Directive (EU) 2019/1937 was adopted on 23 October 2019 and required transposition by 17 December 2021 for entities of 250+ employees, with the 50-249 tier given until 17 December 2023. Five years after adoption and a full enforcement year for the smaller-employer tier, the picture has emerged clearly enough to assess. This is an evidence-based review of what the Directive has delivered, where it has fallen short, and what the European Commission’s 2026 implementation report is expected to highlight.
Direct answer
Five years on, Directive 2019/1937 has produced four measurable effects: a 4-6x increase in external reports filed with competent authorities across the EU, full transposition (after delays) in all 27 member states by mid-2024, the first body of post-Directive case law on retaliation, and visible convergence between national channels in scope and procedure. It has not yet produced (a) consistent fine levels across member states, (b) a working cross-border reporting regime for multinationals, or (c) measurable convergence on anonymous-reporting acceptance, which remains country-specific. The 2026 Commission implementation report will likely propose targeted amendments on group privilege and on cross-border coordination, not a fundamental rewrite.
What the numbers show
The European Commission’s interim implementation tracking, the annual reports of national competent authorities, and the academic survey published by the European Foundation for the Improvement of Living and Working Conditions (Eurofound, 2025) converge on a similar quantitative picture.
External reports filed with competent authorities have risen sharply. Germany’s Bundesamt für Justiz, which acts as the federal external channel since the HinSchG entered into force, received ~700 reports in 2024 and ~1,250 in 2025, against ~150 in the comparable pre-Directive Federal Whistleblower Helpdesk. France’s Défenseur des droits saw a similar trajectory: ~400 protected-disclosure files opened in 2024 against ~80 the year before. ANAC in Italy went from ~700 in 2022 to ~2,800 in 2025. The Netherlands’ Huis voor Klokkenluiders has been more stable at around 500 cases per year, reflecting a pre-existing strong external regime.
Internal channel deployment has caught up. By Q4 2024 the European Commission’s survey found ~88% of in-scope private employers had deployed an internal channel; by Q4 2025 the figure was ~94%. The remaining gap is concentrated in the 50-99 employee band and in southern Europe.
Sanctions imposed have been modest in volume but consistent in pattern. German Land DPAs and the BfJ imposed about 40 published sanctions in 2024 and ~60 in 2025. Italian ANAC about 50 sanctions per year. French Défenseur des droits has been slower to use its sanction power directly, relying instead on injunctions to remedy. Spain’s AAI/Authority and Ireland’s Protected Disclosures Commissioner began their first published sanctions in late 2024.
What has worked
Four things have clearly worked.
The three-tier model. Internal-external-public reporting (Articles 7-15) has held up. National courts have respected the structure; reporters who fail the internal channel have a coherent route to the external authority without losing protection. Public disclosure under Article 15 remains rare but visible.
The reverse burden of proof. Article 21(5) has been the single most transformative provision in litigation. Where dismissals or other adverse measures follow a protected disclosure, courts in Germany, France, Ireland, and the Netherlands have applied the reverse burden consistently, requiring employers to evidence pre-existing performance or business grounds. The pattern has changed how compliance and HR co-counsel work together: documentation discipline is now far stronger.
Confidentiality by design. Article 16 has driven a measurable change in how internal channels are built. Anonymous reporting is more widely supported than before the Directive (in part because the Directive permits but does not require it, and the market converged anyway). Encryption-in-transit, IP-stripping, and role-segregated access have become baseline expectations.
Cross-sector applicability. Coverage of suppliers, contractors, shareholders, volunteers, and former employees has had a visible effect in sectors with concentrated supplier networks (construction, FMCG, automotive). Reports from these categories now make up ~30% of cases filed in larger employers, against ~5% pre-Directive.
What has not worked
Four areas need more work and are likely to feature in the Commission’s 2026 implementation report.
Fine levels are inconsistent. Maximum administrative fines for the same conduct range from €20,000 in Austria to €1,000,000 in Spain, with HinSchG at €500,000 in Germany. The legitimate variation in sanction levels by member state competence is wider than necessary for the policy goal. The Commission has signalled informally that harmonisation guidance, not a binding amendment, is likely.
Cross-border reporting is broken. A multinational with operations in 10 EU member states cannot, today, operate a single channel that satisfies all national rules without some compromise. National DPA positions on extraterritorial group channels diverge: the French CNIL prefers a per-entity model; the Italian Garante accepts a group model with specific safeguards; the German LDI NRW issued conflicting opinions in 2024. This is the single largest practical pain point cited by enterprise buyers and the most likely subject of a targeted Commission amendment in 2027.
Anonymous-reporting convergence has stalled. Article 6(2) leaves the obligation to accept anonymous reports to member-state discretion. Most major economies accept them in practice but the legal status varies. Reporters in Austria and parts of Central Europe still face a regime that does not formally accept anonymous reports, which suppresses reporting in those jurisdictions and creates an inequity within the single market.
Public-sector compliance lags. Public-sector employers, particularly municipalities and small public-health entities, are visibly behind private-sector ones in channel deployment and process discipline. Several DPA reports identify this and call for sector-specific support.
The case-law that defines the era
A handful of decisions have shaped how the Directive is now read. Three matter most:
- Bundesarbeitsgericht 2 AZR 78/24 (2025, Germany). Confirmed that constructive dismissal following a HinSchG-protected report falls within the protection. Reset the burden-of-proof analysis in dismissal cases.
- Cour de Cassation, ch. soc., 12 juin 2024, n° 22-19.853 (France). Reverse burden of proof applies even where the adverse measure pre-dates the report in time, if the report was foreseeable and the measure was prepared in anticipation of it.
- Tribunale di Milano, 18 sezione lavoro, decisione 14 marzo 2025 (Italy). Confidentiality breach by oral disclosure to a colleague outside the authorised case team is itself a sanctionable act under D.Lgs. 24/2023, independent of the underlying merits of the case.
These three decisions are now cited routinely in compliance training and inform internal channel design.
What’s coming in 2026-2028
The Commission’s implementation report under Article 27 of the Directive is due in 2026. Industry expectation is for three main proposals:
- A clarification (probably non-binding guidance) on group privilege for multinationals operating a single internal channel.
- A recommendation on minimum fine levels to narrow the cross-EU variance.
- A proposal to clarify the interaction with the Corporate Sustainability Reporting Directive (CSRD) and the AI Act, where overlapping obligations are creating compliance fatigue.
None of these are expected to be binding amendments to the Directive itself in the 2026 cycle. The Commission has signalled that the priority is implementation depth, not regulatory expansion. The next binding revision, if any, is expected for 2028 in line with the standard five-year review cycle.
What this means for compliance officers
The Directive era is now its own established regime, not a transition. The question for 2026-2027 is not whether to have a channel but whether the channel is run well enough to survive an inspection and a litigated retaliation claim. The biggest practical work is in cross-border consistency for multinationals, in audit-log discipline, and in keeping the channel accessible to non-employee categories. The big policy work — whether the regime should expand or contract — has settled. The everyday work is on running it.