EU Whistleblowing Directive Compliance

What is the EU Whistleblowing Directive?

The EU Whistleblowing Directive (Directive 2019/1937) came into force on 17 December 2019, establishing minimum standards for whistleblower protection across all EU Member States.

The Directive aims to improve the detection and prevention of breaches of EU law by creating safe, confidential channels for employees and other workers to report misconduct without fear of retaliation.

Whilst the directive set a transposition deadline of 17 December 2021 for Member States to implement national legislation, the reality has been fragmented. As of 2025, all 27 Member States have now transposed the Directive into national law, though implementation quality varies significantly. Some countries, such as Denmark and Portugal, have expanded protections beyond the Directive’s minimum requirements, whilst others have faced criticism from the European Commission for incomplete transposition.

The Directive represents a fundamental shift in how organisations across Europe must approach whistleblowing. Unlike guidance or best practice recommendations, the Directive creates legal obligations that organisations must meet, with financial and reputational consequences for non-compliance.

Who Must Comply?

The Directive applies to both private and public sector organisations operating within the European Union:

Private Sector Requirements

  • Organisations with 250 or more employees: Must establish internal reporting channels (deadline passed in December 2021)
  • Organisations with 50-249 employees: Must establish internal reporting channels (deadline passed in December 2023)
  • Financial services organisations of any size: Must comply regardless of employee count due to money laundering and terrorist financing risks
  • High-risk sectors: Some Member States have extended requirements to smaller organisations in sectors including healthcare, transport safety, and environmental protection

Public Sector Requirements

  • All public sector institutions must establish internal reporting channels
  • Municipalities with 10,000 or more inhabitants must comply
  • Some Member States have extended requirements to smaller municipalities

UK Companies with EU Operations

Although the UK is no longer required to implement the Directive following Brexit, UK-based organisations with operations, subsidiaries, or employees in EU Member States must comply with the Directive for those entities. This creates a dual compliance requirement: PIDA (Public Interest Disclosure Act 1998) for UK operations and the EU Directive for European entities.

For guidance on navigating both frameworks, see our resource "What are the legal obligations for whistleblowing in the UK?".

Key Requirements for Organisations

The Directive mandates several specific obligations that organisations must fulfil:

Internal Reporting Channels

Organisations must establish secure, confidential internal reporting channels that enable both written and oral reports. "How do whistleblowing solutions support public sector requirements?" explores the specific needs of public bodies in meeting these obligations.

Reporting channels must be accessible to:

  • Current employees and workers
  • Former employees
  • Job applicants
  • Volunteers
  • Contractors and suppliers
  • Shareholders (in some Member States)

Response Timelines

Strict deadlines govern how organisations must handle reports:

  • Seven days: Maximum time to acknowledge receipt of a report to the whistleblower
  • Three months: Maximum time to provide feedback on actions taken and investigation outcomes

These timelines apply across all Member States, though some countries have implemented even tighter deadlines.

Confidentiality and Data Protection

All personal data must be handled in strict compliance with the General Data Protection Regulation (GDPR). This includes protecting the identity of both the whistleblower and any individuals mentioned in reports. Organisations must implement appropriate data retention policies for whistleblowing systems that balance legal requirements with data minimisation principles.

Protection from Retaliation

The Directive prohibits all forms of retaliation against whistleblowers, including:

  • Dismissal, suspension, or demotion
  • Withholding training or promotion opportunities
  • Negative performance reviews
  • Intimidation or harassment
  • Discrimination or unfavourable treatment

Significantly, the burden of proof rests with the organisation to demonstrate that any adverse action taken against a whistleblower was not motivated by their disclosure. "How can businesses protect whistleblowers from retaliation?" provides detailed guidance on establishing effective protection measures.

Designated Personnel

Organisations must appoint an impartial person or department to:

  • Receive and investigate reports
  • Maintain confidential two-way communication with whistleblowers
  • Provide feedback within required timelines
  • Maintain accurate records

This role could be filled by compliance officers, legal counsel, HR managers, or external providers such as Safecall. In our experience handling whistleblowing cases across Europe for over 25 years, organisations benefit significantly from ensuring that those receiving reports have professional investigative expertise to recognise serious concerns and conduct appropriate follow-up.

Timeline and Implementation

Understanding the implementation timeline helps organisations assess their current compliance status:

  • 16 December 2019: Directive enters into force
  • 17 December 2021: Member States must transpose into national law; organisations with 250+ employees must comply
  • 17 December 2023: Organisations with 50-249 employees must comply
  • 2024-2025: European Commission reviews implementation quality across Member States
  • Ongoing: National competent authorities enforce compliance and issue penalties

The staged approach has created complexity for multinational organisations, as different Member States have varied implementation dates and requirements beyond the Directive’s minimum standards.

UK Organisations and the EU Directive

UK organisations face unique considerations. Whilst the UK has its own whistleblowing framework under PIDA, which has been in place since 1998, this does not satisfy EU Directive requirements for EU-based operations.

Key differences between UK and EU requirements include:

| Aspect | UK (PIDA) | EU Directive |
|---|---|---|
| Mandatory channels | No general requirement | Required for 50+ employees |
| Protected persons | Employees and workers | Broader: includes volunteers, job applicants, shareholders |
| Response timelines | No specific requirement | 7 days acknowledgement, 3 months feedback |
| Scope | Any public interest wrongdoing | Specific breaches of EU law |

UK organisations with EU subsidiaries cannot rely on PIDA compliance alone. Each EU entity with 50 or more employees must establish its own internal reporting channel, though entities with 50-249 employees may share resources within a single Member State. The European Commission has made clear that subsidiaries should have the option to report locally rather than solely through a centralised group system.

Penalties for Non-Compliance

Penalties vary significantly by Member State, as the Directive delegates enforcement to national authorities:

  • Portugal: Fines up to €44,891.81 for organisations, €3,740.98 for individuals
  • Germany: Administrative fines for failing to establish reporting channels or breaching confidentiality
  • France: Enhanced requirements under Sapin II anti-corruption law, with substantial penalties for non-compliance
  • Spain: Registration requirements with the Independent Authority for Whistleblower Protection

Beyond financial penalties, organisations risk:

  • Regulatory enforcement action
  • Reputational damage from public disclosure of non-compliance
  • Increased vulnerability to external whistleblowing (to authorities or media) when internal channels are absent
  • Civil claims from whistleblowers who experience retaliation

"How can whistleblowing services help reduce workplace liability?" examines the risk management benefits of establishing robust whistleblowing arrangements.

Building an Effective Whistleblowing Programme

Compliance with the Directive requires more than implementing technology. Effective programmes integrate several elements:

Multiple Reporting Channels

Organisations should offer various ways to report:

  • Online reporting systems accessible 24/7
  • Telephone hotlines staffed by trained professionals
  • Written reporting via secure email or postal systems

At Safecall, all telephone reports are handled by former UK police officers, each with more than 25 years’ interview experience. This expertise ensures that serious concerns are recognised immediately and appropriate follow-up questions are asked to gather complete information.

Clear Communication

Employees and stakeholders must know:

  • How to access reporting channels
  • What can be reported
  • What protection they will receive
  • How reports will be handled
  • What timelines to expect

Proper Investigation Capability

Establishing reporting channels is only the first step. Organisations must have the capacity to investigate reports thoroughly and fairly. This may involve independent workplace investigations conducted by experienced professionals who understand regulatory requirements and can maintain objectivity.

Integration with Compliance Culture

Whistleblowing arrangements work best when embedded within a broader compliance and ethics programme. This includes:

"What is the role of whistleblowing in corporate compliance?" explores how effective whistleblowing supports broader governance objectives.

Specialist Considerations for Regulated Industries

Some sectors face additional requirements. "What makes a whistleblowing solution suitable for regulated industries?" addresses the specific needs of financial services, healthcare, and other highly regulated sectors.

Organisations in financial services, for example, must comply not only with the EU Directive but also with sector-specific requirements from regulators such as the Financial Conduct Authority in the UK. "How do whistleblowing systems help meet anti-corruption requirements?" and "How can whistleblowing hotlines support anti-fraud initiatives?" explore these overlapping obligations.

How Safecall Supports EU Directive Compliance

Since 1999, Safecall has helped organisations establish and maintain compliant whistleblowing arrangements across Europe. Our approach combines secure technology with professional expertise:

Compliant Reporting Channels

Our whistleblowing solutions meet all EU Directive requirements:

  • 24/7 telephone hotlines operated by former UK police officers
  • Secure online reporting in 175+ languages
  • GDPR-compliant case management software
  • Automated acknowledgement within seven days
  • Confidential two-way communication with whistleblowers

Expert Case Handling

Every report received through Safecall is quality assured by experienced operations managers before being forwarded to clients. This ensures that serious concerns are properly documented and that clients receive complete, actionable information.

For complex cases, organisations can access our independent investigation services, conducted by professionals with decades of investigative experience.

Implementation Support

Our account management team helps organisations navigate the complexities of multi-jurisdictional compliance, ensuring that arrangements work effectively across different Member States whilst meeting varying national requirements.

Training and Policy Development

We provide training programmes for employees and managers to support speak-up culture, as well as guidance on policy development and communication strategies.

Next Steps

Organisations subject to the EU Whistleblowing Directive should:

  1. Assess current compliance status across all EU entities
  2. Implement or enhance reporting channels to meet Directive requirements
  3. Establish clear procedures for handling reports within required timelines
  4. Ensure appropriate expertise in those receiving and investigating reports
  5. Communicate arrangements clearly to all employees and stakeholders
  6. Review and update policies regularly as national laws evolve

For expert guidance on EU Whistleblowing Directive compliance, contact Safecall on +44 (0)191 516 7720 or visit our EU Whistleblowing Directive legislation page for additional resources.