What is the Whistleblowing Directive and how does it impact your business? 

There’s a good chance that you’ve already heard of the much-talked-about EU Whistleblowing Directive. The Whistleblowing Directive, more formally known as Directive (EU) 2019/1937 “on the protection of persons who report breaches of Union law”, is a piece of legislation intended to enhance the enforcement of EU law by laying down common minimum standards for a high level of protection for whistleblowers who report breaches of the law.

What type of companies does the Whistleblowing Directive impact? 

The Whistleblowing Directive applies to:

  • all companies that have more than 50 employees
  • all public sector institutions
  • municipalities that have 10 000 or more inhabitants

All entities to which the directive applies are obliged to set up suitable internal reporting channels.

When does the Whistleblowing Directive become applicable? 

The Whistleblowing Directive must be implemented at the national level by 17.12.2021. At the time of writing this article, in March 2022, Sweden and Denmark among the Nordic countries, and Latvia and Lithuania among the Baltics, have implemented the directive. Finland and Estonia have prepared drafts for implementing the directive, but both have experienced delays in implementation.

Occasionally, directives can have an effect even before they have been implemented into national law. Usually, this happens when a case is brought against a state entity (but not against private legal persons). So in brief, based on EU law, the directive is already directly applicable to state entities and municipalities in Finland and Estonia even before its implementation. However, private organizations registered in these countries still have a period of time before they are expected to have set up these systems.

Once the directive is implemented on the national level, organizations with over 250 employees are immediately expected to comply with it. As a concession, private sector legal entities with 50-249 employees have an extra transition period of 2 years, and they are expected to have Whistleblowing channels compliant with the directive set up by 17.12.2023. 

Who is a whistleblower? 

A whistleblower, also called a “reporting person”, is a natural person who either reports or publicly discloses information on breaches of law that have come to their knowledge in the context of their work-related activities.

Whistleblowers can be from the private or the public sector. For example, the following people can be whistleblowers: 

  • Employees
  • Civil servants
  • Self-employed persons
  • Shareholders, company management, and board members
  • Volunteers
  • Paid and unpaid trainees
  • Ex-employees
  • Anyone working for a company or public sector entity under supervision of contractors, subcontractors and suppliers
  • People who are not yet employed by a company, if they have discovered a breach of law during the recruitment process 

The law also provides guarantees of safety for facilitators, who are natural persons assisting the whistleblower during the reporting process in a work-related context, as well as for people connected with the whistleblower who could experience retaliation, for example, colleagues and relatives of a whistleblower. Also, legal entities owned by the whistleblower, or for which the whistleblower works, or with which the whistleblower is otherwise in a work-related connection, are guaranteed safety under the Whistleblowing directive.

What areas of operations are covered under the Whistleblowing Directive?

The new Whistleblowing directive applies to whistleblowing regarding breaches of European Union law in the following fields: 

  • Public procurement
  • Financial services, products and markets, as well as prevention of money laundering and terrorist financing
  • Product safety and compliance
  • Transport safety
  • Protection of environment
  • Radiation protection and nuclear safety
  • Food and feed safety, animal health and welfare
  • Public health
  • Consumer protection 
  • Protection of privacy, personal data, security of network and information systems
  • Breaches of law that affect the financial interests of the Union as referred to in Art 325 TFEU
  • Breaches related to internal market as referred to in Art 26(2) TFEU, incl. EU competition and state aid rules, as well as breach of corporate tax rules and tax arrangements with the purpose to defeat the objective of the corporate tax law

How are whistleblowers protected under the Whistleblowing Directive? 

Duty of confidentiality 

The identity of the whistleblower shall not be disclosed to anyone, apart from the authorized staff members competent to receive and to follow up on reports, unless the whistleblower gives explicit consent to disclose their identity. This duty of confidentiality also means that it is prohibited to give out any pieces of information from which the identity of the whistleblower could be directly or indirectly deduced. 

Processing of personal data 

All processing of personal data related to the whistleblowing process must be done in accordance with the GDPR, EU 2016/679, as well as with the Data Protection Directive, EU 2016/680. All the personal data that is not relevant (or that has been collected accidentally) should be deleted.  

Prohibition of retaliation 

One way the Whistleblowing Directive protects whistleblowers is the prohibition of retaliation. Simply put, this means that there should be no negative consequences for the whistleblower, whether such consequences happen through action or by omission, directly or indirectly, by threatening the whistleblower with retaliation, or by an attempt at retaliating.

Examples of prohibited forms of retaliation: 

  • Suspension from duties, lay-off, dismissal from duties, and similar measures
  • Demotion, or withholding a promotion
  • Transfer of duties
  • Change of location of work
  • Salary reduction
  • Change in working hours
  • Withholding training
  • Negative performance assessment or employment reference
  • Imposing any disciplinary measure, reprimand or other penalty 
  • Coercion, intimidation, harassment, or ostracism
  • Discrimination, disadvantageous or unfair treatment
  • Not converting a temporary employment contract into a permanent one, where the worker had legitimate expectations of it
  • Failure to renew, or early termination of, a temporary employment contract
  • Harming a person’s reputation, especially on social media
  • Financial loss, including loss of business and loss of income
  • Blacklisting, which may lead to the whistleblower not being able to find future employment in their professional field or industry
  • Early termination or cancellation of a contract for goods or services
  • Cancellation of a license or a permit
  • Psychiatric or medical referrals

The procedure for an internal reporting channel 

Internal reporting means an oral or a written report being submitted by a whistleblower within the legal entity they work in. Companies are able to choose whether they want to have their internal department maintain the whistleblower’s internal reporting channel, or whether the company wishes to hire an outside service provider to perform duties of the internal reporting channel for them. 

What are the requirements for internal reporting channels? 

  • An internal reporting channel should be designed, established and operated in a secure manner, so that it ensures the confidentiality of the identity of the whistleblower and any third parties mentioned in the report, and prevents the access of any non-authorised personnel to the information. 
  • The whistleblower should receive a confirmation of receiving the report within 7 days of submitting the report. 
  • The internal reporting channel should have a designated impartial person or department that is competent to follow up on the reports, and that will maintain communication with the whistleblower, ask for further information or clarifications regarding the report if needed, and give feedback to the whistleblower. The designated person or department should also diligently follow up on anonymous reports.
  • The organisation should provide the whistleblower with feedback within 3 months of the acknowledgement of receipt of the report.
  • The internal reporting channels should also provide clear and easily accessible information on how to make an external report to competent authorities, or relevant state or EU institutions, bodies, offices or agencies.  
  • The whistleblower’s internal reporting channel must allow for reporting both in writing and orally. Oral reporting must be possible either by phone or by voice message, and if requested, by a physical meeting that should be organised within a reasonable time frame. 

External reporting and public disclosure 

External reporting means making a report of the breaches of the law to the competent authorities. A whistleblower has the possibility to choose: they can make an external report after they have made an internal report of a breach, or optionally, if they so wish, they can also report directly through external reporting channels. 

Why would a whistleblower make an external report directly? 

It is understandable that if the whistleblower does not trust the internal reporting channel to uphold the duty of confidentiality or to process data in accordance with the GDPR, or does not trust the company or public sector entity to abide by the prohibition of retaliation, they would rather go directly to the competent authority than risk jeopardizing their standing inside the organization by blowing the whistle through an unreliable internal reporting channel.

When can a whistleblower make a public disclosure? 

A whistleblower who makes a public disclosure will be protected under the Whistleblowing Directive when going public if any of the following conditions applies in their case: 

  • They’ve previously made an internal and/or external report, but no appropriate action was taken within 3 months of receipt confirmation of the report.

The whistleblower has reasonable grounds to believe that:

  • the breach of law may constitute an imminent or manifest danger to the public interest. For example, there is an emergency situation, or a risk of permanent damage.

In case of an external report being made to the competent authority:

  • There is a risk of retaliation
  • It is unlikely that the breach would be effectively addressed, due to particular circumstances of the case. For example, there could exist a risk of evidence being destroyed or concealed, or the authority could be in collusion with the perpetrator, or be involved in the breach of law itself.

Based on national legislation, it is also possible for the whistleblower to go directly to the press and disclose their information, and receive protection under national law, in order to secure freedom of expression and freedom of information. 

Setting up an internal whistleblowing channel

If a company does not have an internal whistleblowing channel, the only option for the whistleblower is to directly make an external report to the relevant authorities, without enabling the company to first try to solve the breach in-house. 

From the point of view of a business, regardless of its size, it is beneficial to have a way to improve its operations and an internal warning system concerning potential breaches, so that it can solve those problems without the involvement of authorities or the press.

Companies are able to choose whether they wish to make an internal department or person responsible for whistleblowing, or to hire a third-party organization to maintain the whistleblower’s reporting channel.

The first option is usually convenient, and in many cases, the required know-how might already exist in-house. The reason why the second option is more popular is that a whistleblower is usually concerned about potential retaliation regardless of the existing legal formalities prohibiting it, and thus many people would rather only bring a matter to an actually independent body, such as a third-party whistleblowing channel, or directly to the authorities through external whistleblowing channels.

By having set up an internal reporting channel that the people reporting actually find usable, a company has a chance of protecting itself against legal and reputational risks having to do with external reporting and public disclosure. 

Confidentiality is essential for an internal whistleblowing channel to work

The key element of setting up an internal whistleblowing channel is that the employees must really be able to trust the confidentiality of the channel. Otherwise, they will reach out to the authorities via external reporting channels, and it is not a pleasant situation for any business to be informed of a breach of law by an authority, instead of being able to fix the matter in-house before further proceedings.

The most reliable channels are the ones where the reporting is done via an independent whistleblowing channel that notifies the company of a breach but keeps the identity of the whistleblower a secret. The security and confidentiality that such a solution provides have led to its soaring popularity in the form of third-party whistleblowing services and platforms in use among corporations of all sizes.

How to ensure that the internal channel is actually usable?

In addition to fulfilling the bare minimum requirements of the legislation:

  • receiving the reports either in writing or orally,
  • giving a confirmation of receipt within 7 days,
  • keeping the whistleblower’s identity confidential,
  • providing the whistleblower feedback within 3 months that the reported issue has been resolved, and
  • not retaliating against the whistleblower,

there are ways to increase the likelihood of whistleblowers using the internal reporting channels, such as having 24/7 availability, providing anonymity, being available in the languages used in the organization, providing explanatory texts that potential whistleblowers can easily and clearly understand, and having an effective strategy for communicating about the breaches, so that the whistleblower knows what to expect regarding the matter being inspected further.

Non-retaliation policy as a tool for increasing trust 

In addition to having an independent third-party whistleblowing channel, one effective way for a company to ensure that employees, contractors, and other potential whistleblowers use the internal whistleblowing channel is to create a non-retaliation policy and make it publicly available for everyone to access. A whistleblower who is aware of their options regarding internal and external channels, and who can trust that the organization is not going to persecute them for pointing out a need for development before the authorities do, is more likely to use the internal whistleblowing channel available.