report breaches of union law (also known as the protection of whistleblowers law). The EU Whistleblower Directive reflects decades of gradual change in Europe urged by advocates and boosted by increasing public awareness and pressure to act.
What companies should know
Whistleblowers can report through a 3-tiered model
There are three channels available to whistleblowers for reporting wrongdoings: internal, external, and public. Internal reporting refers to the workplace and requires companies and public institutions to establish a process or provide a third-party option such as a whistleblowing system for employees to report wrongdoings. The report can be submitted in writing, orally, in an in-person meeting, or by voice messaging system. External reporting refers to reports made to law enforcement agencies, judicial authorities, ombudsmen, and authorities that provide administrative oversight such as anticorruption or regulatory bodies. Article 11(2)(b) of the directive gives companies the option not to formally acknowledge the report if protecting the identity of the person is not possible. Public reporting refers to reports made to the media. If whistleblowers choose to use a public channel, they must first have made attempts to report the incident through internal and external channels to qualify for protection.


The importance of establishing an effective internal reporting channel
Companies are obligated to designate a person or department to acknowledge receiving the report within one week and follow up on disclosures in less than three months. They must establish an internal reporting channel and procedures for receiving whistleblowing reports and ensure follow-up reports. Anonymous reports should be allowed and the necessary steps to protect the identities of the reporter and the parties mentioned must be made. Reports should not be accessible to non-authorized staff. A reporting system should be developed to process incoming reports from employees and other individuals, and staff should be made aware of any anti-retaliation rules.
Corporate ethics and compliance rely on a good governance model, putting controls in place to combat fraud and corruption, and developing an organisational culture with a good speak-up system. This can help you identify and address problems early, spend less time trying to fix problems, stimulate the sharing of ideas and knowledge, and improve creativity among employees. It can also reduce your risk of receiving fines and having to deal with costly litigation.
We offer a solution for all such problems with multiple plans to choose from. Feel free to book a consultation with one of our experts or to learn more about NorthWhistle and how we can help.
Top 10 FAQ
EU directive 2019/1937
What is the main purpose of the EU whistleblowing directive?
Most member nations already have laws that address whistleblowing and protect the person who discloses information. However, these laws often differ from each other in terms of effectiveness, creating challenges for dealing with international businesses and making sure nations continue to work together efficiently. The purpose of the directive is to protect and enable whistleblowers from all EU nations to raise concerns anonymously without the fear of retaliation.
Why is whistleblower protection needed at the EU level?
Whistleblower protection at the EU level can help identify, prevent, and deter corruption, fraud, and other criminal activities that affect the financial interest of the EU. The protection offered to whistleblowers can be vastly different from country to country. Some EU members have comprehensive laws while others have fewer or less robust rules, which can negatively impact the functioning of other EU policies and undermine the market. For example, while many countries already have whistleblower protection, some states only cover sectors such as corruption and the public sector, making protections across the EU inadequate.
What sort of wrongdoings can whistleblowers report on?
Whistleblowers are given protection by the directive when they report wrongdoings in the following areas: public health, food safety, animal health and welfare, consumer protection, transport safety, product safety, environmental protection, nuclear safety, terrorist financing, public procurement, anti-money laundering and financial services, and privacy and personal data. The directive also applies to breaches of union competition rules, potential harm to the EU’s financial interests, and arrangements that lead to tax advantages and go against existing corporate tax laws.
Other channels have become less viable. Using a call centre means speaking to a person who will likely ask in-depth questions, which can reduce the whistleblower’s confidence in disclosing information. Reports made by phone are steadily decreasing and make it difficult to provide support after the disclosure is made. Using an ombudsperson allows you to have a legal expert on hand, but there may be a lack of trust or assurance of anonymity, which can stop potential whistleblowers from disclosing. An anonymous mailbox makes following up with the whistleblower nearly impossible and does not comply with the EU directive.
Feel free to explore our whistleblower blog where we look at other such examples and discuss the ins and outs of everything whistleblowing.
What is a ‘qualifying’ disclosure?
Some disclosures are known as ‘qualifying disclosures’. Qualifying disclosures are any disclosed wrongdoings where the employee believes that they are acting in the public’s best interest and a failure is currently happening, took place in the past, or is likely to happen if nothing is done. These failures can include damage to the environment, a breach of a legal obligation, a criminal offence a danger to the health or safety of a person or a group of people, or a deliberate cover-up of information which indicates any of these failures.
What type of protection can whistleblowers receive?
The EU whistleblowing directive provides protection to whistleblowers during legal proceedings about the disclosure of information. The rules are meant to protect whistleblowers from retaliation and charges when they disclose information that is legally protected. The directive provides financial assistance such as covering legal fees and costs for whistleblowers who win their cases. Whistleblowers are also given remedial measures against retaliation such as workplace harassment or firing.
Are the rights of the accused person or organisation protected?
The directive is intended to protect whistleblowers and safeguard the public interest. Malicious whistleblowing is discouraged, and the person or organisation accused of wrongdoing is presumed innocent until proven otherwise. Accused persons and organisations have the right to receive a fair trial and defend themselves. Some EU members have introduced dissuasive penalties for making malicious or abusive disclosures.
Are confidentiality clauses protected under the EU Directive?
No. The whistleblower who meets the threshold for protection is no longer bound by a confidentiality clause. You cannot bind employees to confidentiality clauses or legally pursue them for breaching such agreements if they have disclosed wrongdoing through official channels such as a whistleblowing tool.
What is the difference between a regulation and a directive?
A regulation applies to each of the EU member states and is carried out the same way across the EU, although there may be some small differences in the way nations interpret the legislation. On the other hand, a directive sets a minimum standard that must be implemented within national laws. There may be significant differences across EU member states in the way these laws are implemented and interpreted.
What’s new and what does it mean for my company?
As of December 17th, 2021, the directive has broadened its reach. It now applies to local communities with more than 10,000 residents, all public or private organizations with more than 250 employees, organizations working in finance regardless of size, and organisations subject to AML/TF legislation such as law firms, accountants, notaries, and casinos. As of December 17th, 2022, any organization with more than 50 employees will also be required to implement a whistleblower program and ensure whistleblowing data protection. Companies may need to work with local labour councils or unions to develop internal whistleblower procedures to ensure collaboration with external whistleblower channels to ensure they are compliant.
What are the economic benefits of whistleblower protection?
A study conducted by the EU commission in 2017 estimated whistleblower protection can save member nations between 5.6 and 9.6 billion euros annually. Results show that the cost of setting up and maintaining whistleblower protection is much lower in comparison with the potential benefits. For example, in the Netherlands for every euro invested there is a potential gain of 22 to 37 euros. Ireland and Romania also have very high favourable ratios. While the economic benefits vary from state to state, all nations see economic benefits when they implement whistleblower protection. That said, stakeholder consultations and more elaborate reporting channels can increase the cost, but also lead to a more effective system.