EU Whistleblowing Directive – Everything You Need To Know

The EU Whistleblowing Directive is the biggest shake-up
to company compliance in years.

Updated in June 2021

Not since the EU introduced the now-infamous GDPR law back in 2016 has there been a more important change for companies to be aware of, and implement.

As you’ll see from our infographic, and this article, the EU Whistleblowing Directive is:

  • Broad – Encompassing millions of companies operating in the EU that have 50 or more "workers".
  • Important – It will be mandatory to comply, and enforceable by law. Amongst other things, failure to comply could lead to legal ramifications, fines, and serious reputational damage.
  • Helpful – On the flip side, successful implementation can protect your company, and help to instill a better company culture.

Most companies are now starting to make changes ahead of compliance becoming mandatory from late 2021. So how will it impact your business? And what do you need to do?

To help you understand your company’s responsibilities, we’ve decoded the full 40-page EU Whistleblowing Directive into a simple infographic and FAQ.

Infographic EU Whistleblowing-Directive

Which organizations need to comply?

The short answer, as can be found in Paragraph 48 of the Directive, is that any enterprise in an EU member state that has 50 or more workers should be subject to the obligation to establish internal reporting channels, irrespective of the nature of their activities, based on their obligation to collect VAT.

However, there are a few important points that need to be taken into account:

  1. A ‘worker’ is not just someone that’s directly employed by your company.

    In fact, the Directive states that “protection should, thus, also be granted to workers in non-standard employment relationships, including part-time workers, fixed-term contract workers, as well as persons with a contract of employment or employment relationship with a temporary agency…”. In other words, if someone is being remunerated for their contribution towards the company, regardless of their formal employment status, they’re likely to be classified as a ‘worker’.

  2. This is the minimum that is required, but individual EU Member States can go further.

    As the EU published this as a directive and not as a regulation, it’s up to EU Member States to transpose it into their national laws. The EU Whistleblowing Directive specifically lays out that EU Member States may choose to go further, for instance, requiring companies with under 50 workers to comply, if there are “significant risks that may result from their activities”.

  3. Some EU Member States will provide further time for small and medium-sized companies to comply.

    Article 26 of the Directive says that each Member State must bring it into force by 17 December 2021 at the latest. However, it also says that Member States don’t have to make it mandatory for private sector companies with 50 to 249 workers until 17 December 2023. Given that this leeway is optional, you’ll need to check the specific national law to find out whether it applies.

    In addition, some Member States already have whistleblowing laws in force that cover similar requirements to those set out in the EU Whistleblowing Directive. For example, in France the Loi Sapin II has applied to companies with at least 50 workers since January 2018 and has wide-ranging protections for whistleblowers.

Is your business covered by a country’s whistleblowing rules?

If your business is based in the EU and has 50 or more ‘workers’, then you will almost certainly be covered by these new whistleblowing rules.

Even if this isn’t the case, you may still be covered as there is ambiguity within the EU Whistleblowing Directive on how it applies to non-EU companies.

For example, if you are a non-EU company, but still have 50+ workers and a presence in the EU, or have 50+ EU-based workers, it’s likely the Directive could still apply.

What allegations can be submitted?

The EU Whistleblowing Directive empowers whistleblowers to report any breach of EU law. Article 2 of the Directive specifically lists the following categories as examples:

  • Public procurement
  • Financial services
  • Products and markets
  • Prevention of money laundering and terrorist financing
  • Product safety and compliance
  • Transport safety
  • Protection of the environment
  • Radiation protection and nuclear safety
  • Food and feed safety
  • Animal health and welfare
  • Public health
  • Consumer protection
  • Protection of privacy and personal data
  • Security of network and information systems
  • Corporate tax avoidance/evasion
  • State aid

Very importantly, the Directive also says that this is the minimum required and that Member States may extend protection further under national law. This means more common company concerns, such as those connected with HR and recruitment, could also be included.

Who will be protected by the EU Whistleblowing Directive?

The EU Whistleblowing Directive does not just protect workers.

Instead, as set out in Article 4, it encompasses a very broad range of public and private sector stakeholders – from job applicants, all the way to the relatives or colleagues of a ‘reporting person’.

The Directive specifically lists the following people as protected:

  • Workers (employed or otherwise), including civil servants.
  • Self-employed workers.
  • Shareholders and persons belonging to the administrative, management, or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees.
  • Anyone working under the supervision and direction of contractors, subcontractors, and suppliers.
  • Reporting persons where they report or publicly disclose information on breaches acquired in a work-based relationship that has since ended.
  • Anyone whose work-based relationship is yet to begin in cases where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations.
  • Whistleblowing facilitators.
  • Third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context, such as colleagues or relatives of the reporting persons.
  • Legal entities that the reporting persons own, work for, or are otherwise connected with in a work-related context.

What types of protection will whistleblowers get?

The Directive places a large emphasis on protecting whistleblowers from any form of workplace retaliation. In Chapter 6, Article 19 of the Directive, there is an extensive list of the specific retaliation measures covered, such as demotions, reputational harm, and negative performance assessments.

It’s also stated that the identity of whistleblowers should be protected for as long as investigations are ongoing – i.e. the right of anonymity.

In terms of support, Article 20 of the Directive instructs Member States (not necessarily companies) to provide help to whistleblowers in the form of:

  • Comprehensive and independent information and advice, which should be easily accessible to the public and free of charge, on procedures and remedies available, on protection against retaliation, and on the rights of the person concerned.
  • Legal aid in criminal and cross-border civil proceedings.
  • The option to provide financial assistance and support measures, including psychological support, for reporting persons in the framework of legal proceedings.

When will these protections apply?

According to Article 6 of the EU Whistleblowing Directive, these protections apply to anyone reporting a potential breach, providing that they:

  (a) had reasonable grounds to believe that the information they reported was true at the time and that it fell within the scope of the Directive; and

  (b) reported it internally, externally, or via a public disclosure (including to any relevant institutions, bodies, offices, or agencies).

Protections still apply to whistleblowers whose identities are leaked and who suffer retaliation.

How should reports be handled by organizations?

According to Article 9 of the EU Whistleblowing Directive, there are a few principles that organizations should be aware of when handling internal reports:

  • Security – Internal channels for receiving the reports should be designed, established, and operated in a secure manner.
  • Confidentiality – Confidentiality of the identity of the reporting person and any third party mentioned in the report should be protected, with access prevented to non-authorized staff members.
  • Acknowledgment – An acknowledgment of receipt of the report should be made to the reporting person within seven days.
  • Impartiality – An impartial person or department should be designated as competent for following up on the reports. They will maintain communication with the reporting person and, where necessary, ask that person for further information and provide them with feedback.
  • Diligence – Investigations and follow-ups should be conducted diligently with reasonable care and effort.
  • Timely – There should be a reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt or, if no acknowledgment was sent to the reporting person, three months from the expiry of the seven-day period after the report was made.
  • Clarity – Clear and easily accessible information regarding the procedures for reporting externally should be given.
  • Accessibility – Reporting should be enabled in writing or orally, or both. Oral reporting should be possible by telephone or through other voice messaging systems, and, upon request by the reporting person, by means of a physical meeting within a reasonable timeframe.
  • Data Protection – Reports should be stored for no longer than is necessary and proportionate to comply with the requirements imposed by the Directive, or as otherwise legally required.

Do whistleblowers need to use internal channels for reporting?

No. The EU Whistleblowing Directive is clear that whistleblowers can report concerns internally, externally, or via public disclosure.

The following definitions for each of them are given within the Directive:

  • Internal reporting means the oral or written communication of information on breaches within a legal entity in the private or public sector.
  • External reporting means the oral or written communication of information on breaches to the competent authorities.
  • Public disclosure or ‘to publicly disclose’ means the making of information on breaches available in the public domain.

How to comply with the EU Whistleblowing Directive

At first glance, the requirements of the new EU Whistleblowing Directive are incredibly complex and overwhelming – particularly for businesses without dedicated compliance departments.

Furthermore, for millions of companies with more than 50 workers, compliance will be mandatory. So whether you like it or not, this is something that can’t be ignored. The risks of fines, legal issues, unreported wrongdoing, and reputational issues will weigh heavily on non-compliant companies.

So the question most companies are now asking themselves is:

What’s the quickest, easiest, best, and most cost-effective way to comply?

We believe the answer is Vispato.

Vispato is a modern, secure, and anonymous whistleblowing system. It works by creating a dedicated online portal for employees and stakeholders to make anonymous reports. All you do as a company is share the URL (e.g. via a company intranet, internal emails, on your website, etc.) and respond to reports if they come in.

As you will have seen in our infographic and this article, there are numerous requirements of the EU Whistleblowing Directive to comply with. Here are some of the ways Vispato is designed to help your company do just that:

  • Anonymous – Whistleblowers are completely anonymous. No registration is required, reports are end-to-end encrypted, and whistleblowers are given advice to reassure them.
  • Accessible for all stakeholders – The reporting portal can easily be used by any company stakeholder – even suppliers, shareholders, contractors, and other individuals covered by the Directive.
  • Secure – There are multiple layers of security against internal and external threats. In fact, we have dedicated a whole page of our website to this.
  • Data protection – Whistleblower data is protected with user access controls that restrict who can view whistleblowing reports.
  • 24/7 Availability – Whistleblowers can report concerns and wrongdoing at any time of the day.
  • Anonymous follow-ups – Your company can follow up with whistleblowers for further information without breaching their anonymity.
  • Flexibility – You can set any type of case category, depending on the type of company you are.
  • Cost-effective – At just €99/mo, regardless of users, usage, or company size, Vispato is highly cost-effective for any business.
  • Setup in minutes, rollout in minutes – Regardless of company size, everything can be set up and rolled out across your organization incredibly quickly.

Have any questions or need more information? We’re always happy to talk.


Please be aware that nothing in this article should be construed as legal advice. Full access to the EU Whistleblowing Directive is available here.
