On 7 October 2019, the EU Council of Ministers adopted a new whistleblower protection directive which obliges the member states to implement whistleblower rules which cover companies and public authorities and oblige these to introduce whistleblower protection schemes that include all employees in the company/authority.

On 7 October 2019, the EU Council of Ministers adopted a new whistleblower protection directive which obliges the member states to implement whistleblower rules which cover companies and public authorities and oblige these to introduce whistleblower protection schemes that include all employees in the company/authority. The deadline for the implementation is 17 December 2021. Bird & Bird has in this article taken a deeper look into the coming regulation.

The fundamental aim of the new directive is to strengthen compliance with and enforcement of specific areas of EU law, by making it mandatory for all concerned companies and authorities to establish a whistleblower scheme, and by this to strengthen the protection of whistleblowers reporting EU law breaches within the scope of the directive.

The directive applies to private companies with 50 or more employees. However, this threshold does not apply if there is an obligation to establish a whistleblower scheme under other special legislation, including financial services regulations or the money laundering regulations. As a rule, all public authorities must establish an internal whistleblower system. However, the Member States may exclude municipalities with less than 10,000 inhabitants or fewer than 50 employees and other government agencies with fewer than 50 employees.

Under the new whistleblower directive, also external partners may report violations under the scheme.

For companies in the private sector with 50 to 249 employees it is noted, that there is a "special deadline" for implementation in Article 26 (2), according to which Member States may decide to implement the rules for (and thus oblige) companies with between 50 and 249 employees no later than by 17 December 2023 (i.e. two years later than the “main” implementation deadline). On this basis, Member States have more time to introduce rules for whistleblowing channels for companies with between 50 and 249 employees. The legal position is therefore considered more favorable for these companies if the Member States postpone the implementation on this basis. Hence, it ultimately depends on how Member States choose to implement the directive.

Scope of the whistleblower schemes

From a subject matter perspective, the directive’s scope is breach of EU law. More specifically, violation of EU law in the following areas are covered: (1) public procurement, (2) financial services, (3) money laundering prevention, (4) product security and product identity (5) environmental protection, (6) consumer and data protection, (7) public health, (8) radiation security and nuclear security and, (9) protection of the privacy.

However, Member States may choose to extend the material scope of the directive. One of the interesting things to follow will be to what extent Member States may choose to include reporting on breaches of other sets of legislation under the implementation legislation. Obvious elements to consider would be workplace harassment and discrimination along with various types of misuse of governmental/public funds, including i.a. bribery, which are not directly covered by the directive.

Protection of the “whistleblower”

The main scope of the directive is to prohibit Member States and employers from any form of reprisal against whistleblowers as a whistleblower might be intimidated from making a report if this is the case. Such reprisals include suspension, termination, demotion or failed promotion, pay reduction, change in working hours, coercion, harassment or exclusion in the workplace etc. and applies to both employees, consultants, and suppliers etc.

The whistleblower is only protected from those reprisals if the whistleblower had reasonable grounds to assume that the relevant information was true and correct and that the reporting related to breaches (of EU legislation) that fell within the scope of the directive at the time of the reporting.

On this basis, if a whistleblower is exposed to such reprisals after making a report (coved by the scope of the directive), it will be assumed that the reprisals are initiated due to the report and the employer must in this case prove that the reprisals were not initiated due to report. This will be a heavy burden of proof to lift by the employer, and expectedly it will be rather similar to the protection currently found in the EU based anti-discrimination and equal treatment legislation.

Requirements to the whistleblower channels

According to the directive, it is up to the relevant Member State to define how to establish the necessary whistle blower channels as long as the relevant potential whistleblowers’ identities are ensured to be kept confidential.

The authority/company should, however, ensure that some minimum requirements in the Directive are followed, e.g. that:

  • The channel is designed, established and operated in a secure manner that ensures the confidentiality of the reporting person's identity and that any third party mentioned in the reporting is protected, and that prevents unauthorised employees' access to it;
  • A confirmation of receipt of the report is given to the reporting person within seven days;
  • An impartial, competent person or department is appointed to follow up on the reports. This person or department must maintain communication with the reporting person and, where necessary, request further information from and provide feedback
    to this reporting person;
  • A careful follow-up is carried out on the designated person or department;
  • A reasonable time limit is set for giving feedback which does not exceed three months from the acknowledgment of receipt or, if no acknowledgment was sent to the reporting person, three months from the expiry of a period of seven days after the alert was given;
  • The channel contains clear and easily accessible information on the procedures for making reports externally to competent authorities.

In addition, the Member States may add more procedural rules when implementing the directive.


According to the directive’s preamble 34, it is up to each Member State to decide whether it should be possible to report anonymously or not and, in this connection, whether each Member State is obliged to follow up on anonymous reports.

If one or more Member States decide to only follow up on non-anonymous reports, it may cause doubt on whether employees (or external partners) at the end of the day are willing to report any breaches of EU law even though the employees (or external partners) will be protected from reprisals.

With that being said, it is implied in the directive’s article 6 (3) that persons who reported or publicly disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall nonetheless qualify for the protection under the directive.

Bird & Bird's comments:

It is expected that the whistleblower directive will have a bigger impact on the standard employees’ (and other protected persons in the directive) than the current legislation has due to the reach of the directive.

The directive must, as stated, be implemented no later than 17 December 2021.

The purpose of the directive is to grant the individual employee a wider and better protection, and furthermore the new Directive ensures that not only selected companies within certain industries are covered by the directive, but in general all types of companies with 50 employees or more. In this connection it will be interesting to see if the implementation of the directive will result in an extended material scope of coverage in the Member States and to what extent (e.g. on workplace (sexual) harassment and discrimination, and various types of misuse of governmental/public funds, including i.a. bribery).

Even though companies with less than 50 employees as a main rule are excepted from the rules in the directive, such companies should consider implementing whistleblower schemes. This would be a good idea in case the company grows to more than 49 employees, but also because implementation of a whistleblower scheme will send a signal to all employees, as well as the industry that the company aims to settle with criminal and unethical behaviour and that employees should not be worried about reporting any such suspicious behaviour.

Bird & Bird will follow the implementation process thoroughly, and we will of course follow up when a suggestion to the implementation bill is presented for Parliaments in the various Member States.

In the meantime, reference is also made to Bird & Bird’s “EU Employment Law Report” mentioning the implementation as well as our previous newsletter on the matter:

Latest insights

More Insights

“Home office in Germany as permanent establishment?” – German tax authorities comment on the topic for the first time

May 24 2024

Read More
Suspension bridge over water at sunset

China TMT Bi-monthly Update - March & April 2024 Issue

May 24 2024

Read More
Car on Target

Book Launch: "Autonomous Vehicles and Civil Liability in a Global Perspective"

May 24 2024

Read More