For EU-Based Organisations

A Guide to Whistleblowing

Whistleblowing is about reporting serious misconduct within an organisation – for example corruption, fraud, major safety deficiencies, environmental crimes or other unethical behaviour. The purpose is not to “expose” individuals, but to detect and remedy problems that may harm employees, customers, the public or society at large.

Across the European Union, protections for whistleblowers are regulated by Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law. The Directive requires Member States to ensure that organisations provide safe reporting channels, protect whistleblowers against retaliation and follow up reports within set deadlines.

> 50 employees? Mandatory! Directive (EU) 2019/1937

Briefly About the EU Whistleblowing Directive

The EU Whistleblowing Directive aims to provide strong and harmonised protection against reprisals for persons who report breaches of EU law in a work-related context. It covers employees and a wide circle of persons working with or for an organisation, including contractors, shareholders and members of management bodies.

Under the Directive, organisations in both the private and public sector with 50 or more workers must establish secure internal reporting channels. Larger entities in sensitive sectors (such as financial services) are covered regardless of size.

Whistleblowers must be protected against dismissal, demotion, intimidation, discrimination or other negative measures because of their report.

Member States must ensure that whistleblowers can report internally, externally to competent authorities, or in some cases publicly (for example to the media) without losing protection, provided certain conditions are met.

The Directive has been implemented through national laws across the EU. For example, Germany has adopted the Hinweisgeberschutzgesetz (Whistleblower Protection Act), France has strengthened protection through legislation following the “Sapin II” law and its 2022 reform of whistleblower rights, and Spain has enacted Law 2/2023 on the protection of informants and created an independent whistleblowing authority.

For an overview of how EU Member States have implemented the Directive in practice, see for example Transparency International’s assessment of whistleblower protection laws in the EU.

Dec 2021: Transposition deadline for EU states

Mandatory if 50+ employees

7 days: Acknowledgement within 7 days

3 months: Feedback within 3 months

EU Whistleblowing Directive

Background

The EU Whistleblowing Directive (2019/1937) was adopted to ensure that persons who report breaches of EU law receive comparable protection in all Member States. The Directive sets minimum standards, while allowing countries such as Germany, France, Spain and others to go further in some areas.

Scope

Organisations in both public and private sectors with 50+ workers – and certain smaller entities in high-risk sectors – must provide internal reporting channels.

Accessibility

Whistleblowers must be able to report in writing, orally or via a physical meeting, with clear and accessible information about how to do so.

Confidentiality

Confidentiality regarding the identity of the whistleblower – and any third parties mentioned – must be ensured throughout the process.

Feedback Requirements

The organisation must acknowledge receipt of a report within 7 days and provide feedback on follow-up within 3 months in most cases.

What Is Whistleblowing?

Whistleblowing occurs when a person reports serious misconduct in an organisation – internally, externally to a competent authority, or in some cases to the media. It may involve actions that are illegal, unethical or seriously inappropriate, such as corruption, bribery, systematic shortcomings in the work environment, financial crime or breaches of EU rules.

The whistleblower may be an employee, former employee, job applicant, consultant, intern, volunteer, self-employed contractor, board member or shareholder – the Directive protects a broad group of people with a connection to the workplace.

Learn more on the European Commission’s website

Why Is Whistleblowing Important?

A Functioning Whistleblowing System Matters for Several Reasons

1. Detect Risks Early

Financial irregularities, bribery, safety issues or discrimination can be detected before they develop into major scandals or legal liability.

2. Protect Employees & Customers

Whistleblowing contributes to legal certainty, safety, a good work environment and reduced risks for both employees and customers across the EU.

3. Build Trust

Employees, customers and the public increasingly expect transparency and the possibility to report misconduct through safe and independent channels.

4. Legal Compliance

A whistleblowing function shows that the company is serious about compliance and ethics and acts as a quality mark – and for many organisations it is also a legal requirement under the EU framework.

Whistleblowing

Some Statistics and History

Statistics and Research on Whistleblowing in Europe

Research and reports show that whistleblowing is becoming more common and more formalised across the EU:

A 2023 report by Transparency International assesses whistleblower protection laws in 20 EU Member States and concludes that many still fall short of the Directive’s standards, especially when it comes to practical protection against retaliation.

Further analyses of whistleblowing systems in European organisations highlight both progress and challenges: while many large companies and public bodies have implemented internal channels, there are still gaps in awareness, follow-up routines and trust in the systems.

For companies, this means that expectations are rising and both legislators and society at large now assume that there are clear, secure and trustworthy ways to report misconduct.

Historical Background and Examples

Whistleblowing as a phenomenon is far from new. Internationally, high-profile cases in finance, public administration, defence, environmental protection and the tech industry have shown how individual persons can be crucial in exposing abuses, misconduct or systemic failures.

Historically, whistleblowers have often ended up in a vulnerable position and faced serious personal and professional consequences.

Legal protection has historically been weak or fragmented, which is one reason why the EU has now introduced a common minimum standard.

Several cases have led to political reforms, new rules or stronger oversight – both at EU level and in Member States such as Germany, France and Spain.

The EU Whistleblowing Directive and recent national laws can be seen as a response to this development – the ambition is to make whistleblowing less risky and more systematically handled.

Why Have a Whistleblowing Function?

Even for organisations not yet directly covered by all national requirements, a whistleblowing function can be an important part of compliance, sustainability and risk management. Some key reasons:

Legal requirement for many EU organisations

Reduces the risk of external scandal and regulatory action

Signal value for employees, customers and investors

Better internal control and early detection of structural problems

If employees feel that it is not possible to report internally, the risk increases that matters go directly to the media or authorities. In addition, a clear whistleblowing function shows that management is serious about ethics, transparency and zero tolerance for irregularities, and can lead to improved processes, governance and work environment.

What the EU Directive and Authorities Say

How Should a Whistleblowing Function Be Designed?

A modern whistleblowing function should meet both the legal requirements of Directive (EU) 2019/1937 and practical needs in day-to-day work. Guidance from the European Commission and national authorities – for example Germany’s BaFin, France’s Anti-Corruption Agency (AFA) and Spain’s new independent whistleblower authority – highlights, among other things:

Security and Confidentiality

The identity of the person reporting must be protected. Only authorised case handlers should have access to the cases, and the information must be handled in accordance with GDPR and relevant national secrecy rules.

Possibility for Anonymous Reporting and Dialogue

In many cases, the whistleblower wants to remain anonymous. The Directive does not force Member States to require anonymity, but many national systems – including in Germany, France and Spain – allow anonymous reporting or strongly protect confidentiality. A good system should make it possible to maintain a dialogue even if the identity is not disclosed.

A Good Whistleblowing System Also Makes It Possible To:

Report anonymously or with a protected identity

Continue a secure dialogue without revealing identity

Receive follow-up questions and provide additional information

On the market there are now systems and whistleblowing services that are designed to comply with these EU-level requirements. One example is the Swedish Heimdal Systems whistleblowing service. Heimdal has created a very streamlined and affordable whistleblowing service that fulfils the core legal requirements. In addition, Heimdal’s whistleblowing system offers a very well-thought-out flow for anonymous chats between whistleblowers and investigators, which facilitates investigative work.

Types of Whistleblowing Solutions

There Are Several Ways to Organise a Whistleblowing Function

Simple Solutions – E-mail & Physical Mailboxes

Some organisations use a dedicated e-mail address or a physical mailbox. This can lower the threshold, but often has limitations:

Difficult to guarantee anonymity

Risk that e-mails are read by the wrong person

No structured case management

Harder to meet requirements on confidentiality and secure storage

In-House Forms and Channels

Some organisations develop their own web forms or internal systems. Advantages are flexibility and control, but challenges include:

Requirements on IT security, encryption and log management

Continuous further development and support

Responsibility to ensure that the system complies with evolving EU and national law

Uncertainty regarding recipient, security and anonymity if the solution is not carefully designed

External Whistleblowing Systems (SaaS)

Specialised whistleblowing systems are delivered as cloud-based services, focusing on:

Secure, encrypted communication

Anonymous dialogue

Support for statutory deadlines and internal routines

Whistleblowing is no longer only a matter for large corporations and authorities – it is a central part of modern, responsible leadership across the EU.