TOPICS·CORPORATE GOVERNANCE·EU DIRECTIVE 2019/1937

EU Whistleblower Protection Directive

The EU's framework for protecting persons who report breaches of Union law -- establishing mandatory internal reporting channels, a 3-tier reporting system, and comprehensive anti-retaliation safeguards for organisations with 50+ employees across all Member States.

EUDIRECTIVE89 regulations tracked4/27 on time · 23 lateUpdated April 2026
THE ESSENTIALS

The EU Whistleblower Protection Directive requires every organisation with 50 or more employees to set up a secure, confidential channel through which workers can report wrongdoing. This is not limited to fraud or corruption -- the directive covers breaches across 14 areas of EU law, from environmental violations and food safety to data protection and public procurement. Any person who reports in good faith through the proper channels is protected, whether they are an employee, a contractor, a volunteer, or even a job applicant who spotted something during the hiring process.

The directive establishes three ways to report. First, through the organisation's own internal channel. Second, directly to a national authority -- and crucially, the whistleblower does not have to try the internal route first. Third, by going public, though legal protection for public disclosure only kicks in under specific conditions, such as when earlier reports were ignored or there is an imminent danger to the public interest. Organisations must acknowledge reports within seven days and provide feedback on actions taken within three months.

Retaliation against whistleblowers is flatly prohibited. The directive lists twelve specific forms -- from dismissal and demotion to blacklisting and punitive psychiatric referrals -- and makes clear the list is not exhaustive. If a whistleblower suffers any adverse treatment, the burden of proof flips: the employer must demonstrate the action was entirely unrelated to the report. Interim relief, reinstatement, and full compensation are all available as remedies.

The transposition deadline for large organisations (250+ employees) was 17 December 2021. For medium-sized organisations (50 to 249 employees), Member States had until 17 December 2023. In practice, only four countries -- Denmark, Malta, Portugal, and Sweden -- met the original deadline on time. The European Commission launched infringement proceedings against virtually every other Member State, making this one of the worst-transposed directives in recent EU history. By now, all 27 Member States have transposed the directive into national law.

What
EU directive requiring organisations to establish internal reporting channels and protect persons who report breaches of EU law. Covers 14 areas from financial services to environmental protection.
Who
All private-sector organisations with 50+ employees and all public-sector entities. Organisations in financial services, aviation safety, maritime, and oil/gas regardless of size.
When
In force since December 2021. Organisations with 250+ employees: deadline 17 December 2021. Organisations with 50-249 employees: deadline 17 December 2023. Most Member States transposed late.
Penalty
Set by Member States individually. Must be effective, proportionate, and dissuasive. Penalties for retaliation, hindering reporting, breaching confidentiality, and bringing vexatious proceedings against whistleblowers.

The directive establishes a graduated reporting framework. Whistleblowers are encouraged -- but not required -- to report internally first. They may go directly to external authorities at any time.

CHANNELCompany reporting channel

The whistleblower reports through the organisation's internal reporting channel. This is the preferred first step encouraged by the directive.

CONDITIONSAvailable to all organisations with 50+ employees. Whistleblower may choose this route freely.
TIMELINEAcknowledgement within 7 days. Feedback on actions taken within 3 months.
Internal
or directly
External
if no action
Public

The directive protects a very broad range of persons -- far beyond traditional employees. Anyone who acquires information about breaches in a work-related context is covered.

Workers
Employees (full-time, part-time, fixed-term), civil servants
Self-employed persons
Freelancers, contractors, consultants
Shareholders & board members
Persons belonging to management or supervisory bodies
Volunteers & trainees
Unpaid volunteers, paid or unpaid trainees
Job applicants
Persons who acquired information during recruitment process
Former workers
Persons whose work relationship has ended
Facilitators
Persons who assist the whistleblower in the reporting process
Connected third persons
Colleagues, relatives of the whistleblower who could face retaliation
Legal entities
Entities owned/controlled by the whistleblower, or connected in a work context

The directive protects reports concerning breaches in 14 specific areas of EU law, plus violations affecting the EU's financial interests and the internal market.

AREAEXAMPLESREFERENCE
Public procurementEU procurement directives, defence procurementAnnex Part I.A
Financial servicesAML, market abuse, payment services, insuranceAnnex Part I.B
Product safetyCE marking, general product safety, cosmeticsAnnex Part I.C
Transport safetyAviation, maritime, rail, road transportAnnex Part I.D
Environmental protectionWaste, chemicals, emissions, water qualityAnnex Part I.E
Radiation protection & nuclear safetyNuclear safety, radioactive waste, spent fuelAnnex Part I.F
Food and feed safetyAnimal health, welfare, food hygieneAnnex Part I.G
Public healthCross-border health threats, medicines, medical devicesAnnex Part I.H
Consumer protectionConsumer rights, package travel, timeshareAnnex Part I.I
Data protection & privacyGDPR, ePrivacyAnnex Part I.J
Network & information systemsNIS Directive security of network servicesAnnex Part I.K
EU financial interestsRevenue, expenditure, assets of the EU budgetArticle 2(1)(a)(ii)
Internal market (competition & state aid)Antitrust, mergers, state aid rulesArticle 2(1)(a)(ii)
Corporate taxArrangements defeating the object of corporate tax lawArticle 2(1)(a)(ii)

Article 19 prohibits any form of retaliation. The burden of proof is reversed: where a whistleblower suffers detriment, the employer must prove it was wholly unrelated to the report.

12forms of retaliation explicitly prohibited
Dismissal or suspension
Termination, layoff, or suspension from employment
Demotion or withholding promotion
Refusal to promote or downgrading of position
Transfer of duties
Reassignment, relocation, or removal of responsibilities
Reduction in wages
Pay cuts, changed working hours, withheld benefits
Coercion or intimidation
Threats, bullying, harassment, ostracism
Discrimination
Any form of unfavourable or unequal treatment
AVAILABLE REMEDIES
Interim relief
Courts may grant interim measures to halt ongoing retaliation pending full proceedings
Reinstatement
Full reinstatement to previous position where dismissal or demotion occurred
Compensation
Full compensation for material and non-material damages suffered
Reversed burden of proof
The employer must demonstrate that any adverse measure was not connected to the report

The directive imposes different requirements based on the size of the organisation. Medium enterprises (50-249 employees) received an extended deadline and may share reporting channels.

THRESHOLD250+ employees
DEADLINE17 December 2021
Dedicated internal reporting channel
Designated impartial person or department
Written procedure for follow-up
Register of all reports received
Information and training for staff

The transposition deadline was 17 December 2021. Only 4 of 27 Member States met it on time. The European Commission launched infringement proceedings against the remaining Member States for late transposition -- one of the worst compliance records of any EU directive in recent history.

On time (4) Late transposition (23)
AT
Austria
Late
HinweisgeberInnenschutzgesetz (HSchG)
Feb 25, 2023
BE
Belgium
Late
Loi du 28 novembre 2022
Nov 28, 2023
BG
Bulgaria
Late
Whistleblower Protection Act
Jan 4, 2024
CY
Cyprus
Late
Feb 20, 2024
CZ
Czechia
Late
Act No. 171/2023
Aug 1, 2023
DE
Germany
Late
Hinweisgeberschutzgesetz (HinSchG)
Jun 2, 2023
DK
Denmark
On time
Whistleblower Protection Act (Lov nr. 1436)
Dec 17, 2021
EE
Estonia
Late
Whistleblower Protection Act (Rikkumisest teavitaja kaitse seadus)
Jan 1, 2024
ES
Spain
Late
Ley 2/2023 reguladora de la proteccion de las personas que informen
Feb 21, 2023
FI
Finland
Late
Whistleblower Protection Act (Ilmoittajansuojelulaki 1171/2022)
Jan 1, 2023
FR
France
Late
Loi Waserman (Loi no 2022-401)
Mar 21, 2022
GR
Greece
Late
Law 4990/2022
Mar 1, 2024
HR
Croatia
Late
Zakon o zastiti prijavitelja nepravilnosti
Apr 24, 2022
HU
Hungary
Late
Act XXV of 2023
Jul 24, 2023
IE
Ireland
Late
Protected Disclosures (Amendment) Act 2022
Jul 21, 2022
IT
Italy
Late
D.Lgs. 24/2023
Mar 15, 2023
LT
Lithuania
Late
Praneseju apsaugos istatymas
Feb 18, 2022
LU
Luxembourg
Late
Loi du 16 mai 2023
May 16, 2023
LV
Latvia
Late
Trauksmes celeja aizsardzibas likums
Feb 4, 2022
MT
Malta
On time
Protection of the Whistleblower Act (Chapter 527)
Dec 17, 2021
NL
Netherlands
Late
Wet bescherming klokkenluiders
Feb 18, 2023
PL
Poland
Late
Ustawa o ochronie sygnalistow
Sep 25, 2024
One of the last to transpose
PT
Portugal
On time
Lei no 93/2021
Dec 17, 2021
RO
Romania
Late
Law no. 361/2022 (amended 2024)
Jun 1, 2024
SE
Sweden
On time
Lag (2021:890) om skydd for personer som rapporterar om missforhallanden
Dec 17, 2021
SI
Slovenia
Late
Zakon o zasciti prijaviteljev (ZZPri)
Feb 22, 2023
SK
Slovakia
Late
Act No. 54/2019 (amended)
Jul 1, 2023
Apr 23, 2026
YOU ARE HERE
01
Internal reporting channels
Establish secure, confidential channels for workers and stakeholders to report breaches of EU law.
02
Acknowledgement and follow-up
Acknowledge receipt within 7 days and provide feedback on actions taken within 3 months.
03
Retaliation protection
Prohibit all forms of retaliation (dismissal, demotion, harassment) against whistleblowers and connected persons.
04
Confidentiality
Protect the identity of the reporting person; disclose only with explicit consent or as required by law.
05
Record keeping
Maintain records of all reports received in compliance with confidentiality and data protection requirements.
06
Designated person
Appoint an impartial person or department responsible for receiving, acknowledging, and following up on reports.

Select your company type for tailored compliance guidance.

KEY OBLIGATIONS
Establish secure internal reporting channels for written and oral reports
Designate an impartial person or department to handle reports
Acknowledge receipt within 7 days and provide feedback within 3 months
Protect reporting persons from any form of retaliation
YOUR FIRST STEP

Implement a secure internal reporting channel (digital or physical) and designate an impartial function to receive and investigate reports

JUR.TITLESTATUSLINKS
EUDirective (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (codification) (Text with EEA relevance. )adopted8
EUCommission Implementing Regulation (EU) 2021/637 of 15 March 2021 laying down implementing technical standards with regard to public disclosures by institutions of the information referred to in Titles II and III of Part Eight of Regulation (EU) No 575/2013 of the European Parliament and of the Council and repealing Commission Implementing Regulation (EU) No 1423/2013, Commission Delegated Regulation (EU) 2015/1555, Commission Implementing Regulation (EU) 2016/200 and Commission Delegated Regulation (EU) 2017/2295 (Text with EEA relevance)adopted6
EURegulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability‐related disclosures in the financial services sector (Text with EEA relevance)adopted5
EUCommission Delegated Regulation (EU) 2021/2178 of 6 July 2021 supplementing Regulation (EU) 2020/852 of the European Parliament and of the Council by specifying the content and presentation of information to be disclosed by undertakings subject to Articles 19a or 29a of Directive 2013/34/EU concerning environmentally sustainable economic activities, and specifying the methodology to comply with that disclosure obligation (Text with EEA relevance)adopted4
EURegulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending Regulation (EU) No 575/2013 as regards the leverage ratio, the net stable funding ratio, requirements for own funds and eligible liabilities, counterparty credit risk, market risk, exposures to central counterparties, exposures to collective investment undertakings, large exposures, reporting and disclosure requirements, and Regulation (EU) No 648/2012 (Text with EEA relevance.)adopted4
EUCommission Delegated Regulation (EU) 2022/1214 of 9 March 2022 amending Delegated Regulation (EU) 2021/2139 as regards economic activities in certain energy sectors and Delegated Regulation (EU) 2021/2178 as regards specific public disclosures for those economic activities (Text with EEA relevance)adopted3
EUCouncil Directive (EU) 2015/652 of 20 April 2015 laying down calculation methods and reporting requirements pursuant to Directive 98/70/EC of the European Parliament and of the Council relating to the quality of petrol and diesel fuelsadopted3
EUDirective (EU) 2026/470 of the European Parliament and of the Council of 24 February 2026 amending Directives 2006/43/EC, 2013/34/EU, (EU) 2022/2464 and (EU) 2024/1760 as regards certain corporate sustainability reporting requirements and certain corporate sustainability due diligence requirements (Text with EEA relevance)adopted2
EUCommission Implementing Regulation (EU) 2025/2159 of 27 October 2025 amending the implementing technical standards laid down in Implementing Regulation (EU) 2021/2284 as regards supervisory reporting and disclosures of investment firmsadopted2
EURegulation (EU) 2025/2088 of the European Parliament and of the Council of 8 October 2025 amending Regulations (EU) No 1092/2010, (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010, (EU) No 806/2014, (EU) 2021/523 and (EU) 2024/1620 as regards certain reporting requirements in the fields of financial services and investment support (Text with EEA relevance)adopted2