

The EU Whistleblowing Directive: Finding the Right Solution

By Matt Kelly

For many years, corporate whistleblowers in Europe were left to fend for themselves when they tried to raise alarms about misconduct. The very idea of whistleblowing carried a stigma in Europe, tracing back to the continent’s dark history during fascism and World War II. However, last year's EU Whistleblower Directive symbolizes a new wave of thought around the topic. 

Over the last decade, the attitude has been changing. The European Union has adopted new whistleblower protection directives for the whole region, and one country after another has adopted its own national law to encourage corporate whistleblowers. 

This is a welcome advance in ethics and compliance, although global businesses do face challenges in complying with the EU’s new wave of whistleblower protection laws. Compliance programs must balance competing interests around privacy, cultivating a speak-up culture, and rooting out reported misconduct as efficiently as possible.

The EU Whistleblower Directive and More

Corporations working in Europe will encounter whistleblower protection laws at multiple levels. 

First is the EU Whistleblowing Directive, which went into force at the end of 2019. This rule directs all member states of the European Union to adopt their own version of the directive as national law by the end of 2021. 

The directive itself says companies working in the EU that have 50 or more employees must create internal reporting systems to help employees and other third parties report violations of EU law and to protect those persons from retaliation when they do speak up. 

At a minimum, the national laws must include all the whistleblower protections listed in the EU directive, although they can also go further and include more protections if a country wants. For example, the EU directive lets individual states decide how to handle anonymous reporting, or whether to give financial rewards to whistleblowers who bring concerns to the government that result in monetary penalties. 

Second are the national whistleblower protection laws in each EU state. Some countries have already adopted whistleblower protection laws that reflect the EU directive’s goals; others have embedded the same protections in anti-corruption laws. For example:

Not every EU country has specific whistleblower protection statutes yet. Germany, for example, only has whistleblower protections that arise from general employment law and labor agreements. Spain has whistleblower protections for the securities industry, and its criminal code encourages businesses to protect whistleblowers, but that’s all. 

Why You Need to be Mindful of the EU Whistleblower Directive

According to the directive, any company with 50 employees or more is required to establish a robust internal reporting and investigations system that will allow employees and anyone working on behalf of the company to submit allegations of misconduct, as well as strong controls to prevent retaliation against whistleblowers. Reports need to be handled diligently and impartially, and companies must allocate adequate competence to investigations.

Requirements of EU Whistleblower Protection Rules  

All EU whistleblower protection laws require the same basic elements: a system to allow employees and third parties to submit allegations of misconduct, and policies and procedures to protect those whistleblowers from retaliation after they do speak up. 

That said, the specific requirements of each country’s whistleblower protection rules can vary quite a bit. So organizations working across Europe, facing compliance with multiple whistleblower protection laws simultaneously, will need to ask themselves several questions as they try to understand precisely what compliance obligations they have. For example:

Is your business covered by a nation’s whistleblower protection rules?

Most global organizations are large enough that they will be covered, but that may not always be the case. As mentioned, Spain’s rules only apply to the securities sector. In France, Sapin II’s anti-corruption provisions apply to any company doing business in France with more than 500 employees, but the whistleblower protection clauses apply to companies with as few as 50 employees. 

What allegations can be submitted?

The EU Whistleblower Directive provides protections for certain violations of EU law, such as allegations about accounting fraud, food safety, money laundering, nuclear safety, and public health. National laws can go further, to protect allegations about violations of local criminal law or even the company’s own Code of Conduct. 

How should anonymous reports be handled?

National whistleblower protection laws will handle anonymous reporting in different ways. For example, countries such as Germany and France focus more on shielding the identity of the whistleblower through data protection laws, although even then the laws allow for some circumstances when a whistleblower’s identity might be revealed, such as when an accused person demands to know where an allegation came from.

How will data protection laws intersect with whistleblower protection laws?

This issue can get complicated quickly because while whistleblower protection laws vary from one EU state to another, the EU General Data Protection Regulation (GDPR) applies universally across the entire union. So the subject of a complaint might have privacy rights that apply under the GDPR, even as a company tries to protect the identity of a whistleblower under other laws. This complexity can have implications for how the company handles the intake of complaints, investigations, and even follow-up communication with the original reporter. 

Altogether, compliance officers can see the larger challenge here. First, they must conduct a wide-ranging assessment of EU whistleblower protection rules that might apply to the organization. Then they need to construct the right blend of policies, procedures, and training that meet all the expectations of whistleblower protection rules without violating any data privacy rules.

How to Comply with the EU Whistleblower Directive

In order to be in compliance with the directive, organizations will need to identify a technology partner to provide whistleblower and case management services. Keeping in mind accessibility and safety as precursors to an effective internal reporting system, our Investigations solution offers whistleblowers an array of reporting channels, all of which are equally intuitive. A workflow-powered and highly configurable Investigations platform enables you with an ideal case management process that matches your company’s needs and organizational structure to help you close compliance gaps in no time. Here are some of the main criteria to take into account when selecting a whistleblower and case management solution.

Go Mobile

Our presence on the web is increasingly via our mobile phone. In fact, it accounted for more than 52% of worldwide traffic in 2020 compared to only around 16% in 2013. So, if you would like to present whistleblowers with a 21st century whistleblowing solution you need to go mobile. GAN’s Investigations solution empowers whistleblowers with a fully mobile reporting solution that allows employees and third parties to intuitively submit allegations of misconduct from anywhere and at any time. A mobile solution also makes it easier to attach evidence including photos or videos which, most of the time, are stored on our phones.  

Our Investigations solution supports a variety of reporting channels, including submission via whistleblower hotline and a highly configurable web-intake form. The online form can be customized to match your company’s brand and populated with the content you want to display, including company policies, important disclaimers, or hotline numbers.

The directive does not impose multiple reporting forms or state that submission must be done orally or in writing, but providing multiple reporting channels will broaden access to invite external parties, such as suppliers and customers, to bring their allegations to your attention, an initiative that is strongly encouraged by the directive.

Protect the Whistleblower

One of the main reasons for passing the new directive is to protect whistleblowers and enable them to speak up about misconduct. In turn, this allows companies to address breaches at an early stage. Studies reveal that almost one in four respondents were aware of misconduct, yet fewer than half of them chose to report it, with fear of retaliation the second most common reason.

The directive encourages whistleblowers to report their concerns internally, but provides protection to those who choose to take their concerns to regulators. Therefore, failing to establish adequate whistleblowing systems and a culture of compliance will not only discourage employees from reporting misconduct, but will also make whistleblowers feel confident bypassing their employers completely.

Nurturing and safeguarding a strong speak-up culture is fundamental and, in the long run, profitable for business. In fact, a strong speak-up culture is also synonymous with healthier business, greater profitability, and workforce productivity metrics. Empowering employees to speak up raises the chances of detecting misconduct before it spirals into a full-fledged violation, costing the business precious time and money, far exceeding the investment of having a whistleblowing program.

Up Your User Governance

A crucial part of protecting your whistleblowers is appropriate triage. With sophisticated user governance you can efficiently and quickly route reports to the appropriate manager to avoid any potential conflicts or jeopardizing the whistleblower’s identity. Thanks to highly configurable workflows you can allow your triage team to route cases to the appropriate case manager from an available and predetermined list of stakeholders. Cases can also be assigned based on location, type of incident, or any other parameter of your choice.

In addition to ensuring adequate routing, you can avoid unintended bias by limiting access of non-authorised employees to sensitive data. With GAN’s user management capabilities you can determine the scope of visibility and potential actions users can undertake by coupling access to employee attributes. You don’t need to worry about any future changes to attributes as the platform systematically reflects changes in any given user’s access rights.

Embrace Anonymity

Anonymity is key for encouraging people to report, yet compliance departments and investigators can sometimes feel hindered when digging into reports and concluding cases. Without jeopardizing the identity of the whistleblower and without compromising case managers’ ability to thoroughly investigate reports, GAN’s platform allows anonymous conversations to go on beyond the submission of reports. All whistleblowers are enabled to anonymously log back into their company’s submission portal using their confidential case ID and password. They can communicate with investigators, provide additional evidence and track overall progress of their cases.

Don’t Miss a Beat

Once the EU directive enters into force, liable companies must acknowledge receipt of reports within seven days. With reports potentially being submitted via different channels, it can get messy to keep track of when allegations were made. It is therefore essential to concurrently centralize and anonymize reports so that you have centralized oversight and can ensure adequate and timely management of cases.

Centralized management and visibility are therefore a core component of GAN’s platform design, giving compliance managers sleek and intuitive dashboards that provide a bird’s-eye view of incoming reports and progress of cases, with the ability to dig into cases as needed.

Automated notifications are triggered to case managers upon the reception of reports or assignment of new cases, and also whenever anonymous whistleblowers submit additional evidence or send new comments via the platform’s integrated messaging tool. This ensures that case owners are always on top of updates and that whistleblowers are instantly heard.

Investigate with Care

When it comes to investigating cases, the directive emphasizes the importance of diligence, adequate protection of whistleblowers, and timely follow-up to assure reporters that their concerns are being addressed.

GAN’s Investigation solution allows you to appropriately route reports, assign the necessary number of stakeholders, and escalate concerns to top management when the need arises. The case manager can assign a lead investigator, set the investigation start date, deadline, and any other additional instructions or information all in one configurable platform. Acknowledging the complexity of cases and, at times, the need to dig into adjacent matters, our platform allows you to conduct multiple investigations linked to the same case, assign respective investigative teams, and maintain overall progress of the case and related investigations.

When appropriate, you can designate outside counselors, lawyers, or external investigators to follow up on reports, engage in investigations or assess evidence by granting temporary and limited access to a specific segment of an investigation.

The same applies to internal employees thanks to the platform’s architecture that relies on the meticulous separation of the workflows underlying cases, investigations, evidence, case notes, and remedial action. Each of these variables has an independent life cycle, allowing users to review, edit, progress and validate actions all in a separate workflow process independent of the overall case progress. Separation of tasks and dashboard views is not only based on position, hierarchy or region, but also on the type and complexity of the case. Case managers, however, continuously maintain an overview of the progress and findings of each related investigation, evidence and any other case-related entity of all the cases assigned to them.

Aligned with the EU Whistleblower Directive’s impartiality and confidentiality requirements, segmentation of cases enables different stakeholders to engage in certain parts of cases without influencing or accessing each other. Compliance managers on the other hand are empowered to assign the best competences to their area of expertise and achieve the best results with the highest efficiency.

Document Your Activity

Like all other major compliance regulations, the EU directive sets a documentation standard, imposing the obligation of adequately documenting all case management activity. This can quickly turn into a herculean task, particularly if several compliance managers, investigators, and other stakeholders are involved in managing cases. With the platform’s integrated activity log, you can rest assured that all activity is automatically recorded along with the date and owner of actions, leaving you with clear and accessible information for later reference. The activity log is at all times visible within the application, capturing and time stamping the actions users take and the data points they change or update.

Capture the Spirit of the Directive with Analytics

The new requirements of the EU Whistleblower Directive definitely raise the bar for companies’ internal reporting programs, yet the underlying aim of the law is to adopt a proactive approach to whistleblowing and leverage the insights that flow into your investigations program.

All of that and more is possible with reporting and analytics integrated into GAN’s Investigations solution. Data from all cases are distilled, aggregated, and displayed in one encompassing dashboard that gives you a bird’s-eye view of the effectiveness and efficiency of your program. An integrated analytics solution, known as GANalytics, enables you to monitor data in real-time and share the latest insights with management via ad-hoc and tailored reports.

The Investigations platform’s reporting and analytics capabilities empower you to surface actionable insights with elaborate visualizations and drill down functionalities. Dashboards can also be accessed based on user attributes, empowering your team with the data and insights to keep performance on track. Likewise, tailored dashboards can be configured to meet the needs of your senior leadership team and align your findings and strategy with business objectives.

Enforcement of the EU Whistleblowing Directive is almost on our doorstep and compliance with the law will soon be a reality for many companies in Europe. If you are still considering how to effectively be ready before the deadline, our out-of-the-box solution can help you get there in no time.

Why Whistleblower Protection Programs Are Important

If for no other reason, whistleblower protection programs are important because a company exposes itself to litigation or regulatory enforcement actions without them.

Most EU whistleblower protection rules first direct employees to report their concerns internally, either to the compliance department or some other office. If the company ignores the complaint, only then can the employee bring his or her concerns to regulators. (This is the case in Germany and the Netherlands, for example.)

So the less responsive a company is to whistleblowers, the greater the chance those whistleblowers will report misconduct to outside authorities. This means more money spent responding to regulators, who might also impose penalties for weak whistleblower programs or retaliation along the way.

Across the EU, whistleblowers who experience retaliation can also seek redress in the courts, such as by filing a wrongful termination lawsuit. Laws differ about how much damages a whistleblower could claim, but at the least, they could sue to get back their jobs. Even if they don’t win, their cases mean more time and resources spent by the legal department.

More broadly, however, a strong culture of whistleblower protection helps companies in other ways. Employee morale is likely to be higher, and turnover is likely to be lower. Numerous studies have also shown that higher rates of internal reporting correlate with fewer material lawsuits against the company, fewer regulatory enforcement actions, and even better financial performance.

So even if a company can’t quantify a specific ROI for stronger whistleblower protection, when you compare the costs of investing in whistleblower programs versus the risks and expense of whistleblower protection failures—clearly, that ROI does exist. The European Union is converging on the same high standards for whistleblower reporting that already exist in the United States, and businesses ignore that fact at their peril.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
