Free template · Updated May 2026

Whistleblowing Policy Template: EU Directive 2019/1937

A free, lawyer-reviewed whistleblowing policy template aligned with EU Directive 2019/1937 and the national transpositions in all 27 EU member states. Use the template below as a starting point; every section is annotated with the article of the directive it satisfies. Adopt, sign, and publish to employees.

This template is the same one Confidly customers receive when they activate a channel. It is structured in 11 sections, each annotated with the article of EU Directive 2019/1937 it implements and the relevant national references where member states have stricter requirements. Free to use under CC BY 4.0; attribution to confidly.eu is appreciated but not required.

Download the template

DOCX + PDF, ready to adapt. The full policy text is on this page (un-gated); the downloadable files require a work email so we can email future updates.

Or write to [email protected] with the subject "Send me the template": same destination, no form needed.

What's in the template

  1. Purpose & legal basis: references EU Directive 2019/1937 Art. 1 + your national transposition
  2. Scope: who can report (Art. 4), what can be reported (Art. 2)
  3. Reporting channels: internal, external, public disclosure (Arts. 7-15)
  4. Confidentiality: Art. 16 + GDPR Art. 5(1)(f)
  5. Acknowledgement & feedback timelines: Art. 9(1)(b),(f): 7 days, 3 months
  6. Investigation procedure: Art. 9(1)(d): diligent follow-up
  7. Anti-retaliation protection: Art. 19 + national-law strict liability
  8. Roles & responsibilities: designated person, deputy, conflicts
  9. Data protection & recordkeeping: Art. 17 + GDPR Art. 30
  10. Communication & training: Art. 9(2): make policy known
  11. Country annex: local enforcement authority, fine ceiling, language

The 7 most common mistakes in DIY policies

  1. Missing the 7-day acknowledgement. Art. 9(1)(b) is a hard requirement; many DIY policies say "we will reply promptly", which is not equivalent. Use exactly "within 7 days of receipt".
  2. Confusing 'anonymous' with 'confidential'. Anonymous means the reporter is never identifiable to the organization. Confidential means identity is known to a small protected group. The directive requires confidentiality; anonymous reporting is optional per member state.
  3. Failing to name the external authority. Each country has a designated competent authority (Bundesamt für Justiz in DE, Défenseur des droits in FR, A.A.I. in IT, AAI in ES). The policy must reference yours.
  4. No anti-retaliation reverse-burden clause. Art. 21(5) shifts the burden of proof: once retaliation is alleged, the employer must prove the adverse measure was unrelated. Many DIY policies omit this.
  5. Retention period inconsistent with national law. The directive itself is silent on retention; national laws vary (5 years in DE, case duration + 3 years in FR). The country annex must override the base policy.
  6. Treating the policy as an HR document. The reporting channel must be independent of regular HR (Art. 8(5)). The policy must therefore not route reports through HR by default.
  7. No record of board adoption. The policy needs a date and a signed adoption record. Without it, enforcement authorities can argue the policy was not in force.

Country annexes included

The template comes with annexes for all 27 EU member states + Norway, Iceland, and Liechtenstein. Each annex covers the local transposition law, the enforcing authority, the language requirement, the fine ceiling, and any deviations from the base directive.

Beyond the policy: the channel itself

A policy without an actual reporting channel is non-compliance. Confidly is the channel: anonymous intake, a 27-language reporter UI, SLA timers for the 7-day acknowledgement and 3-month feedback, and an append-only audit log for enforcement inspections. The policy template above maps 1:1 to Confidly's defaults; if you adopt it as-is, Confidly is preconfigured to deliver every commitment in it.

Frequently asked questions

Is a whistleblowing policy required under EU Directive 2019/1937?
Yes. Companies with 50+ employees and all public-sector entities must adopt an internal whistleblowing policy describing the reporting channel, the people authorized to handle reports, the acknowledgement and feedback timelines, and the anti-retaliation protections. The policy must be made available to all employees and other persons in scope.
What must a whistleblowing policy include?
At minimum: (1) scope (who can report what), (2) reporting channels (internal, external, public), (3) confidentiality and data-protection commitments, (4) acknowledgement within 7 days and feedback within 3 months, (5) anti-retaliation protection, (6) recordkeeping and retention, (7) the designated person or team responsible, (8) external authority contacts in your country.
Can I use the same whistleblowing policy across multiple EU countries?
A single group-wide policy is acceptable provided it is supplemented by country-specific annexes covering local thresholds, the local enforcement authority, the local language requirement, and any local-law deviations (e.g., Spain's larger fine ceiling, France's mandatory annual reporting to the Défenseur des droits). Confidly customers receive country annexes automatically when they activate a country channel.
Does the policy need to be in the local language?
Yes, the policy must be available in at least the official language(s) of each country where you have reporting employees. Most member states (Germany, France, Italy, Spain, Netherlands among them) require the local language; English-only policies are not sufficient even for multinationals.
How often should the policy be reviewed?
At least annually, and after any of: a national-law amendment, a substantive change to your reporting channel, an organizational restructure that changes responsible roles, or a substantiated retaliation incident. Confidly emits an annual policy-review reminder to the designated case handler.
Is a free template legally binding?
No template, free or paid, is legally binding by itself; it becomes binding when adopted by your organization (typically via board resolution or a signed management decision) and published to employees. The template below is a starting point; have it reviewed by your in-house counsel or DPO before adoption.
