EU Whistleblowing Directive 2019/1937: A practical guide
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law — commonly known as the EU Whistleblowing Directive — is the most significant piece of European whistleblower protection legislation to date. It establishes minimum standards for internal reporting channels, reporter protection, and follow-up procedures across all EU member states.
Who does it apply to?
The Directive applies to all legal entities in the private sector with 50 or more employees. In the public sector, it applies to all entities regardless of size, though member states may exempt municipalities with fewer than 10,000 inhabitants.
This means the vast majority of medium and large organisations across Europe are required to comply. Member states were also free to extend coverage to smaller organisations in their national transposition.
What does the Directive require?
Article 8 of the Directive sets out the core obligation: organisations must establish internal reporting channels that allow workers to report breaches securely and confidentially. Specifically:
- Reporting channels must allow reports in writing or orally, or both (Article 9(2))
- The identity of the reporting person must be kept confidential (Article 16)
- Receipt of a report must be acknowledged within 7 days (Article 9(1)(b))
- An impartial person or department must be designated to follow up on reports (Article 9(1)(c))
- Feedback must be provided to the reporting person within 3 months (Article 9(1)(f))
- Clear and accessible information about reporting procedures must be provided (Article 9(1)(g))
- Channels must be designed and operated in a secure manner that ensures confidentiality (Article 9(1)(a))
How are whistleblowers protected?
Chapter VI of the Directive establishes a comprehensive prohibition on retaliation. Article 19 prohibits any form of retaliation, including dismissal, demotion, harassment, discrimination, or any other unfavourable treatment.
Critically, Article 21 reverses the burden of proof: if a reporting person suffers a detriment, the employer must prove that the detriment was not connected to the report. This is a significant legal protection that makes retaliation costly and difficult to defend.
Article 20 provides support measures for reporting persons, including access to legal aid, financial assistance, and psychological support where available under national law.
What can be reported?
The Directive covers breaches of EU law in specific areas listed in Part I of the Annex, including:
- Public procurement
- Financial services and prevention of money laundering
- Product safety and compliance
- Transport safety
- Environmental protection
- Radiation protection and nuclear safety
- Food and feed safety, animal health and welfare
- Public health
- Consumer protection
- Privacy and data protection (GDPR)
- EU financial interests and internal market competition
Member states may extend this scope in their national transposition. Many have done so to cover additional areas such as national tax law, labour law, and corruption.
Internal, external, and public reporting
The Directive establishes a three-tier reporting framework:
- Internal reporting — Through the organisation's own channel. The Directive encourages internal reporting as the preferred first step where the breach can be effectively addressed internally.
- External reporting — To a competent national authority. Reporting persons may go directly to external channels without first reporting internally.
- Public disclosure — As a last resort, where internal or external reporting has not resulted in appropriate action, or in cases of imminent danger or irreversible damage to the public interest.
Transposition deadlines
The Directive entered into force on 16 December 2019. Member states were required to transpose it into national law by:
- 17 December 2021 — for all provisions relating to organisations with 250 or more employees
- 17 December 2023 — for provisions relating to organisations with 50–249 employees
All EU member states have now transposed the Directive, though specific requirements vary. Non-EU EEA states (Norway, Iceland, Liechtenstein) have adopted equivalent legislation.
How Report Securely helps you comply
Report Securely is a digital whistleblowing platform built specifically for EU Directive 2019/1937 compliance. It addresses the Directive's requirements directly:
- Secure, confidential reporting channels accessible via web — satisfying Article 9(1)(a)
- Anonymous and confidential reporting modes — satisfying Article 16
- Receipt acknowledgement and feedback tracking — satisfying Article 9(1)(b) and (f)
- Designated handler assignment with audit trail — satisfying Article 9(1)(c)
- Support for 28 European languages — ensuring accessibility for workers across borders
- Optional partner law firm handling for independent, external review of whistleblowing reports
- AI text rephrasing for stylometric anonymisation — additional identity protection