Article 6(2) of Directive (EU) 2019/1937 leaves the obligation to accept anonymous reports to member-state discretion. The practical result is a patchwork: most member states accept anonymous reports, a few formally require channels to support them, and a small number still operate regimes that do not. For a multinational, the question “do we accept anonymous reports on this channel” has a different answer in every jurisdiction. This is the 2026 reference table.
Direct answer
As of mid-2026, 22 of 27 EU member states accept anonymous reports either by mandating channel support or by clearly permitting it. France, Germany, Italy, Spain, Netherlands, Ireland, Belgium, Portugal, Sweden, Finland, Denmark, Czech Republic, Poland, Greece, Romania, Croatia, Slovenia, Slovakia, Bulgaria, Lithuania, Latvia and Estonia all accept them. Austria, Hungary, Cyprus, Luxembourg and Malta have more restrictive or ambiguous positions. The German position evolved in 2024 from “encouraged” to operationally near-mandatory. For multinationals, supporting anonymous reporting across all jurisdictions is the safe default; restricting it country-by-country produces friction with no compliance upside.
Why this varies
The Directive was drafted with the recognition that some member states (notably France) had pre-existing anti-corruption traditions that strongly supported anonymous reporting, while others (notably Germany) had reservations about a flood of bad-faith anonymous reports overwhelming case handlers. The Article 6(2) compromise was to require member states to “take a decision” on whether and under what conditions channels must accept anonymous reports, leaving the choice national. Transpositions then varied accordingly.
The country breakdown
Strong-acceptance jurisdictions: anonymous reporting is the default
France (Loi Sapin 2, Loi Waserman 2022). Anonymous reports are accepted without restriction. The protection attaches even where the reporter never identifies themselves. CNIL guidance supports anonymous reporting as the default for sensitive sectors. The Défenseur des droits accepts anonymous external reports.
Italy (D.Lgs. 24/2023). Anonymous reports are accepted. ANAC operates an anonymous external channel. The protection from retaliation attaches to anonymous reporters who are subsequently identified.
Spain (Ley 2/2023). Anonymous reports must be accepted by internal channels. The AAI supports anonymous external reporting.
Netherlands (Wbk). Anonymous reports are accepted. The Huis voor Klokkenluiders supports anonymous external reporting.
Ireland (Protected Disclosures Act 2014, as amended in 2022). Anonymous reports must be accepted by all in-scope channels. The Protected Disclosures Commissioner supports anonymous external reporting.
Belgium (Wet/Loi van 28 november 2022). Anonymous reports are accepted by internal and external channels.
Portugal (Lei n.º 93/2021). Anonymous reports are accepted. The Conselho de Prevenção da Corrupção supports anonymous external reporting.
Sweden (Lag (2021:890)). Anonymous reports are accepted. Sweden’s whistleblower tradition predates the Directive; anonymous reporting has been the default for decades.
Finland (Whistleblower Protection Act 1171/2022). Anonymous reports are accepted. The Office of the Chancellor of Justice supports anonymous external reporting.
Denmark (Lov om beskyttelse af whistleblowere). Anonymous reports are accepted. The Datatilsynet has issued specific guidance supporting anonymous reporting.
Slovenia, Slovakia, Czech Republic, Romania, Croatia, Bulgaria, Lithuania, Latvia, Estonia, Poland and Greece all accept anonymous reports in their transpositions. The implementation quality varies; Greece and Romania have been particularly slow to develop external-channel infrastructure, but the legal position accepts anonymous reporting.
Operationally near-mandatory jurisdiction: Germany
Germany (HinSchG). §16(1) HinSchG addresses anonymous reporting. The original draft would have required internal channels to support anonymous reporting; the final text says channels “should” support it (the so-called Soll-Vorschrift). Politically this was a compromise. Operationally:
- The federal external channel at the BfJ accepts anonymous reports.
- Land DPAs strongly encourage internal channels to support anonymous reporting.
- The Bundesarbeitsgericht’s first decisions in 2024-2025 treat anonymous reporters identically to identified ones once anonymity is broken (e.g., by employer detective work).
- Industry survey data from late 2025 shows that ~92% of German private-sector internal channels now support anonymous reporting in practice.
The German position has evolved from a “Soll” rule to operationally near-mandatory; channels that do not support anonymous reporting face questions in BfJ inspections and miss the practical benefit of attracting reports from staff who would not engage an identified channel.
Restrictive or ambiguous jurisdictions
Austria (HinweisgeberInnenschutzgesetz, in force 25 February 2023). Anonymous reports are accepted under §9(3) HSchG but the act does not require channels to support them. Practice varies; the Federal Bureau of Anti-Corruption (BAK) accepts anonymous external reports. The Austrian transposition is the most ambiguous of the major EU economies.
Hungary (Act XXV of 2023). Anonymous reports may be accepted at the discretion of the channel operator. The Hungarian transposition is widely criticised in international evaluations for under-protecting reporters; the European Commission opened infringement proceedings in 2024 that remain ongoing as of mid-2026.
Cyprus (Law 6(I)/2022). Anonymous reports are accepted but the act allows the channel operator to refuse to follow up on a report where it is clearly malicious or insufficient. The protection-from-retaliation framework is weak in practice.
Luxembourg (Loi du 7 février 2023). Anonymous reports are accepted, but Luxembourg’s specific banking-sector concerns have led to additional safeguards on the use of anonymous reports in financial-sector cases. CNPD has not issued explicit anonymous-reporting guidance.
Malta (Whistleblower Act of 2013 as amended in 2022). Anonymous reports are accepted but the protective framework is less developed than in larger member states; the Maltese Office of the Ombudsman has limited resources.
What this means for multinationals
The compliance design question for a multinational is whether to support anonymous reporting on all internal channels or only where required. The strong recommendation is to support it everywhere.
Reasons:
- The reporters who most need anonymity are the most vulnerable: junior staff, suppliers, those on non-permanent contracts. They are also the source of much of the most actionable information. A channel that they will not use is a channel that filters out the cases the organisation most needs to hear.
- The legal upside of restricting anonymous reporting is zero. There is no jurisdiction in the EU where channels are penalised for accepting anonymous reports.
- The operational cost of supporting anonymous reporting is small. Confidly’s case codes are issued automatically; the bcrypt-hashed reporter secret authenticates returning reporters; the reporter’s IP address is stripped at ingress.
- The reputational benefit is real. Channels that support anonymous reporting see ~30% higher submission rates in industry-wide surveys.
The country-specific differences matter primarily where a regulator inspects whether the channel accepts anonymous reports as a matter of design, and whether the protection framework attaches to anonymous reporters. Both are easier to demonstrate when the policy is “we accept anonymous reports across all channels”.
Reporter onboarding and the contextual-identification problem
Accepting anonymous reports is necessary but not sufficient. The contextual-identification problem (reporters who give away their identity through unique facts in the narrative) needs explicit reporter education. The recommended pattern, used by Confidly and by several other EU channel vendors:
- A landing page before the report form explains anonymity, including the limits.
- A note in the form invites reporters to consider whether the facts they include identify them and offers a “review and redact” step before final submission.
- The acknowledgement message references the contextual risk and invites the reporter to consider further redaction in any follow-up messages.
These three steps, costing nothing operationally, dramatically reduce the rate of unintentional self-identification.
What’s next
The European Commission’s 2026 implementation report is widely expected to recommend convergence on anonymous-reporting acceptance through soft-law guidance. A binding amendment is unlikely in this cycle. National regimes that currently restrict anonymous reporting (notably Hungary) are facing infringement proceedings and may be obliged to liberalise by 2027.
For compliance officers, the safe and operationally simple default is: accept anonymous reports in every jurisdiction, train the case handlers to handle them, and treat the operational consistency as the value rather than chasing per-country variation. The country differences will narrow; the practice of supporting anonymous reporting consistently will outlast them.