Skip to content.

Secondary navigation

Get Your Demo
Two women sit at a desk with computers, smiling and looking at each other. One has curly hair and wears a black top, and the other has straight red hair and a yellow sweater. A man is in the background. An orange and a notepad are on the desk.

The Luxembourg Whistleblower Protection Law

Explore the Luxembourg Whistleblower Protection Law, including compliance requirements, scope, and how to support and protect reporting in your organization.

Get your guide to incident management
Abstract image featuring dynamic waves of blue lines and patterns on a dark background, creating a sense of movement and depth. The lines are tightly woven, resembling textiles or digital grids, with varying shades of blue highlighting texture.

Luxembourg Whistleblower Protection Law overview

Luxembourg amended its whistleblower protection laws in May 2023 to transpose the EU Whistleblower Protection Directive’s requirements into national law. The law defines whistleblower protections for anyone reporting violations of either EU law or Luxembourg national law, and imposes several obligations on organizations to protect internal whistleblowers. 

The new legislation covers all public and private organizations with at least 50 employees, requiring them to establish mechanisms to allow for whistleblower reports and to protect whistleblowers. Employers must also appoint someone to investigate whistleblower claims, and this can be an internal manager or an external third party. 

The law protects whistleblowers and those assisting them from retaliation for submitting a report. It also allows them to report their concerns externally to various Luxembourg regulatory agencies, such as the Inspectorate of Labor and Mines, the Commission de Surveillance du Secteur Financier (CSSF) or the Administration des Contributions Directes (Direct Tax Authority). The law also creates a new national Office of Whistleblowing that reporters will be able to use once the office is established.

A man with glasses and a gray shirt sits at a desk, focused on computer monitors in a modern office setting with shelves and large windows in the background.

What does the Luxembourg whistleblower protection law cover?

To start, the law adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include: 

  • A secure and confidential channel for receiving whistleblower reports must be in place. 
  • Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days. 
  • An impartial person or department must be appointed to follow up on the reports. 
  • Records must be kept of every report received in compliance with confidentiality requirements. 
  • There must be diligent follow-up of the report by the designated person or department. 
  • Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report. 
  • All processing of personal data must be done in accordance with GDPR.

If a whistleblower reports their concerns publicly (for example, to the press), protections only apply if the whistleblower has already tried to report internally or to regulators with no success, and the whistleblower believes the public interest is in imminent or irreparable harm.

A woman with curly hair and a green top is smiling while looking at her phone in an office setting. She is sitting at a desk with computer monitors. Another person in a brown jacket is in the background.

What are the rules outlined in the Luxembourg whistleblower protection law?

Formally known as Bill of Law No. 7945, Luxembourg adopted its new whistleblower protection law in May 2023 for all public or private organizations with at least 50 employees. The law went into immediate effect for large organizations; that is, organizations with 250 or more employees should have already implemented their whistleblower protections, or do so as quickly as possible. Organizations with 50 to 249 employees were required to do so by the end of 2023. Those with fewer than 250 employees are also allowed to establish a joint whistleblower program in coordination with other small businesses. Financial service firms need to establish an internal reporting system even if they have only one employee.

Woman in a blue sweater sitting at a desk, talking on the phone and smiling. She is working on a desktop computer with documents on the screen. The room is softly lit, with a framed picture on the wall and a potted plant by the window.

Anonymous report intake and management

The law requires all covered organizations to (1) set up a whistleblowing system with comprehensive whistleblower protections; and (2) adopt a policy on reporting legal violations and other misconduct. Businesses must also train employees on how to use the hotline and on the importance of non-retaliation. Companies are allowed to outsource the management of their hotline to a third-party service provider. Whistleblowers are allowed to submit reports in writing, verbally or in person; and the company must preserve a record of every report submitted.

A man in a green sweater sits at a desk in a dimly lit office, looking out the window. The office is filled with computers and office supplies. Sunlight streams through the window, casting a soft glow over the scene.

What are the risks of non-compliance?

Companies that violate Luxembourg’s whistleblower law by failing to implement a whistleblower program or by retaliating against a whistleblower can face regulatory fines of €1,500 to €250,000 for their first offense, and double that for repeat offenses. Individuals who retaliate against whistleblowers can face fines of €1,250 to €25,000.

Explore more resources on whistleblowing and regulatory compliance in the EU

Stay ahead of Luxembourg’s evolving compliance landscape

Luxembourg’s regulatory environment is complex and constantly evolving. Get the insights you need to strengthen your compliance program, reduce risk, and build a culture of transparency.

See our Luxembourg Compliance Guide