The EU Whistleblower Directive — what every company needs to know
The EU Whistleblower Protection Directive (2019/1937) requires thousands of companies and public bodies across Europe to establish secure internal reporting channels and protect those who speak up. Here's everything you need to know.
What is the directive?
EU Directive 2019/1937 — commonly known as the EU Whistleblower Directive — is a binding piece of European Union legislation that establishes minimum standards for protecting people who report breaches of EU law in the workplace.
It covers a wide range of areas including financial services, environmental protection, public health, food safety, privacy, anti-money laundering, public procurement, and more. Crucially, it requires affected organisations to set up internal reporting channels that allow employees (and in some cases, contractors, volunteers, and job applicants) to raise concerns safely.
Member states were required to transpose the directive into national law by 17 December 2021. Private employers with 50–249 employees received an extended deadline of 17 December 2023.
Who must comply?
| Organisation type | Threshold |
|---|---|
| Private companies | 50+ employees in any EU member state |
| Public authorities | All sizes (municipalities with <10,000 residents may be exempt in some states) |
| Financial services firms | All sizes — regardless of employee count |
| Companies with specific EU regulatory obligations | All sizes — check sector-specific rules |
* Rules vary by member state. Always verify the specific national law that applies to your jurisdiction.
Key requirements
Secure reporting channels
Companies must provide at least one confidential, secure channel through which employees can submit reports — in writing, orally, or both.
Designated person or department
A competent person or department must be assigned to receive reports, follow up on them, and provide feedback to the reporter.
Acknowledgement within 7 days
Reporters must receive confirmation that their report has been received within 7 days of submission.
Follow-up within 3 months
Companies must provide feedback on action taken within 3 months of the acknowledgement.
Protection from retaliation
Whistleblowers who report in good faith are protected from dismissal, demotion, harassment, and other forms of retaliation.
Confidentiality of identity
The identity of the reporter must be kept confidential and not disclosed without explicit consent — except in specific legal proceedings.
Record-keeping
Reports must be kept in a secure, confidential register. Verbal reports must be recorded and made available for correction.
Timeline
EU Directive 2019/1937 adopted
Deadline for member states to transpose into national law
Extended deadline for private companies with 50–249 employees
National authorities enforcing — fines and investigations active
What happens if you don't comply?
Member states have implemented their own penalty regimes. While they differ, the trend is towards significant fines and reputational exposure:
- Germany: Fines up to €50,000 for failure to establish an internal reporting channel.
- France: Criminal penalties for obstruction and retaliation against whistleblowers.
- Ireland: Up to €250,000 in fines; directors can be personally liable.
- Sweden: Fines scaled to company turnover for non-compliance and retaliation.
Beyond fines, retaliating against a whistleblower can expose your company to civil suits, regulatory investigations, and significant reputational harm.
Get compliant in days, not months
CanaryLine is purpose-built for EU Directive 2019/1937. Our guided onboarding gets your reporting channel live in 7 days.