Glossary
Three-Tier Reporting
The internal, external, public hierarchy of reporting channels established by EU Directive 2019/1937: internal reporting under Article 9, external reporting to the designated national authority under Article 11, and public disclosure under Article 15. The tiers are not strictly sequential. A reporter may start externally, but public disclosure is conditional under Article 15.
Full definition
EU Directive 2019/1937 codifies a three-tier escalation model: (1) internal reporting to the employer's own channel under Article 9, (2) external reporting to the designated national authority under Article 11, and (3) public disclosure under Article 15. The tiers are not strictly sequential: a reporter is free to start with the external authority and is not penalised for skipping the internal tier. Public disclosure is conditional and benefits from protection only where the earlier tiers have failed or where the conditions in Article 15 are otherwise met. Recital 33 explains the policy: the Directive seeks to encourage use of internal channels by making them safe and effective, on the assumption that early internal reporting is the fastest way for an organisation to remedy a breach. National authorities in most member states maintain published guidance illustrating which body acts as external channel for which subject-matter; in some (Ireland) a central Commissioner allocates externally received reports to prescribed authorities by subject-matter.
Related terms
- Internal Reporting Channel A confidential mechanism inside an organisation through which employees and other workers can report breaches. EU Directive 2019/1937 Article 8 requires every legal entity with 50 or more employees to operate one, accept reports in writing, orally, or through a physical meeting, acknowledge within 7 days, and provide substantive feedback within 3 months.
- External Reporting Channel A reporting route operated by a national competent authority, available as an alternative to internal channels. EU Directive 2019/1937 Article 11 requires each member state to designate authorities that receive reports directly, bypassing the employer. Reports made externally carry the same protection from retaliation as internal reports. Examples include Germany's Bundesamt für Justiz and France's Défenseur des droits.
- Public Disclosure A whistleblower's report made directly to the public such as via the media. EU Directive 2019/1937 Article 15 protects public disclosure only under specific conditions: prior internal and external reporting without action, imminent danger to the public interest, risk of retaliation, or low prospect of the breach being effectively addressed. It is the structurally last-resort tier.