The Whistleblowing Directive

Written on 12 Apr 2021

The new Whistleblowing Directive (2019/1937) is due to be implemented by EU Member States by the end of 2021. Businesses operating in the EU will need to review their policies and procedures in line with Member States' requirements.

The Directive provides protections for employees who report concerns from dismissal, degradation and other forms of discrimination. It also widens the net for protection, with job applicants, former employees, supporters of a whistle-blower and journalists also within scope.

Who does it apply to and when do businesses need to act?

The Directive applies to businesses with 50 or more employees based in the EU, but the deadline for compliance depends on the size of the business' presence in the EU.

  • A business with 250 or more employees must comply by 17 December 2021; but
  • A business with 50-249 employees has an additional two years, until 17 December 2023.

The protections of the Directive apply to reports of wrongdoing relating to EU law, such as tax fraud, money laundering or public procurement offences, product and road safety, environmental protection, public health, and consumer and data protection. However, the EU is encouraging national legislators to extend the protection to cover wrongdoing relating to national laws.

UK implementation

Following Brexit, as the UK is no longer an EU Member State, it will not be taking steps to implement the Directive into UK law.

Despite this, for UK companies who do business in the EU and/or have global whistleblowing policies and procedures that cover operations in the EU, understanding and meeting the requirements of the Directive will still be necessary. Even for those not obliged to comply, the Directive provides useful guidance for what "good" looks like in whistleblowing policy and procedure.

What will businesses caught by the Directive need to do?

In order to comply with their requirements, businesses should:

1. Provide internal reporting channels that are sufficiently safeguarded (so that members of staff, who should not have access to such reports, cannot easily gain access to them). This covers reports made via various channels, such as email, telephone, in writing or verbally.

2. Encourage employees to make internal reports before making an external one.

  • Employees should be made to feel that this is a "safe" option and that there is no risk of retaliation, or of their identity being leaked. Where applicable, employees should be made aware that they can report on an anonymous basis.
  • There are potential penalties for businesses for non-compliance, and employees should understand this (to further encourage reporting).
  • Businesses will also need to ensure (as most do now) that employees are aware of the potential repercussions of making a knowingly false declaration.

3. Designate independent persons or departments, and/or engage a third party provider to deliver a consistent point for reporting.

4. If a report is not made anonymously, ensure that the identity of any reporting person is kept confidential and not disclosed to anyone other than authorised members of staff. This includes any information that could identify them directly or indirectly.

5. Ensure that reports are acknowledged within seven days, that all reports are followed-up on, and feedback is given within three months to the reporting person.

6. Ensure that a record of all reports is kept, and retained as required by local law.

What is the practical impact?

For most businesses, the first step to compliance will be checking how the Directive has been implemented in relevant EU jurisdictions, comparing it to their existing policy and procedures, and updating where necessary. Fortunately, for most organisations, this is likely to be a matter of making adjustments to existing systems rather than a wholesale change of approach.

However, even if the ultimate changes to policy and procedure are small, it is important that this review is undertaken, in order to avoid the penalties for non-compliant businesses. These penalties, which under the Directive must be effective, dissuasive and proportionate, will be imposed by individual Member States. Penalties may be imposed for hindering or attempting to hinder reporting, retaliation against a reporting person, bringing vexatious proceedings against a reporting person and/or breaching the duty of confidentiality towards a reporting person.

Whenever whistleblowing is discussed, there is often a focus on the ability of a whistle-blower to make a report anonymously. While there are circumstances where a whistle-blower might justifiably feel they need the protection of anonymity, practically, reporting anonymously can make investigating and acting upon reports more difficult. It can also make it harder to identify and discipline an individual who intentionally makes a knowingly false report. The Directive therefore makes room for other EU and Member State legislation around anonymous reporting, but does not introduce any new obligations itself.