Countdown to the EU Whistleblower Protection Directive: 30 Days to Enforcement

Matt Kelly

Last month we kicked off a countdown series to the new EU Whistleblower Directive, which goes into effect on Dec. 17, 2021. Now that the corporate compliance community is only 30 days from the start of enforcement, we should step back and look at the state of implementation from the regulators’ perspective.

How many EU member states have already implemented a version of the directive? Which ones have gone further than the directive’s requirements, and which ones haven’t even started yet? What enforcement mechanisms will exist once Dec. 17 arrives, and which companies will be held liable under the directive?

Especially for smaller businesses, or for businesses with operations across multiple EU member states (yes, we mean you, franchise businesses), tracking the directive’s progress can be a complicated endeavor. Let’s walk through the particulars, and then revisit the steps companies will need to take to assure compliance.

What are the important deadlines for the EU Whistleblowing Directive and who will be held liable under the directive’s requirements?

The most important deadline is the one already mentioned: Dec. 17, 2021. On that day, any organization working within the European Union with 250 or more employees will be subject to the Whistleblower Directive. EU member states are also expected to have transposed the directive into national law by that day, although not every state will have done so by the deadline. (More on that later.) 

Smaller organizations, with 50 to 250 employees, will have until Dec. 17, 2023 to comply with the directive.

Both organizations and individuals can be held liable under the directive for violating its terms, such as retaliating against a whistleblower or failing to provide a means for whistleblowers to speak up. The directive does say that parties violating the directive should face penalties, but it does not specify what those penalties should be; it leaves that question to EU member states themselves.

What is the status of EU member states’ implementing the Whistleblower Directive?

The picture is mixed. Two member states have fully transposed the directive into national law already, a handful haven’t even started, and most are somewhere in the middle of drafting or adopting their own version of the law.

  • Only Denmark and Sweden have implemented the Whistleblower Directive into national law and could be considered “finished” with transposing it. 
  • Cyprus, Hungary, Luxembourg, and Malta have not made any substantive progress on transposing the directive at all. 
  • The remaining 21 member states — from Ireland in the west to Bulgaria and Romania in the east; Finland in the north to Greece and Italy in the south — are in various stages of bringing their national laws into alignment with the directive. 
  • Since the United Kingdom is no longer part of the EU, it doesn’t need to implement the EU directive. British companies working in Europe, however, will still be subject to whistleblower protection laws that exist in the EU member countries where they do business. So those British companies will need to consider whether the whistleblower systems they have in place to comply with British law will also be sufficient to comply with the EU directive as applied across the continent.
  • The four countries in the European Free Trade Association (Norway, Iceland, Liechtenstein, and Switzerland, which technically aren’t part of the EU but model their legal regimes after it) are also in the middle of implementing the directive.

When a member state doesn’t implement an EU directive by the prescribed deadline, the European Commission can then bring proceedings against that state in the EU Court of Justice to force the issue. Those proceedings, however, can take quite a bit of time. 

Meanwhile, for companies operating in EU states that haven’t yet transposed the directive into national law, it’s wise to implement a whistleblower protection system that at least complies with the directive itself. You may still need to amend local policies and procedures as member states do finish transposing the directive, but that start is better than nothing.

What considerations are important for your organization as the implementation deadline draws near?

Even if the corporate world isn’t entirely clear on how countries will enforce the EU Whistleblower Directive (and let’s be honest, with so many member states still transposing the directive into national law, we’re not), corporate compliance teams can still anticipate much of what will come next. We know that member states will adopt the directive eventually and that enforcement under the directive will happen. So compliance officers can take several important steps even now, while member states resolve that last ambiguity.

Get the fundamentals in place

You will need an internal whistleblower hotline. It will need to be accessible to employees and others who might use it. Find whatever internal hotline mechanism works best for you (probably a dedicated whistleblower hotline provider that can support multiple intake channels and multiple languages), and get that system operative as soon as possible.

Work on training and communication

Cultivating a speak-up culture is not easy. Employees will need training and communication from management to understand that the whistleblower hotline exists for their use: what incidents they can report, how the company will respond, and the anti-retaliation protections that the company will provide as part of the directive. Middle managers will also need their own training on how to support a speak-up culture and how to recognize (and prevent) retaliatory behaviors that might happen. 

Always remember: the EU Whistleblower Directive isn’t just about creating a hotline tool; it’s about fostering a stronger speak-up culture. It’s about driving your workforce to better performance. Motivating and guiding them will always be the biggest compliance challenge you face with the directive.

Develop a response capability

When employees submit reports via the hotline, companies will need to respond — seven days to acknowledge receipt of the report, and three months to inform the employee of the outcome. So businesses will need to develop policies, procedures, and manpower strategies that can meet those response obligations.

Companies won’t necessarily need to launch a dedicated “Department of Whistleblower Investigations,” but they will need a response capability. Someone will need to receive and triage complaints, investigate, and reply to whistleblowers. Technology can help with some of those tasks, but ultimately the compliance team and senior management will need to assure that the company has assigned roles and responsibilities, and developed policies and procedures, to get the work done.

If your organization can get at least these three compliance objectives in place by Dec. 17, you’ll be positioned to enter the new world of the EU Whistleblower Directive with minimal turbulence. The clock is ticking.