
EU Whistleblower Protection Directive

EU rules protecting persons who report breaches of EU law from retaliation.

EU · Updated May 2026
IN A NUTSHELL
What
EU directive requiring organisations to establish internal reporting channels and protect persons who report breaches of EU law.
Who
All private-sector organisations with 50+ employees and all public-sector entities, plus any organisation in financial services, aviation, or maritime.
When
In force since December 2021. Organisations with 50-249 employees were required to comply by 17 December 2023.
Penalty
Set by Member States; penalties for retaliation against whistleblowers and for hindering or attempting to hinder reporting.
OVERVIEW

In force since December 2021, the Whistleblower Protection Directive (2019/1937) establishes minimum standards across the EU for protecting persons who report breaches of EU law in areas including public procurement, financial services, product and transport safety, environmental protection, food and feed safety, public health, consumer protection, data protection, and tax fraud. The directive recognises that whistleblowers play a vital role in uncovering wrongdoing that harms the public interest, and that fear of retaliation has historically deterred many potential reporters from coming forward.

The directive applies to private sector organisations with 50 or more employees and to all public sector entities, including municipalities and public bodies. Companies with 50 to 249 employees had until December 2023 to establish internal reporting channels (with Member States having the option to extend this deadline). Larger companies with 250 or more employees and public sector entities were required to have channels in place by December 2021. The directive protects a wide range of reporting persons, including employees, former employees, job applicants, self-employed workers, shareholders, board members, volunteers, and persons who assist the reporting person.

Core obligations require organisations to establish secure and confidential internal reporting channels that allow written and oral reporting, and optionally in-person meetings. Organisations must designate impartial persons or departments to handle reports, acknowledge receipt within seven days, provide feedback within three months, and maintain records of reports. Reporting persons may also use external reporting channels operated by national authorities, which must be established by each Member State, and may in certain circumstances make public disclosures while retaining protection.

Protection from retaliation is the directive's central mechanism. Prohibited retaliation includes dismissal, demotion, harassment, discrimination, coercion, and any other detrimental treatment. Where a reporting person suffers retaliation, the burden of proof shifts to the employer, who must demonstrate that the adverse action was not connected to the report. Member States must provide effective remedies, including interim measures, reinstatement, and compensation.

The Whistleblower Protection Directive supports the effectiveness of other EU regulations, particularly the AML framework, where suspicious activity reporting is critical, and supply chain due diligence obligations under the CSDDD, which requires companies to establish complaints mechanisms. For businesses, implementing compliant whistleblower systems is not merely a legal requirement but a governance best practice that can help identify and address risks before they escalate into regulatory violations, financial losses, or reputational damage.


KEY OBLIGATIONS
Establish secure internal reporting channels for written and oral reports
Designate an impartial person or department to handle reports
Acknowledge receipt within 7 days and provide feedback within 3 months
Protect reporting persons from any form of retaliation
YOUR FIRST STEP

Implement a secure internal reporting channel (digital or physical) and designate an impartial function to receive and investigate reports

KEY COMPLIANCE REQUIREMENTS
01 Internal reporting channels
Establish secure, confidential channels for workers and stakeholders to report breaches of EU law.
02 Acknowledgement and follow-up
Acknowledge receipt within 7 days and provide feedback on actions taken within 3 months.
03 Retaliation protection
Prohibit all forms of retaliation (dismissal, demotion, harassment) against whistleblowers and connected persons.
04 Confidentiality
Protect the identity of the reporting person; disclose only with explicit consent or as required by law.
05 Record keeping
Maintain records of all reports received in compliance with confidentiality and data protection requirements.
06 Designated person
Appoint an impartial person or department responsible for receiving, acknowledging, and following up on reports.