Skip to content.

Since the launch of the EU Whistleblowing Protection Directive, 21st December 2021, EU countries and organisations have been scrambling to transpose the rules into their current national laws. The main guidelines of the directive include:

  • Companies must protect whistleblowers from any forms of negative relation and their confidentiality.
  • Companies must acknowledge they have received a whistleblowing report within seven days and confirm they will take appropriate action.
  • Companies must have a variety of reporting channels available to whistleblowers – telephone, online systems, writing and open-door verbal communication etc.
  • Companies have three months to provide feedback, including an update on the filed whistleblowing report.
  • Employees who want to make a report must be able to easily access company information on where and how to do so. They must also understand what the most effective reporting channel would be for their specific case type and to whom the report should be addressed to.

However, with these changes comes many challenges, which differ from company to company depending on industry size and type. Below, are answers to some of the most frequently asked questions surrounding the difficulties many companies now face whilst implementing the directive.

How should group entities deal with reporting at a group vs subsidiary level?

The Directive permits companies with 50 to 249 employees to share resources (i.e., global reporting channels), but the European Commission has made it clear in statements published on June 2, 2021, and June 29, 2021, that the Directive requires larger companies, including group subsidiaries, to also implement local reporting channels. 

Despite Directive rules, a recent NAVEX online seminar poll revealed over 50% of people would prefer to continue using only their central reporting channel for as long as possible.

Companies should openly discuss the benefits and challenges of reporting at both a subsidiary and group level. Group reporting allows general information in reports to be shared across multiple levels, such as sexual harassment cases. However, with many reports being shared between companies, training must be provided to educate people, who are given designated reports and reporting channels, on how to best deal with them. Outsourcing of reports is also another popular option to consider.

What approach is recommended when dealing with anonymous reports and should they be accepted/ invested in?

Companies should accept anonymous reports and not worry about the source that they came from. When reports are raised anonymously, companies should always show that they take each reported situation seriously to encourage others to speak up.

Personal details are not necessary when filing a report. It is far more important for the reports to have thorough and accurate information than details about the reporter. There are now many technology solutions available for those receiving the report to speak with whistleblowers online and anonymously.

Portugal originally prohibited anonymous reporting within the workplace, though now it is the first EU country to allow anonymous reporting in the public sector – a great development.

Guidance for entities in member states that have yet to complete the EU Whistleblower Protection Directive transposition

Companies that have yet to fully transpose the Directive, should take into consideration that the Directive only states the minimum protection standards required. As such, member states should feel empowered to expand rules surrounding whistleblowing further. Countries that have yet to transpose the Directive should look to those that have already done so for guidance, and demonstrate that they take whistleblowing seriously. Sweden has added a written obligation to facilitate providing both verbal and written reporting channels, which goes beyond the needs and requirements of the Directive.

By going for the strictest reporting systems, trust is gained, and entities will receive better quality and a higher number of reports.

To what degree should organisations communicate the Directive to employees? How detailed do those communications need to be?

The more detailed, the better. Employees want to know the organisation they work for takes the whistleblowing directive seriously.

Companies should openly communicate with employees that they have investigated, and are fully prepared, to support those who want to speak up against misconduct. One method of communicating this is for organisations to host a central internal hub or website employees can refer to whenever they need company policy guidance. Internal websites and central hubs should contain company policies, a code of conduct, feedback forms and whistleblowing information. That whistleblowing information should include where, how, and what channels employees can use to raise concerns.

If a company shows that it cares, understands whistleblowing, and takes the Directive seriously, employees will report internally rather than externally or publicly. Public reporting could lead to uncontrollable issues and the potential for reputational company damage.

The Directive outlines rule obligations based on number of employees – do these rules apply to all institutions?

A small number of institutions, such as financial services and credit institutions, are exceptions when it comes to the number of employees needed to follow the rules of the EU Directive. They must follow the rules no matter the size of their organisation.

To learn more about how NAVEX can help keep your business compliant with the EU Whistleblower Protection Directive, check out the NAVEX E&C solution