EU Whistleblower Protection Directive - How Our Online Solution Helps You Comply


What is the EU Whistleblower Protection Directive?

Directive (EU) 2019/1937 (commonly referred to as the “EU Whistleblower Protection Directive”) was adopted by the European Council in 2019. It aims to strengthen protections for people who report breaches of EU law, create safer, better-defined reporting channels across all EU member states, and move member states towards a unified legal framework.
The Directive has implications for hundreds of thousands of organisations within the EU—and beyond. December 2021 marks the deadline for member states to enact national law satisfying the requirements of the Directive for organisations of 250 people or more, leaving two further years for smaller organisations of 50 or more people. Laws will vary by country, as the Directive establishes minimum standards, which will be transposed to national law in each member state.

What are the benefits of complying with the Directive?

Beyond the legal requirements established in the legislation, research suggests there are real benefits to organisations that encourage internal reporting. A study from George Washington University in the United States showed that higher organisational whistleblowing rates correlate with decreases in material lawsuits, settlements and negative news stories¹.
Low reporting numbers rarely indicate a lack of misconduct in an organisation. Rather, unreported concerns represent a serious risk, creating organisational blind spots that can become glaring (and sometimes, public) crises if left unresolved. An effective, trusted avenue for employees and affected parties to report allegations of wrongdoing is fundamental to creating a more ethical culture in any organisation. Beyond empowering and protecting individuals who choose to speak up, the insight gained through a mature whistleblowing programme can be hugely beneficial to organisations of any size.
The knowledge collected from whistleblowing can be used to identify areas of organisational risk, inform and enhance internal training programmes, and modify policies to encourage more positive operational outcomes.

Does our current governance, risk and compliance (GRC) programme align with the Directive?

While legislation will vary at member state level, the Directive establishes several fundamental minimum requirements that organisations must satisfy. WhistleB is a straightforward solution designed to help you meet the requirements laid out in the Directive:

Whistleblower Protection Directive Requirement

Provide safe, accessible channels to receive whistleblowing reports to the organisation. Whistleblowers should be able to submit reports orally, in writing and/or in person.

WhistleB Solution Features

WhistleB is a secure, simple-to-use, web-based system that incorporates both a reporting channel and a case management tool. It enables the reporting of suspected misconduct via an online channel that can be accessed any time, around the world, in a variety of languages and from any device. Reports captured internally, through conversations or in-person meetings, can also be added to the system, enabling all reports to be properly and securely managed and tracked in one place.

Whistleblower Protection Directive Requirement

Maintain confidentiality for the whistleblower, the person named in the report and any third parties referenced.

WhistleB Solution Features

The WhistleB system is designed to ensure the whistleblower and any third-party information remains confidential throughout the process. Where anonymous reporting is allowed, anonymity of the whistleblower is guaranteed during reporting and throughout follow-up.

Communication is encrypted in transmission and at rest, meaning whistleblowers cannot be traced through IP addresses or other digital means. Two-factor authentication ensures the case management tool is accessible only to authorised individuals.

Whistleblower Protection Directive Requirement

Acknowledge receipt of reports within seven days.

WhistleB Solution Features

When reporting through WhistleB, whistleblowers receive a confirmation that their message has been sent. Case managers can send a response confirming receipt, and templates are available for this.

Further, the system can be configured to notify case managers automatically, either by email or text message, that a report has been received.

Whistleblower Protection Directive Requirement

Respond to and follow up on reports within three months; define and detail the investigation and decision-making process.

WhistleB Solution Features

The case management tool within the WhistleB system enables case managers to follow a structured process for handling cases and to provide timely feedback to interested parties.

Cases can be assigned to different teams for processing, and case-related discussions can be held between team members securely within the system.

If more information is needed for the investigation, the WhistleB system allows the whistleblower to upload supporting files and digital content anonymously and securely.

WhistleB includes an advanced statistics and reporting tool that provides an overview of current and historic data, status, alerts, performance indicators and in-depth analysis.

The EU Whistleblower online training course, available through NAVEXEngage™, covers best practices and expectations for managers handling and escalating reports to give their employees confidence in the reporting process.

Finally, the WhistleB Resource Centre provides users everything they need for a successful, speedy implementation.

Whistleblower Protection Directive Requirement

Maintain auditable reporting records while adhering to confidentiality requirements.

WhistleB Solution Features

WhistleB is part of the NAVEX Global suite of incident management solutions. These help organisations create clear, auditable, thoroughly documented report management processes to help prevent and/or identify any potential retaliatory activity against whistleblowers.

Encouraging reporting and protecting whistleblowers from retaliation goes beyond incident management. Organisations should develop, implement and maintain effective policies and processes that will protect employees from retaliation.

A well-formed, broadly accepted code of conduct helps give employees the confidence to speak up. Policy and procedure management is key for distribution and attestation, especially when managed through an automated programme such as NAVEX Global’s PolicyTech™. NAVEX Global’s EU Whistleblower online training course provides employees and managers with training on best practices for reporting and how to identify and prevent retaliatory actions.

Whistleblower Protection Directive Requirement

Provide workforce with appropriate information on the existence and proper usage of reporting channels.

WhistleB Solution Features

Through WhistleB, such information can be made available to users, such as employees, when they log in to the homepage of the whistleblower system. Information can be adapted for each country of operation and published in the local language, and it can explain organisational processes, local requirements, relevant external authorities and laws.

Awareness materials and communications templates are available in the WhistleB Resource Centre to help create visibility and communicate the availability of the reporting channel to employees and other stakeholders.

Whistleblower Protection Directive Requirement

Provide access to reporting channels for third-party networks to report breaches within a work-related context.

WhistleB Solution Features

The WhistleB system can be extended to parties operating externally or tangentially to an organisation such as suppliers, partners, customers and the general public. These groups can report confidentially, and anonymously if desired, on misconduct committed by members of the organisation.

Whistleblower Protection Directive Requirement

Ensure impartiality and competence of the people managing the reporting channels and handling the reports.

WhistleB Solution Features

As an online system, WhistleB guides the case management process according to the Directive. It can support a team of authorised whistleblowing managers, and is thus independent of any single individual.

When case investigations require additional expertise, both internal and external professionals can be added to the team, securely and on a case-by-case basis, maintaining the full confidentiality of the whistleblower’s identity.

Finally, WhistleB can be used for organisations that want to outsource the management of a reporting channel entirely without sacrificing security.

Whistleblower Protection Directive Requirement

Process any personal data in accordance with GDPR requirements.

WhistleB Solution Features

The WhistleB system enables users to comply with GDPR requirements for the handling of personal data, as well as security by design and security by default. The system enables deletion of personal data when cases are closed and allows the organisation to inform potential users about differences in national reporting.

Access to data is strictly controlled using multi-factor authentication and is limited to users appointed by the organisation. Data is strongly encrypted in transmission and at rest and is stored on servers located in the EU. The organisation itself controls the encryption, thus only the organisation can access the data. WhistleB does not have access to sensitive customer data such as whistleblower messages and dialogue, unless otherwise authorised by the organisation/customer.

Frequently Asked Questions

What if we operate in multiple EU member states?

According to the text of the legislation, there is no legal basis requiring separate, dedicated whistleblower setups in each affected country. If member state legislation arises that does create a basis for this requirement, WhistleB enables you to create multiple intake systems customised by geographic location and/or subsidiary. Note that the European Commission has clarified its position on the Directive’s demand for the establishment of separate whistleblowing channels for subsidiaries of a certain size. Here too WhistleB facilitates compliance, by allowing customers to create separate channels, with varying user access levels.

Does my whistleblower reporting system comply with data privacy legislation?

Depending on where you operate, the data associated with your whistleblower system is likely to be governed under one or many overarching data privacy regulations. The WhistleB whistleblowing solution is tailored to help you satisfy both GDPR requirements and national data protection laws.

How is anonymous reporting handled?

The WhistleB solution supports anonymous reporting. The ability for whistleblowers to report and follow up on allegations anonymously remains a valuable tool in the compliance toolkit.

This is a directive, not a regulation; what will the effect be for my organisation/state?

While this document pertains to the specific requirements laid out in the text of the Directive (rather than specific legislation), the Directive will have a direct effect in each member state. The requirements established by the Directive are required to be transposed into national law by each member state by 17th December 2021. The resulting laws will be legally enforceable at member state level from that date. We are closely monitoring the transposition process across all EU countries.

Will legal implementation differ among EU states?

The Directive seeks to establish a unified framework and legal standard across all member states. As each member state must transpose the Directive into national law, the states will have control over how individual aspects are applied at a local level. Some member states may extend their transposition to encompass a broader scope or stricter standards – this is allowable if their implementation meets or exceeds the minimum standard established in the Directive.

Will there be additional requirements in my country?

Member state transpositions may result in expanded legal requirements at the national level. Aspects such as types of misconduct reported and whether reports have been submitted anonymously may also see some disparity in the qualification for protection in different member states. Deterrents, such as financial or legal penalties for those organisations or persons that breach the new rules, will similarly be set at member state level and are likely to produce some divergence across the 27 member states.

The full extent of the differences will only become clear as we move closer to the transposition deadline.

Can I do more to encourage ethical behaviour in my organisation?

A whistleblowing platform serves as a valuable foundation for any risk and compliance management programme. The reports captured through these channels constitute a wealth of information and can provide leaders with valuable insight into the health and wellbeing of their organisation, its structures, and everyone directly involved in the operations.

Organisations that use whistleblowing and speak-up programmes to feed into their larger compliance framework see benefits in the form of deeper insights and a stronger workplace culture. NAVEX Global offers a comprehensive platform of solutions and products that work in concert with an organisation’s whistleblowing programme.

First, all ethics and compliance programmes should be underpinned by a strong code of conduct. This document should function as a thoughtful expression of an organisation’s values, and reinforce the fact that employees are encouraged to speak up when they see something wrong.

Robust training programmes act as a strong foundation for promoting a speak-up culture when paired with whistleblowing programmes. Training programmes teach employees best practices, highlight real-world examples of sometimes complex issues, and show employees their organisation takes unethical behaviour seriously.

Training and enforcement of your organisation’s values is a continual process. Many organisations employ a comprehensive, programmatic policy management system to effectively update, communicate, and distribute their internal policies among a varied collection of stakeholders. Centralised repositories and digital distribution systems provide employees easy reference while providing organisations with an auditable attestation record.

When implemented thoughtfully and maintained effectively, these systems work together to foster a more ethical organisational culture.

To learn more about the details and implications of the EU Whistleblower Protection Directive, please visit or contact us to discuss the details of your organisation’s ethics and compliance programme.