The 5 conditions of whistleblowing: when a disclosure is actually protected (2026)

Photo by Guillaume Périgois on Unsplash

Ask the internet what “the five conditions of whistleblowing” are and you will get a generic listicle: substantial evidence, anonymity, compliance with the law, secure reporting systems, organisational support. That is not how the law works. Under EU Directive 2019/1937 and its national transpositions, a disclosure is protected when it meets five specific legal tests covering the reporter, the subject matter, the state of mind, the context, and the channel used. If any of the five fails, the disclosure is not a protected whistleblowing report under the directive, and the reporter does not get the directive’s anti-retaliation regime. Compliance teams that confuse the legal tests with the operational nice-to-haves end up running channels that are not Article 4 to 15 compliant. This guide sets out the five conditions as they appear in the directive and what each one means for an internal channel.

Direct answer

Under EU Directive 2019/1937 and its national transpositions, a disclosure is a protected whistleblowing report when all five legal conditions are met: (1) the reporter falls within the personal scope of Article 4 (a worker, former worker, applicant, contractor, supplier, shareholder, or person in a comparable work-related role); (2) the information falls within the material scope of Article 2 (a breach of EU law in one of the ten listed areas, or a breach of national law where the transposition extends the scope); (3) the reporter has reasonable grounds to believe the information is true at the time of reporting (Article 6(1)(a), the good-faith standard); (4) the information was obtained in a work-related context (Article 4(2)); and (5) the disclosure is made through one of the three protected channels in the order the directive prefers: internal first, then external to the competent authority, then public disclosure under the narrow conditions of Article 15. Personal grievances, gossip, information acquired outside work, and reckless or knowingly false disclosures do not qualify and do not get the directive’s retaliation protection.

Condition 1: personal scope (who can be a protected reporter)

The first test is whether the person making the disclosure is the kind of person the directive protects. Article 4 of EU Directive 2019/1937 lists the categories. It is wider than most compliance officers initially assume.

Protected reporters include:

• workers within the meaning of Article 45(1) TFEU, including civil servants
• self-employed persons within the meaning of Article 49 TFEU
• shareholders and members of the administrative, management, or supervisory body of an undertaking, including non-executive members
• volunteers and paid or unpaid trainees
• any person working under the supervision and direction of contractors, subcontractors, and suppliers
• former workers, where the information was acquired during the work relationship
• applicants, where the information was acquired during the recruitment process or other pre-contractual negotiations
• people whose work relationship has not yet started

Article 4(4) also extends the protection to “facilitators” (a colleague or relative who helps the reporter), to third parties connected to the reporter who could suffer retaliation in a work-related context (a sibling working at the same firm, for example), and to legal entities the reporter owns or works for.

What does not fall inside personal scope: a customer making a consumer complaint, a member of the public reporting because they read a news story, an anonymous tipster with no work nexus to the organisation. Those reports may still be sensible to investigate, but they are not directive-protected.

The practical implication: the channel’s intake form must accept reports from every category in Article 4, not just current employees. A form that gates on an employee number, a company email, or a department dropdown fails this condition before the reporter has typed a word.

Condition 2: material scope (what can be reported)

The second test is the subject matter. Article 2 sets out ten EU policy areas in which a breach of EU law is in scope:

1. Public procurement
2. Financial services, products, and markets, and the prevention of money laundering and terrorist financing
3. Product safety and compliance
4. Transport safety
5. Protection of the environment
6. Radiation protection and nuclear safety
7. Food and feed safety, animal health, and animal welfare
8. Public health
9. Consumer protection
10. Protection of privacy and personal data, and security of network and information systems

Article 2 also covers breaches affecting the financial interests of the Union (Article 325 TFEU), breaches of internal market rules including those relating to competition and State aid, and breaches relating to corporate tax. Most national transpositions extend the material scope beyond the EU floor. The German HinSchG covers the EU areas plus criminal offences generally and certain administrative offences. The Italian D.lgs 24/2023 covers EU breaches plus national crimes against the public administration. The Spanish Ley 2/2023 covers EU breaches plus serious or very serious administrative offences and criminal offences. The Irish Protected Disclosures (Amendment) Act 2022 was already broad before transposition. For a country-by-country comparison see our EU Directive 2019/1937 complete guide and the relevant country page.

Out of material scope: a personal grievance about pay or promotion, a complaint about a manager’s tone, a workplace dispute between two colleagues with no underlying breach of law. Article 22 makes this explicit: the directive does not affect national rules on workers’ representation, defamation, copyright, or the protection of trade secrets, and it does not apply to matters that fall solely within an employee’s individual relationship with their employer.

The practical implication: the intake categories should map onto the ten Article 2 areas plus the local extensions, and the case handler needs a triage step that confirms the report is in material scope before opening an investigation. Reports that turn out to be personal grievances should be redirected to the grievance procedure, with the channel keeping a record.

Photo by Markus Winkler on Unsplash

Condition 3: reasonable grounds to believe the information is true

The third test is the reporter’s state of mind. Article 6(1)(a) requires the reporter to have “reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of this directive”. This is the directive’s good-faith standard, and it is lower than most people expect.

The standard is not “you must be right”. The reporter is protected even if the breach turns out to be unfounded, provided that at the time of reporting they had reasonable grounds to believe it was true. The standard is also not a documentary one. The reporter does not have to produce evidence with the disclosure. Recital 32 makes this clear: requiring whistleblowers to provide documentary proof at the moment of reporting would defeat the purpose of the protection. What disqualifies a reporter is knowingly false reporting or recklessness about truth. Article 23(2) requires member states to penalise persons who knowingly report or publicly disclose false information.

Two consequences follow.

First, the channel must accept disclosures that are not yet supported by evidence. A form that says “please attach documentary proof” is a deterrent that runs against Recital 32 and tips off reporters who do not yet have evidence (which is most of them, most of the time).

Second, the case handler must do the evidence work. The reporter brings reasonable belief. The investigator brings proof. Confusing those two roles is the most common operational mistake on a new channel.

Condition 4: work-related context

The fourth test is whether the information was acquired in a work-related context. Article 4(2) frames this. Information about a breach that the reporter overheard on the train, found in a public news report, or invented based on conjecture does not qualify, because there is no professional nexus.

Work-related context is defined widely. It includes information acquired during the recruitment process (for applicants), during the work relationship (for current workers), and after the relationship has ended (for former workers). It includes information acquired in the course of negotiations with contractors and suppliers. It includes information acquired by non-executive directors in the course of their governance role.

What it excludes: information the reporter knows only as a private citizen, with no work connection to the organisation against which the report is made. A friend telling you about misconduct at a company you have never worked at is not a work-related context for you. If you then file a report, the directive does not protect you, although general national whistleblowing law might.

The practical implication: in the case-handler triage, the work nexus should be a checkbox. If the report comes from someone with no work-related connection to the organisation, the case should still be triaged on merit, but the reporter is not entitled to directive-grade retaliation protection, and the case file should record that.

Condition 5: the channel hierarchy (internal, external, public)

The fifth test is procedural. The directive recognises three reporting channels and prefers them in a specific order.

Internal first (Articles 7 to 9). The reporter discloses through the organisation’s internal channel. Companies with 50 or more workers must operate one. The acknowledgement deadline is 7 days and the substantive feedback deadline is 3 months. Member states may encourage but cannot mandate internal-first reporting. The reporter retains the right to skip internal reporting and go straight to the competent authority.

External (Articles 10 to 14). The reporter discloses to the competent national authority designated under the transposition. In Germany that is the Bundesamt für Justiz; in Italy ANAC; in Spain the Autoridad Independiente de Protección al Informante; in Ireland the Office of the Protected Disclosures Commissioner. The same 7-day and 3-month deadlines apply.

Public disclosure (Article 15). The reporter goes to the media or makes the information public. This is protected only in three narrow cases: (a) the reporter first reported internally or externally and no appropriate action was taken within the deadlines; (b) the reporter has reasonable grounds to believe the breach constitutes an imminent or manifest danger to the public interest; or (c) external reporting would be ineffective because of risk of retaliation, low prospect of effective handling, or collusion between the breach and the competent authority.

If the reporter goes outside this hierarchy without one of the Article 15 conditions being satisfied, the disclosure loses its directive protection. The reporter can still rely on other national or constitutional protections (free speech, freedom of the press, employment law against unfair dismissal), but not the directive’s reverse-burden-of-proof retaliation regime.

The practical implication: the internal channel must signal that going external is also a legitimate first move. Hiding the existence of the competent authority is a SYSC 18-style failure, and it is one that the EU directive directly prohibits via Article 13’s information-duties on the competent authority.

Photo by Jud Mackrill on Unsplash

What “evidence, anonymity, organisational support” gets wrong

The generic listicle (substantial evidence, anonymity, compliance with legal frameworks, secure reporting systems, organisational support) is everywhere on the open web because it is easy SEO copy. It conflates two different layers.

The legal layer (what the directive requires) is the five conditions above: personal scope, material scope, reasonable grounds, work-related context, channel. These are the tests that decide whether a court or competent authority treats the report as protected.

The operational layer (what makes a channel work) includes anonymity, secure intake, training, organisational support, visible follow-up. These improve report volume and quality, but they are not legal conditions of protection. A non-anonymous report with no organisational support is still protected if the five conditions are met. An anonymous, evidence-backed report through a state-of-the-art channel is still unprotected if it is about a personal grievance with no nexus to EU or extended national law.

When a retaliation claim lands in court, the question is not whether the channel had a slick UX. It is whether the disclosure met the five conditions. Compliance officers who buy a channel because “it has all five elements” but never check the legal scope are set up for losing tribunals.

How a channel passes all five conditions cleanly

The cleanest design is to surface the five tests inside the case-handler workflow, not just inside the intake form.

• Intake asks the reporter to confirm a work-related connection to the organisation (Condition 1 + 4) and to pick a subject-matter category that maps to Article 2 plus the local extensions (Condition 2). The form does not demand evidence (Condition 3) and explicitly states the option to report externally (Condition 5).
• Triage verifies all five conditions are plausibly satisfied. If not, the case is still opened, but the file flags which condition is in doubt so the legal team can decide whether the reporter is entitled to directive-grade protection or only to ordinary procedural fairness.
• Investigation does the evidence work the reporter is not required to do, and it documents the chain of custody so the audit trail holds up in front of the competent authority.
• Closure triggers the 3-month substantive feedback obligation (Article 9) regardless of outcome, and the case file shows which of the five conditions were ultimately met.

Confidly’s intake form, triage view, and audit log are built around this model. The country-specific intake templates for HinSchG, Loi Sapin II, D.lgs 24, Ley 2 and the Wbk auto-configure the category list and the local extensions of material scope. To calibrate the fine exposure if a channel fails this discipline, see the fines calculator.

FAQ

Are the five conditions the same in every EU country?

The five conditions in the directive are the EU-wide floor. Member states had to transpose at least this floor and were free to extend protection further (Article 25). Personal scope, reasonable grounds, work-related context, and the channel hierarchy are identical across transpositions because they mirror the directive’s text. The main variation is material scope: some countries (Italy, Spain, Germany) extended the subject-matter list to include national-law offences. The Irish Protected Disclosures (Amendment) Act 2022 was already broader than the directive floor. Confidly’s country-specific intake templates encode the local extension automatically.

Does the reporter need to be right for the disclosure to be protected?

No. Article 6(1)(a) requires “reasonable grounds to believe” the information is true at the time of reporting, not proof that it was. A report can turn out to be unfounded and still be protected, provided the reporter was not reckless or knowingly false. Article 23(2) penalises knowingly false reporting but does not penalise honest mistakes.

Is anonymous reporting one of the five legal conditions?

No. Anonymity is operationally important but is not a legal condition of protection. Article 6(2) leaves anonymous reporting to member-state discretion. Many transpositions allow it (Italy, Spain, Ireland), some leave it ambiguous, but in every case a non-anonymous report that satisfies the five conditions is still protected. See our anonymous whistleblowing in the EU guide for the country-by-country position.

Does the directive cover reports of bullying or harassment?

Only if the bullying or harassment also breaches EU law (for example, anti-discrimination law) or a national-law area that the local transposition extended into the scope. Pure interpersonal grievance, with no underlying legal breach, is not directive-protected and belongs in the employer’s grievance procedure. The line can be blurry, so the case-handler triage should record why a report was treated as in or out of material scope.

What happens if a disclosure fails one of the five conditions?

The reporter does not get the directive’s anti-retaliation regime, which includes the reverse burden of proof, the prohibited-list of detrimental measures, and the access to support measures via the competent authority. They may still rely on ordinary national protections (unfair-dismissal law, free speech, freedom of the press), but those are usually weaker than the directive’s regime. For the organisation, the right move is still to investigate the underlying matter on its merits.

Where do the five conditions sit in the case file?

In Confidly, each of the five conditions is a triage field on the case detail view: personal scope, material scope, reasonable grounds, work-related context, and channel. The case handler also records the legal team’s view on whether the disclosure is directive-protected, ordinary national-law protected, or unprotected.

See also

• EU Directive 2019/1937: complete guide (2026)
• What is whistleblowing: definition and protections (2026)
• Whistleblower retaliation: the 27 types named in the directive
• Country guide: Ireland (Protected Disclosures Act)
• Fines calculator: estimate exposure under your transposition