On 7th October 2019, the European Council formally adopted new rules that will provide better protection for whistleblowers across EU Member States.

Under The Directive on the Protection of Persons Reporting on Breaches of European Law, companies with 50+ employees and municipalities with 10,000 inhabitants or more will be required to implement a range of measures.

These include protecting whistleblowers from retaliation, and the creation of effective and efficient reporting channels (such as a whistleblowing hotline).

Member States will be required to write the new rules into national law by October 2021.

How did the Directive come about?

The Directive on the Protection of Persons Reporting on Breaches of European Law was first proposed in April 2018.

Aimed at overhauling the rights and legal protections of whistleblowers in Europe, it followed a series of high-profile disclosures relating to scandals such as Cambridge Analytica, the Panama Papers and LuxLeaks.

The murders of journalists Daphne Galizia (Malta) and Ján Kuciak (Slovakia), who were attempting to expose corruption in their respective countries, only strengthened the drive to protect whistleblowers.

The Directive provides significant improvement in protecting whistleblowers and moves member states towards a unified legal framework.


What protections does the Directive offer?

The new rules will require the creation of safe channels for reporting both within an organization - private or public - and to public authorities. These should be designed and implemented in a way that ensures confidentiality for the whistleblower, the person named in the report, and any third parties referred to in the report.

Upon receiving a report, organizations will be expected to acknowledge receipt of it within seven days and “provide feedback to the reporting person within a reasonable timeframe not exceeding three months”.

The Directive will protect whistleblowers against dismissal, demotion and other forms of retaliation, and require national authorities to inform citizens and train public officials on how to deal with whistleblowing.

The Directive also outlines the grounds upon which protection will be granted. Unlike whistleblower protections in other countries, under the EU Directive a worker must simply have “reasonable grounds” to believe that the information they report is true (provided it falls within the scope of the Directive). 


Who will be affected by the Directive?

Protected parties

The Directive covers workers in the public and private sector, including:

• civil servants
• the self-employed
• shareholders
• management
• administrative or supervisory bodies
• volunteers
• paid or unpaid trainees
• contractors, subcontractors and suppliers
• individuals disclosing breaches during a recruitment process
• former workers

Affected organizations

Companies with 50+ employees and municipalities with 10,000 inhabitants or more will be required to comply with the Directive.


Timescales and deadlines

Member States will be required to write the new rules into law by October 2021.

Organizations of 250 employees or more must be ready to comply with the law immediately from that point. Smaller organizations (50-249 employees) will be given two further years to comply.


Organizations: What you need to do

The Directive applies both in the private and public sector, including to local authorities. Here’s a summary of the key actions organizations should take.

1. Establish a compliant reporting mechanism

The Directive states that whistleblowers are encouraged to use internal reporting channels before turning to external channels (such as public authorities or regulators) or, as a last resort, going public.

Affected organizations are therefore required to offer internal reporting channels that:

“enable persons to report in writing…or to report orally, by telephone hotline or other voice messaging system”.

These reporting channels should be operated in a secure manner that protects the confidentiality of the reporter, as well as any accused or third parties mentioned in the report.

Under the Directive, companies must also be ready to handle reports from non-employees (shareholders, interns, volunteers and the self-employed) - this should be taken into account when implementing internal reporting channels.

2. Implement policies and procedures to protect against retaliation

The Directive highlights a number of actions that might be classed as retaliation. These include obvious financial penalties such as demotion or dismissal; change in duties, working location, contractual status, salary or hours; and disciplinary or financial penalties/loss.

However, it also highlights instances of discrimination and damage to reputation, with social media cited as a possible source of retaliatory behavior.

As a result, organizations will need to develop, implement and maintain effective policies and processes that will protect employees – and the wider organization – from such risks.

3. Put a secure, auditable case management process in place

Under the new rules, authorities and affected organizations must keep a record of every report received (in line with relevant data protection rules, like GDPR).

They are also required to maintain the confidentiality of people submitting a report or mentioned in it, and be able to meet the Directive’s rules on responding to reports.

As such, organizations will be required to establish a process for storing, managing and responding to reports that meets the new law.

Under the new rules, the burden of proof will be on the employer to demonstrate that any actions taken against an employee were not retaliatory. Deploying a process that incorporates a clear, tamper-proof audit trail will therefore be equally important.

4. Develop an internal role/team to manage reports

The Directive obliges organizations to designate:

“an impartial person or department competent for following-up on the reports which may be the same person or department as the one that receives the reports and which will maintain communication with the reporting person”

It is therefore essential that every affected organization identifies a person or team, with appropriate competence and impartiality, to manage reports.

Supported by a capable system that enables teams to process reports compliantly and consistently, organizations will be better able to meet the demands of the new law.
