EU Directive 2019/1937 famously left the question of anonymous reporting to each member state. Three years into national implementation, the picture has clarified considerably — but not uniformly. This guide captures the current (May 2026) status across the 27 EU member states plus the three EEA countries, with the legal article that sets the rule in each jurisdiction.
Direct answer
Anonymous whistleblower reporting is legally permitted in 23 of 27 EU member states plus all 3 EEA countries. It is explicitly required in 4 (Italy, Spain, Romania, Slovenia). The remaining 4 (Cyprus, Malta, Bulgaria, Luxembourg) leave it optional but do not prohibit it. No EU country prohibits anonymous reporting outright; the most common pattern is “permitted but not required”, giving the organization discretion.
The directive’s position
Article 6(2) of EU Directive 2019/1937 states that the directive “shall not affect the power of Member States to decide whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches”. In other words: each member state chooses.
This delegation has produced a patchwork. In practice, three patterns emerge:
- Mandatory acceptance — the channel must accept anonymous reports and treat them with the same diligence as named reports (Italy, Spain, Romania, Slovenia).
- Discretionary acceptance — the organization may choose whether to accept anonymous reports (Germany, France, the Netherlands, Belgium, Austria, and most of Eastern Europe).
- Silent on the question — the national law neither mandates nor prohibits; in practice, the safe interpretation is that anonymous reports are permitted (Cyprus, Malta, Bulgaria, Luxembourg).
No EU member state prohibits anonymous reporting outright.
Country-by-country status (May 2026)
| Country | Status | National law reference |
|---|---|---|
| 🇮🇹 Italy | Required | D.Lgs. 24/2023, Art. 4(6) |
| 🇪🇸 Spain | Required | Ley 2/2023, Art. 7(3) |
| 🇷🇴 Romania | Required | Lege 361/2022, Art. 6(2) |
| 🇸🇮 Slovenia | Required | ZZPri (2023), Art. 13(1) |
| 🇩🇪 Germany | Permitted (since 2023 reform) | HinSchG § 16(1) sentence 2 |
| 🇫🇷 France | Permitted | Loi 2022-401, Art. 8-I.1 |
| 🇳🇱 Netherlands | Permitted | Wet bescherming klokkenluiders, Art. 2(2) |
| 🇧🇪 Belgium | Permitted | Loi 28/11/2022, Art. 8 |
| 🇦🇹 Austria | Permitted | HSchG § 13(2) |
| 🇸🇪 Sweden | Permitted | Lag 2021:890, § 8 |
| 🇩🇰 Denmark | Permitted | Lov 1436/2021, § 5(3) |
| 🇫🇮 Finland | Permitted | Laki 1171/2022, § 12 |
| 🇮🇪 Ireland | Permitted | Protected Disclosures Act 2014 (as amended 2022), s.5 |
| 🇵🇹 Portugal | Permitted | Lei 93/2021, Art. 7 |
| 🇬🇷 Greece | Permitted | N. 4990/2022, Art. 9 |
| 🇨🇿 Czechia | Permitted | Zákon 171/2023, § 9 |
| 🇸🇰 Slovakia | Permitted | Zákon 54/2019 (as amended), § 11 |
| 🇭🇺 Hungary | Permitted | 2023. évi XXV. törvény, § 14 |
| 🇧🇬 Bulgaria | Optional (no explicit rule) | ZZLPSPN, in practice permitted |
| 🇭🇷 Croatia | Permitted | NN 46/2022, Art. 13 |
| 🇪🇪 Estonia | Permitted | RT I, 30.06.2023, 1 |
| 🇱🇻 Latvia | Permitted | Trauksmes celšanas likums (2022), Art. 9 |
| 🇱🇹 Lithuania | Permitted | XIV-1583, Art. 14 |
| 🇱🇺 Luxembourg | Optional (no explicit rule) | Loi 16/05/2023, in practice permitted |
| 🇲🇹 Malta | Optional (no explicit rule) | Cap. 527, in practice permitted |
| 🇨🇾 Cyprus | Optional (no explicit rule) | Law 6(I)/2022, in practice permitted |
| 🇵🇱 Poland | Permitted | Ustawa o ochronie sygnalistów (2024), Art. 10 |
| 🇳🇴 Norway | Permitted | Arbeidsmiljøloven § 2 A-1 |
| 🇮🇸 Iceland | Permitted | Lög 40/2020 |
| 🇱🇮 Liechtenstein | Permitted | Whistleblower-Schutzgesetz (2024) |
Why the four “required” countries went further
Italy’s D.Lgs. 24/2023 contains the most explicit language: “The internal reporting channels must permit the submission of reports in oral or written form, in confidence and anonymously” (Art. 4(6)). The legislative history makes clear that the Italian legislator viewed anonymous reporting as the only practical defence against retaliation in Italy’s specific cultural context.
Spain’s Ley 2/2023 followed similar reasoning. Spain’s organized crime and corruption history, combined with the very high fine ceiling (€1m, the EU’s highest), made anonymous reporting non-negotiable in the legislative debate.
Romania and Slovenia adopted similar provisions in the same political window (late 2022 - early 2023), explicitly to address the structural vulnerability of reporters in their respective business environments.
What anonymity technically requires
The legal permission to accept anonymous reports does not mean the typical SaaS reporting tool is anonymous. True anonymity requires:
- No email field on the report form (most platforms require email “for follow-up”).
- No IP address logged anywhere in the request chain.
- No cookies set on the reporter’s browser.
- No device fingerprinting via canvas, WebRTC, or other browser surface.
- A way for the reporter to authenticate on follow-up without revealing identity — usually a server-issued case code plus a reporter-only secret.
Most legacy whistleblowing platforms fail at least two of these. Confidly was built specifically to meet all five — the reporter UI uses a server-generated case code and a 6-digit PIN held only by the reporter, with no email, IP, cookies, or fingerprinting.
The practical case for accepting anonymous reports
Even in jurisdictions where anonymous reporting is optional, the operational case for accepting it is strong:
- Higher report volume. Empirical studies (HHL Leipzig 2026, ECI 2025) show 2-3x more reports per 1,000 employees in organizations that accept anonymous reporting.
- Earlier detection. Anonymous reports about senior leaders or culturally taboo topics (sexual harassment, fraud by leadership) arrive on average 8 months earlier than named reports.
- Reduced retaliation risk. Anonymous channels are structurally incapable of producing retaliation — there is no reporter identity to retaliate against.
- No legal downside. No EU member state penalizes acceptance of anonymous reports; the directive does not prohibit them; courts have ruled on multiple occasions that accepting anonymous reports is fully compatible with both employment law and data protection law.
The objection most often raised — “anonymous reports are unreliable / vexatious” — does not survive contact with data. Studies consistently find that the substantiation rate of anonymous reports is within 5 percentage points of named reports.