
Establishing an EU-Compliant Internal Reporting System

Nearly one year has passed since European Union member states were supposed to have met the December 17, 2021 deadline for incorporating the EU Whistleblower Protection Directive into their national laws.

Yet, just 10 of the 27 EU member states have adopted implementing legislation, according to data from the EU Whistleblowing Monitor. To date, these countries are Croatia, Cyprus, Denmark, France, Ireland, Latvia, Lithuania, Malta, Portugal, and Sweden. All other EU member states are behind schedule but have draft legislation in progress, except for Hungary, which remains the only one that has yet to take any steps toward implementation.

Even in this state of regulatory limbo, multinational companies with an EU presence that are already acclimated to the U.S. Sarbanes-Oxley (SOX) Whistleblower Protection Law can – and should – start to reevaluate their internal reporting systems and investigation procedures as each EU member state in which they operate gradually begins to implement the Directive.

This article recaps some of the key aspects of the Directive, explores some of the nuances between each member state (as they stand now), and discusses both the compliance challenges and solutions in line with the Directive for establishing a sound internal reporting system.

Accommodating for Non-Employee Reports

When the EU passed the Whistleblower Protection Directive in 2019, the intent was to establish common minimum standards that provide greater protection across EU member states for individuals in both the public and private sector who report ethical misconduct or breaches of EU law based on information obtained in a work-related context.

Whereas public-sector entities and private-sector companies with at least 250 employees were supposed to have already met the implementation deadline, private-sector companies with between 50 and 249 employees have until December 17, 2023 to establish internal reporting systems.

Implementation challenge: The Directive defines reporting persons quite broadly and well beyond the scope of the U.S. whistleblowing regime. Reporting persons can include, but are not limited to, current and former employees; shareholders; members of an administrative, management or supervisory body; contractors, subcontractors, and those who work under their direction; and volunteers, trainees, and new recruits.

Compliance solution: As stated in the Directive, those who are considering reporting breaches of EU law “should be able to make an informed decision on whether, how and when to report.” Thus, companies are obliged to disseminate reporting instructions widely and in a “clear and easily accessible” manner – for example, on the company’s website and in compliance training. Those with a large workforce that lacks online access may want to consider posting reporting instructions in common areas or plant facilities, for example. Additionally, consider including information about how to make a report in employee manuals and distributing it to existing volunteers, trainees, and new recruits during the orientation or onboarding process.

Keeping Abreast of Member States’ Defined Law Violations

Implementation challenge: The EU Directive protects disclosures concerning a wide array of EU law breaches, including money laundering, financial misconduct, public procurement, data privacy breaches, and consumer protection, among many others. However, as more EU member states implement the Directive, the scope of breaches covered under their respective local laws continues to grow.

For example, Portugal has added “violent and highly organized crime” to the list of covered offenses, while in Denmark “serious offenses and other serious matters” of Danish law – including discrimination and sexual harassment – are included. And in Sweden, protections extend, somewhat vaguely, to reports of misconduct “for which there is a public interest.”

Comparatively, the U.S. whistleblower regime covers only conduct “reasonably” believed to have violated federal securities laws. This includes mail, wire, bank, or securities frauds; any rule or regulation of the U.S. Securities and Exchange Commission; and any federal law relating to fraud against shareholders.

Compliance solution: Multinational companies that are currently operating a variety of hotlines (e.g., one for compliance violation reports, another for HR matters, another for health and safety issues, etc.) may want to consider using a centralized clearinghouse for all complaints. Beyond simplifying intake, this makes it easier to spot systemic areas of weakness across the organization.

Handling Anonymous Reports

Both the EU and U.S. whistleblowing regime require an internal reporting channel; allow for reports to be made in writing, orally, or both; and provide protections for external reports to authorities, whether or not an internal report was made first.

The Directive further requires the designation of an independent person or internal department to receive and follow up on reports. Alternatively, companies may consider using a third-party vendor, so long as they guarantee “respect for independence, confidentiality, data protection and secrecy,” as stated by the Directive.

The designated person or department must acknowledge receipt of a report within seven days and provide feedback to the whistleblower not later than three months from receipt of the report. Feedback must include information on any follow-up action taken or expected and the grounds for such follow-up.

Implementation challenge: A multinational company’s requirements for handling anonymous reports remain murky at best. Anonymous reports are allowed in the United States, while in the EU each member state must decide whether there is an obligation to accept and follow up on such reports.

Compliance solution: Companies will have to defer to the EU member states in which they operate. To date, Cyprus, Croatia, France, and Portugal are among EU member states that allow anonymous reports. Draft legislation in Spain and the Netherlands suggest that they, too, are considering anonymous reports, while in Germany it has been proposed that the decision be left up to companies. EU member states that provide no obligation to follow up on anonymous whistleblower reports include Ireland and Denmark, for example.

Shared Reporting Channels and Investigations

Implementation challenge: While not encouraged by the Directive, some EU member states – France, Germany and Denmark – allow multinationals to use a centralized groupwide reporting channel, rather than having to implement internal reporting channels at the local level.

Other member state laws aren’t so clear. In Denmark, for example, companies with 50 or more employees may establish a groupwide whistleblower channel, but the Minister of Justice has authority to revoke such channels for private companies with 250 or more employees if they appear not to conform with the Directive.

Compliance solution: In this case, it’s best to refer to each member state’s requirements. In Germany, for example, reporting channels must be made available in the predominant language spoken locally, and responsibility for follow-up lies with the company in the local region.

Because reports can come from various countries – and simultaneously – multinationals may want to have a uniform process in place to investigate allegations, and then decide whether, as a best practice, to adopt the most stringent member-state requirements across the whole group.

GDPR Considerations

Implementation challenge: Under the EU’s General Data Protection Regulation (GDPR), anybody whose personal information will be processed in the context of a whistleblower report must be properly informed. “The personal information in a whistleblowing report can relate to whistleblowers, the person under investigation, witnesses or other individuals that are mentioned,” stated the European Data Protection Supervisor (EDPS).

Compliance solution: If informing an accused person of the processing of their personal information at an early stage would potentially jeopardize the investigation, “the sharing of specific information with the accused might need to be deferred,” the EDPS stated. “Deferral of information should be decided on a case-by-case basis, and the reasons for any restriction should be documented.”

Protections Against Retaliation

Both the EU and U.S. whistleblowing regimes provide for anti-retaliation protections. The Directive defines retaliation broadly to include suspension, lay-off, dismissal or equivalent measures; demotion or withholding of promotion; coercion, intimidation, harassment or ostracism; discrimination, disadvantageous or unfair treatment; and more.

Unlike the U.S. whistleblowing regime, which makes financial incentives available to whistleblowers, the EU Directive leaves it up to each member state to establish “effective, proportionate and dissuasive penalties” against those who hinder reporting, engage in retaliatory acts, or breach the confidentiality of the reporter. What is important here is that companies faced with allegations of retaliation should be prepared to demonstrate that their actions were justified and were not connected in any way to the whistleblower report.
