
AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.


Whistleblower Protection Directive (EU) 2019/1937 — Reporting Channels, Retaliation Bans and Compliance Obligations

Analysis from 17 April 2026 · 2 sources · Consolidated version of 30.12.2024 (incorporating amendments M1–M6) · EUR-Lex Original

Do we need a whistleblower reporting channel, and what happens if an employee reports a compliance breach before we have one?

Every private-sector entity with 50 or more workers, and every public-sector entity not exempted by national law, must operate a secure internal reporting channel under Directive (EU) 2019/1937. The transposition deadlines have passed in all Member States, and hindering a report, retaliating against a reporting person or breaching their confidentiality exposes the organisation and the individuals involved to effective, proportionate and dissuasive penalties set by national law [Art. 23].

Short Answer

Directive (EU) 2019/1937 obliges all private-sector legal entities with 50 or more workers and all public-sector bodies to establish confidential internal reporting channels covering breaches of EU law across areas such as public procurement, financial services, product safety, data protection and the environment [Art. 8(1), Art. 2(1)]. Reporting persons — including employees, self-employed contractors, trainees and shareholders — are protected against any form of retaliation, and the burden of proof shifts to the employer once a detriment is established [Art. 21(5)]. Reports must be acknowledged within seven days and substantive feedback provided within three months [Art. 9(1)(b), (f)]. Member States may extend the Directive's scope beyond the EU-law areas listed in the Annex [Art. 2(2)].

Who is affected

Private-sector legal entities with 50 or more workers must operate internal reporting channels [Art. 8(3)]. The headcount threshold does not apply to entities falling under the Union acts listed in Parts I.B and II of the Annex, notably financial services and anti-money-laundering rules and certain transport-safety and environmental instruments [Art. 8(4)]. All public-sector entities are covered, though national law may exempt municipalities with fewer than 10,000 inhabitants or fewer than 50 workers, and other public entities with fewer than 50 workers [Art. 8(9)]. Protection extends to workers, civil servants, self-employed persons, shareholders, board members, volunteers, trainees and persons working under the supervision of contractors, subcontractors and suppliers [Art. 4(1)].

Deadline

The general transposition deadline was 17 December 2021 [Art. 26(1)]. For private entities with 50 to 249 workers, the internal reporting channel obligation applied from 17 December 2023 [Art. 26(2)]. All deadlines have passed; the obligations now apply through each Member State's transposition law. Ongoing operational deadlines: acknowledge reports within 7 days [Art. 9(1)(b)], provide feedback within 3 months [Art. 9(1)(f)].

Risk

The Directive requires Member States to provide for effective, proportionate and dissuasive penalties for hindering reporting, retaliating against reporting persons, bringing vexatious proceedings, or breaching whistleblower confidentiality [Art. 23(1)]. Penalty levels are set by national transposition law — for example, Germany's HinSchG provides fines up to EUR 50,000. Beyond fines, employers face reversed burden of proof in retaliation claims [Art. 21(5)], potential full compensation orders [Art. 21(8)], and reputational damage from public disclosure if internal and external channels fail [Art. 15].

Legal status

  • In force as of 2026-04-17
  • Consolidated version of 30.12.2024 (incorporating amendments M1–M6)

What to do now

Legal / DPO

  • Map your national transposition law against the Directive's minimum standards — several Member States grant broader protection or additional subject-matter scope [Art. 25(1)] — and document any gaps in a legal register.
  • Review all employment contracts, NDAs and settlement agreements for clauses that purport to waive or limit whistleblower rights; the Directive requires Member States to ensure such clauses cannot be given effect, whether in an agreement, policy or condition of employment [Art. 24].
  • Prepare a retaliation-response protocol ensuring the burden-of-proof reversal is operationally understood: once a reporting person shows detriment, the employer must prove the measure was independently justified [Art. 21(5)].

Compliance

  • Establish or audit internal reporting channels that accept reports in writing and orally, protect the identity of the reporting person, and prevent access by unauthorised staff [Art. 9(1)(a), Art. 9(2)].
  • Implement a case-management workflow guaranteeing acknowledgement within 7 days and substantive feedback within 3 months from acknowledgement [Art. 9(1)(b), (f)].
  • Designate an impartial person or department competent for follow-up [Art. 9(1)(c)]. If you rely on shared resources for receiving reports and conducting investigations (permitted for entities with 50–249 workers), document that the entity's own obligations on confidentiality, feedback and addressing the breach are still met [Art. 8(6)].

IT / Security

  • Design the reporting channel's technical infrastructure to ensure end-to-end confidentiality, integrity and durable storage of reports, preventing access by non-authorised staff [Art. 9(1)(a), Art. 18(1)].
  • Implement access controls and audit logging so that the identity of reporting persons cannot be disclosed without explicit consent or a proportionate legal obligation [Art. 16(1), Art. 16(2)].
  • Ensure personal data collected through the reporting channel complies with GDPR requirements — manifestly irrelevant data must be deleted without undue delay [Art. 17].

Product / Engineering

  • If your product or platform processes whistleblower reports for clients, verify that the channel design keeps the identity of the reporting person and any third party confidential and prevents access by non-authorised staff [Art. 9(1)(a)]; if you also serve competent authorities, the external-channel criteria of completeness, integrity and confidentiality apply [Art. 12(1)].
  • Build retention and deletion policies into your product so that report records are stored no longer than necessary and proportionate [Art. 18(1)].
  • Support oral, written and in-person reporting workflows, including transcript-and-sign features for oral reports, as required by the Directive [Art. 9(2), Art. 18(2)–(4)].
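The IT / Security and Product / Engineering items above describe properties rather than an implementation. The following is an added illustration of how a case-management backend can enforce them; it is not code from Conformi, from the Directive or from any transposition law, and every name in it (ReportStore, AuditLog, reveal_identity, AUTHORISED_ROLES, the retention period) is an assumption chosen for the example. It keeps the reporter's identity apart from the case file and releases it beyond the designated handlers only with explicit consent or a recorded legal basis [Art. 16(1)–(2)], writes every disclosure or refusal to a hash-chained audit log whose tampering is detectable, computes the acknowledgement and feedback deadlines including the no-acknowledgement fallback [Art. 9(1)(b), (f)], and purges closed cases once the retention period has run [Art. 18(1)].

```python
"""Confidential-report store for an internal reporting channel: added illustration,
not code from Conformi or any transposition law; all names here are assumptions."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AUTHORISED_ROLES = {"case_handler"}  # assumption: the Art. 9(1)(c) designated handlers

class AccessDenied(PermissionError):
    pass

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    last_day = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))

class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    def __init__(self) -> None:
        self.entries: list[dict] = []
    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})
        return self.entries[-1]["hash"]
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

@dataclass
class Report:
    case_id: str
    received: date
    content: str
    acknowledged: Optional[date] = None
    closed: Optional[date] = None

class ReportStore:
    def __init__(self, retention_days: int = 3 * 365) -> None:
        self.retention_days = retention_days  # assumption: fixed by the DPO under national law
        self.cases: dict[str, Report] = {}
        self._identities: dict[str, str] = {}  # never stored or exported with the case file
        self.audit = AuditLog()
    def receive(self, case_id: str, received: date, content: str,
                reporter_identity: Optional[str] = None) -> None:
        self.cases[case_id] = Report(case_id, received, content)
        if reporter_identity is not None:
            self._identities[case_id] = reporter_identity
        self.audit.append({"action": "receive", "case": case_id, "on": received.isoformat()})
    def acknowledge(self, case_id: str, actor_role: str, on: date) -> None:
        if actor_role not in AUTHORISED_ROLES:
            raise AccessDenied("only designated handlers act on cases")
        self.cases[case_id].acknowledged = on
        self.audit.append({"action": "acknowledge", "case": case_id, "on": on.isoformat()})
    def deadlines(self, case_id: str) -> dict[str, date]:
        """7 days to acknowledge; 3 months for feedback, counted from the
        acknowledgement or, if none was sent, from the end of the 7-day period."""
        r = self.cases[case_id]
        ack_by = r.received + timedelta(days=7)
        start = r.acknowledged if r.acknowledged is not None else ack_by
        return {"acknowledge_by": ack_by, "feedback_by": add_months(start, 3)}
    def reveal_identity(self, case_id: str, actor_role: str, *,
                        reporter_consent: bool = False,
                        legal_basis: Optional[str] = None) -> str:
        if case_id not in self._identities:
            raise KeyError("no identity on file (anonymous report)")
        if actor_role in AUTHORISED_ROLES:
            basis = "authorised_staff"  # Art. 16(1): competent handlers may know it
        elif reporter_consent:
            basis = "explicit_consent"  # Art. 16(1): anyone else needs consent
        elif legal_basis:
            basis = legal_basis  # Art. 16(2): e.g. a court order in proceedings
        else:
            self.audit.append({"action": "identity_refused", "case": case_id, "role": actor_role})
            raise AccessDenied("identity disclosure needs consent or a legal basis")
        self.audit.append({"action": "identity_disclosed", "case": case_id,
                           "role": actor_role, "basis": basis})
        return self._identities[case_id]
    def purge_expired(self, today: date) -> list[str]:
        """Delete closed cases, and their identity records, past the retention period."""
        expired = [c for c, r in self.cases.items()
                   if r.closed is not None and (today - r.closed).days > self.retention_days]
        for c in expired:
            del self.cases[c]
            self._identities.pop(c, None)
            self.audit.append({"action": "purge", "case": c, "on": today.isoformat()})
        return expired
```

Two design points carry the weight: the identity lives in a separate map so that exporting or backing up the case file never copies it, and the audit log records refusals as well as disclosures, so a later review can show both who saw an identity and under which basis. A real deployment would put the identity map in a separately keyed store and anchor the log's latest hash outside the application, but the control flow is the same.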

Key Terms

Reporting person
A natural person who reports or publicly discloses information on breaches of Union law acquired in a work-related context [Art. 5(7)].
Internal reporting
The oral or written communication of information on breaches within a legal entity in the private or public sector [Art. 5(4)].
External reporting
The oral or written communication of information on breaches to a competent national authority designated to receive and follow up on reports [Art. 5(5)].
Facilitator
A natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance must remain confidential [Art. 5(8)].
Retaliation
Any direct or indirect act or omission in a work-related context, prompted by reporting or public disclosure, that causes or may cause unjustified detriment to the reporting person [Art. 5(11)].
Public disclosure
Making information on breaches of Union law available in the public domain, protected under specific conditions where internal and external channels have failed or danger is imminent [Art. 5(6), Art. 15].
Follow-up
Any action taken by the report recipient or competent authority to assess the accuracy of allegations and address the reported breach, including enquiries, investigations, prosecution or fund recovery [Art. 5(12)].

Frequently Asked Questions

Which employees are protected as reporting persons?
Workers (including civil servants), self-employed persons, shareholders, board members (including non-executive), volunteers, paid and unpaid trainees, and anyone working under the supervision of contractors, subcontractors or suppliers [Art. 4(1)]. Protection also extends to facilitators, connected third persons (e.g. colleagues and relatives) and legal entities connected with the reporting person [Art. 4(4)].
Can a reporting person go directly to an external authority without first reporting internally?
Yes. While Member States encourage internal reporting first where the breach can be addressed effectively and there is no risk of retaliation [Art. 7(2)], reporting persons may report directly to competent external authorities and still qualify for full protection [Art. 10].
What are the mandatory timelines for handling a report?
The entity must acknowledge receipt within 7 days [Art. 9(1)(b)]. Substantive feedback must be provided within a reasonable timeframe not exceeding 3 months from the acknowledgement — or, if no acknowledgement was sent, 3 months from the expiry of the 7-day period [Art. 9(1)(f)].
Can entities with 50 to 249 workers share reporting resources?
Yes. These entities may share resources for receiving reports and conducting investigations [Art. 8(6)]. However, each entity retains its own obligations regarding confidentiality, feedback to reporting persons, and addressing the reported breach.
Under what conditions may a reporting person make a public disclosure?
Public disclosure qualifies for protection if (a) the person first reported both internally and externally, or directly externally, but no appropriate action was taken within the prescribed timeframes, or (b) the person has reasonable grounds to believe that the breach constitutes an imminent or manifest danger to the public interest, or, in the case of external reporting, that there is a risk of retaliation or a low prospect of the breach being effectively addressed [Art. 15(1)].
What types of retaliation are explicitly prohibited?
The Directive lists 15 forms of prohibited retaliation including dismissal, demotion, wage reduction, withholding of training, negative references, disciplinary penalties, harassment, blacklisting, contract cancellation and psychiatric referrals [Art. 19(a)–(o)].
How does the burden of proof work in retaliation cases?
Once the reporting person establishes that they made a report or public disclosure and suffered a detriment, it is presumed that the detriment was retaliatory. The employer must then prove the measure was based on duly justified grounds unrelated to the report [Art. 21(5)].