On 16 December 2019, Directive (EU) 2019/1937, on the protection of persons who report breaches of Union law (the Directive), entered into force. Member States have two years to implement measures which comply with the Directive (i.e., by 17 December 2021). The changes set out in the Directive will require organisations to update their existing whistle-blower policies to the minimum standards set out in the Directive; it is of course possible that EU Member States choose to adopt measures which go beyond the EU minimum standards, which would require organisations to tailor the policies of their national operations to match the localised standard where required.

Background and Purpose of the Directive

The EU has acknowledged that the protection afforded to whistle-blowers across its Member States is currently fragmented and inconsistent. A study commissioned by the Directorate-General for Justice and Consumers assessed the national legislative frameworks on whistle-blowing and found that only 10 EU Member States (France, Hungary, Ireland, Italy, Lithuania, Malta, Netherlands, Slovakia, Sweden and the UK) currently ensure that whistle-blowers are fully protected. Within the remaining EU countries, protection is only partial or applies only to specific industries or groups of employees.

The Directive aims to strengthen the legal protection available for all whistle-blowers and ensure that this protection is broadly consistent throughout the EU Member States; its purpose is to provide minimum EU-wide standards for:

  • reporting channels for organisations of a certain size; and
  • the level of protection afforded to persons that report breaches of Union law.

In seeking to achieve its purpose, the Directive places a greater burden on companies as regards the steps that they need to take to receive and handle reports from whistle-blowers.


The Directive provides that:

  • EU-based organisations with over 50 employees, and local authorities which provide services for more than 10,000 people, must create internal reporting procedures (Affected Organisations). Note that Affected Organisations with between 50 and 249 employees will have until 17 December 2023 to implement compliant measures.
  • Reporting persons will include not only employees, but also non-executive directors, the self-employed, contractors, volunteers, trainees and shareholders.
  • Whistle-blowers and their supporting colleagues and / or relatives must be protected from retaliation.
  • Protection is extended to those who had reasonable grounds to believe that the information on breaches reported was true at the time of reporting, irrespective of whether those breaches are substantiated.
  • Whistle-blowers will not be considered as infringing any restriction on disclosure of information imposed by contract or by law (i.e., non-disclosure agreements, confidentiality clauses, breach of copyright, trade secrets etc.) and will be protected from liability when disclosing such information.
  • Whistle-blowers are able to benefit from the protection afforded by the Directive when reporting internally to the employee's Affected Organisation, as well as in certain cases externally to authorities and / or publicly to the media.

Notable points

Remit of the Directive

The Directive has a wide remit: common minimum standards for the protection of whistle-blowers are provided across a large number of areas, including public procurement, financial services, product safety, transport safety, protection of the environment, radiation protection and nuclear safety, food safety, animal health and welfare, public health, consumer protection, data privacy, competition law and State Aid rules, and corporate tax laws. Member States are free to extend these rules to other areas (e.g. sexual harassment).

Protections afforded to whistle-blowers

One of the Directive's main aims is to protect whistle-blowers against retaliatory behaviours; the Directive sets out an extensive (non-exhaustive) list of prohibited behaviours that constitute retaliation, including termination, discrimination, the non-extension of employment contracts (removal of the time limit), bad evaluations, denial of training measures, downgrading or omitting promotion, etc.

Furthermore, the Directive contains a presumption that retaliatory action has taken place if the whistle-blower asserts that they have suffered any damage. In this respect, the burden of proof will shift to the person (typically the Affected Organisation) that is accused of taking the detrimental action "who should then be required to demonstrate that the action taken was not linked in any way to the reporting or the public disclosure".

In addition to this, while whistle-blowers are encouraged to report internally, whistle-blowers who opt to report externally in the first instance will not be excluded from the Directive's protection. This could have significant practical, legal and reputational consequences for any organisation implicated by the report: if a whistle-blower chooses to report externally before notifying the organisation, the relevant authority may open an investigation into the organisation, over which the organisation will have very limited control.

Taking the above into account, it is clear that the Directive provides additional protections for whistle-blowers, which is likely to encourage them to report any information that they believe supports breaches of EU law; this is likely to have implications for Affected Organisations which they should manage pro-actively.

What this means for Affected Organisations

It would be prudent for Affected Organisations to review their existing whistle-blower policies / introduce new whistle-blower policies, in relation to their EU operations, to ensure that they are in line with the EU-minimum standard. This would involve, inter alia, ensuring that:

  • reporting channels allow whistle-blowers to report via an online system, email, post or a telephone hotline. Upon the request of the reporting person, such channels must allow for a physical meeting within a reasonable timeframe;
  • internal channels are compliant with the relevant timeframes conferred by the Directive and provide for a process of diligent follow-up;
  • an impartial person or department is designated for following up on reports and maintaining communications, such as the Head of HR or Compliance;
  • existing company and employee handbooks reflect the changes to internal reporting procedures (e.g. information should also be provided concerning external reporting processes to competent authorities) and internal handbooks are easily accessible, e.g. on an intranet; and
  • employees understand the relevant internal reporting channels and are incentivised to utilise these channels as opposed to the external ones (e.g. providing comfort that confidentiality will be maintained etc.).

We note that, over the next two years, Member States will incorporate these standards into their national laws and that Member States' implementation may go further than what is set out in the Directive. Updating national whistle-blower policies accordingly is something that will need to be considered on an ongoing, country-by-country basis.
