EU Directive 2019/1937 on whistleblower protection
Comprehensive guide to the EU Whistleblower Protection Directive (2019/1937). Understand who must comply, deadlines, requirements, and how to implement a compliant reporting channel.
A practical guide for organisations that need to understand and comply with the European Union's Whistleblower Protection Directive.
Key compliance deadlines
- 17 December 2021 — Transposition deadline for member states; obligations apply to organisations with 250 or more employees
- 17 December 2023 — Extended deadline for organisations with 50–249 employees
- All EU member states have now transposed the Directive into national law
What is the Whistleblower Protection Directive?
Directive (EU) 2019/1937 of the European Parliament and of the Council, adopted on 23 October 2019, establishes common minimum standards for the protection of persons reporting breaches of Union law. It requires organisations to set up secure, confidential reporting channels and prohibits retaliation against whistleblowers.
The Directive covers a broad range of EU law areas, including public procurement, financial services, product safety, environmental protection, food safety, public health, consumer protection, data protection, and more.
Who must comply?
The Directive requires internal reporting channels for:
- Private sector organisations with 50 or more employees
- All public sector entities, including municipalities and government bodies
- Financial sector entities, regardless of size (banks, insurance, investment firms)
- Organisations in regulated sectors covered by EU law (AML, aviation safety, etc.)
Note that individual member states may set broader requirements in their national transposition. Always verify the specific obligations in each jurisdiction where your organisation operates.
Core requirements
Organisations subject to the Directive must:
1. Establish internal reporting channels
Provide secure channels that allow workers to report breaches confidentially. Channels must accept reports in writing (online platform, email, post) and/or orally (telephone hotline, voice messaging). The channel must ensure the confidentiality of the reporting person's identity.
2. Designate a responsible person or department
Assign an impartial person or department to receive and follow up on reports. This function must have the authority to conduct investigations and must operate independently from management that could be subject to reports.
3. Follow prescribed timelines
- 7 days — Acknowledge receipt of the report to the whistleblower
- 3 months — Provide feedback to the whistleblower on the follow-up actions taken
- Maintain records of all reports in compliance with data protection requirements
4. Protect whistleblowers from retaliation
The Directive prohibits any form of retaliation, including dismissal, demotion, intimidation, damage to reputation, and blacklisting. Member states must provide effective remedies and support measures for reporting persons who suffer retaliation.
5. Ensure data protection compliance
All personal data collected through the reporting channel must be processed in accordance with the General Data Protection Regulation (GDPR). Data must be stored only as long as necessary and access must be limited to authorised personnel.
Penalties for non-compliance
Member states define their own penalty regimes in national transposition laws. Penalties may be imposed for:
- Failing to establish reporting channels
- Obstructing or attempting to obstruct reporting
- Retaliating against reporting persons
- Breaching confidentiality obligations
- Bringing vexatious proceedings against reporting persons
In Germany, for example, the Hinweisgeberschutzgesetz (HinSchG) provides for fines of up to €50,000 for failing to establish a reporting channel and up to €100,000 for retaliation. Other member states have similar penalty ranges.
National transpositions
Each EU member state has transposed (or is in the process of transposing) the Directive into national law, often with additional requirements:
- Germany — Hinweisgeberschutzgesetz (HinSchG), in force since July 2023
- France — Loi Sapin II (updated 2022), with broader scope than the Directive
- Sweden — Visselblåsarlagen, in force since December 2021
- Denmark — Lov om beskyttelse af whistleblowere, in force since December 2021
- Netherlands — Wet bescherming klokkenluiders, updated February 2023
- Poland — Ustawa o ochronie sygnalistów, in force since September 2024
Choosing a reporting channel solution
When selecting a digital reporting platform to meet the Directive’s requirements, organisations should evaluate:
- Compliance coverage — Does the platform support all jurisdictions where you operate?
- Anonymous reporting — Can reporters submit reports without identifying themselves?
- Two-way communication — Can the designated person communicate with the reporter while maintaining anonymity?
- Deadline tracking — Does the platform enforce the 7-day and 3-month response deadlines?
- Data hosting — Is data processed and stored within the EU, in compliance with GDPR?
- Audit trail — Does the platform maintain a complete record of all actions for compliance documentation?
- Deployment speed — How quickly can the channel be operational?
Compare reporting platforms
We maintain an independent directory of whistleblower reporting tools evaluated against EU Directive 2019/1937 requirements.