6 minimum requirements of the EU-wide whistleblowing laws


By Daniel Vaknine, Partner, Visslan

Daniel Vaknine is CEO and Partner of Visslan, a Sweden-based whistleblowing solution to simplify whistleblowing and compliance with the new EU Whistleblowing Directive.

The new EU Whistleblowing Directive places many new demands on organizations regarding whistleblowing, and many existing whistleblower solutions need to be reviewed or reworked to meet them. Here, we take a closer look at the 6 minimum requirements for complying with the new law. If your company has 50 employees or more, you need to ensure compliance by the 17th of December 2023 (organizations with 250 or more employees were already covered by the earlier transposition deadline of December 2021, so for them the requirements already apply).

The requirements below are the absolute minimum that organizations covered by the whistleblowing legislation need to meet. A whistleblower solution that meets them is compliant, but that does not necessarily mean it is as good as it could be; it simply means that you meet the statutory minimum.

Tips on how to further improve your whistleblower solution can be found in my previous post for the Compliance & Ethics Blog, "Optimize your whistleblowing function with these 6 tips". You are also welcome to read a more thorough checklist for a good whistleblowing solution.

1. Internal reporting channels

Offering internal reporting channels is a requirement under the EU Directive for all organizations with 50 or more employees. These internal reporting channels must offer sufficient confidentiality and security: in practice, that means the channel is designed and operated so that the identity of the whistleblower (and of any third party mentioned in the report) is protected, and so that staff who are not authorized case handlers cannot access the reports.

Although it is possible to refuse anonymous reports, it is strongly recommended to allow and enable anonymous whistleblowing (if you do, have an extra look at number 4 below, since you still need to be able to give feedback to an anonymous whistleblower).

In short, reporting channels for whistleblower reports need to allow full confidentiality of the whistleblower’s identity. Regardless of whether only internal personnel handle the case or if external parties become involved, the whistleblower’s identity should be able to remain protected.

It should also be possible for the whistleblower to follow the progress of their case, and the solution must support deleting personal data when it is no longer needed, in line with the GDPR.

2. Protection against retaliation

Whistleblowers need to be protected from retaliation as a result of choosing to blow the whistle. The protection is extensive and covers not only termination but also, for example, a negative performance assessment, non-promotion or demotion, a change of working conditions, disciplinary sanctions, non-renewal of an employment contract, and threats or harassment.

Legal or contractual obligations imposed on employees, such as loyalty clauses or confidentiality obligations, cannot prevent the application of the protection against retaliation.

3. GDPR & Data Protection

As whistleblowing involves the handling of personal information, the GDPR also applies to whistleblowing, and its requirements must be met in the handling of reports to avoid violations.

Remember that violations of the GDPR can result in fines of up to 20 million euros or four percent of your organization's global annual turnover, whichever is higher. This of course complicates parts of handling whistleblowing reports, since every report contains personal data about the whistleblower and usually about the people it concerns.

4. Feedback and follow-up

After a report has been received, there are rules for how it must be handled. Timelines, feedback and follow-up are essential to complying with the whistleblowing requirements. They can vary somewhat depending on which EU country you operate in, but most follow the framework below.

Within 7 days

A confirmation that the report has been received must be sent to the whistleblower within 7 days. This is one of the reasons why it is good to have more than one case manager: even if a person is ill or on holiday, the confirmation still needs to go out within 7 days.

Within 3 months

Within 3 months of the confirmation of receipt, the whistleblower must receive feedback on the investigation, informing them about the measures that have been taken or will be taken. If the case has been closed, this can also be announced in this feedback. Even if the investigation is not yet complete, the whistleblower must still be updated within 3 months on the status of the case.

After 2 years

The information in a case must be deleted from the whistleblower system 2 years after it is no longer needed. The 2 years are thus counted not from when the information came in, but from when it is no longer needed. Different EU countries have different rules for how long a case and its information may be stored, but in most EU countries the period is 2 years.

5. Whistleblower policy

A whistleblower policy should include all the relevant information that employees within the organization need to know: what can be reported, which channels they can use to blow the whistle, how reports are handled and within what timelines, and any other information that is useful for them to know. As a helping hand, check out how to make your whistleblower policy easy to understand.

Go the extra mile – Communication & education

This is not a minimum requirement, but it is worth keeping in mind: how you communicate whistleblowing to employees and how you train them. Even if your whistleblower solution covers the minimum requirements, there is still the risk that no one dares to use it, whether due to uncertainty or because they do not know it exists.

A couple of simple ways to remedy this are to regularly remind employees of your whistleblower policy and your routines for whistleblowing (preferably including how to report anonymously). You can also hold quizzes or role-plays between colleagues to make the knowledge stick, whatever works for your employees. The exact method differs between organizations, but what matters is that your whistleblower solution is actually used and that employees feel safe in the workplace. Anonymity can be key to this, but do not forget that you still have to be able to follow up with the whistleblower.