A whistleblowing policy is the document an organisation publishes to make its internal reporting channel work in practice. Under EU Directive 2019/1937 and its 27 national transpositions, the policy is not a nice-to-have. It is a legal artefact that the enforcer will ask to see during an inspection, and that a tribunal will read first if a reporter sues for retaliation. This guide covers what the document must contain in 2026, the mistakes that most often cause it to fail, and how to keep it short enough that employees will actually read it.
Direct answer
A compliant whistleblowing policy in 2026 must cover ten elements: scope of protected persons, types of breaches accepted, the internal reporting channel and how to access it, the external authority alternative, anonymity rules, the 7-day acknowledgement and 3-month feedback commitments, the identity of the case handler, confidentiality and data-protection commitments, the prohibition of retaliation with examples, and the consequences for breaching the policy. Average length: 6 to 12 pages. Average employee read-rate when sent as an attachment: under 5 percent. The single highest-impact change is to publish a one-page summary alongside the full document.
Why the policy exists in the legal sense
EU Directive 2019/1937 Article 13(2) requires organisations to “provide clear and easily accessible information regarding the procedures for reporting.” Every national transposition has put this into more specific language. Spain’s Ley 2/2023 requires a written internal information procedure. Germany’s HinSchG requires a Verfahrensbeschreibung. France’s Loi Sapin II requires a procédure de signalement. The Netherlands’ Wbk requires a meldprocedure. They all mean the same thing: a written document that explains how the channel works, who it’s for, and what reporters and the organisation are committing to.
The policy serves three audiences in three different moments:
- Employees, when they’re deciding whether to use the channel. A bad policy here looks intimidating and gets ignored. A good policy normalises reporting.
- The enforcer, during a compliance inspection. A bad policy here triggers fines for documentation gaps even when the underlying channel is fine.
- A tribunal or court, if a reporter sues for retaliation. A bad policy here makes the employer’s defence harder, because the burden-of-proof reversal in Article 21(5) leans on what the policy promised.
The ten elements every policy must contain
The list below is the intersection of what’s required across all 27 EU member states. Individual jurisdictions add specifics (Spain requires a separate “Sistema Interno de Información” naming; Germany requires explicit reference to HinSchG § 16). Cover all ten, then localise.
1. Scope of protected reporters. Who is allowed to use this channel. The legal minimum under Article 4 is current employees, former employees, applicants, shareholders, members of administrative bodies, volunteers, paid or unpaid trainees, contractors, subcontractors, and suppliers. Some national laws extend this further (Spain includes household staff of public officials; France includes legal entities acting in good faith). Be inclusive. A narrow scope is a red flag.
2. Types of breaches accepted. What the channel is for. The legal minimum is the ten subject-matter areas in Article 2: public procurement, financial services, product safety, transport safety, environmental protection, food safety, public health, consumer protection, privacy and data protection, and the financial interests of the EU. Most policies (and most national laws) also include national-law breaches and serious internal-policy breaches. Be explicit about the scope, and keep it broad. Broad, inclusive language (“any concerns about wrongdoing”) is fine; restrictive language (“only fraud over €10,000”) is not.
3. The internal channel and how to access it. The URL, the in-app entry point, the phone number, or however reporters actually start a report. If you have a web form, link directly to it. If you have an alternative for non-digital workers (a physical box, an SMS line), include both. A policy that names a channel without a working link is a documentation gap an enforcer will note.
4. The external authority alternative. Reporters have a right under Article 10 to report to the national external authority instead of (or in addition to) the internal channel. The policy must name this authority. The national enforcers as of 2026: Bundesamt für Justiz (Germany), Défenseur des droits (France), Autoridad Independiente de Protección al Informante (Spain), Huis voor klokkenluiders (Netherlands), ANAC (Italy), and so on. Naming the external route does not weaken the internal channel. It builds trust.
5. Anonymity rules. Whether reports can be submitted anonymously, and what happens if they are. Across the 27 member states, anonymous reporting is required in 4 (Italy, Spain, Romania, Slovenia), permitted in 19, and optional in 4. Be explicit about your stance. If you accept anonymous reports, say how the reporter can follow up (case code, secret token). If you do not, say what the reporter’s protection looks like instead.
6. The 7-day and 3-month commitments. Article 9 of the directive requires acknowledgement of receipt within 7 days and substantive feedback within 3 months. State both, verbatim if possible, and explain what “substantive feedback” means in practice (an update on what action was taken, not the full result of a confidential investigation).
7. The identity of the case handler. A named role (Compliance Officer, Head of Legal, designated case handler) and a fallback for conflicts of interest. The handler must be functionally independent of the reported matter. Several national enforcers have specifically flagged “the CEO is the only handler” policies as non-compliant, because the CEO cannot independently handle reports about the CEO.
8. Confidentiality and data-protection commitments. What information is collected, how it’s stored, who can see it, and how long it’s kept. Cross-reference your GDPR Records of Processing (Article 30 GDPR). Specify the retention period; the standard is the lifecycle of the case plus a defined retention window (typically 2 to 5 years; check national rules). Confirm EU data residency.
9. The retaliation prohibition with examples. Article 19 of the directive lists 15 prohibited forms of retaliation. The policy should name the major ones (dismissal, demotion, transfer, negative review, exclusion, intimidation) and add that the list is non-exhaustive. State that the burden of proof flips: if a reporter alleges retaliation, the organisation must prove the adverse action was unrelated. This is not a concession. It’s a statutory rule and your policy reflects it.
10. Consequences for breaching the policy. Both directions. What happens to a reporter who knowingly reports false information in bad faith (the directive only protects good-faith reporters under Article 6(1)(b)). And what happens to a manager who retaliates (disciplinary action up to dismissal, plus the statutory liability under national law). Be even-handed. A policy that only threatens reporters reads as hostile and undermines its own credibility.
Length and format
The most common length is 6 to 12 pages. Anything shorter usually misses a required element; anything longer rarely gets read. The best policies follow a layered structure:
- Page 1: a one-page summary with the channel link, the SLAs, and the retaliation prohibition. This is what employees actually read.
- Pages 2 to 8: the ten elements above, in plain language, with sub-headings.
- Pages 9 to 12: definitions, data-protection details, version history, and the named handler with contact information.
Several enforcers (notably Germany’s BfJ) have noted that policies longer than 15 pages tend to score worse on inspection, because they often contain contradictions between sections that a shorter document would have caught.
The five most common policy mistakes
This list draws on enforcement decisions and on our own customer review history from 2024 to 2026.
1. The policy exists but was never communicated. Article 13(2) requires that the procedure be communicated “in a manner that is easy to understand and easily accessible.” A policy in a SharePoint folder that the workforce has never been pointed at fails this test. The fix: include the policy in the induction pack, send an annual reminder, and put a visible link on the company intranet homepage.
2. The named handler has left the company. Policies go out of date. A handler who left two years ago is still named in the document, the email forwards to nobody, and the channel functionally doesn’t exist. The fix: an annual review with a documented sign-off, plus a generic functional email address ([email protected]) that survives staff changes.
3. The policy contradicts the actual channel. The policy says “anonymous reports accepted” but the form requires an email address. Or the policy promises 7-day acknowledgement but the case management system has no SLA timer. Inspectors check both the document and the live system. The fix: derive the policy from the channel’s actual configuration, not the other way round.
4. The retaliation language is hedged. “We will endeavour to protect reporters where possible” is not a commitment. The directive prohibits retaliation. The policy must reflect the statutory rule, not a softened version. The fix: use the directive’s language verbatim where possible.
5. The policy doesn’t mention the external authority. Several national supervisors (notably the Dutch Huis voor klokkenluiders) consider this a procedural failure on its own. The fix: name the authority, name the URL, in one sentence. It will rarely be used. Naming it builds trust and discharges a legal obligation.
Free policy template
Confidly publishes a free, EU-compliant whistleblowing policy template under a permissive licence. It covers all ten elements above, includes the one-page summary, and ships in DOCX and PDF. The template is generic across EU jurisdictions; localise to your specific national law before adopting.
The template is the same one we ship to Confidly customers as a starting point. Roughly 70 percent of adopters use it without modification; the remaining 30 percent edit clauses 5 (anonymity) or 7 (named handler) to match their internal setup.
Operational checklist
If you’re writing a policy from scratch, or auditing an existing one, the order that tends to work:
- Identify which national transposition applies (or which apply, for multinationals).
- Confirm or designate the case handler with their conflict-of-interest fallback.
- Configure the channel and confirm the SLAs are wired (Confidly does this by default).
- Draft the ten elements above using the channel configuration as the source of truth.
- Write the one-page summary last, so it reflects the final document.
- Translate into the working languages of the workforce (legal language must be in the local language; the summary can be in English plus the local languages).
- Communicate: induction pack, all-hands email, intranet link, annual reminder.
- Schedule the next review (annual, plus immediate after any change to the channel or handler).
How Confidly fits
Confidly is the channel the policy points at. The product enforces the ten elements operationally:
- Designated case handler with role-based permissions and a conflict-of-interest delegation flow.
- 7-day and 3-month SLA timers with red countdowns when overdue.
- Append-only audit log for inspections.
- EU-only data residency and a signed Data Processing Agreement.
- Anonymous case-code follow-up for reporters who don’t want to identify.
- Retaliation surface minimisation: reporters never need to disclose to managers or HR directly.
If the policy you draft matches the Confidly configuration, the document and the system stay consistent automatically. That removes the most common cause of failed inspections (the policy-vs-system contradiction described in mistake 3 above).
FAQ
Do we need a separate whistleblowing policy if we already have a Code of Conduct? Yes. The Code of Conduct describes expected behaviour. The whistleblowing policy describes what happens when something has gone wrong. National laws across all 27 member states treat them as separate documents. A Code of Conduct that includes a paragraph on “speak up” does not meet the Article 13(2) requirement.
Can we use a single group-wide policy across all our EU subsidiaries? Operationally yes, legally with caveats. Article 8(6) of the directive allows shared resources, but each in-scope subsidiary must still meet the local requirements for content, language, and accessibility. Spain’s 2026 draft guidance is the strictest reading so far: each Spanish subsidiary should publish a localised version of the policy in Spanish, naming the local handler.
How often should we review the policy? Once a year as a baseline, and immediately whenever the channel changes, the handler changes, the national transposition is amended, or an enforcer issues new guidance. The annual review can be a 30-minute exercise if the channel and handler haven’t changed.
What if our workforce speaks multiple languages? The policy itself must be available in the working language of the workforce. Most multinationals publish in English plus the local language of each country of operation. The one-page summary should be in every relevant language; the full document can be English-plus-local. Translations should be from a sworn translator for the local-law version.
Does the policy need board approval? Not strictly under the directive, but several national transpositions require sign-off by the highest governance body. As a practical matter, board approval signals that the policy has organisational weight, which strengthens the credibility of the channel.
See also
- EU Directive 2019/1937 complete guide: the underlying legal framework.
- Whistleblowing policy template (DOCX + PDF): the free, EU-compliant starting point.
- Calculate your maximum fine: exposure under each country’s law.
- Country compliance guides: jurisdiction-specific requirements.