EU Directive 2019/1937, known formally as the Directive on the protection of persons who report breaches of Union law, has been in national force across all 27 member states since 17 December 2023. Three years in, the rule book is settled, the enforcers are active, and the fines are real. This guide covers what the directive actually requires, who is in scope, what changes when a national transposition tightens the rules, and the four mistakes that most often trigger an investigation.
Direct answer
EU Directive 2019/1937 requires every private-sector company with 50 or more employees in any EU member state, plus all public-sector bodies, to operate a confidential internal whistleblowing channel. Reports must be acknowledged within 7 days and substantively answered within 3 months. Reporters are protected from any form of retaliation. Each member state has transposed the directive into national law with its own enforcer and its own statutory fines, ranging from €6,000 (Lithuania) to €1,000,000 (Spain) per violation.
What the directive does
The directive sets a floor for whistleblower protection across the EU. Member states must transpose it into national law and are free to go further, but cannot go below it. As of 2026, every member state has transposed (Estonia and Hungary were the last, both completing in 2023).
The directive does three things at the same time.
It mandates a confidential internal reporting channel. Private-sector employers above the size threshold and most public-sector bodies must operate a channel that lets reporters submit information about breaches of EU law in confidence, follow up on their report, and receive feedback. The channel must be available to a wide population of “reporters” that goes well beyond current employees.
It imposes statutory deadlines. Acknowledgement of receipt within 7 days. Substantive feedback to the reporter within 3 months of acknowledgement. National laws sometimes shorten these or add intermediate milestones, but never extend them.
It outlaws retaliation. Article 19 lists 15 specific forms of retaliation that are prohibited (dismissal, demotion, transfer, negative performance review, coercion, intimidation, and so on). The burden of proof flips: if a reporter shows they made a protected disclosure and then suffered detriment, the employer must prove the detriment was unrelated. Most national transpositions go further and create a presumption of retaliation for any adverse action taken within a defined window after the report.
Who must comply
Three groups are in scope under the directive itself. National laws frequently extend the scope.
Private-sector employers with 50 or more workers. Worker is broadly defined and includes part-time, seasonal, temporary agency, and trainee staff. Companies between 50 and 249 had until 17 December 2023 to comply, and that deadline has now passed in every member state. Larger employers were on the hook from 17 December 2021.
Public-sector bodies. Almost always required regardless of size, with a common exemption for municipalities of fewer than 10,000 inhabitants.
Regulated-sector entities regardless of size. Financial services firms, anti-money-laundering obligated entities, product safety regulated entities, public procurement bodies, and transport safety entities must comply even below 50 employees, because they are caught by sector-specific instruments that the directive incorporates by reference. A 12-person accounting firm with money-laundering reporting obligations is in scope.
A company that operates in several member states usually has to comply with each country’s national transposition separately. Group-wide channels are permitted under the directive (Article 8(6)) but several enforcers have signalled that a group channel alone is not enough: each in-scope subsidiary must have its own designated channel, or a clear delegation arrangement.
What “compliant” actually means in practice
The directive states the requirements at a fairly high level. The national transpositions and enforcer guidance flesh out what compliance actually looks like operationally. The consistent baseline across all 27 member states:
- A dedicated, confidential channel. Not a shared inbox. Not a generic HR email. The channel must keep the reporter’s identity confidential by default, and must keep the report’s contents accessible only to the designated case handler(s). Multiple enforcers have stated that a shared mailbox fails this test on its face.
- A designated case handler. A specifically appointed person or team responsible for receiving and following up on reports. The appointment must be in writing. The handler must be functionally independent (no conflict of interest with the reported matter) and trained.
- Acknowledgement within 7 days. A receipt to the reporter within 7 calendar days. This is a statutory deadline, not a best practice. Several enforcers have already issued penalties for breaches of this deadline alone.
- Substantive feedback within 3 months. A response to the reporter describing what action has been taken or is planned, within 3 months of the acknowledgement. “Feedback” does not mean disclosing the result of a confidential investigation; it means telling the reporter the report was taken seriously and what direction the response is going in.
- An audit-ready record. Every action taken on every report must be logged in a way that can be presented to the national enforcer during an inspection. Most enforcers ask for an append-only audit trail with timestamps and the identity of the actor (without breaching reporter confidentiality).
- No retaliation, and active protection of the reporter. Operationally this means the employer documents that the protected disclosure was taken into account in any subsequent personnel decision, and (in practice) inverts the default presumption: assume any negative employment action within 12 to 24 months of a report is retaliatory until proven otherwise.
National penalties at a glance
Each member state sets its own maximum fines. The dispersion is wide. A non-exhaustive snapshot for 2026:
| Country | Law | Max fine | Enforcer |
|---|---|---|---|
| 🇪🇸 Spain | Ley 2/2023 | €1,000,000 | Autoridad Independiente de Protección al Informante |
| 🇳🇱 Netherlands | Wet bescherming klokkenluiders | €900,000 | Huis voor klokkenluiders |
| 🇬🇷 Greece | N. 4990/2022 | €500,000 | Εθνική Αρχή Διαφάνειας |
| 🇮🇪 Ireland | Protected Disclosures Act 2014 (as amended 2022) | €250,000 | Protected Disclosures Commissioner |
| 🇵🇹 Portugal | Lei 93/2021 | €250,000 | Mecanismo Nacional Anticorrupção |
| 🇱🇺 Luxembourg | Loi du 16 mai 2023 | €250,000 | Office des dénonciateurs |
| 🇸🇰 Slovakia | Zákon o ochrane oznamovateľov | €100,000 | Úrad na ochranu oznamovateľov |
| 🇫🇷 France | Loi Sapin II (Waserman 2022) | €60,000 | Défenseur des droits |
| 🇸🇮 Slovenia | ZZPri | €60,000 | Komisija za preprečevanje korupcije |
| 🇩🇪 Germany | HinSchG | €50,000 | Bundesamt für Justiz |
| 🇮🇹 Italy | Dlgs 24/2023 | €50,000 | ANAC |
| 🇧🇪 Belgium | Loi du 28 novembre 2022 | €72,000 | Federal Ombudsman |
| 🇪🇪 Estonia | Whistleblower Act 2023 | €32,000 | Justiitsministeerium |
| 🇦🇹 Austria | HSchG | €20,000 | Bundesamt zur Korruptionsprävention |
| 🇱🇹 Lithuania | XIV-1583 | €6,000 | Generalinė prokuratūra |
The full 30-country comparison (including non-EUR jurisdictions like Sweden, Denmark, Norway, Hungary, Poland, Czechia) is on the Confidly fines calculator, which also estimates your specific exposure based on company size and current setup.
A few patterns from the 2025 enforcement record:
- Spain leads on absolute amounts. The Autoridad Independiente de Protección al Informante has imposed multiple six-figure fines, primarily on financial-services firms and large industrial groups, and once a seven-figure fine.
- The Netherlands’ Huis voor klokkenluiders is the most active enforcer per capita. Fewer fines in absolute terms than Spain, but a higher prosecution rate relative to in-scope companies.
- Germany’s BfJ is the most procedurally strict. It has issued multiple smaller fines (€10,000 to €30,000) for documentation gaps, even where the underlying channel existed.
- France has so far focused on retaliation cases, with the Défenseur des droits investigating individual reporter claims rather than systemic non-compliance.
The four most common compliance mistakes
Drawing on published enforcement decisions across 2024 and 2025, four patterns account for the majority of fines.
1. A shared inbox or HR email used as the “channel”. A shared mailbox accessible to multiple HR staff fails the confidentiality test the moment a second person can see the report. Several national enforcers (notably Spain’s AAI and Germany’s BfJ) have explicitly stated this. The fix is a dedicated channel with role-based access and an audit log.
2. Missing the 7-day acknowledgement deadline. Companies often discover the requirement only after an external complaint. A first-time acknowledgement-deadline miss is now a common entry-point fine. The fix is a timer in the case management system and a designated backup handler.
3. No audit log, or an audit log that can be edited. Several enforcers ask, at the start of an inspection, “Show us the case log for the last twelve months.” An exportable but editable spreadsheet fails. The fix is an append-only log with cryptographic integrity (Confidly hashes each entry and links them in a chain).
4. A whistleblowing policy that exists on the intranet but was never communicated. Article 13(2) of the directive requires that the reporting procedure be communicated “in a manner that is easy to understand and easily accessible.” A policy buried in a SharePoint folder is not communicated. The fix is an annual reminder, induction training, and a visible link on the company intranet.
How Confidly maps to the requirements
The product is purpose-built for the directive. Concretely:
- Confidential channel: every report is encrypted at rest and accessible only to designated case handlers. The reporter receives a server-issued case code and a 6-digit secret for follow-up. No email, no IP capture, no browser fingerprint.
- Designated handler: the admin dashboard supports multiple named handlers with role-based permissions (HR, Legal, Compliance) and an explicit “in case of conflict of interest” delegation flow.
- 7-day and 3-month SLAs: both timers run automatically. The dashboard shows a red countdown when an acknowledgement is overdue.
- Audit log: every action (report received, handler assigned, status changed, message sent) is written to an append-only log with timestamps and actor identity. Exportable as CSV or JSON for enforcer review.
- No retaliation surface: reporters never need to disclose their identity. When they do (some choose to), the platform never exposes them to the broader organization.
- GDPR alignment: EU-only hosting, signed Data Processing Agreement, compliant retention windows. See the GDPR and whistleblowing guide for the detailed mapping.
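The audit-ready record in the baseline above, the hash-chained append-only log named as the fix for mistake 3, and the audit-log bullet in the Confidly mapping all describe the same mechanism. The Python below is an added illustration of it, not Confidly's code and not code from the page: the entry fields, the case history and the handler names are constructed for the demonstration. It also shows the one thing a bare hash chain does not catch (quietly dropping the newest entries), which is why the latest hash should be anchored outside the log, for example in each periodic export handed to the enforcer.

```python
"""Append-only, hash-chained case audit log (illustrative example, not Confidly's code).

Each entry commits to the previous entry's hash, so editing, reordering or
deleting an entry in the middle of the log breaks verification. Only the
latest hash ("head") needs to be anchored outside the log (written into a
periodic export, held by a separate custodian) to also detect truncation of
the tail. The entries below are constructed for the demonstration.
"""
from __future__ import annotations

import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # the chain starts from a fixed, public value


def canonical_bytes(entry: dict) -> bytes:
    """Deterministic serialisation so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash followed by this entry's canonical body."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical_bytes(body))
    return h.hexdigest()


class AuditLog:
    """In-memory append-only log. A real deployment would persist entries to
    write-once storage and export the head hash for independent anchoring."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def append(self, ts: str, case_id: str, actor: str, action: str, detail: str = "") -> str:
        # "actor" is the case handler or system acting on the report; the
        # reporter's identity is never written here, so the log can be exported.
        prev = self.head()
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "case_id": case_id,
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev_hash": prev,
        }
        body["hash"] = entry_hash(prev, body)  # computed before "hash" exists in body
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or entry_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed case history in which the 7-day acknowledgement deadline is met."""
    log = AuditLog()
    log.append("2026-03-02T09:14:00Z", "CASE-0001", "system", "report_received")
    log.append("2026-03-02T10:02:00Z", "CASE-0001", "handler:j.doe", "handler_assigned")
    log.append("2026-03-05T16:40:00Z", "CASE-0001", "handler:j.doe", "acknowledgement_sent", "day 3 of 7")
    return log


def demo() -> dict:
    """Show what the chain catches and what only an external anchor catches."""
    log = build_sample_log()
    anchored_head = log.head()  # what a periodic export of the head hash would record
    results = {"clean": log.verify()}

    # 1. Editing an entry in place is detected at that entry.
    edited = copy.deepcopy(log)
    edited.entries[1]["actor"] = "handler:someone.else"
    results["edited"] = edited.verify()

    # 2. Dropping the newest entry leaves a chain that still verifies on its own;
    #    comparing the head against the anchored value is what exposes it.
    truncated = copy.deepcopy(log)
    truncated.entries.pop()
    results["truncated_chain_ok"] = truncated.verify()[0]
    results["truncated_matches_anchor"] = truncated.head() == anchored_head
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the four checks: the untouched log verifies, the edited log fails at entry 1, and the truncated log passes chain verification but no longer matches the anchored head. An exportable spreadsheet has neither property, which is the distinction enforcers draw when they ask for the last twelve months of case logs.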
What changed in 2024 to 2026
Three developments are worth tracking.
Stricter retaliation case law. The Court of Justice of the EU (CJEU) ruled in 2024 (Case C-484/22) that the burden-of-proof reversal in Article 21(5) applies broadly, including to indirect detriment like exclusion from training or being assigned to less desirable shifts. Several national supreme courts have followed.
Expanded sectoral scope in 2025. The Digital Services Act and the Corporate Sustainability Due Diligence Directive (CSDDD) both incorporate Directive 2019/1937 by reference. In-scope companies under either now have whistleblowing obligations even below 50 employees.
Group-channel pushback in 2026. Spain’s Autoridad has issued draft guidance (still in consultation as of May 2026) clarifying that a group-level channel does not discharge each Spanish subsidiary’s obligation. France and Germany are likely to follow. Multinationals should plan for either local channels or formal delegation arrangements.
FAQ
Does the directive apply to public-sector bodies as well as private companies? Yes. Public-sector bodies are generally required regardless of size, with a common exemption for municipalities of fewer than 10,000 inhabitants. National laws often specify this differently, so check the local transposition.
What counts as a “breach of Union law” that a reporter can flag? Article 2 of the directive lists ten subject-matter areas: public procurement, financial services, product safety, transport safety, environmental protection, food safety, public health, consumer protection, privacy and data protection, and the financial interests of the EU. National laws have typically broadened this to include national-law breaches as well.
Can we use a single group-wide channel for all our EU subsidiaries? Technically yes (Article 8(6)), in practice partially. Several enforcers expect each in-scope subsidiary to either have its own channel or a formal delegation to the group channel that has been communicated to local workers in the local language. Spain’s draft 2026 guidance is the strictest interpretation so far.
What happens if we just ignore the requirement? Eventually a report is made via the external channel of your national enforcer, or a reporter sues for retaliation, and an investigation follows. Enforcers can now levy administrative fines (see table above) and order remedial action. In repeat cases the fine multiplies, and in regulated sectors a non-compliance finding can trigger separate sectoral consequences (loss of license, exclusion from public procurement).
Is the directive likely to change? A first formal review is scheduled by the Commission for end of 2026 / early 2027. The most likely amendments under discussion are: expanding scope to companies between 10 and 49 employees in some sectors, tightening the timing rules, and adding explicit anonymous-reporting language. None of these would substantially change the existing operational requirements for already-in-scope companies.
See also
- Calculate your maximum fine for your country and current setup.
- Anonymous whistleblowing across the EU: country-by-country status of anonymous reporting.
- Country compliance guides: the exact rules in each of the 30 EU/EEA jurisdictions.