How to comply with the
EU Whistleblower Protection Directive

50 employees, or more? If so, you are affected by the EU Whistleblower Protection Directive.
Get our top tips for compliance.

The EU Whistleblower Protection Directive 


The EU Whistleblower Protection Directive aims at protecting and encouraging whistleblowers throughout the EU who report on misconduct in their workplace. All private and public legal entities with 50 or more employees will need to establish secure reporting channels. What can whistleblowers report on? Who can report? Find out more »

Use the EU Whistleblower Protection Directive to gain business value

Selecting the right skills, routines and system for internal reporting presents you with an opportunity for getting real business value from whistleblowing. Many WhistleB customers implement a whistleblowing system as a preventive measure. The very fact that the system is available may prevent misconduct occurring in the first place. Avoiding or minimising damages by implementing effective whistleblowing channels can prove a great return on investment on its own.

Our best advice for setting up a successful whistleblowing system

“We hear this from our customers over and over again: whistleblowers are a source of invaluable, hard-to-get information that can potentially save organisations from financial and reputational ruin.”

Gunilla Hadders and Karin Henriksson
Co-Founders of WhistleB

Get a free consultation

Top tips for EU Whistleblower Protection Directive readiness

1. Confidentiality of the identity of the whistleblower


What the law says:

The procedures for reporting and following-up of reports shall include channels for receiving the reports which are designed, set up and operated in a secure manner that ensures the confidentiality of the identity of the reporting person and any third party mentioned in the report, and prevents access to non-authorised staff members.

WhistleB advice:

Allow anonymous reporting and dialogue

–     Anonymous reporting and dialogue are essential for people to dare to reach out. Use a system that enables you to ensure the whistleblower’s anonymity both when reporting and in the ensuing dialogue.

–     Use a system with a secure Case management tool, through which you can appoint people who are authorised to read and act on reports received.


2. Response times

What the law says:

The procedures for reporting and following-up of reports shall include an acknowledgment of receipt to the reporting person within no more than seven days. The law also sets a time limit of three months from the receipt is set up to provide feedback to the reporting person about the follow-up.

WhistleB advice:

Be responsive to build trust

–         Make sure that you have a dedicated team to receive the reports, and the right team to handle and provide feedback to the whistleblower in a timely manner.

–          The receiver of whistleblower messages should be notified immediately by text message and e-mail that a report has been received. However, limit use of e-mail to notifications, all whistleblower messages that can contain sensitive or personal data should be securely encrypted and managed within a secure system.

–          Make sure that you have a dedicated team to receive the reports, and the right team to handle and provide feed-back to the whistleblower in a timely manner.

–          If your organisation receives many messages, you might want to have standard messages ready to send out to the whistleblower.


3. Contact persons

What the law says:

The procedures for reporting and following-up of reports shall include the designation of an impartial person or department competent for following up on the reports (…) and which will maintain communication with and, where necessary, ask for further information from and provide feedback to the reporting person.

WhistleB advice:

Ensure the right system, skills and routines are in place to handle investigations

–      Set up a team that is as non-operational as possible, and with roles from a range of different parts of the organisation. This strengthens the integrity of the team. In the WhistleB 2019 customer study, the whistleblowing team most often included these competences: legal and compliance, internal audit and risk, ethics and HR. Having Board representatives on the team is also becoming more common.

–      Make sure that you have a system that allows you to add the competences you need per case.

–      Make sure that you have a channel through which the whistleblower can add pictures, videos, text documents and other file formats while also allowing metadata cleansing.


4. Follow-up

What the law says:

The procedures for reporting and following-up of reports shall include diligent follow-up to the report by the designated person or department, diligent followup where provided  for in national law as regards anonymous reporting, and a reasonable timeframe to provide feedback to the reporting person about the follow-up to the report.

WhistleB advice:

Select a robust case management system to underpin diligent follow-up

–      Ensure your whistleblower system includes a case management tool that is integrated with the reporting channel and allows for dialogue with an anonymous or non-anonymous whistleblower. This will ensure seamless, compliant and secure case follow-up and processing. According to WhistleB’s 2019 customer study: approximately 50% of all reports lead to a dialogue with the whistleblower.

–      If your organisation operates multi-nationally, select a system with safe translation support for communication in any language.


Assess how your organisation handles investigations

–      Treat investigations with the utmost confidentiality and with respect for both the whistleblower and the person accused.

–      Establish processes for any action plans needed based on the outcome of the investigations.

–      Investigations can require very specialist skills which leaders may need to source externally, or you might want to have an external team to receive your reports. In this case, a system that allows external users to be securely included in case handling is important.


5. Communication & information

What the law says:

The procedures for reporting and following-up of reports shall include clear and easily accessible information regarding the conditions and procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union.

WhistleB advice:

Do all you can to give people confidence to report internally

Having your own trustworthy whistleblowing system, knowledgeable people handling the messages and a thorough process increase the organisation’s chances of receiving messages internally, and to be able to address and correct matters appropriately. A robust whistleblowing system is a concrete way of showing that you mean what you say in your ethical guidelines and that the organisation is willing to listen when things go wrong. It is also a form of insurance; with an internal whistleblowing system in place you can prevent inappropriate conduct happening in the first place.


6. GDPR Compliance

What the law says:

Any processing of personal data carried out pursuant to the Directive must comply with the GDPR.

WhistleB advice:

A GDPR compliant system makes things easy for you

–      Choose a system that is GDPR compliant, built to help you to comply with the GDPR.

–      Useful features for compliance include case and user logs, safe translations and deletion of personal data when the case is closed.

–      Check that you inform potential users correctly about national differences in reporting.


7. Record keeping of the reports

What the law says:

Authorities, private and public legal entities must keep records of every report received, in compliance with the confidentiality requirements provided for. Reports shall be stored for no longer than it is necessary and proportionate.

WhistleB advice:

Complete and close cases within one integrated whistleblower system

–      Ensure that you can keep a user and case log of each case. A GDPR compliant whistleblowing system does this automatically for you.

–      Ensure that your whistleblowing system allows for deleting personal data in line with the GDPR principle of accountability.


Count-down to the EU Whistleblower Protection Directive

23rd April 2019

Adoption of the EU Whistleblower Protection Directive.

17th December 2021

The new law must be transposed into national law by the Member States. Organisations with 250 employees or more must be ready to comply with the new law.

17th December 2023

Legal entities with 50 – 249 employees must be ready to comply with the new law.

What kind of whistleblowing channel needs to be implemented?

Internal channels for whistleblowing are more important than ever. According to the Directive, employees are to be encouraged to report internally, to their employer first, if an internal channel is available. However, whistleblowers will be protected by the Directive also when reporting to competent authorities or to the media.

The EU Whistleblower Protection Directive places specific requirements on the nature of the whistleblowing channel to be provided. The WhistleB solution complies with the legal requirements of the Whistleblowing Directive and is used by hundreds of customers from all parts of Europe.

Our plans

Our plans

Get a free consultation

How can I help you?


Please, fill in the form, and we will get back to you shortly by e-mail.

Thank you for getting in touch. We will get back to you as soon as we can (during office hours Central European Time).