Countdown to the EU Whistleblower Directive: It's Here

By Matt Kelly

Well, ethics and compliance professionals, after two long years of preparation, it’s finally here: The EU Whistleblower Protection Directive has now gone into effect.

From here forward, businesses working in the European Union must provide internal whistleblower systems for employees (and others, such as former employees or contract workers) to report allegations of misconduct; and protect those whistleblowers from retaliation after a report is filed. Organizations that fail to meet either of those obligations can face regulatory enforcement, including the potential for monetary fines, in any EU member state where they do business.

As we mentioned above, companies have had two years’ advance notice to prepare their compliance programs as necessary. Even better, the EU directive is quite similar to other whistleblower protection statutes that have existed in the United States for years — so for global businesses, the demands of the EU Whistleblower Directive are not unfamiliar ideas.

Still, for many smaller businesses that operate primarily in Europe, compliance with the directive will be a new experience. Moreover, each of the EU’s 27 member states can adopt the directive in its own way; so businesses will need to navigate a complex landscape of legal requirements.

All of this means that compliance officers have plenty to do here. Let’s take a look at the details.

What the Dec. 17 Deadline Means for Your Business

We can begin with the basics of EU Whistleblower Directive compliance.

What businesses are covered under the directive?

Any business working in the EU with 250 or more employees is now covered by the Whistleblower Directive. Businesses with 50 to 249 employees will be covered starting December 2023. Businesses with fewer than 50 employees will (as of today, at least) be exempt from compliance.

What does the directive require?

First, companies must create internal whistleblower systems for people to submit reports of misconduct (typically, violations of EU law) either verbally or in writing. The directive also defines “people” broadly, to include current employees, former employees, contract labor, family members of employees, and other groups who might be aware of misconduct.

Second, businesses must develop a capability to investigate those reports and respond back to the whistleblower. For example, once an allegation is submitted to the whistleblower hotline, the company must send an acknowledgement of receipt back to the whistleblower within one week. The company must also assign a specific person or team (such as the compliance officer) to look into the complaint; and that person must keep the whistleblower informed about the case, such as letting him or her know within 90 days whether the report was substantiated.

Third, companies must develop anti-retaliation policies and procedures to keep whistleblowers protected. Those policies and procedures should include training for employees (and, where necessary, specialized training for managers), disciplinary action for anyone who does retaliate, and protocols to keep a whistleblower’s identity confidential during an investigation.

Compliance officers should also remember that the EU Directive itself does not expressly say that a company’s internal whistleblower hotline should allow for anonymous reporting. Individual EU member states, however, can require businesses to accept anonymous reports — and if a member state does, then the same anti-retaliation protections apply to that person if his or her identity is later disclosed.

What are the penalties?

The directive doesn’t specify what the penalties for non-compliance should be. It says that there should be penalties, but leaves each EU member state to decide those for itself.

We still need to see how each EU state will “transpose” the EU Whistleblower Directive into national law to get a full understanding of what the penalties might be, but you could use existing whistleblower protection laws as a guideline. For example, Italy’s whistleblower protection statute allows a penalty of €5,000 to €30,000 against people who retaliate against a whistleblower.

Companies accused of violating the directive will also face costs to deal with regulators investigating that complaint; those expenses could easily be much larger than whatever final penalty you end up paying.

The Benefit of a Whistleblower and Case Management Platform

One question compliance officers will need to answer sooner rather than later is whether their business should use a whistleblower system provider to manage the routine operation of the hotline. Every company will have its own circumstances to consider, but there are several compelling benefits to using a whistleblowing software provider.

  • Easier management of calls and issues. Without a dedicated provider, your business will need to answer hotline calls directly. That can be an inefficient use of staff and resources. Likewise, using a software solution to process reports lets you manage reports centrally and keep an overview of how each investigation is progressing.
  • Better ability to be objective. Hotline providers have call center employees trained to be objective and follow procedure while taking information from whistleblowers; and because those employees don’t work for your business directly, they are much less likely to bring any bias into the interview that could jeopardize results later. Deploying a whistleblowing solution will also enable you to offer a way for employees to report anonymously online if they prefer to do so.
  • Better reporting and data analytics. Whistleblowing software providers also have specially developed technology and procedures to collect data about whistleblowing reports, so they can provide a holistic picture of the issues within your organization. You can then use those insights to revise policies, procedures, or risk assessments as necessary.

What To Do If You’re Not Ready for the Directive

Compliance with the EU directive will not be easy for many companies, since you’ll need to implement technology, policies, and procedures that could vary considerably from one EU state to the next. If you haven’t yet completed those efforts, don’t panic. You can still complete some tasks right away that will leave you better positioned for the more nettlesome compliance challenges to come.

First, identify the EU jurisdictions most important to your compliance objectives — both the countries where you do the most business, and the countries where you currently have the weakest compliance systems. Research the current state of whistleblower protection law in those places. Understand whether they’ve already transposed the EU directive, or when they will.

Second, start developing plans for the implementation of a whistleblowing system. Decide whether you want to use a whistleblower software provider. If you do, understand all the issues you should consider while evaluating specific providers, so you can find the best fit for you.

Third, roll out anti-retaliation and speak-up training immediately. These objectives are more about changing the ethical culture at your organization. That’s something you can begin to do immediately (even something as simple as senior executives talking more often about the importance of anti-retaliation) while sorting out technical issues related to the implementation of whistleblowing and case management systems.

Fourth, demonstrate and document that you have a plan. Regulators understand that no business is perfect. They aren’t gleeful to punish every infraction they can find. What they want to see is that a company is making the best possible effort it can to achieve a culture of compliance. Simply having a clear, sensible plan to develop a culture of compliance will help your business to stay in regulators' good graces, even when violations (inevitably) occur.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
