Directive (EU) 2019/1937, often called the EU Whistleblower Protection Directive, sets EU-wide minimum standards for protecting people who report breaches of European Union law they learn about through their work. It requires organisations and public authorities to provide safe, confidential reporting channels and prohibits retaliation against those who come forward in good faith.

The Directive entered into force on 16 December 2019, with a transposition deadline of 17 December 2021. As a directive, it does not apply directly; each EU Member State implements it through national law, and national rules may go further than the EU minimum. Private-sector organisations with 50 to 249 workers were given until 17 December 2023 to establish internal reporting channels.

What does the EU Whistleblower Directive do?

The Directive establishes common minimum standards across the EU for protecting whistleblowers who report breaches of Union law. According to the European Commission, it requires Member States to ensure that:

  • Whistleblowers have effective channels to report breaches confidentially, both internally within an organisation and externally to authorities.
  • Reports are properly investigated and acted upon by organisations and competent authorities.
  • Whistleblowers are protected from retaliation.

It is a minimum-harmonisation instrument: Member States may introduce more favourable protections, so the precise rules depend on each country's transposing legislation.

What breaches and which people are covered?

Material scope (Article 2). The Directive covers reports of breaches of EU law in defined policy areas, including: public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; protection of the environment; radiation protection and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data, and security of network and information systems; breaches affecting the EU's financial interests; and breaches of internal-market rules (including competition and corporate tax). Member States may extend protection to further areas.

Personal scope (Article 4). Protection covers reporting persons working in the private or public sector who acquired information in a work-related context — including employees, the self-employed, shareholders and members of management, volunteers and paid or unpaid trainees, and people working under contractors, subcontractors and suppliers. It also extends to job applicants and former workers, and to facilitators and third persons connected to the reporter (such as colleagues or relatives).

What are the three reporting channels?

The Directive sets up a three-tier reporting framework. Whistleblowers can generally choose between internal and external reporting; public disclosure is protected only under specific conditions.

  1. Internal reporting (Articles 7-9). Reporting within the organisation, through internal channels operated by the entity or by a designated third party.
  2. External reporting (Articles 10-14). Reporting to competent authorities designated by Member States to receive and follow up on reports.
  3. Public disclosure (Article 15). Making information public — for example, to the media. A person who makes a public disclosure qualifies for protection only if they first reported internally and externally (or directly externally) without appropriate action being taken, or they have reasonable grounds to believe the breach may present an imminent or manifest danger to the public interest, or that external reporting risks retaliation or has little prospect of the breach being effectively addressed.

Which organisations must set up internal reporting channels?

Under Article 8, legal entities in the private sector with 50 or more workers must establish internal channels and procedures for reporting and follow-up. The 50-worker threshold does not apply to entities in certain areas (for example, financial services or those vulnerable to money laundering), which must have internal channels regardless of size.

In the public sector, Member States must require legal entities to establish internal channels, though they may exempt municipalities with fewer than 10,000 inhabitants or fewer than 50 workers, and certain other small public entities.

Channels must allow reporting in writing, orally, or both, and must protect the confidentiality of the reporting person's identity. Entities with 50 to 249 workers may share resources for receiving and investigating reports.

What are the acknowledgement and feedback timelines?

The Directive sets specific deadlines for handling reports.

Internal reporting (Article 9). Organisations must:

  • Acknowledge receipt of the report to the reporting person within seven days of receipt.
  • Designate an impartial person or department to follow up.
  • Provide feedback within a reasonable timeframe not exceeding three months from acknowledgement of receipt (or, if no acknowledgement was sent, three months from the end of the seven-day period).

External reporting (Article 11). Competent authorities must likewise acknowledge receipt within seven days and provide feedback within three months — or up to six months in duly justified, complex cases.

"Feedback" means informing the reporting person of the action envisaged or taken as follow-up and the grounds for it.

How are whistleblowers protected from retaliation?

Article 19 prohibits all forms of retaliation against protected reporting persons, including threats and attempts. Prohibited retaliation includes dismissal, suspension or layoff; demotion or withholding of promotion; transfer of duties, reduction in wages or change of working hours; withholding of training; negative performance assessments or references; coercion, intimidation, harassment or ostracism; discrimination or blacklisting; early termination of a contract for goods or services; and reputational or financial harm.

Supporting protections include:

  • Conditions for protection (Article 6): the reporter must have had reasonable grounds to believe the information was true at the time of reporting, and must have reported through a channel recognised by the Directive. Motives are irrelevant.
  • Confidentiality (Article 16): the reporter's identity must not be disclosed without their consent, except where required by law.
  • Reversed burden of proof (Article 21): where a reporter shows they reported and then suffered a detriment, it is for the other party to prove the measure was not retaliation.
  • Immunity (Article 21): reporters are not liable for acquiring or accessing the reported information, provided this did not constitute a self-standing criminal offence.

When did the Directive take effect and what are the deadlines?

  • Entry into force: 16 December 2019.
  • Transposition deadline: Member States had to bring the Directive into national law by 17 December 2021 (Article 26(1)).
  • Extended deadline for mid-sized private entities: for legal entities in the private sector with 50 to 249 workers, the obligation to establish internal reporting channels could be deferred until 17 December 2023 (Article 26(2)).

Because this is a directive, the operative obligations on organisations arise from each Member State's national implementing law. Several Member States transposed late, and the Court of Justice of the European Union issued rulings against some for failing to meet the deadline; the Commission has reported that all Member States had transposed the Directive by mid-2024.

Frequently asked questions

Does the Directive apply directly to companies?

No. As an EU directive, it binds Member States as to the result to be achieved but must be implemented through national law. Organisations comply with the national legislation transposing the Directive, which may impose stricter or additional requirements than the EU minimum.

Which organisations must set up an internal reporting channel?

Private-sector legal entities with 50 or more workers must establish internal channels (Article 8). The 50-worker threshold does not apply in certain sectors, such as financial services and entities exposed to money-laundering risk, which must have channels regardless of size. Many public-sector entities must also have internal channels, subject to limited exemptions.

How quickly must a report be acknowledged and answered?

Receipt of a report must be acknowledged within seven days (Articles 9 and 11). Feedback must then be provided within a reasonable period not exceeding three months — extendable to up to six months for external reports in duly justified, complex cases.

Must a whistleblower report internally before going to authorities or the public?

Not always. The Directive lets whistleblowers choose between internal and external reporting and encourages internal reporting where the breach can be effectively addressed internally without risk of retaliation. Public disclosure is protected only under specific conditions in Article 15.

What kinds of breaches are covered?

Breaches of EU law in the areas listed in Article 2 — including public procurement, financial services and anti-money-laundering, product and transport safety, environmental protection, nuclear safety, food and feed safety, public health, consumer protection, data protection and network security, the EU's financial interests, and internal-market rules. Member States may extend coverage in national law.

What protections does a whistleblower receive?

Protected whistleblowers are shielded from retaliation such as dismissal, demotion, harassment or blacklisting (Article 19). They benefit from confidentiality of their identity, a reversed burden of proof in retaliation disputes, and immunity for acquiring the reported information — provided they had reasonable grounds to believe the information was true and reported through a recognised channel (Article 6).

Official sources