Whistleblower law in Malta #
Malta implemented Directive (EU) 2019/1937 by amending the Protection of the Whistleblower Act (Cap. 527). Malta’s framework combines the usual 50-worker private-sector trigger with a visible public-service reporting-officer model.
Applicable law #
Who must establish an internal channel #
- All public-sector entities — each Government ministry, with a whistleblowing reporting officer at Assistant Director level or above.
- Private organisations with 50 or more workers (entities with exactly 50 are in scope).
- Voluntary organisations raising more than €500,000 a year from public collections and donations.
- Private entities with fewer than 50 workers can be brought into scope by a risk assessment (nature of activities; risk to environment and public health).
The 2021 amendments (in force 24 December 2021) lowered the private-sector trigger from the old ~250-employee test to 50 workers; the 50-249 band had until 17 December 2023 to establish channels.
Penalties and enforcement #
Malta’s penalty structure is criminal, not administrative, and narrowly drawn. The one specific monetary figure the law fixes is under Article 19: a person who uses violence, threats, or besetting to compel another to abstain from a protected disclosure faces imprisonment up to one year or a fine (multa) of €500–5,000 — rising to €1,500–10,000 (plus increased imprisonment) where they succeed.
An honest assessment of enforcement. Two things matter here. First, the research found no specific fine dedicated to “failing to establish a reporting channel” — the obligation is mandatory, but the sourced penalty attaches to actively coercing a whistleblower, not to the administrative gap of lacking a channel. Second, no company has been publicly recorded as fined or sanctioned for whistleblowing non-compliance to date, and the enforcement mechanics across the sector bodies are not well documented. External disclosures are only protected if an internal report was first made or attempted (subject to exceptions such as the head of the organisation being implicated, urgency, or risk of evidence being destroyed) — which is itself a practical reason to operate a credible internal channel.
External reporting authority #
Malta uses competent authorities and reporting officers rather than one single universal external authority. The First Schedule to Cap. 527 designates external-disclosure authorities including the MFSA (financial services), the FIAU (anti-money-laundering), the Commissioner for Revenue, the Commissioner for Voluntary Organisations, the Permanent Commission Against Corruption, and the Ombudsman. The official whistleblower.gov.mt portal explains the Maltese reporting-officer model for the public service.
Data protection authority #
For complaints about the handling of whistleblower data, the relevant authority is the Information and Data Protection Commissioner (IDPC) .
Key compliance points #
- Malta’s public-service model is operationally visible: each ministry has a whistleblowing reporting officer and public-facing procedures.
- The public guidance stresses that identified reporting is important to obtain formal whistleblower status and protection, even though anonymous submissions may still surface concerns.
- Organisations operating in Malta should explain clearly whether they are describing the statutory whistleblowing process or a broader grievance / speak-up workflow.
Official sources #
- Protection of the Whistleblower Act (Cap. 527) — official text
- Government whistleblower portal
- Government whistleblower guidance
- Government whistleblower questions and answers
- MFSA — whistleblowing (designated external authority)
- MFSA — external disclosure procedure (PDF)
- IDPC — file a complaint
Deploy your reporting channel →
Last updated: