Whistleblower Directive
The Whistleblower Directive protects persons who report breaches of EU law. Organisations above certain thresholds must set up secure internal reporting channels, meet deadlines and prevent retaliation.
What does Whistleblower require and when does it apply?
The Whistleblower Directive applies to all private-sector organisations with 50+ employees and to public-sector organisations across all EU member states. The key deadlines are December 17, 2021 (250+ employees) and December 17, 2023 (50–249 employees). The maximum penalty for non-compliance is set per member state. Core obligations include establishing secure internal reporting channels and acknowledging reports within 7 days.
- Establish secure internal reporting channels
- Acknowledge reports within 7 days
- Follow up within 3 months
- Protect reporter identity
- Prohibit all forms of retaliation
| Deadline | December 17, 2021 (250+ employees); December 17, 2023 (50–249 employees) |
| Max fine | Per member state |
| Primary sectors | All private sector (50+ employees), Public Sector, Financial Services |
Source: Official Journal of the European Union — Whistleblower Directive
Who does Whistleblower apply to?
Those affected are in particular private organisations with at least 50 employees as well as public bodies; individual sectors may be covered regardless of size.
- Set up secure internal reporting channels
- Acknowledge receipt of reports within 7 days
- Provide feedback on follow-up measures within 3 months
- Protect the identity of the reporting person and prohibit retaliation
What are the penalties for Whistleblower non-compliance?
Penalties are set at national level. Risks arise in particular from missing channels, breaches of confidentiality or retaliation.
| Maximum fine | Penalties set by national law — must be effective, proportionate, dissuasive |
When does Whistleblower apply?
The Directive has been, or is to be, transposed; for private organisations with 50+ employees, the key later application date was 17 December 2023.
- 2019-12-16 — Entry into force
- 2021-12-17 — Transposition deadline (entities with 250+ employees)
- 2023-12-17 — Extended deadline for entities with 50–249 employees
Threshold above which many private organisations must provide internal reporting channels.
Directive (EU) 2019/1937 — EUR-Lex
| Official name | Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law |
| Reg. No. | (EU) 2019/1937 |
| CELEX | 32019L1937 |
| Type | directive |
| In force | 2019-12-16 |
| Applies from | 2021-12-17 |
| Transposition | 2021-12-17 |
| Max fine | Penalties set by national law — must be effective, proportionate, dissuasive |
| Authorities | Member-state designated bodies (varies by country: national integrity authorities, ombudspersons, labour inspectorates) (member-state) |
| Source | (EU) 2019/1937 — EUR-Lex Official Journal |
How do I comply with Whistleblower?
- Establish secure internal reporting channels
- Acknowledge reports within 7 days
- Follow up within 3 months
- Protect reporter identity
- Prohibit all forms of retaliation
Related Regulations
GDPR
GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.
CSRD
CSRD expands mandatory sustainability reporting to large companies and listed SMEs. Companies must report according to European Sustainability Reporting Standards (ESRS) covering environment, social, and governance matters.
CS3D
CS3D requires large companies to conduct due diligence on actual and potential adverse impacts on human rights and the environment in their operations and supply chains.
Frequently Asked Questions
- What does the EU Whistleblower Directive require organisations to implement?
- The EU Whistleblower Directive (Directive 2019/1937) requires organisations with 50 or more employees to establish secure internal reporting channels for breaches of EU law. Channels must protect reporter confidentiality, acknowledge reports within 7 business days, provide feedback on follow-up within 3 months, and maintain records for no more than 3 years. Organisations must designate an impartial person or department to handle reports. All forms of retaliation — dismissal, demotion, negative performance assessment, intimidation, blacklisting — are prohibited. The Directive covers financial services, product safety, environmental law, food safety, public health, GDPR, network security, competition law, and public procurement.
- From what company size does the EU Whistleblower Directive apply?
- The EU Whistleblower Directive applies to all private-sector organisations with 50 or more employees and all public sector bodies regardless of size. For organisations with 50–249 employees, member states may allow shared reporting channel resources — a joint channel managed by a third-party provider is permitted under Article 8(6). Organisations with 250 or more employees must have their own dedicated internal reporting channel. Municipalities with fewer than 10,000 inhabitants may be exempt in some member states. The Directive protects not just employees but also self-employed contractors, shareholders, board members, volunteers, trainees, and job applicants who discover breaches.
- What sectors are covered by the EU Whistleblower Directive?
- The EU Whistleblower Directive (Article 2) covers reporting breaches in: financial services, products, and markets including AML; transport safety; environmental protection; food and feed safety; public health; consumer protection; privacy and data protection (GDPR); network and information systems security (NIS2); EU competition law; corporate tax; and public procurement. Member states may extend coverage to national law violations — Germany's HinSchG (Hinweisgeberschutzgesetz, in force December 2023) extends to criminal law; France's Sapin II covers corruption and financial crime more broadly. Reporters are protected for disclosures that were reasonably believed to be true at the time of reporting.
For informational purposes only. This is not legal advice — consult qualified legal counsel.
Source: EUR-Lex 32019L1937