Whistleblower protection laws are the statutory shields that prevent retaliation against people who report wrongdoing they learned of in a work-related context. They exist in roughly the form most people imagine in three jurisdictions that matter for an EU-headquartered or transatlantic compliance programme: the EU (Directive 2019/1937 and its 27 national transpositions), the UK (the Public Interest Disclosure Act 1998), and the US (the Whistleblower Protection Act 1989 plus a stack of sector statutes). This guide compares all three in 2026: who counts as a protected person, what counts as retaliation, where the burden of proof sits, and what a reporter can recover if the law is broken.
Direct answer
Whistleblower protection laws prohibit retaliation against people who report breaches of law or serious threats to the public interest that they learned about through work. In the EU since 2023, Directive 2019/1937 sets a 27-country floor: protected reporters include employees, ex-employees, applicants, suppliers, contractors, shareholders, board members, volunteers, and trainees; prohibited retaliation covers dismissal, demotion, transfer, negative reviews, and 11 other listed forms; the burden of proof reverses to the employer once a reporter shows a detriment after a report. The UK applies a narrower framework under PIDA 1998 (employees and workers; “qualifying disclosures” only; uncapped compensation for unfair dismissal on whistleblower grounds). The US runs a patchwork of statute-specific protections (WPA for federal employees, SOX for public companies, Dodd-Frank for finance, the False Claims Act for federal contracts) with monetary bounties in some sectors that do not exist in the EU or UK.
What “whistleblower protection laws” actually mean
Every jurisdiction’s framework answers the same four questions in different ways:
- Who is a protected reporter? The class of people whose report triggers anti-retaliation rights.
- What kind of report qualifies? The subject matter (breach of law, public-interest threat, internal policy violation) and the route (internal channel, external authority, public disclosure).
- What counts as retaliation? The catalogue of adverse acts the law treats as prohibited consequences.
- What remedies are available? Reinstatement, damages, criminal liability, and, in some jurisdictions, financial bounties.
A US-style bounty programme has no EU equivalent. A UK-style “qualifying disclosure” test does not exist in EU law. Most multinationals draft their channel and policy against the EU floor and layer the local extras on top.
The EU framework: Directive 2019/1937
The EU Whistleblower Directive has been in force across all 27 member states since 17 December 2023 (companies with 50 to 249 employees were the last group to come under it). Each member state transposed the directive into its own national law: Germany’s HinSchG, France’s Loi Sapin II (amended in 2022 to align), Spain’s Ley 2/2023, Italy’s D.lgs. 24/2023, the Netherlands’ Wbk, and 22 others. The national laws diverge in detail; the directive sets the floor.
Protected reporters. Article 4 of the directive defines the protected class broadly: current and former employees, job applicants, paid and unpaid trainees, volunteers, contractors and subcontractors, suppliers, shareholders, members of administrative or supervisory bodies, and any person who acquires information about a breach in a work-related context. Several member states extend further. Spain’s Ley 2/2023 covers household staff of public officials. France’s transposition covers legal entities acting in good faith.
Reportable subject matter. Article 2 lists ten EU-law areas: public procurement, financial services, product safety, transport safety, environmental protection, food safety, public health, consumer protection, privacy and data protection, and protection of EU financial interests. Most national transpositions extend the list to national-law breaches and, in several cases, to serious internal-policy violations.
Prohibited retaliation. Article 19 lists 15 categories of retaliation: dismissal, suspension, demotion, withholding of promotion, transfer of duties, change of location, reduction in wages, change in working hours, withholding of training, negative performance assessment, disciplinary measures, coercion, intimidation, harassment, ostracism, discrimination, failure to convert a temporary contract to permanent, failure to renew a temporary contract, harm to reputation, blacklisting, early termination of a goods-or-services contract, cancellation of a licence, and psychiatric or medical referrals. The list is non-exhaustive.
The burden of proof. Article 21(5) is the operative clause. Once a reporter shows that they made a protected report and suffered a detriment, the burden shifts to the employer to prove the detriment was unrelated to the report. In practice this is a high bar; several 2025 to 2026 national supreme-court rulings (Spain’s Tribunal Supremo, France’s Cour de cassation, Germany’s Bundesarbeitsgericht) have confirmed the strict reading.
Remedies. The directive itself does not set quantum. National transpositions do. Spain’s Ley 2/2023 caps administrative fines at €1,000,000 and allows compensation for “all damages suffered” without statutory cap. Germany’s HinSchG caps fines at €50,000 per breach. France’s Loi Sapin II adds a separate criminal offence for obstructing a report (up to one year imprisonment and €15,000 in fines). The fines calculator shows the cap and enforcer for each country.
The UK framework: PIDA 1998
The United Kingdom did not transpose Directive 2019/1937. It is not an EU member state. UK whistleblower protection runs on the Public Interest Disclosure Act 1998 (PIDA), which amended the Employment Rights Act 1996 by inserting new sections 43A to 43L. PIDA pre-dates the EU directive by two decades and uses a different conceptual frame.
Protected reporters. PIDA protects “workers”, a category that includes employees, agency workers, NHS practitioners, trainees, and some self-employed contractors providing personal services. It does not extend to volunteers, shareholders, or board members in the EU directive’s sense.
Qualifying disclosures. A disclosure is “qualifying” under PIDA section 43B if the worker reasonably believes the information tends to show one of six categories: criminal offence, breach of legal obligation, miscarriage of justice, health and safety endangered, environmental damage, or deliberate concealment of any of the above. The reasonable-belief test sets a lower evidentiary bar than continental “good-faith” tests but a higher subject-matter bar (no internal-policy-only reports).
Protected disclosures. A qualifying disclosure becomes protected if it is made to the right recipient: typically the employer, a prescribed regulator (the FCA, HSE, HMRC, and 67 others on the prescribed list), a legal adviser, or, in narrow circumstances, the wider public.
Remedies. PIDA awards uncapped compensation for unfair dismissal where the principal reason was a protected disclosure. This is unusual in UK employment law (the ordinary unfair dismissal cap is roughly £115,000 in 2026); the uncapped quantum is what gives PIDA bite. Detriment short of dismissal also attracts compensation.
No bounty. UK law does not pay reporters. A 2024 Treasury consultation explored a US-style bounty for financial-services tips; as of 2026 no statutory bounty has been enacted.
The US framework: a federal patchwork
The US does not have a single whistleblower protection law. It has dozens, layered by sector and jurisdiction. The four that matter most for a multinational compliance team:
Whistleblower Protection Act 1989 (WPA, expanded 2012). Protects federal employees against retaliation for disclosing waste, fraud, abuse, illegality, or specific public health and safety dangers. Enforced through the Office of Special Counsel and the Merit Systems Protection Board. Applies to federal civilian employment, not the private sector.
Sarbanes-Oxley Act 2002 (SOX) section 806. Protects employees of US-listed public companies and their subsidiaries who report fraud against shareholders, securities-law violations, or related matters. Enforced through the Department of Labor’s OSHA division and then federal courts. Remedies include reinstatement, back pay, and compensatory damages including attorneys’ fees.
Dodd-Frank Act 2010 section 922. Establishes the SEC’s bounty programme: anyone whose original information leads to an SEC enforcement action with sanctions over $1 million can receive 10 to 30 percent of the sanctions collected. No employment relationship required. Pays out at scale: the SEC has paid over $2 billion in bounties since the programme started.
False Claims Act (FCA) qui tam provisions. Allows private individuals (“relators”) to sue government contractors for fraud against the federal government and to keep 15 to 30 percent of the recovery. The relator must have original-source information. Many billion-dollar healthcare and defence settlements run through FCA qui tam.
The US patchwork creates situations the EU framework cannot replicate. A US-listed EU company can be in scope of SOX section 806 for its US-resident employees and of Directive 2019/1937 for its EU-resident employees simultaneously. The two regimes mostly stack, but the bounty asymmetry creates operational tension: a US employee may have a direct financial incentive to bypass the internal channel and report to the SEC.
Who is protected: the eligibility comparison
| Category | EU Directive 2019/1937 | UK PIDA 1998 | US (federal patchwork) |
|---|---|---|---|
| Current employees | Yes | Yes | Yes |
| Former employees | Yes | Yes (subject to time limits) | Yes |
| Job applicants | Yes | Limited (Royal Mail v Jhuti type cases) | Sector-dependent |
| Contractors | Yes | Yes (workers providing personal service) | Sector-dependent |
| Volunteers | Yes | No | Generally no |
| Shareholders | Yes | No | No |
| Board members | Yes | No | Sector-dependent |
| Trainees | Yes (paid and unpaid) | Yes | Sector-dependent |
| Suppliers | Yes | No | Generally no |
Three takeaways. The EU class is the broadest and the simplest to operationalise: the channel must accept reports from anyone who acquired the information at work. The UK class is narrower but better defined for employment-tribunal litigation. The US patchwork is sector-specific and the eligibility question often turns on which statute applies, not on the reporter’s general status.
What “retaliation” means
The directive’s 15-category list (above) is the most comprehensive. PIDA uses a broader-but-vaguer “detriment” test in section 47B: any act or deliberate failure to act that disadvantages the worker. The US statutes use “discriminate against in the terms and conditions of employment” or similar formulations, which courts have read to include the standard EU-directive list plus some US-specific items (blacklisting in the industry, denial of security clearance).
The practical operationalisation is similar across all three jurisdictions: keep a contemporaneous record of any adverse personnel action involving a person who has made a report, even if the action looks unrelated, and review it against the catalogue before it is taken.
The burden of proof
The burden-of-proof allocation is the single most important difference for litigation outcomes.
EU: reversed. Article 21(5) of the directive requires that, once a reporter shows a detriment after a report, the employer must prove the detriment was for reasons unrelated to the report. National transpositions implement this in slightly different ways (Spain explicit, Germany via § 36 HinSchG, France via Article L. 1132-3-3 of the Code du travail), but the floor is the same.
UK: hybrid. The worker carries the initial evidential burden of showing the disclosure and the detriment; once that is shown, the employer must show the principal reason was something else. Recent case-law (Royal Mail v Jhuti, Kong v Gulf International Bank) has tightened the test in the worker’s favour.
US: depends on the statute. SOX section 806 uses a “contributing factor” test: the worker must show the protected activity was a contributing factor, then the employer must show by clear-and-convincing evidence that it would have taken the same action regardless. Dodd-Frank uses a similar test. The general WPA test is less favourable to the federal employee.
The practical message for an EU or UK employer: any adverse action against a person who has made a protected report is litigation-grade until the contemporaneous file proves otherwise.
What a reporter can recover
The remedies landscape diverges sharply.
EU. No bounty. Compensation is for damages actually suffered: lost earnings, future earnings (sometimes capped, often not), moral damages, and reinstatement where feasible. Quantum varies by member state: Spain has paid moral-damages awards over €100,000 in recent cases; Germany typically lands in the €20,000 to €60,000 range; France runs higher when reinstatement is refused. Administrative fines on the employer are in addition to civil damages. The country guides list the cap and enforcer per jurisdiction.
UK. Uncapped compensation for unfair dismissal where whistleblowing was the principal reason, plus uncapped detriment compensation, plus an additional injury-to-feelings award (Vento bands, typically £10,000 to £56,000 in 2026). No bounty.
US. Bounties where the statute provides one. SEC tips under Dodd-Frank pay 10 to 30 percent of sanctions over $1 million; the average payout in 2024 was roughly $7 million. False Claims Act qui tam pays 15 to 30 percent of recovery; cases settle in the hundreds of millions routinely. SOX and the WPA pay compensatory damages with no bounty component.
How an EU compliance programme handles all three
For an EU-headquartered organisation with a UK and US footprint, the practical operationalisation tends to converge on five rules:
- Adopt the EU directive class of protected persons as the floor. It is the broadest. Anyone the UK or US would protect is already protected.
- Run a single internal channel with country-specific intake configuration (language, local-handler routing, local SLA). Confidly does this by default.
- Document every adverse personnel action involving a reporter against the prohibited-act catalogue before it is taken. This is the single highest-impact retaliation defence.
- Disclose the existence of US bounty programmes in policies for US-resident employees. Failure to disclose has been litigated as constructive retaliation in some SOX cases.
- Audit the policy and the channel annually against the latest national supervisor guidance. Several member-state supervisors (BfJ, AAI, ANAC) published tightened 2026 guidance.
The whistleblowing policy guide covers the ten elements every policy must contain to discharge Article 13(2) of the directive. The anonymous whistleblowing guide covers the design choices that affect both Article 21 reporter protection and Article 9 channel operation.
FAQ
Are whistleblowers protected if their report turns out to be wrong? Yes, provided the reporter had reasonable grounds to believe the information was true at the time of reporting. Subsequent disproof does not strip protection under the EU directive (Article 6) or PIDA. Knowingly false reports are not protected and may attract liability in defamation or criminal law.
Is anonymous reporting legally required? The directive leaves this to member states. Four require it (Italy, Spain, Romania, Slovenia), 19 permit it, four leave it optional. PIDA does not require anonymous reporting but does not prohibit it. US bounty programmes accept anonymous submissions provided the reporter is represented by counsel. Practical recommendation: accept anonymous reports and provide a follow-up mechanism (case code, secret token).
Does whistleblower protection cover internal-policy-only breaches? The EU directive covers breaches of EU law plus national-law breaches in 22 transpositions. Pure internal-policy violations may be protected by national law in countries that have extended the scope. PIDA does not cover policy-only breaches. US SOX section 806 is limited to fraud against shareholders.
What is the time limit to bring a retaliation claim? In the EU it varies by member state, typically two to three years. Spain’s Ley 2/2023 allows two years from the retaliatory act; Germany’s HinSchG allows three. PIDA in the UK requires the claim within three months of the act, an unusually short window. US SOX section 806 requires filing with OSHA within 180 days.
Can a whistleblower in the EU receive a financial reward? Not under the directive itself; protection is anti-retaliation only. The Netherlands and Germany have run consultations on US-style bounty programmes, but as of 2026 no EU jurisdiction has enacted one.
What happens if a UK employee reports a US-listed parent company? The two regimes stack. The employee is protected by PIDA for the employment relationship and by SOX section 806 if the parent is US-listed and the report touches in-scope subject matter. Litigation can run in both jurisdictions, so any UK subsidiary of a US-listed parent should operate a channel that complies with both frameworks.
See also
- EU Directive 2019/1937 complete guide: the legal text and its 27 national transpositions.
- Whistleblowing policy: what it must include in 2026: the ten policy elements that operationalise these protections.
- Anonymous whistleblowing in the EU: how to honour Article 21 confidentiality without losing follow-up capability.
- Calculate your maximum fine: exposure under each EU member state’s law.
- Country compliance guides: jurisdiction-by-jurisdiction transposition details.