For the first time, EU law required a minimum standard of protection for people who report wrongdoing.
The EU Whistleblower Protection Directive — adopted in October 2019 with a transposition deadline of December 2021 — established, for the first time across the European Union, a mandatory baseline of protection for individuals who report breaches of EU law. Before the Directive, whistleblower protection across Member States was fragmented, inconsistent, and in many jurisdictions, effectively absent for significant categories of private-sector workers.
The Directive requires organisations with 50 or more employees — and all public bodies regardless of size — to establish internal reporting channels that are confidential, allow for anonymous reporting where national law permits, are managed by an impartial person or department, and are capable of acknowledging receipt and providing meaningful follow-up within defined timeframes: acknowledgement within seven days and feedback within three months.
The protection it extends to reporting persons is substantial. Retaliation — including dismissal, demotion, harassment, damage to professional reputation, and refusal of references — is prohibited. The burden of proof is reversed in retaliation proceedings: the employer must demonstrate that any adverse measure taken against a reporting person was not connected to their report. And interim relief pending the resolution of proceedings is available.
Formal compliance with the Directive is not the same as a functioning speak-up system.
Most large organisations in EU Member States have, by now, established the formal infrastructure the Directive requires: a confidential reporting channel, an acknowledgement process, a case management framework. In many cases, these were built or updated by external providers who offered compliance-as-a-service — a channel, a policy, and a documented procedure that satisfies the letter of the transposition requirement.
What a significant number of these organisations have not yet built is the cultural and operational substance that makes the channel worth using. A reporting channel that is not known to the people it is supposed to serve. A confidentiality commitment that employees have no reason to trust because they have seen how a previous reporter was treated. A follow-up process that satisfies the three-month feedback requirement in form — a generic response confirming the matter has been addressed — but provides nothing that would encourage a future reporter to come forward.
The Directive's protection provisions are also being missed in practice in a more fundamental way: many organisations have not trained their managers on what constitutes retaliation under the Directive. A manager who does not renew a fixed-term contract, removes a reporter from a high-profile project, or creates a subtly hostile environment following a report may believe they are acting for entirely unrelated reasons. The Directive's reversed burden of proof means that the organisation will need to demonstrate the absence of connection — and that is significantly harder if managers have never been told what the Directive prohibits.
The test of whether a speak-up system is functioning under the Directive is not whether the channel exists and the policy is documented. It is whether a person in your organisation who became aware of a serious breach of EU law would use it — and why. If the honest answer involves uncertainty about confidentiality, concern about managerial response, or doubt that anything would happen, the system is not functioning as the Directive intends, regardless of its formal compliance.
Three areas where implementation most commonly falls short.
First: the scope of protected disclosures. The Directive covers breaches of EU law across more than 25 defined areas, including financial services, anti-corruption, data protection, competition, consumer protection, environmental law, and public health. Many organisations have communicated their reporting channel as an anti-corruption or ethics tool, without making clear that the range of protected disclosures is substantially broader. A reporter who raises a data protection concern may not know they are protected — and may not use the channel as a result.
Second: the management of external reporting channels. The Directive establishes a hierarchy of reporting: internal channels first, then competent national authorities, then — in defined circumstances — public disclosure. Organisations that have invested heavily in internal channel infrastructure but have not thought carefully about how they would respond if a reporter escalated directly to a national authority — or made a public disclosure — are not fully prepared for the Directive's framework.
Third: the documentation of follow-up. The Directive requires that reporters receive meaningful feedback on the action taken in response to their report within three months. What constitutes meaningful feedback in a complex investigation, where the outcome cannot be shared for legitimate confidentiality reasons, is a question that many organisations have not resolved. The answer requires a communications framework that keeps the reporter genuinely informed without compromising the investigation — and that framework is rarely built before the first case that requires it.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. The regulatory landscape described is subject to ongoing development. Organisations seeking guidance on specific obligations should consult qualified legal counsel in the relevant jurisdiction.
Télécharger cet article
Enregistrez une copie PDF pour la lecture hors ligne ou partagez-la avec un collègue qui pourrait la trouver utile.