How to set up a whistleblower reporting channel in 5 minutes #

EU Directive 2019/1937 requires every organization with 50 or more employees to operate an internal whistleblower reporting channel. The requirement is clear, but most implementations take far longer than they should.

This guide explains what the Directive actually requires from the channel itself, why enterprise tools make the process unnecessarily slow, and how to get a working channel live in minutes.

What the Directive requires #

Article 8 and Article 9 specify what an internal reporting channel must do:

• Accept reports in writing or orally
• Allow anonymous reporting (required in some member states, strongly recommended everywhere)
• Enable two-way communication with the reporter, even if they are anonymous
• Ensure only authorized persons can access reports
• Acknowledge receipt within seven calendar days
• Provide feedback within three months

That is the legal minimum. No specific technology is mandated — the Directive is technology-neutral. A web portal, a phone line, or even a locked physical mailbox can qualify, as long as the requirements above are met.

Why most implementations take weeks #

Enterprise whistleblower platforms are designed for large organizations with complex procurement processes. A typical implementation looks like this:

1. Request a demo — fill out a form, wait for a sales rep to call you back
2. Attend the demo — a 30–60 minute call where the vendor walks you through features you may not need
3. Receive a proposal — custom pricing based on employee count, modules, and add-ons
4. Negotiate the contract — legal review, DPA signing, procurement approval
5. Onboarding kickoff — a project manager is assigned, another call is scheduled
6. Configuration — the vendor configures your portal, categories, and branding (or trains you to do it)
7. Testing and launch — review, approve, and go live

For a 100-person company that just needs a compliant channel, this process is weeks of elapsed time and hours of meetings. It is designed for enterprises where a six-week procurement cycle is normal. For an SME, it is friction that delays compliance.

The 5-minute setup with EthicsPortal #

EthicsPortal is built for the opposite scenario: you need a compliant channel, and you need it today.

Step 1: Sign up (1 minute) #

Go to ethicsportal.eu and create an account. No demo request, no sales call, no “contact us for pricing.” You enter your email, set a password, and you are in.

Step 2: Configure your portal (2 minutes) #

From the dashboard, set up your reporting portal:

• Organization name — appears on the portal so reporters know they are in the right place
• Report categories — define what types of issues can be reported (fraud, harassment, safety violations, etc.). Sensible defaults are provided.
• Welcome text — the message reporters see when they land on the portal. A clear, reassuring default is pre-filled.
• Brand color — match your organization’s visual identity
• Language — choose the portal language for your reporters

The portal is live at a unique URL as soon as you save. No deployment, no waiting.

Step 3: Share the portal with employees (1 minute) #

Every portal gets a shareable link and a QR code. You can:

• Email the link to all employees
• Print the QR code and post it in break rooms, offices, or common areas
• Add the link to your intranet or employee handbook
• Include it in your written whistleblower policy

Step 4: Start receiving and managing reports (1 minute) #

When someone submits a report through the portal, you receive a notification. From the dashboard, you can:

• Read the report
• Communicate with the reporter via secure two-way messaging (even if they are anonymous — they use an access code)
• Track the seven-day acknowledgment deadline
• Track the three-month feedback deadline
• Update the case status and add internal notes
• Close the case with a documented outcome

That is it. Your channel is live, compliant, and ready to receive reports.

What to do after setup #

A reporting channel is the technical foundation, but compliance requires organizational steps too:

Designate a case handler #

Appoint one or more persons to receive and investigate reports. This person should be impartial and not likely to be the subject of reports. A compliance officer, legal counsel, or senior HR person typically fills this role. For small organizations, the managing director can serve as handler.

Train your handlers #

Case handlers need to understand: how to use the platform, confidentiality obligations, the seven-day and three-month deadlines, basics of conducting an internal investigation, and anti-retaliation rules.

Write a whistleblower policy #

Document how your organization handles reports. Cover scope, who can report, confidentiality, anti-retaliation, and the investigation process. See our free policy template for a ready-to-use document.

Inform employees #

The Directive requires you to proactively tell employees about the channel. Send an email, post on the intranet, mention it in team meetings, and include it in onboarding. The QR code makes this easy — print it and put it where people will see it.

Common mistakes to avoid #

Using a generic email address. An email like compliance@company.com does not meet the Directive’s requirements in most cases. Email lacks encryption, does not support anonymous reporting, and does not provide two-way communication with anonymous reporters.

Requiring reporters to identify themselves. While the Directive does not uniformly require anonymous reporting across all member states, several national transposition laws do, and making identification mandatory discourages reporting. Allow anonymity by default.

Forgetting the deadlines. Seven days for acknowledgment, three months for feedback. These are not suggestions — they are legal requirements. Missing them is a compliance failure. Use a system that tracks these deadlines automatically.

Not designating a handler. The channel is a mailbox. Someone needs to open it, read the reports, and act on them. If no one is designated, reports go unanswered and deadlines pass.

Over-engineering the setup. You do not need a full GRC suite, custom integrations, or a six-month rollout to comply. A working channel with anonymous reporting, two-way communication, and deadline tracking covers the legal requirements. Start simple, add complexity only if you need it.

Get started #

EthicsPortal is €49/month flat — no per-employee pricing, no annual contracts, no sales calls. Set up your compliant reporting channel in minutes and focus on what matters: protecting the people who speak up.