
The Austria Whistleblower Protection Law

Explore the Austria Whistleblower Protection Law, including compliance requirements, scope, and how to support and protect reporting in your organization


Austria Whistleblower Protection Law overview

Austria enacted its whistleblower protection law in February 2023 to transpose the EU Whistleblower Protection Directive’s requirements into national law. The law defines whistleblower protections for anyone reporting violations of either EU law or Austrian national law, and imposes several obligations on organizations to protect internal whistleblowers. 

The new legislation covers all public and private organizations with at least 50 employees, requiring them to establish mechanisms to allow for whistleblower reports and to protect whistleblowers. Employers must also appoint someone to investigate whistleblower claims, and this can be an internal manager or an external third party. 

The law protects whistleblowers and those assisting them from retaliation for submitting a report. It also allows them to report their concerns externally to Austria’s Federal Bureau of Anti-Corruption, or to any of several other government agencies such as the Austrian Financial Intelligence Unit or the Federal Competition Authority, depending on the exact issue being reported.


What does the Austrian whistleblower protection law cover?

The law adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include:

  1. A secure and confidential channel for receiving whistleblower reports must be in place.
  2. Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days. 
  3. An impartial person or department must be appointed to follow up on the reports.
  4. Records must be kept of every report received in compliance with confidentiality requirements.
  5. There must be diligent follow-up of the report by the designated person or department.
  6. Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report.
  7. All processing of personal data must be done in accordance with GDPR.

What are the rules outlined in the Austrian whistleblower protection law?

Known in German as the HinweisgeberInnenschutzgesetz (“HSchG”), Austria’s whistleblower protection law covers all organizations with at least 50 employees. Organizations with 250 or more employees had to establish their whistleblower programs by the end of August 2023; smaller organizations had to do so by the end of 2023. Organizations with fewer than 250 employees are also allowed to establish a joint whistleblower program in coordination with other small businesses. Financial service firms need to establish an internal reporting system even if they have only one employee. 

The law requires all covered businesses to (1) set up a whistleblowing system with comprehensive whistleblower protections; and (2) adopt a policy on reporting legal violations and other misconduct. Businesses must also train employees on how to use the hotline and on the importance of non-retaliation. Companies are allowed to outsource the management of their hotline to a third-party service provider. 

Austria’s whistleblower protection law expressly encourages whistleblowers to report their concerns internally, and therefore businesses are also encouraged to make their whistleblower systems as easy to use as possible. Whistleblowers are allowed to submit reports in writing, verbally or in person, and the company must preserve a record of every report submitted.

The law also prohibits retaliation of any kind against whistleblowers. That said, if whistleblowers do press claims in court that they have suffered retaliation for speaking up, Austria’s law places the burden of proof on them. This is a departure from the EU Whistleblower Directive and most other EU member states, where the burden of proof is on the organization to prove it did not retaliate against the whistleblower. 

The HSchG doesn’t expressly say that whistleblower systems must accept anonymous reports, or how companies should handle them. Still, if a company does receive an anonymous report, it must protect the whistleblower’s identity if the person’s name becomes known at a later point in time. 

Individuals who retaliate against whistleblowers or who otherwise violate the law can be subject to fines of up to €20,000 for their first offense, or €40,000 for repeated offenses. The HSchG does not contain any penalties for companies that fail to establish whistleblower systems (even though the EU Whistleblower Directive says that member states must provide for such penalties).
