Whistleblowing has a precise legal meaning that’s narrower than the everyday use of the word. Not every complaint is whistleblowing, and not every whistleblower is protected. This guide gives the 2026 definition under EU and US law, the three legal routes a report can take, and what “protection” actually means when someone uses one of them.
Direct answer
Whistleblowing is the act of reporting information about a breach of law (or, in some jurisdictions, a serious threat to the public interest) that was acquired in a work-related context. In the EU since 2023, the legal definition is set by Directive 2019/1937 and covers reports made through an internal channel, the external channel of a national authority, or public disclosure. The reporter is protected from retaliation if they had reasonable grounds to believe the information was true at the time of reporting. Protection covers current and former employees, applicants, suppliers, contractors, shareholders, board members, volunteers, and trainees. In the US, the equivalent legal frameworks include the Whistleblower Protection Act 1989 (federal employees) and sector-specific statutes (Dodd-Frank for finance, SOX for public companies, False Claims Act for federal contracts).
The legal definition in 2026
Across modern jurisdictions, whistleblowing has three constituent elements that have to be present together.
1. Information about a breach. What was reported has to relate to an actual violation, or a reasonable belief in one. The breach can be of a specific law (most common), of a regulatory standard, or of the public interest in a broader sense (less common; some jurisdictions only). What the reporter believed at the time matters more than what later turned out to be true. Good-faith reports about misunderstandings are protected. Knowingly false reports are not.
2. A work-related context. The information has to have been acquired through some kind of work relationship: employment, contracting, internship, volunteering, board membership, supplier relationship, shareholding. A private citizen’s complaint about a company they have no work connection to is not whistleblowing in the legal sense. It might be valuable, but it doesn’t trigger whistleblower protections.
3. A report through a recognised channel. The information has to be communicated to someone. Internally (to the employer’s reporting channel), externally (to a competent authority), or publicly (to the press or social media). Different jurisdictions have different rules about which routes are protected and in what sequence. The EU directive, for instance, treats internal reports as the default first step but does not require it.
These three elements together produce the legal status of “whistleblower” with attached protections. Missing any one of them and the protections don’t apply, even if the underlying concern is real.
The three reporting routes
Modern whistleblower-protection frameworks recognise three distinct routes, with different rules attached to each.
Internal reporting
A report to the employer’s designated channel. This is the default route under EU Directive 2019/1937 and most national equivalents. Internal reporting is the most operationally useful: the organisation gets early warning, can investigate quietly, and can remediate before public damage. From the reporter’s side, it’s also the lowest-friction route. The reporter retains full protection if the channel is properly set up.
For internal reporting to work as a protected route:
- The employer must have a confidential channel that meets statutory requirements (in the EU: any company with 50+ employees, plus most public-sector bodies, plus regulated-sector entities of any size).
- The reporter must use the channel as intended. Going around it (telling a manager directly, posting in Slack) might still be protected under the broader good-faith standard, but the explicit procedural protections only attach to the channel itself.
- The employer must respond within statutory deadlines (7 days for acknowledgement, 3 months for substantive feedback under the EU directive).
External reporting
A report to a competent national or regional authority. In the EU, each member state has designated one or more external authorities under Article 11 of the directive. In Germany it’s the Bundesamt für Justiz; in France the Défenseur des droits; in Spain the Autoridad Independiente de Protección al Informante; in the Netherlands the Huis voor klokkenluiders. Sector-specific external authorities also exist (financial regulators, data protection authorities, environmental agencies).
External reporting is protected as an alternative to internal reporting: under EU law the reporter is not required to try the internal channel first. Some US state laws and sector-specific regimes do impose an internal-first step; Dodd-Frank goes the other way and rewards reporting to the SEC with bounties.
Public disclosure
A report to the press, social media, or the general public. This is the most legally fragile route. EU Directive 2019/1937 protects public disclosure only under specific conditions in Article 15:
- The reporter first reported internally and then externally (or directly externally) and no appropriate action was taken within the statutory timeframe, or
- The reporter has reasonable grounds to believe the breach may constitute an imminent or manifest danger to the public interest (an emergency situation or a risk of irreversible damage, for example), or
- In the case of external reporting, there is a risk of retaliation or a low prospect of the breach being effectively addressed because of the particular circumstances of the case (evidence may be concealed or destroyed, or the authority may be in collusion with the perpetrator).
If one of those conditions applies, the public disclosure is protected. If none of them apply, the reporter loses the directive’s protections, although they may still have other defences (free-speech rights, public-interest exceptions).
Public disclosure is rare in practice. The 2024 Eurobarometer survey on whistleblowing found that of EU workers who reported wrongdoing, 71 percent used the internal channel, 22 percent used the external authority, and 7 percent went public. Of the 7 percent, fewer than half met the Article 15 conditions for protection.
Who is legally a whistleblower
Article 4 of EU Directive 2019/1937 takes the broadest scope in modern law. Protection extends to anyone who reports a breach acquired in a work-related context, regardless of:
- Whether the relationship is current, past, or pre-employment (an applicant who reports a breach found during interviews is protected).
- Whether the relationship is direct or indirect (suppliers, subcontractors, contractors of subcontractors are protected).
- Whether the person was paid or volunteered (trainees, volunteers, board members, shareholders count).
- Whether the person is reporting on their own behalf or on behalf of someone else (an HR manager who escalates an employee’s concern is also protected).
National transpositions sometimes extend further. Spain’s Ley 2/2023 covers household staff of public officials. France’s Loi Sapin II protects legal entities (a supplier company that reports a buyer’s wrongdoing is protected, not just individuals). Italy’s D.Lgs. 24/2023 protects union representatives reporting on behalf of members.
What is NOT protected: a member of the general public with no work connection. An anonymous concerned citizen who tips off a regulator about a company they have no employment relationship with does not get the directive’s procedural protections. The tip-off may still be valuable to the regulator, and the citizen may still have complaint rights under sector-specific laws (data protection authorities, for instance, accept complaints from any affected individual). But the explicit EU framework requires a work-related connection.
What “protection” actually means
The word does a lot of work and often gets misunderstood. In practice, protection has five concrete components.
1. Confidentiality of identity. The reporter’s identity must be kept confidential through the lifecycle of the case, with limited exceptions (when disclosure is necessary for an investigation and is proportionate; when required by law). A breach of confidentiality is itself a violation and triggers separate sanctions.
2. Immunity from contractual or disciplinary action. The employer cannot use the report as a basis for any adverse personnel decision: dismissal, demotion, transfer, performance review, exclusion from training, change of duties, change of working hours, change of remuneration. Article 19 lists 15 specific forms; the list is non-exhaustive.
3. Burden-of-proof reversal. If the reporter alleges retaliation after making a protected disclosure, the employer must prove the adverse action was unrelated to the report. This reverses the normal civil-law default. Multiple national supreme courts have ruled that the reversal applies broadly, including to indirect detriment like being assigned to less desirable shifts.
4. Legal liability shield. A reporter who breaches a confidentiality obligation (NDA, contractual confidentiality clause, restrictive covenant) in the course of reporting a genuine breach is shielded from civil and (in many jurisdictions) criminal liability for that disclosure, provided the report was made through a recognised route and in good faith.
5. Remedies if retaliation happens anyway. Reinstatement, compensation for lost earnings, compensation for emotional harm, and (in some jurisdictions) punitive damages. France’s Loi Sapin II lets a dismissed whistleblower seek interim relief, including reinstatement, from the labour court in summary proceedings while the substantive case is decided.
What is not whistleblowing
The legal definition is narrow enough that several common scenarios fall outside it, even when employees colloquially call them whistleblowing.
Personal grievances. A complaint about being unfairly passed over for promotion, about a difficult manager, or about workplace conflict is an employment grievance. It uses different procedures and different protections. The directive explicitly excludes interpersonal grievances that don’t involve a breach of EU or national law.
Reports made knowingly false. Article 6(1)(a) requires that the reporter “had reasonable grounds to believe that the information on breaches reported was true at the time of reporting”. A report known to be false at the time of submission is not protected and can itself be the basis for disciplinary action.
Information classified for national security. Specific exclusions apply for classified information, judicial deliberations, legal professional privilege, and medical confidentiality. National laws spell these out differently; Germany’s HinSchG, for example, carries an extensive exclusion list.
Reports made to seek personal gain. The directive doesn’t preclude protection just because the reporter benefits. But several US frameworks (Dodd-Frank notably) explicitly tie protection to procedural requirements designed to filter out bounty-hunting at the expense of the genuine public interest.
Whistleblowing in the EU vs the US
The two legal traditions converged in 2023 when the EU directive took full effect, but several differences remain.
| Aspect | EU (Directive 2019/1937) | US (Federal patchwork) |
|---|---|---|
| Scope of protected reporters | All work-related persons including indirect (suppliers, contractors) | Varies by statute; narrower (typically direct employees) |
| Bounty/reward | None at EU level; some member states permit it | Yes (Dodd-Frank SEC: 10-30% of recovered funds; IRS; False Claims Act) |
| Anonymous reporting | Member-state discretion (required in 4, permitted in 19) | Generally permitted; sometimes incentivised |
| Internal-first requirement | No (reporter chooses route) | Varies by statute (SOX protects internal and external reports alike; Dodd-Frank retaliation protection requires a report to the SEC) |
| Public disclosure | Protected only under Article 15 conditions | Stronger First Amendment overlay; case-by-case |
| Burden-of-proof reversal | Yes (Article 21(5)) | Varies (SOX has full reversal; most others partial) |
| Statutory acknowledgement deadline | 7 days | None federal; some state laws have 30-day equivalents |
For a multinational operating in both regions, the practical approach is to use the EU framework as the operational floor (it’s more procedurally strict) and overlay US-specific requirements per sector (Dodd-Frank for finance, SOX for public companies, False Claims Act for federal contracts).
How an organisation should operationalise the definition
If you’re the compliance officer on the receiving end of this, the legal definition turns into four operational decisions.
1. Define your accepted-reports scope broadly. Don’t only accept what the directive technically requires. Accept the broader category of “violations of law or serious breaches of internal policy.” A broad scope brings in marginal reports that you’d want to know about anyway, and signals trust.
2. Train managers to recognise protected reports when they see them. Most reports don’t come through the channel. They come up in a 1:1, in a Slack message, or in a casual conversation. If a manager treats a protected report as an ordinary grievance, the procedural protections never attach and the organisation loses the early-warning value.
3. Document the work-related context in the case file. When a report arrives, the case handler should confirm and record the reporter’s work-related connection (employment status, role, dates). This is what determines whether the protections attach, and what the burden-of-proof reversal will rest on if retaliation is later alleged.
4. Distinguish whistleblowing from grievances at intake. Confidly’s intake form asks the reporter (gently) whether they’re reporting a breach of law/policy or a personal grievance, and routes the case accordingly. Both deserve a response; only the first attaches the directive’s protections, and the procedural rules are different.
FAQ
Is reporting to my manager whistleblowing? Possibly, but with weaker procedural protections. The directive lets the employer designate the person or department that receives internal reports, and that can include line managers. Outside the designated channel, the protection attaches only if your manager treats it as a protected disclosure and escalates appropriately. The cleaner route is the formal channel.
Can I be a whistleblower about my own employer if I’ve already resigned? Yes. The directive explicitly extends protection to former employees, including for breaches that came to light during employment but are reported after departure. The reporter doesn’t lose status by leaving.
What if I report something that turns out to be wrong? You’re still protected, provided you had reasonable grounds to believe the information was true at the time. The protection is for good-faith reporters, not for being right.
Does HR see my whistleblowing report? Depends on the channel design and the reported matter. In a well-designed channel, HR sees a report only if it’s specifically routed to them (an HR-related concern) and only the named handler sees the report in the first instance. Confidly’s permission model defaults to a single designated handler with explicit delegation for conflicts of interest.
Can my employer find out I reported, even if I’m anonymous? Under a properly designed channel, no. Confidly’s anonymous-reporter flow issues a server-side case code and a reporter-secret that never gets tied to an email, IP address, or browser identifier. The reporter follows up through the case code without ever revealing identity. Channels that require an email at intake do not provide true anonymity.
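The two answers above describe a design rather than a legal rule, so here is a worked sketch of it. This is an added example, not Confidly’s code and not anything the page quotes: an in-memory case store that issues a case code and a reporter secret, keeps only a keyed hash of the secret, authenticates follow-ups with a constant-time comparison that fails the same way for an unknown code and a wrong secret, discards request metadata (IP, user agent, e-mail) at intake, and restricts replies to a single named handler. The class and method names, the code format, and the `"designated-handler"` default are assumptions for illustration.

```python
"""Anonymous case-code flow (illustrative, not a product's code).

The reporter receives a case code and a secret exactly once. The server
stores a keyed hash of the secret bound to the case code, never the secret,
and never anything taken from the HTTP request."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Case:
    code: str
    secret_hash: bytes                             # HMAC of the secret, never the secret
    thread: list = field(default_factory=list)     # (sender, text) pairs
    handler: str = "designated-handler"            # assumption: one named handler by default


class AnonymousCaseStore:
    """In-memory stand-in for the server-side store (assumption: a real
    deployment persists the same fields, and nothing more, in a database)."""

    def __init__(self) -> None:
        self._cases: dict[str, Case] = {}
        # Server-side key for the keyed hash, kept apart from the case records:
        # a leaked case table alone does not permit offline guessing of secrets.
        self._key = secrets.token_bytes(32)

    def _hash_secret(self, code: str, secret: str) -> bytes:
        # Bind the hash to the case code so one secret cannot be replayed
        # against a different case.
        msg = f"{code}\x00{secret}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def open_case(self, report_text: str, request_meta: dict) -> tuple[str, str]:
        """Intake. request_meta (IP, user agent, e-mail, cookies) arrives
        because the web framework hands it over; it is deliberately dropped."""
        del request_meta                           # never written anywhere
        code = secrets.token_hex(6).upper()        # 12 hex chars, shown once
        secret = secrets.token_urlsafe(32)         # shown once, stored only as a hash
        self._cases[code] = Case(
            code=code,
            secret_hash=self._hash_secret(code, secret),
            thread=[("reporter", report_text)],
        )
        return code, secret

    def reporter_follow_up(self, code: str, secret: str, text: str) -> bool:
        """Follow-up authenticates with code + secret only. An unknown code
        and a wrong secret fail identically, so the response does not reveal
        which case codes exist."""
        case = self._cases.get(code)
        expected = case.secret_hash if case is not None else bytes(32)
        ok = hmac.compare_digest(expected, self._hash_secret(code, secret))
        if case is None or not ok:
            return False
        case.thread.append(("reporter", text))
        return True

    def handler_reply(self, code: str, handler: str, text: str) -> bool:
        """Only the case's designated handler may reply; delegation would be
        an explicit change of case.handler, not a shared view."""
        case = self._cases.get(code)
        if case is None or case.handler != handler:
            return False
        case.thread.append(("handler", text))
        return True

    def record_fields(self, code: str) -> set[str]:
        """Everything the server holds for a case. Auditing this set is how
        you check that no e-mail, IP or browser identifier crept in."""
        return set(vars(self._cases[code]).keys())

    def thread(self, code: str) -> list:
        return list(self._cases[code].thread)


if __name__ == "__main__":
    store = AnonymousCaseStore()
    # Constructed request metadata, as a web framework would supply it.
    meta = {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0", "email": "r@example.org"}
    code, secret = store.open_case("Supplier invoices are approved without a PO.", meta)
    print("case code:", code, "stored fields:", sorted(store.record_fields(code)))
    print("follow-up with correct secret:", store.reporter_follow_up(code, secret, "Second invoice attached."))
    print("follow-up with wrong secret:", store.reporter_follow_up(code, secret + "x", "spoof"))
    print("reply from HR instead of handler:", store.handler_reply(code, "hr", "noted"))
```

The secret is the reporter’s only credential, so losing it means losing the case; a real deployment would say so at the moment the code and secret are shown. The keyed hash (HMAC with a key held outside the case table) rather than a plain hash is what keeps a dumped database from being brute-forced offline.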
Is whistleblowing the same as informing? Legally, no. Informing usually refers to assisting a law-enforcement investigation, often in exchange for leniency or immunity. Whistleblowing is a separate concept tied to the work-related context and the procedural protections described above. The two can overlap (a whistleblower can also be an informer), but the legal status comes from the procedural route, not from the act of disclosing.
See also
- EU Directive 2019/1937 complete guide: the legal framework that defines whistleblowing in the EU.
- Anonymous whistleblowing across the EU: country-by-country status.
- Whistleblowing policy template: the internal channel’s foundation document.
- Country compliance guides: jurisdiction-specific rules.