Who must comply with the EU Whistleblower Directive? #
Short answer: if your organization has 50 or more employees and operates in the EU, you almost certainly need an internal whistleblower reporting channel. This is not optional. It is law in all 27 EU member states.
Here is everything you need to know to determine whether you must comply, what compliance actually requires, and what happens if you do not.
The threshold: 50 employees #
EU Directive 2019/1937, Article 8(3)-(4), establishes the obligation:
- 250+ employees: Must have had an internal reporting channel since December 17, 2021 (the original transposition deadline per Art. 26(1)).
- 50–249 employees: Must have had an internal reporting channel since December 17, 2023 (extended deadline per Art. 26(2)).
If you have 50 or more employees in the EU, the deadline has already passed. You should have a channel in place now.
How employees are counted #
The Directive does not define “employee” narrowly. Member states count:
- Full-time and part-time employees (part-time may be counted proportionally in some countries)
- Fixed-term and temporary workers
- In some member states: posted workers, trainees, and apprentices
The count is based on your legal entity, not your group. If you are part of a corporate group, each entity with 50+ employees needs its own channel — though entities of 50–249 employees may share resources for receiving and investigating reports (Art. 8(6)).
Who is covered beyond headcount #
Several categories of organizations must comply regardless of employee count:
Financial services (Art. 8(4)) #
All entities operating in financial services — banks, investment firms, insurance companies, payment institutions, crypto-asset providers — must have a reporting channel irrespective of size. This applies even if you have 5 employees. The Directive defers to the sector-specific EU legislation listed in Part I.B and Part II of the Annex.
Public sector (Art. 8(9)) #
Member states may require municipalities and other public bodies to establish internal channels. Many have done so, often with lower thresholds or no threshold at all.
National extensions #
Some member states go beyond the Directive’s minimum:
- Italy: Organizations with a “Model 231” compliance program must comply regardless of size. Source: Norton Rose Fulbright
- Belgium: Companies with 250+ employees must accept anonymous reports (stricter than the Directive’s baseline). Source: Van Olmen & Wynant
- France: The Loi Waserman (2022-401) transposing the Directive removed the requirement to use internal channels before going to external authorities — reporters can now choose either path. Sapin II’s broader anti-corruption compliance obligations (separate from the whistleblower channel) still apply to companies with 500+ employees and €100M+ revenue.
Who can report #
The Directive protects a broad category of “reporting persons” — not just employees. Under Article 4, the following people are protected when they report through your channel:
- Workers (employees, civil servants, interns, trainees)
- Self-employed persons (contractors, freelancers)
- Shareholders and board members
- Volunteers
- Suppliers and their workers (anyone in your supply chain)
- Job applicants (people who learned of wrongdoing during the recruitment process)
- Former workers (people who learned of wrongdoing during a previous employment)
Your reporting channel must be accessible to all of these groups, not just current employees.
What compliance actually requires #
Having a channel means meeting the requirements in Articles 8, 9, and 16 of the Directive. Here is the minimum:
1. A secure reporting channel (Art. 8) #
An internal channel that allows reporting in writing (and optionally orally). It must:
- Be accessible to all persons covered by the Directive (employees, contractors, suppliers, etc.)
- Protect the confidentiality of the reporter’s identity
- Not require the reporter to identify themselves (anonymous reporting is permitted in most member states)
2. A documented procedure (Art. 9) #
The channel must follow a defined procedure:
| Requirement | Deadline | Article |
|---|---|---|
| Acknowledge receipt of the report | Within 7 days | Art. 9(1)(b) |
| Assign an impartial person or department to handle it | Upon receipt | Art. 9(1)(a) |
| Follow up diligently | Ongoing | Art. 9(1)(c) |
| Provide feedback to the reporter | Within 3 months | Art. 9(1)(f) |
| Inform the reporter of external reporting options | At submission | Art. 9(1)(g) |
3. Confidentiality protections (Art. 16) #
The reporter’s identity must not be disclosed to anyone beyond the staff handling the report, without the reporter’s explicit consent. This means:
- Access controls: only authorized handlers see reports
- No IP logging or tracking that could identify anonymous reporters
- Data encrypted at rest
4. Record-keeping (Art. 18) #
Reports must be stored securely and retained in compliance with national law. You need an audit trail that can demonstrate compliance to regulators.
5. Anti-retaliation measures (Art. 19–21) #
You must not retaliate against reporters. This includes dismissal, demotion, withholding promotion, changing duties, or any other form of disadvantage. Reporters must be informed of this protection.
What does NOT count as compliance #
Some things organizations try that do not meet the Directive’s requirements:
- A generic email address (e.g., compliance@company.com). This does not protect confidentiality, does not track deadlines, and does not create an audit trail.
- An anonymous suggestion box. No two-way communication, no acknowledgment, no feedback mechanism.
- A page in the employee handbook. The channel must be operational, not just documented.
- A third-party hotline with no case management. If reports come in by phone but are not tracked through a system with deadlines and audit trails, you are not compliant with Art. 9.
What happens if you do not comply #
Every member state has defined penalties. They vary widely:
| Country | Penalty for no reporting channel | Source |
|---|---|---|
| Spain | Up to €1,000,000 | Law 2/2023 |
| Belgium | €24,000–€576,000 + up to 3 years prison | CMS Expert Guide |
| Germany | €20,000–€500,000 (legal entities) | HinSchG §40 |
| Italy | €10,000–€50,000 | D.Lgs. 24/2023 |
| Poland | Up to PLN 1,080,000 (~€250,000) | Act of 14 June 2024 |
Enforcement is not theoretical. In March 2025, the EU Court of Justice fined five member states a combined €39 million for being late to transpose the Directive. National enforcement authorities are now operational in most countries and actively issuing fines.
See our full penalties by country page for all 27 member states.
The fastest path to compliance #
If your organization has 50+ employees, the deadline has passed. Here is how to get compliant:
- Set up a reporting channel. EthicsPortal takes minutes — sign up, configure your portal, share the link. €49/month, everything included.
- Designate a handler. Assign at least one impartial person to receive and investigate reports.
- Inform employees. Share the portal URL and QR code via posters, onboarding materials, and internal communications.
- Document your procedure. Adopt an internal whistleblower protection policy that describes the process, deadlines, and anti-retaliation protections.
The software is the easy part. The entire setup — channel, configuration, QR code — can be done in a lunch break. The organizational steps (handler designation, policy, training) take longer but are straightforward.
For an article-by-article breakdown of how EthicsPortal meets the Directive’s requirements, see our compliance page.