EuroComply
Sign up

Whistleblower Directive

The Whistleblower Directive protects persons who report breaches of EU law. It requires organisations with 50+ employees to establish internal reporting channels and prohibits retaliation. Maximum administrative fine: Per member state.

Free EU Compliance Checker

What does Whistleblower require and when does it apply?

Whistleblower applies to All private sector (50+ employees) and Public Sector organisations across all EU member states. The key deadline is December 17, 2021 (250+ employees); December 17, 2023 (50โ€“249 employees). Non-compliance carries a maximum penalty of Per member state. Core obligations include establish secure internal reporting channels and acknowledge reports within 7 days.

  • Establish secure internal reporting channels
  • Acknowledge reports within 7 days
  • Follow up within 3 months
  • Protect reporter identity
  • Prohibit all forms of retaliation
DeadlineDecember 17, 2021 (250+ employees); December 17, 2023 (50โ€“249 employees)
Max finePer member state
Primary sectorsAll private sector (50+ employees), Public Sector, Financial Services
Source: Official Journal of the EU โ€” Whistleblower DirectiveReviewed:
TL;DR

Whistleblower: Per member state max fine

Whistleblower applies to All private sector (50+ employees) and Public Sector organisations in all EU member states. Key deadline: December 17, 2021 (250+ employees); December 17, 2023 (50โ€“249 employees).

Source: Official Journal of the European Union โ€” Whistleblower Directive

Deadline

December 17, 2021 (250+ employees); December 17, 2023 (50โ€“249 employees)

Max Fine

Per member state

Sectors Affected

All private sector (50+ employees), Public Sector, Financial Services

Per member statemaximum fine

The highest penalty for non-compliance with Whistleblower in the EU.

EU Official Journal

Key regulatory facts: Whistleblower Directive
Official nameDirective (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law
Reg. No.(EU) 2019/1937
CELEX32019L1937
Typedirective
In force2019-12-16
Applies from2021-12-17
Transposition2021-12-17
Max finePenalties set by national law โ€” must be effective, proportionate, dissuasive
Authorities
Member-state designated bodies (varies by country: national integrity authorities, ombudspersons, labour inspectorates) (member-state)
Source(EU) 2019/1937 โ€” EUR-Lex Official Journal

How do I comply with Whistleblower?

  • Establish secure internal reporting channels
  • Acknowledge reports within 7 days
  • Follow up within 3 months
  • Protect reporter identity
  • Prohibit all forms of retaliation

Does Whistleblower apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now โ€” free

Whistleblower by Country

๐Ÿ‡ฉ๐Ÿ‡ช

Germany

๐Ÿ‡ซ๐Ÿ‡ท

France

๐Ÿ‡ณ๐Ÿ‡ฑ

Netherlands

๐Ÿ‡ช๐Ÿ‡ธ

Spain

๐Ÿ‡ฎ๐Ÿ‡น

Italy

๐Ÿ‡ฆ๐Ÿ‡น

Austria

๐Ÿ‡ง๐Ÿ‡ช

Belgium

๐Ÿ‡ต๐Ÿ‡ฑ

Poland

๐Ÿ‡ธ๐Ÿ‡ช

Sweden

๐Ÿ‡ฎ๐Ÿ‡ช

Ireland

๐Ÿ‡ต๐Ÿ‡น

Portugal

๐Ÿ‡ฉ๐Ÿ‡ฐ

Denmark

๐Ÿ‡ซ๐Ÿ‡ฎ

Finland

๐Ÿ‡จ๐Ÿ‡ฟ

Czech Republic

๐Ÿ‡ท๐Ÿ‡ด

Romania

๐Ÿ‡ญ๐Ÿ‡บ

Hungary

๐Ÿ‡ธ๐Ÿ‡ฐ

Slovakia

๐Ÿ‡ง๐Ÿ‡ฌ

Bulgaria

๐Ÿ‡ญ๐Ÿ‡ท

Croatia

๐Ÿ‡ฌ๐Ÿ‡ท

Greece

๐Ÿ‡ฑ๐Ÿ‡บ

Luxembourg

๐Ÿ‡ช๐Ÿ‡ช

Estonia

๐Ÿ‡ฑ๐Ÿ‡ป

Latvia

๐Ÿ‡ฑ๐Ÿ‡น

Lithuania

๐Ÿ‡ธ๐Ÿ‡ฎ

Slovenia

๐Ÿ‡ฒ๐Ÿ‡น

Malta

Explore Whistleblower in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

Whistleblower by Industry

๐Ÿ’ป

SaaS & Software

๐Ÿ’ณ

Fintech & Financial Services

๐Ÿฅ

Healthcare & MedTech

๐Ÿญ

Manufacturing & Industry

๐Ÿ›’

E-commerce & Retail

๐ŸŽ“

EdTech & Education

๐Ÿšš

Logistics & Transport

โšก

Energy & Utilities

๐Ÿ“ก

Telecoms & Media

๐Ÿ‘ฅ

HR & Recruitment

โš–๏ธ

Legal & Professional Services

๐Ÿ›๏ธ

Public Sector & NGOs

Related Regulations

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

CSRD

CSRD expands mandatory sustainability reporting to large companies and listed SMEs. Companies must report according to European Sustainability Reporting Standards (ESRS) covering environment, social, and governance matters.

CS3D

CS3D requires large companies to conduct due diligence on actual and potential adverse impacts on human rights and the environment in their operations and supply chains.

Explore Whistleblower in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific Whistleblower guidance for SaaS, fintech, healthcare, and other affected industries.

Next step โ€” classify

Classify your AI systems

Use the free regulation checker to find out exactly which Whistleblower obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which Whistleblower obligations apply to your organisation in under 2 minutes.

Check Your EU Compliance

Frequently Asked Questions

What does the EU Whistleblower Directive require organisations to implement?
The EU Whistleblower Directive (Directive 2019/1937) requires organisations with 50 or more employees to establish secure internal reporting channels for breaches of EU law. Channels must protect reporter confidentiality, acknowledge reports within 7 business days, provide feedback on follow-up within 3 months, and maintain records for no more than 3 years. Organisations must designate an impartial person or department to handle reports. All forms of retaliation โ€” dismissal, demotion, negative performance assessment, intimidation, blacklisting โ€” are prohibited. The Directive covers financial services, product safety, environmental law, food safety, public health, GDPR, network security, competition law, and public procurement.
From what company size does the EU Whistleblower Directive apply?
The EU Whistleblower Directive applies to all private-sector organisations with 50 or more employees and all public sector bodies regardless of size. For organisations with 50โ€“249 employees, member states may allow shared reporting channel resources โ€” a joint channel managed by a third-party provider is permitted under Article 8(6). Organisations with 250 or more employees must have their own dedicated internal reporting channel. Municipalities with fewer than 10,000 inhabitants may be exempt in some member states. The Directive protects not just employees but also self-employed contractors, shareholders, board members, volunteers, trainees, and job applicants who discover breaches.
What sectors are covered by the EU Whistleblower Directive?
The EU Whistleblower Directive (Article 2) covers reporting breaches in: financial services, products, and markets including AML; transport safety; environmental protection; food and feed safety; public health; consumer protection; privacy and data protection (GDPR); network and information systems security (NIS2); EU competition law; corporate tax; and public procurement. Member states may extend coverage to national law violations โ€” Germany's HinSchG (Hinweisgeberschutzgesetz, in force December 2023) extends to criminal law; France's Sapin II covers corruption and financial crime more broadly. Reporters are protected for disclosures that were reasonably believed to be true at the time of reporting.

For informational purposes only. This is not legal advice โ€” consult qualified legal counsel.

Last verified: ยท Source: EUR-Lex 32019L1937 ยท Editorial policy