Who is protected under the directive?

Protection extends to employees, former employees, job applicants, self-employed persons, shareholders, board members, volunteers, trainees, and any person assisting the whistleblower. Family members and colleagues of the whistleblower who may face retaliation in a work-related context are also protected.

Can whistleblowers go directly to the media?

Whistleblowers who make public disclosures retain protection only if: they first reported internally or externally and no action was taken, or there is an imminent or manifest danger to the public interest, or internal/external reporting would be ineffective due to risk of retaliation or evidence destruction.

TOPICS·CORPORATE GOVERNANCE·EU DIRECTIVE 2019/1937

EU Whistleblower Protection Directive

The EU's framework for protecting persons who report breaches of Union law -- establishing mandatory internal reporting channels, a 3-tier reporting system, and comprehensive anti-retaliation safeguards for organisations with 50+ employees across all Member States.

EUDIRECTIVE89 regulations tracked4/27 on time · 23 lateUpdated April 2026

THE ESSENTIALS

The EU Whistleblower Protection Directive requires every organisation with 50 or more employees to set up a secure, confidential channel through which workers can report wrongdoing. This is not limited to fraud or corruption -- the directive covers breaches across 14 areas of EU law, from environmental violations and food safety to data protection and public procurement. Any person who reports in good faith through the proper channels is protected, whether they are an employee, a contractor, a volunteer, or even a job applicant who spotted something during the hiring process.

The directive establishes three ways to report. First, through the organisation's own internal channel. Second, directly to a national authority -- and crucially, the whistleblower does not have to try the internal route first. Third, by going public, though legal protection for public disclosure only kicks in under specific conditions, such as when earlier reports were ignored or there is an imminent danger to the public interest. Organisations must acknowledge reports within seven days and provide feedback on actions taken within three months.

Retaliation against whistleblowers is flatly prohibited. The directive lists twelve specific forms -- from dismissal and demotion to blacklisting and punitive psychiatric referrals -- and makes clear the list is not exhaustive. If a whistleblower suffers any adverse treatment, the burden of proof flips: the employer must demonstrate the action was entirely unrelated to the report. Interim relief, reinstatement, and full compensation are all available as remedies.

The transposition deadline for large organisations (250+ employees) was 17 December 2021. For medium-sized organisations (50 to 249 employees), Member States had until 17 December 2023. In practice, only four countries -- Denmark, Malta, Portugal, and Sweden -- met the original deadline on time. The European Commission launched infringement proceedings against virtually every other Member State, making this one of the worst-transposed directives in recent EU history. By now, all 27 Member States have transposed the directive into national law.

What

EU directive requiring organisations to establish internal reporting channels and protect persons who report breaches of EU law. Covers 14 areas from financial services to environmental protection.

Who

All private-sector organisations with 50+ employees and all public-sector entities. Organisations in financial services, aviation safety, maritime, and oil/gas regardless of size.

When

In force since December 2021. Organisations with 250+ employees: deadline 17 December 2021. Organisations with 50-249 employees: deadline 17 December 2023. Most Member States transposed late.

Penalty

Set by Member States individually. Must be effective, proportionate, and dissuasive. Penalties for retaliation, hindering reporting, breaching confidentiality, and bringing vexatious proceedings against whistleblowers.

THREE-TIER REPORTING SYSTEM

The directive establishes a graduated reporting framework. Whistleblowers are encouraged -- but not required -- to report internally first. They may go directly to external authorities at any time.

CHANNELCompany reporting channel

The whistleblower reports through the organisation's internal reporting channel. This is the preferred first step encouraged by the directive.

CONDITIONSAvailable to all organisations with 50+ employees. Whistleblower may choose this route freely.

TIMELINEAcknowledgement within 7 days. Feedback on actions taken within 3 months.

CHANNELNational competent authority

The whistleblower reports to the designated national authority. This can be done directly without first using internal channels.

CONDITIONSAvailable at any time. Whistleblower is NOT required to try internal channels first. Each Member State designates competent authorities.

TIMELINEAcknowledgement within 7 days. Feedback within 3 months (extendable to 6 months in duly justified cases).

CHANNELMedia / public

The whistleblower makes information public (e.g., to media, social media, elected officials). Protection applies only under specific conditions.

CONDITIONSProtected only if: (a) internal/external report was made but no appropriate action taken, (b) there is imminent or manifest danger to public interest, or (c) risk of retaliation or evidence destruction makes other channels ineffective.

TIMELINENo prescribed timeline. Protection is retrospective upon meeting the conditions.

Internal

or directly

External

if no action

Public

PERSONAL SCOPE: WHO IS PROTECTED

The directive protects a very broad range of persons -- far beyond traditional employees. Anyone who acquires information about breaches in a work-related context is covered.

Workers

Employees (full-time, part-time, fixed-term), civil servants

Self-employed persons

Freelancers, contractors, consultants

Shareholders & board members

Persons belonging to management or supervisory bodies

Volunteers & trainees

Unpaid volunteers, paid or unpaid trainees

Job applicants

Persons who acquired information during recruitment process

Former workers

Persons whose work relationship has ended

Facilitators

Persons who assist the whistleblower in the reporting process

Connected third persons

Colleagues, relatives of the whistleblower who could face retaliation

Legal entities

Entities owned/controlled by the whistleblower, or connected in a work context

MATERIAL SCOPE: AREAS OF EU LAW COVERED

The directive protects reports concerning breaches in 14 specific areas of EU law, plus violations affecting the EU's financial interests and the internal market.

Public procurementEU procurement directives, defence procurementAnnex Part I.A

Financial servicesAML, market abuse, payment services, insuranceAnnex Part I.B

Product safetyCE marking, general product safety, cosmeticsAnnex Part I.C

Transport safetyAviation, maritime, rail, road transportAnnex Part I.D

Environmental protectionWaste, chemicals, emissions, water qualityAnnex Part I.E

Radiation protection & nuclear safetyNuclear safety, radioactive waste, spent fuelAnnex Part I.F

Food and feed safetyAnimal health, welfare, food hygieneAnnex Part I.G

Public healthCross-border health threats, medicines, medical devicesAnnex Part I.H

Consumer protectionConsumer rights, package travel, timeshareAnnex Part I.I

Data protection & privacyGDPR, ePrivacyAnnex Part I.J

Network & information systemsNIS Directive security of network servicesAnnex Part I.K

EU financial interestsRevenue, expenditure, assets of the EU budgetArticle 2(1)(a)(ii)

Internal market (competition & state aid)Antitrust, mergers, state aid rulesArticle 2(1)(a)(ii)

Corporate taxArrangements defeating the object of corporate tax lawArticle 2(1)(a)(ii)

RETALIATION PROTECTIONS

Article 19 prohibits any form of retaliation. The burden of proof is reversed: where a whistleblower suffers detriment, the employer must prove it was wholly unrelated to the report.

Dismissal or suspension

Termination, layoff, or suspension from employment

Demotion or withholding promotion

Refusal to promote or downgrading of position

Transfer of duties

Reassignment, relocation, or removal of responsibilities

Reduction in wages

Pay cuts, changed working hours, withheld benefits

Coercion or intimidation

Threats, bullying, harassment, ostracism

Discrimination

Any form of unfavourable or unequal treatment

AVAILABLE REMEDIES

Interim relief

Courts may grant interim measures to halt ongoing retaliation pending full proceedings

Reinstatement

Full reinstatement to previous position where dismissal or demotion occurred

Compensation

Full compensation for material and non-material damages suffered

Reversed burden of proof

The employer must demonstrate that any adverse measure was not connected to the report

OBLIGATIONS BY ORGANISATION SIZE

The directive imposes different requirements based on the size of the organisation. Medium enterprises (50-249 employees) received an extended deadline and may share reporting channels.

THRESHOLD250+ employees

DEADLINE17 December 2021

Dedicated internal reporting channel

Designated impartial person or department

Written procedure for follow-up

Information and training for staff

THRESHOLD50-249 employees

DEADLINE17 December 2023

MAY SHARE CHANNELS

Internal reporting channel (may share resources)

Designated person for follow-up

Acknowledgement within 7 days

Feedback within 3 months

Record keeping in compliance with GDPR

THRESHOLDBelow 50 employees in financial services, aviation safety, maritime, oil/gas

DEADLINE17 December 2021

Internal reporting channel (sector requirement)

Must meet same standards as large enterprises

No exemption based on company size for regulated sectors

THRESHOLDAll public sector entities (Member States may exempt municipalities with fewer than 10,000 inhabitants)

DEADLINE17 December 2021 (50-249 employee entities: 17 December 2023)

MAY SHARE CHANNELS

Internal reporting channels for all public workers

Designated impartial department

Confidentiality protections for reporters

Member States may allow sharing of channels between municipalities with fewer than 10,000 inhabitants

MEMBER STATE TRANSPOSITION

The transposition deadline was 17 December 2021. Only 4 of 27 Member States met it on time. The European Commission launched infringement proceedings against the remaining Member States for late transposition -- one of the worst compliance records of any EU directive in recent history.

On time (4) Late transposition (23)

Austria

Late

HinweisgeberInnenschutzgesetz (HSchG)

Feb 25, 2023

Belgium

Late

Loi du 28 novembre 2022

Nov 28, 2023

Bulgaria

Late

Whistleblower Protection Act

Jan 4, 2024

Cyprus

Late

Feb 20, 2024

Czechia

Late

Act No. 171/2023

Aug 1, 2023

Germany

Late

Hinweisgeberschutzgesetz (HinSchG)

Jun 2, 2023

Denmark

On time

Whistleblower Protection Act (Lov nr. 1436)

Dec 17, 2021

Estonia

Late

Whistleblower Protection Act (Rikkumisest teavitaja kaitse seadus)

Jan 1, 2024

Spain

Late

Ley 2/2023 reguladora de la proteccion de las personas que informen

Feb 21, 2023

Finland

Late

Whistleblower Protection Act (Ilmoittajansuojelulaki 1171/2022)

Jan 1, 2023

France

Late

Loi Waserman (Loi no 2022-401)

Mar 21, 2022

Greece

Late

Law 4990/2022

Mar 1, 2024

Croatia

Late

Zakon o zastiti prijavitelja nepravilnosti

Apr 24, 2022

Hungary

Late

Act XXV of 2023

Jul 24, 2023

Ireland

Late

Protected Disclosures (Amendment) Act 2022

Jul 21, 2022

Italy

Late

D.Lgs. 24/2023

Mar 15, 2023

Lithuania

Late

Praneseju apsaugos istatymas

Feb 18, 2022

Luxembourg

Late

Loi du 16 mai 2023

May 16, 2023

Latvia

Late

Trauksmes celeja aizsardzibas likums

Feb 4, 2022

Malta

On time

Protection of the Whistleblower Act (Chapter 527)

Dec 17, 2021

Netherlands

Late

Wet bescherming klokkenluiders

Feb 18, 2023

Poland

Late

Ustawa o ochronie sygnalistow

Sep 25, 2024

One of the last to transpose

Portugal

On time

Lei no 93/2021

Dec 17, 2021

Romania

Late

Law no. 361/2022 (amended 2024)

Jun 1, 2024

Sweden

On time

Lag (2021:890) om skydd for personer som rapporterar om missforhallanden

Dec 17, 2021

Slovenia

Late

Zakon o zasciti prijaviteljev (ZZPri)

Feb 22, 2023

Slovakia

Late

Act No. 54/2019 (amended)

Jul 1, 2023

KEY MILESTONES

Apr 23, 2026

YOU ARE HERE

KEY COMPLIANCE REQUIREMENTS

Internal reporting channels

Establish secure, confidential channels for workers and stakeholders to report breaches of EU law.

Acknowledgement and follow-up

Acknowledge receipt within 7 days and provide feedback on actions taken within 3 months.

Retaliation protection

Prohibit all forms of retaliation (dismissal, demotion, harassment) against whistleblowers and connected persons.

Confidentiality

Protect the identity of the reporting person; disclose only with explicit consent or as required by law.

Record keeping

Maintain records of all reports received in compliance with confidentiality and data protection requirements.

Designated person

Appoint an impartial person or department responsible for receiving, acknowledging, and following up on reports.

WHO DOES THIS AFFECT?

Select your company type for tailored compliance guidance.

KEY OBLIGATIONS

☐Establish secure internal reporting channels for written and oral reports

☐Designate an impartial person or department to handle reports

☐Acknowledge receipt within 7 days and provide feedback within 3 months

☐Protect reporting persons from any form of retaliation

YOUR FIRST STEP

Implement a secure internal reporting channel (digital or physical) and designate an impartial function to receive and investigate reports

KEY INTERPRETATIONS & FAQ

RELATED TOPICS

MOST CONNECTED REGULATIONS

JUR.	TITLE	STATUS	LINKS
EU	Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (codification) (Text with EEA relevance. )	adopted	8
EU	Commission Implementing Regulation (EU) 2021/637 of 15 March 2021 laying down implementing technical standards with regard to public disclosures by institutions of the information referred to in Titles II and III of Part Eight of Regulation (EU) No 575/2013 of the European Parliament and of the Council and repealing Commission Implementing Regulation (EU) No 1423/2013, Commission Delegated Regulation (EU) 2015/1555, Commission Implementing Regulation (EU) 2016/200 and Commission Delegated Regulation (EU) 2017/2295 (Text with EEA relevance)	adopted	6
EU	Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability‐related disclosures in the financial services sector (Text with EEA relevance)	adopted	5
EU	Commission Delegated Regulation (EU) 2021/2178 of 6 July 2021 supplementing Regulation (EU) 2020/852 of the European Parliament and of the Council by specifying the content and presentation of information to be disclosed by undertakings subject to Articles 19a or 29a of Directive 2013/34/EU concerning environmentally sustainable economic activities, and specifying the methodology to comply with that disclosure obligation (Text with EEA relevance)	adopted	4
EU	Regulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending Regulation (EU) No 575/2013 as regards the leverage ratio, the net stable funding ratio, requirements for own funds and eligible liabilities, counterparty credit risk, market risk, exposures to central counterparties, exposures to collective investment undertakings, large exposures, reporting and disclosure requirements, and Regulation (EU) No 648/2012 (Text with EEA relevance.)	adopted	4
EU	Commission Delegated Regulation (EU) 2022/1214 of 9 March 2022 amending Delegated Regulation (EU) 2021/2139 as regards economic activities in certain energy sectors and Delegated Regulation (EU) 2021/2178 as regards specific public disclosures for those economic activities (Text with EEA relevance)	adopted	3
EU	Council Directive (EU) 2015/652 of 20 April 2015 laying down calculation methods and reporting requirements pursuant to Directive 98/70/EC of the European Parliament and of the Council relating to the quality of petrol and diesel fuels	adopted	3
EU	Directive (EU) 2026/470 of the European Parliament and of the Council of 24 February 2026 amending Directives 2006/43/EC, 2013/34/EU, (EU) 2022/2464 and (EU) 2024/1760 as regards certain corporate sustainability reporting requirements and certain corporate sustainability due diligence requirements (Text with EEA relevance)	adopted	2
EU	Commission Implementing Regulation (EU) 2025/2159 of 27 October 2025 amending the implementing technical standards laid down in Implementing Regulation (EU) 2021/2284 as regards supervisory reporting and disclosures of investment firms	adopted	2
EU	Regulation (EU) 2025/2088 of the European Parliament and of the Council of 8 October 2025 amending Regulations (EU) No 1092/2010, (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010, (EU) No 806/2014, (EU) 2021/523 and (EU) 2024/1620 as regards certain reporting requirements in the fields of financial services and investment support (Text with EEA relevance)	adopted	2

← ALL TOPICS