EU Directive · Updated 2026-05-15

Anatomy of a working whistleblower policy: the 11 sections that actually matter

By Confidly editorial · Published 2026-05-15

A whistleblower policy is the single document a regulator will ask for first when investigating compliance with EU Directive 2019/1937. It is also, in our experience reviewing roughly 200 policies adopted by mid-sized European companies, the document most often treated as compliance theatre — copied from a competitor’s website, signed once by the board, and never opened again.

This piece is the structural opposite: a section-by-section anatomy of a policy that actually works, with the directive article each section satisfies and the most common mistakes that void each section in practice.

Direct answer

A working EU whistleblower policy needs 11 sections: (1) purpose and legal basis, (2) personal scope, (3) material scope, (4) the three reporting channels, (5) confidentiality, (6) acknowledgement and feedback timelines, (7) investigation procedure, (8) anti-retaliation, (9) roles and responsibilities, (10) data protection and retention, (11) country annexes for each jurisdiction in scope. Each section maps to a specific article of EU Directive 2019/1937; missing any one of them creates an enforceable defect.

Section 1 — Purpose and legal basis

What it says. A two-paragraph statement of why the policy exists and which laws it implements.

Why it matters. This is what an external lawyer or auditor reads first. A vague purpose (“to promote ethical conduct”) signals a checkbox policy. A specific legal basis (“This policy implements EU Directive 2019/1937 of 23 October 2019 as transposed by [national law]”) signals a deliberately designed instrument.

Directive article. Recital 1 + Article 1 of EU Directive 2019/1937.

Common mistake. Citing only the EU directive without naming the national transposition. The directive is not directly applicable in EU member states — your enforcement authority is the national one (Bundesamt für Justiz, Défenseur des droits, ANAC, AAI, etc.). Naming both is non-negotiable.

Section 2 — Personal scope (who can report)

What it says. A list of every category of person who can submit a protected report.

Why it matters. EU Directive 2019/1937 has the broadest personal scope of any EU labour-related instrument. If your policy limits itself to “employees”, you are silently denying protection to two-thirds of the people the directive covers — and that denial is itself a violation.

Directive article. Article 4. The minimum list: current and former employees, applicants, self-employed persons, suppliers and their employees, shareholders, members of administrative or supervisory bodies, volunteers, paid or unpaid trainees.

Common mistake. Adding qualifiers like “with at least 6 months of tenure” or “for current employees only”. Both are unlawful narrowings.

Section 3 — Material scope (what can be reported)

What it says. The categories of wrongdoing the channel accepts.

Why it matters. The directive covers a defined list of EU-law breaches (public procurement, financial services, money laundering, product safety, transport safety, environmental protection, radiation, food and feed safety, animal welfare, public health, consumer protection, privacy and data protection, network and information systems security, internal market, etc.). Most national transpositions extend the scope to national-law breaches and to threats to the public interest. Your policy must reflect both.

Directive article. Article 2.

Common mistake. Naming only “ethics violations” without enumerating the directive categories. A reporter who reports an environmental breach cannot be told later that the channel “is for ethics matters only” — that would itself be a form of retaliation by procedural obstruction.

Section 4 — The three reporting channels

What it says. A description of (i) the internal channel, (ii) the external authority, and (iii) the conditions for public disclosure.

Why it matters. Pre-Waserman France required reporters to exhaust the internal channel first. The directive abolished this hierarchy in 2019 — reporters now choose. Your policy must explicitly state that the reporter is free to choose, and must provide working contact details for the external authority.

Directive articles. Articles 7-15.

Common mistake. Implying or stating that the internal channel is preferred. A “we encourage internal reporting first” line is permissible; a “you must report internally before contacting an external authority” line is not.

Section 5 — Confidentiality

What it says. The commitment to protect the reporter’s identity and the identity of any third party mentioned.

Why it matters. Confidentiality is the single substantive promise the policy makes that the channel must deliver technically. If the policy promises confidentiality and the channel logs IP addresses, sends notification emails to the reporter’s personal address, or uses an off-the-shelf CRM, the policy is a misrepresentation.

Directive article. Article 16.

Common mistake. Promising “anonymity” instead of (or alongside) confidentiality. Anonymity is a stronger guarantee — no identifier ever exists. The directive requires confidentiality; anonymity is optional per member state. Don’t promise what your channel cannot technically deliver.

Section 6 — Acknowledgement and feedback timelines

What it says. The two hard deadlines: 7 days for acknowledgement of receipt, 3 months for substantive feedback.

Why it matters. These are the most commonly missed deadlines in practice. Acknowledging within 7 days is harder than it sounds when the designated person is on holiday; giving substantive feedback within 3 months is harder still when the investigation is complex. The policy must commit to both — and the channel must enforce both with SLA timers and automatic reminders.

Directive article. Article 9(1)(b) and 9(1)(f).

Common mistake. Softening the language to “promptly” or “within reasonable time”. Use the exact phrases “within 7 days of receipt” and “within 3 months of acknowledgement”.

Section 7 — Investigation procedure

What it says. The steps from intake to closure: triage, investigation, decision, communication, archive.

Why it matters. A policy with a great channel and no investigation procedure produces tickets that pile up unactioned — the worst possible outcome because it both fails to remediate misconduct and exposes the company to reverse-burden-of-proof retaliation claims.

Directive article. Article 9(1)(d) — “diligent follow-up”.

Common mistake. Treating investigation as a generic HR procedure. Whistleblowing investigations differ: confidentiality is paramount, retaliation risk is acute, and the reporter must be kept informed without compromising the investigation’s integrity.

Section 8 — Anti-retaliation

What it says. A catalogue of prohibited retaliatory acts and a statement of the reverse burden of proof.

Why it matters. Article 21(5) of the directive shifts the burden of proof: once the reporter shows (a) a protected disclosure and (b) a subsequent adverse measure, the employer must prove the measure was unrelated. The policy must communicate this — both as a deterrent and as a notice to mid-level managers who might otherwise retaliate accidentally (negative performance review immediately after a report, for example).

Directive article. Article 19 (prohibited retaliation) + Article 21 (protection measures, including the reverse burden).

Common mistake. Listing only dismissal and demotion. The directive’s list is much wider — denied promotion, transfer, change of duties, change of working hours, withholding of training, negative performance assessment, reputational damage, blacklisting, early termination of a contract.

Section 9 — Roles and responsibilities

What it says. Who operates the channel, who is the deputy, who escalates, who reports to the board.

Why it matters. Article 8(5) requires the channel to be operated by a “person or department independent” of the persons it might investigate. Many policies designate “the HR director” — which fails the independence test for the most common categories of report (harassment, discrimination, bullying — all of which often implicate HR processes).

Directive article. Article 8(5).

Common mistake. A single designated person with no deputy. The 7-day acknowledgement deadline cannot pause for holidays.

Section 10 — Data protection and retention

What it says. The legal basis under GDPR, the data minimization commitments, the retention period, the RoPA reference, the DPIA reference.

Why it matters. Whistleblowing involves special-category personal data (allegations of criminal conduct) and processes data about identifiable third parties without their knowledge. National data-protection authorities have explicit inspection powers — and use them. A whistleblowing policy that does not engage with GDPR Articles 5, 6, 9, 17, and 30 is incomplete.

Directive article. Article 17 (data processing) + GDPR Articles 5, 6, 9.

Common mistake. Treating data protection as the DPO’s problem. The compliance officer and the DPO must co-own this section.

Section 11 — Country annexes

What it says. A short annex per country in scope: the national transposition law, the competent authority’s name and address, the language requirement, the fine ceiling, any local-law deviations.

Why it matters. A group-wide policy without country annexes implies that German, French, and Spanish requirements are identical. They are not. Spain’s fine ceiling is €1m; Germany’s is €50k. France requires the policy in French; the Netherlands permits English in defined circumstances. The annexes are where multinational policies live or die.

Directive article. Implicit — derives from the principle that a directive is implemented through national law, not directly.

Common mistake. Skipping annexes for countries the company considers “small”. A Maltese subsidiary with 60 employees triggers the same individual obligations as a German one with 60 employees — possibly more, since Malta’s threshold also catches certain regulated sectors with fewer employees.

What to do now

If you have an existing policy, audit it against these 11 sections. The most common defects we find: missing reverse-burden-of-proof clause (section 8), no country annexes (section 11), HR-routed channel (section 9), and softened language on timelines (section 6). Each of those is fixable in a single review pass.

If you don’t have a policy, the free Confidly whistleblowing policy template is exactly this 11-section structure. Each section is annotated with the directive article it satisfies, the country annexes are pre-filled for all 27 EU + 3 EEA member states, and the template is released under CC BY 4.0.
