A guide to implementation of the EU Whistleblower Protection Directive
About this guide
The Whistleblower Protection Directive has changed the approach to whistleblowing in many EU countries, as well as altering the compliance landscape for businesses operating in the region.
Employers must understand implementing laws to ensure they have an approach that works for their business and achieves local compliance. Multinationals bound by the US Sarbanes-Oxley Act require programs that satisfy the extensive protections under the Directive, while meeting US requirements. Our guide provides information on local transposition laws as well as an overview of the Directive's key provisions, a comparison with the Sarbanes-Oxley regime and compliance actions for employers.
The Whistleblower Protection Act came into force on 25 February 2023.
Companies with at least 250 employees had a transitional period of 6 months from the law coming into force to establish internal reporting channels.
Companies with 50 to 249 employees were required to implement an internal reporting channel by 17 December 2023.
The Whistleblowing Act came into force on 15 February 2023.
Organisations with 250 or more employees were required to have an internal reporting channel in place immediately from the date when the legislation came into effect.
Companies with 50 to 249 workers had until 17 December 2023 to provide an internal reporting channel.
The Whistleblowing Act came into effect on 1 August 2023 and affected entities were required to implement an internal reporting channel by this date. By way of exception, entities employing between 50 and 249 employees at 1 August 2023 had until 15 December 2023 to introduce a reporting channel.
The Whistleblower Protection Act was passed on 24 June 2021 to implement the provisions of the Whistleblower Directive. Companies with 250 or more employees were required to establish a whistleblower scheme by 17 December 2021.
For employers with between 50 and 249 employees, the obligation to establish an internal reporting channel took effect on 17 December 2023.
The Whistleblower Protection Act was adopted in December 2022 and entered into force on 1 January 2023.
Companies had 3 months to establish internal reporting channels, other than companies with fewer than 250 employees, which had until 17 December 2023.
A law implementing the Directive’s requirements came into effect on 1 September 2022. Application Decree No. 2022-1284 setting out details of the requirements for internal procedures was published on 4 October 2022.
All companies employing at least 50 employees were already required to have an internal whistleblowing procedure under existing laws.
The Whistleblower Protection Act was passed on 12 May 2023 and published on 2 June 2023. It came into effect on 2 July 2023.
Employers with 250 or more employees were required to implement internal reporting channels by the time the law came into force, on 2 July 2023.
Employers with 50 to 249 employees were required to implement internal reporting channels by 17 December 2023.
The whistleblowing legislation (T/3089) was passed on 24 May 2023 and the requirements, including for an internal reporting channel, came into force on 24 July 2023.
Employers who employ at least 50 but not more than 249 employees had until 17 December 2023 to implement an internal whistleblowing channel.
The Protected Disclosures (Amendment) Act was passed on 21 July 2022 to transpose the Directive into Irish law. The Act commenced in its entirety on 1 January 2023 and companies with 250 or more employees were required to have an internal reporting channel in place from that date.
Companies with 50 to 249 employees required an internal reporting channel by 17 December 2023.
Implementing legislation (Legislative Decree 24/2003) was published in the Official Gazette on 15 March 2023 and entered into force on 30 March 2023.
Employers with 250 or more employees required a reporting channel by 15 July 2023. Those with 249 or fewer had until 17 December 2023.
Bill n°7945 was adopted on 2 May 2023 and published in the Official Journal on 17 May 2023. The law came into effect on 21 May 2023.
Legal entities with 250 or more employees require an internal reporting channel from 21 May 2023.
Legal entities with 50 to 249 employees had until 17 December 2023.
On 24 January 2023, the Senate approved the Whistleblowers Protection Act. By Royal Decree of 17 February the Act entered into force on 20 February 2023, including the requirement for large employers with 250 or more employees to have an internal reporting channel.
Smaller employers (50-249 employees) had until 17 December 2023 to implement an internal reporting channel.
Work is currently underway on a law to provide for the protection of whistleblowers. The most recent draft bill was published on 12 January 2024.
It is expected that the law will come into force one month after publication in the official gazette. Employers will have one month from when the law enters into force to implement an internal reporting policy.
A law implementing the Directive was published on 20 December 2021, and came into force 180 days after its publication, on 18 June 2022.
Employers covered by the legislation were required to have implemented an internal reporting channel by 18 June 2022.
The Romanian law implementing the Whistleblowing Directive came into force on 22 December 2022.
Companies with 250 or more employees were required to implement an internal reporting channel by 22 December 2022.
Legal entities with 50 to 249 employees had until 17 December 2023 to implement internal reporting channels.
Amendments to the existing Whistleblower Act to transpose the EU Directive came into force on 1 July 2023.
Employers who fulfilled certain criteria were already required to have an internal reporting channel under existing legislation. However, the new legislation required these channels to be updated to comply with new requirements by 30 June 2023 and also obliged additional employers to establish internal reporting channels by 31 August 2023.
The Whistleblowing Act was published in the Official Gazette (BOE) on 21 February 2023. The Act entered into force 20 days later (13 March 2023).
Employers with 250 or more employees had until 13 June 2023 to implement a whistleblowing channel.
Entities with 50 to 249 employees had until 1 December 2023 to implement an internal reporting procedure.
Whistleblowing is regulated by the Swedish Act on the protection of persons reporting irregularities (the Whistleblower Act). The Act came into force on 17 December 2021 with compliance by 17 July 2022 for large companies (250+ employees) and 17 December 2023 for medium-sized companies (50 to 249 employees).
Whistleblower Protection Directive: Key Provisions
Introduction to the Whistleblower Protection Directive
Numerous recent global scandals have highlighted the important role that whistleblowers can play in exposing breaches of EU law. In particular, the workplace is often central to the identification of wrongdoing since individuals who work for, or have work-related contact with, a business are often the first to learn of alleged misconduct within the organisation. At the same time, fear of retaliation, and lack of legal protection against retaliation, can discourage them from reporting their concerns.
Previously, whistleblowing laws were implemented on a national basis across the EU, which meant that protections were fragmented, inconsistent, or even non-existent. To address this, the EU passed the Whistleblower Protection Directive, which had a deadline of 17 December 2021 for Member States to incorporate into their national laws.
The Directive reflects the European Commission’s view that Member States should have a legal and institutional framework to protect persons who, in the context of their industrial relations, draw attention to violations or to threats to the public interest or make information on them public. The Directive provides minimum standards that must be adopted at national level. This means that EU Member States have been able to adopt provisions that strengthen the regime set out in the Directive, but have not been able to implement rules that do not meet its minimum standards.
The EU whistleblower laws have heralded a significant change in approach to whistleblowing in many EU countries, as well as significantly altering the compliance landscape for companies operating in the EU. Employers must understand implementing laws to ensure they have an approach that works for their business and achieves local compliance. In addition, multinationals that have long adhered to the US “gold standard” Sarbanes-Oxley Act require programs that satisfy the extensive protections under the Directive, while continuing to meet US requirements.
While the EU framework requires many EU and multinational companies to adapt their approach to whistleblower programs, it also promises rewards. By ensuring that effective whistleblowing arrangements are in place, businesses have the opportunity to become aware of concerns at the earliest stages, helping to avoid or limit financial and reputational risks.
What can be reported?
The protection provided by the Directive applies to individuals who report a breach of EU law in any of the following areas:
- Public procurement
- Financial services, products and markets, and prevention of money laundering and terrorist financing
- Product safety and compliance
- Transport safety
- Protection of the environment
- Radiation protection and nuclear safety
- Food and feed safety, animal health and welfare
- Public health
- Consumer protection
- Protection of privacy and personal data, and security of network and information systems
- Breaches affecting the financial interests of the EU
- Breaches relating to the EU internal market.
The Directive permits Member States to extend their national provisions to cover areas beyond those listed above, with a view to promoting a comprehensive and coherent whistleblower protection framework at national level.
Who is protected?
The Directive applies protection to individuals working in the private or public sector who acquire information on suspected breaches in a work-related context. This definition specifically includes current and former:
- Workers – this is a wide definition that includes not only employees but any individual who performs services for and under the direction of another person, in return for remuneration. Protection will therefore cover workers in non-standard employment relationships, including fixed-term workers, agency workers and other atypical relationships;
- Self-employed individuals, including freelance workers, contractors and subcontractors;
- Members of an undertaking’s administrative, management or supervisory body;
- Trainees (paid or unpaid);
- Those working under the supervision / direction of contractors, sub-contractors and suppliers;
- New recruits who have not yet commenced work;
- Facilitators (someone who assists a person in the reporting process in a work-related context);
- Third persons connected with a reporting person who could suffer work-related retaliation (e.g. colleagues or relatives); and
- Legal entities that the reporting person is connected to in a work-related context.
What protection is provided?
An individual who meets the conditions for protection under the Directive is safeguarded from any form of retaliation and from threats of, or attempts at, retaliation. Member States must implement necessary measures to ensure this protection, including:
- It must be assumed that there has been retaliation and, in court proceedings, the burden of proof is on the organisation to show that it has not retaliated. Where there is an allegation of retaliation for making a report, it is for the person that has taken the detrimental measures to prove that this was, in fact, based on justified grounds.
- Effective remedies must be available, including the possibility of interim relief, as well as remedies and full compensation for any damage suffered by a person who makes a report.
- Penalties for those that hinder reporting or retaliate against, disclose the identity of, or bring vexatious proceedings against someone who has made a report must be effective, proportionate and dissuasive.
- The rights of someone who makes a report and the remedies available to them cannot be waived or limited by any form of agreement.
The Directive defines retaliation broadly to include:
- Suspension, lay-off, dismissal or equivalent measures
- Demotion or withholding of promotion
- Transfer of duties, change of location of place of work, reduction in wages or change in working hours
- Withholding of training
- A negative performance assessment or employment reference
- Imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty
- Coercion, intimidation, harassment or ostracism
- Discrimination, disadvantageous or unfair treatment
- Failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that they would be offered permanent employment
- Failure to renew, or early termination of, a temporary employment contract
- Harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income
- Blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry
- Early termination or cancellation of a contract for goods or services
- Cancellation of a license or permit
- Psychiatric or medical referrals.
Conditions for protection of a whistleblower
To enjoy protection under the Directive the reporting person must:
- Report either internally (within their employer’s organisation) or externally (to a competent authority) or make a public disclosure (place information in the public domain); and
- Have reasonable grounds to believe, given the circumstances and the information available to them at the time of reporting, that the matters they report are true. This requirement is intended to safeguard against malicious, frivolous or abusive reports as it withholds protection from individuals who deliberately report wrong or misleading information. At the same time, the requirement ensures that protection is not lost where someone reports inaccurate information because of an honest mistake. The motives of the person in reporting are irrelevant in deciding whether they should receive protection.
The Directive leaves it open to individual Member States to decide whether businesses and competent authorities are required to accept and follow up on anonymous whistleblowing reports. Whichever approach a Member State takes, an individual who makes an anonymous report must be given the protection of the Directive if they are subsequently identified and suffer retaliation.
Member States are to encourage internal, rather than external, reporting where a breach can be effectively addressed internally and where the individual reporting does not feel at risk of retaliation.
Entities, including private sector employers with 50 or more workers, must establish channels and procedures for internal reporting and for follow-up. Where required by national law, this should be done after consultation and agreement with social partners.
Reporting channels and procedures must:
- Enable individuals who fall within the scope of the Directive to report information on breaches;
- Provide for reports to be made either in writing, orally or both. Oral reporting should be possible by telephone or voice messaging system or in a physical meeting when requested by the reporting person;
- Be secure and ensure the confidentiality of the reporting person and anyone mentioned in the report;
- Provide for acknowledgement of receipt of a report within seven days;
- Designate an impartial person / department to diligently follow up on reports (including anonymous reports if provided for in national law). The designated person / department must maintain communication with the reporting person, ask for further information if necessary, and provide feedback to them;
- Provide for feedback to be given within a reasonable timeframe – not exceeding three months from receipt of the report. Feedback must include information on action taken or envisaged as follow-up and the grounds for such follow-up; and
- Provide information on procedures for reporting externally to competent authorities or EU entities.
Records of every report received must be kept, but for no longer than is necessary and proportionate to comply with the Directive and other legal requirements.
External reporting to competent authorities
Under the Directive, an individual may make an external report whether or not they have first made an internal report.
Member States must designate competent authorities to receive, follow up and give feedback on external reports. The Directive prescribes various requirements which Member States must implement in relation to reports to designated authorities. In particular, a designated authority must establish an independent and autonomous reporting channel which must, for example, provide for:
- Reports to be made either in writing, orally or both;
- Acknowledgement of receipt of a report within seven days in most circumstances;
- Confidentiality of the identity of the reporting person, with very limited exceptions;
- Reports to be diligently followed up and for feedback to be given within a reasonable timeframe – not exceeding three months or six months where this is justifiable;
- The final outcome to be communicated to the reporting person; and
- Reported information to be transmitted to other relevant EU bodies for further investigation in certain circumstances.
Records of every report received must be kept, but for no longer than is necessary and proportionate to comply with the Directive and other legal requirements.
The Directive provides protection for an individual who makes a public disclosure of information only if:
- They first made a report internally or externally, but no appropriate action was taken in response to the report within the three / six-month timeframe; or
- They reasonably believe that:
  - the breach they are reporting is a matter where there is imminent or manifest danger to the public interest; or
  - if they reported externally there is a risk of retaliation or a low prospect of the breach being effectively addressed.
Comparison of the EU Directive and the US Sarbanes-Oxley regime
For several years, there has been a significant global variation in the extent to which different countries have developed national laws to provide for whistleblowing reporting channels, to ensure that reports are followed up, to protect whistleblowers against retaliation, and to strengthen accountability. For various reasons, including a cultural hostility towards whistleblowing, many European nations were among those countries that had not implemented rigorous whistleblowing protections. These variations can make it tricky for multinational employers, including those subject to the US Sarbanes-Oxley regime (SOX), to implement a global approach to whistleblowing and, in particular, to use whistleblowing hotlines that allow employees to report concerns confidentially and anonymously.
The arrival of the EU Whistleblower Protection Directive has changed the global whistleblowing dynamic given that, in many respects, its provisions are wider than those that apply under SOX (see comparison table below). Although the Directive has brought the EU in line with SOX by providing for the use of whistleblowing hotlines, one aspect where uncertainty remains is in relation to the handling of anonymous reports. SOX requires anonymous reports be accepted/addressed, but the decision as to whether this is required is left to each individual EU Member State. Global employers should consider this aspect of local country implementation and, more broadly, consider the scope of the Directive and any expanded Member State protections in any review of their global whistleblowing arrangements.
| | EU Whistleblower Protection Directive | US Sarbanes-Oxley regime (SOX) |
|---|---|---|
| Which organisations must comply? | Legal entities in the public sector and legal entities in the private sector with 50 or more workers must establish internal reporting channels. All entities within the EU are prohibited from retaliating against an individual who qualifies as a “reporting person” under the Directive. | A covered company’s subsidiaries, contractors, subcontractors or agents may also be covered. |
| Types of wrongdoing which can be reported | Breaches of EU laws on: | Any conduct which the employee reasonably believes to be a violation of: (1) mail, wire, bank, or securities fraud statutes; (2) any SEC rule or regulation; or (3) any provision of Federal law relating to fraud against shareholders. |
| Internal reporting system required? | Yes, for legal entities in the public sector and legal entities in the private sector with 50 or more workers. | |
| External reporting system required? | Yes. Under the Directive, an individual may make an external report whether or not they have first made an internal report. | Yes. Under SOX, an individual may report directly to the SEC whether or not they have made an internal report. |
| Must anonymous reports be accepted / addressed? | Each Member State to decide. | |
| Who is protected by the regime? | Reporting persons who acquire information on breaches in a work-related context including current and former: | An individual presently or formerly working for a covered person, an individual applying to work for a covered person, or an individual whose employment could be affected by a covered person. See above for covered persons. In 2014, the U.S. Supreme Court held that employees of private contractors and subcontractors of public companies are protected by the whistleblower provision set forth in 18 U.S.C. § 1514A of the Act subject to “various limiting principles” (eg, the disclosures pertain to fraud perpetrated by a publicly-traded company, as opposed to wrongdoing by a private contractor). |
| Protection against retaliation | | |
| Application to foreign subsidiaries or overseas branch offices | | SOX covers subsidiaries or affiliates whose financial information is included in the consolidated financial statements of a company registered under Section 12 or required to file 15(d) reports. The DOL’s Administrative Review Board has held that SOX’s anti-retaliation provision does not apply extraterritorially. However, in some instances, conduct abroad may have a sufficient connection to the US to fall within SOX’s protections. |
| Financial incentives available? | Directive silent on the matter. | |

*There are other federal, state and local statutes that prohibit private sector employers from retaliating against whistleblowers, many of which are industry or sector specific.
Recommended actions for employers
Recommended actions for businesses operating in the EU to take for workplace whistleblowing compliance include:
- Monitoring implementation laws and additional regulatory guidance in each EU country in which the company operates, taking particular note of any aspects where there is differentiation from the requirements set by the Directive.
- Reviewing current whistleblowing arrangements or introducing new arrangements to ensure clear reporting channels are available. This will be the best way to avoid the risks associated with external reporting or public disclosure. Particular aspects of the Directive which may not form part of existing whistleblowing policies and procedures and should be factored in, include:
  - the requirement to provide a local entity reporting option which, according to the European Commission, is required for proper compliance;
  - the obligation to provide information about procedures for reporting to external authorities;
  - the wide scope of matters on which reports can be made;
  - the extended scope of individuals who are protected against retaliation under the Directive;
  - the specific timeframes for handling reports – seven days to acknowledge receipt and three months for providing feedback; and
  - the need for demonstrable follow-up to a report and feedback to the individual who has made the report.
- Implementing / reviewing an escalation policy so it is clear throughout the organisation when a report should be escalated / shared with a central function. The policy must contain appropriate safeguards to ensure compliance with confidentiality and data privacy requirements.
- For businesses that provide a telephone / automated hotline as part of their whistleblowing procedures, ensuring these arrangements are configured to meet any particular jurisdictional requirements implemented by Member States. Local language considerations are likely to be important.
- Preparing for the “reverse burden of proof” included in the Directive, which requires the employer to prove that any alleged retaliatory actions were based on justified grounds.
- In addition to ensuring that all whistleblowing reports are diligently investigated and responded to by individuals who have been fully trained for the role, businesses should also ensure continued monitoring of, and record keeping as regards, relationships with individuals who have made reports, even after their matter is closed. This will enable a business to ensure there is no retaliation or that any adverse action subsequently taken is justifiable on legitimate grounds.