EU Whistleblower Directive: 2021 Deadline Looms For Large-Sized Companies

Almost one year after its adoption by the European Parliament, more than half of the EU’s 27 Member States have started transposing the EU Whistleblower Protection Directive into national law. Now, little over 14 months remain until the transposition deadline leaving the clock ticking loudly not just for lawmakers, but also for the organisations that will be required to follow the new rules. 

The Directive impacts hundreds of thousands of organisations and small- to medium-sized enterprises (SMEs) right across Europe that employ more than 50 people. But it is those with 250 employees or more that will be required to comply first.  

What the Directive means for affected organisations 

The Directive revolves around the explicit protection of a broad range of whistleblowers who report a violation of EU law. In turn, this places a number of legal obligations on organisations, with the adoption of safe reporting channels (such as whistleblower hotlines) chief among them. Alongside this, affected organisations are required to: 

  • Put in place “channels for receiving the reports which are designed, established and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members” 
  • Inform employees on the reporting options available to them 
  • Put measures in place to protect whistleblowers from dismissal, demotion and other forms of retaliation 
  • Assign a competent impartial person or team to receive and follow up on reports 
  • Respond to and follow up on reports within three months  

Public and private organisations and SMEs with 50 or more employees will be subject to the law, although only those with 250 or more employees will need to be compliant from December 2021. Those with 50-249 employees will have a further two years to comply. 

Learn: Read more about the EU Directive 

Slow national adoption limits awareness 

The Directive must be transposed individually by each Member State by December 2021. Each local version of legislation is likely to differ in detail, but should reflect the Directive’s overriding aim: to ensure a baseline level of protection of whistleblowers across the EU.  

However, as witnessed in the lead-up to the EU’s General Data Protection Regulation (GDPR) in 2018, widespread awareness of the law amongst those that need to comply is likely to remain relatively low until transposition is completed.  

In Sweden, progress has been notable. On 29th June 2020 an Exploratory Committee delivered its 802-page report, containing its proposal for transposition, one month later than planned. Its proposed date for entry into force is 1 December 2021.  

Our neighbours in Denmark, meanwhile, have seen their progress slowed by the coronavirus pandemic (as is the case in Portugal). The Danes expect to have an implementation proposal ready in Spring 2021, alongside their Nordic counterparts in Finland

The Republic of Ireland began its public consultation in June, while Latvia invited the public to propose improvements to its own Whistleblowing Law amendments in July. In the same month, Slovenia’s Ministry of Justice reiterated its desire to prioritise the transposition of the Directive and BulgariaEstonia and Greece have all taken steps towards transposition during 2020.  

Elsewhere in Europe, adoption remains a topic of fierce debate. In Germany, political infighting has delayed progress; Spain has seen various legislative alternatives proposed and at least one proposal has been rejected by Congress. Czech Republic’s draft proposal, meanwhile, has been roundly criticised by opposition parties and NGOs. 

Remaining Member States, including ItalyBelgium and Austria have made little or no progress in transcribing the law. Although France also falls into this group, its existing Sapin 2 law already requires companies with 50+ employees to have a whistleblowing channel in place.  

Key steps towards compliance with the Directive 

While many EU countries have hit “pause” on the transposition process, there is no reason why organisations cannot begin their path towards compliance now.  

The most obvious and pressing requirement – the implementation of a confidential reporting channel – is perhaps the easiest and most straightforward step for those who do not yet have a solution in place.  

For medium- to large-scale organisations, or those with more mature risk and compliance requirements, an Enterprise-level solution that ties your entire programme together within one platform is likely to be the best solution. This will help ensure that your Directive-related training, awareness and policy obligations interact seamlessly with your reporting process.  

For small- and medium-sized businesses who are just beginning their compliance journey, a secure solution that can be bought and implemented online in a matter of hours – like WhistleB’s new ‘Ready-to-launch’ service - will also guarantee compliance with the core requirement of the Directive. 

Compliance as a value-driver 

Whichever route organisations choose to go down, the implementation of a reporting system should be considered beyond a simple yet essential response to legislation.  

Independent research from George Washington University has highlighted a correlation between the increased use of reporting systems and improved business performance. Indeed, the most successful organisations recognise their whistleblowing system as an important tool for reducing risks and building trust with employees because they facilitate the detection of possible misconduct at an early stage. 

As the December 2021 deadline approaches, thousands of organisations will discover that compliance with the Directive will deliver many more benefits than a simple ‘tick’ in the box. 

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

The Element of Surprise Keeps Things Honest

Why You Should Prioritize Cybersecurity Risk with NIST CSF

It's not optional - organizations must prioritize cybersecurity risk. To do that, you need a framework. NIST CSF is a risk-based framework and common language for understanding, managing, and indicating cybersecurity risk. Here's why and how you should use it. 

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Time's Up: Why Colleges and Universities Should Update Their Codes of Conduct

Codes of conduct have been an element of effective ethics and compliance programs since the first programs were created in the late 1980s. Unfortunately, the structure, format, and design of codes for institutions of higher education have not kept pace with best practices. It’s time for colleges and universities to catch up.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Subscribe Now!