This is what you need to know about the EU Whistleblower Protection Directive

We all know the whistleblower Edward Snowden – there’s even a movie about him! Or this other thriller with Keira Knightley, what was it called? Oh right, “Official secrets”. And recently there was this lady, Frances Haugen.

We certainly do see a lot of whistleblowers in the news and their stories often make us think they could become scripts for a fast-paced suspense thriller. However, like in real life, things are usually not just black or white.

It is true that whistleblowers have helped to uncover fraud cases or other misconduct. However, it is also true that people can make false allegations, either knowingly or unknowingly. 

In truth, people who witness perceived, potential or actual wrongdoing and come forward might breach local laws or contractual arrangements in doing so. Others might try to take advantage of existing laws or policies that were put in place to grant truthful whistleblowers a financial reward.

Whistleblowers who act in good faith might still face sanctions or dismissal, prison and financial charges and even threats to their life and that of their loved ones. This results in many people who witness actual wrongdoing, such as discrimination, ethical misconduct or financial crime, not daring to come forward because they fear potential consequences. 

Until now, international legislation differs or is completely silent regarding the definition of a whistleblower, how to blow the whistle legally and what kind of protection and support can be granted to them. What’s needed is a clear legal framework to outline proper channels and define the rights but also limits of whistleblowers. This would allow, incentivise and support truthful whistleblowing and discourage and sanction any abuse.

This article explores the reasons for the implementation of an EU standard on whistleblowing, the key requirements of the Directive and a few tips to get ready for its upcoming application.

Why was an EU Whistleblower Protection Directive passed?

Currently, only a few EU countries have comprehensive whistleblower protection in place, for instance France. Other countries, such as Luxembourg, offer only partial protection, and the provisions are spread across various laws, which makes it difficult to get a thorough view.

On the bloc level, the European Parliament estimates that between €5.8 and €9.6 billion of potential benefits are lost just in EU public procurement, since people don’t report issues due to a lack of protection.

Aiming at both granting truthful whistleblowers the protection they need to feel safe to act and having EU wide standards, the EU passed the Directive on the protection of persons who report breaches of Union law – commonly referred to as the “Whistleblowing Directive”. 

By enabling early reporting of misconduct and wrongdoing (as outlined in the Directive), organisations have a better chance of remedying them promptly.

Creating internal reporting channels, one of the requirements of the Directive (Article 8), allows organisations to deal with allegations internally and to avoid “washing their dirty laundry in public”. This shall also limit or prevent reputational damage that public disclosures frequently bring with them. 

What are the key requirements of the EU Whistleblower Directive?

Firstly, let’s revisit the organisational headcount variable because it determines when the Directive is applied. 

In fact, the Directive will concern legal entities of the private sector with at least 50 employees. This threshold, however, does not apply to financial sector organisations which are required to implement whistleblowing systems regardless of the number of employees (unless otherwise specified by the national law). 

Credit institutions incorporated in Luxembourg already must have internal alert systems according to Circular CSSF 12/552 (as amended), yet they will have to be enhanced following the Directive.

Also, the public sector falls within the Directive scope, but Member States can choose to only require municipalities with more than 10.000 inhabitants to comply, or public sector organisations with at least 50 workers. 

The main requirements for legal entities include:

  • Establishing internal reporting channels, in writing or orally or both, and procedures for follow-up
  • Ensuring the confidentiality of the identity of the reporting person and any third party mentioned in the report
  • Designating and training an impartial person/department to handle the reports
  • Sending an acknowledgment of receipt within 7 days, ensuring adequate follow-up and defining a reasonable timeframe to provide feedback, not exceeding three months
  • Protecting whistleblowers from retaliation (this may include removing responsibilities, negative feedback, discrimination or psychiatric/medical referrals)

Under the EU Whistleblower Directive, what can be reported and by whom?

People can report on different breaches of Union law including public procurement, financial services, products and money laundering and terrorist financing but also the protection of the environment, public health or protection of personal data. EU countries can also go beyond these topics when implementing the Directive. 

Workers and self-employed professionals can report such breaches, as can shareholders or members of the supervisory body, volunteers and trainees, and prospective and former employees. The protection granted under the Directive also applies to facilitators or third persons connected to the reporting person, e.g. colleagues or relatives.

How are countries implementing the EU Whistleblower Directive?

EU countries have until 17 December 2021 to transpose the Directive into national law. But so far, few countries have actually done so, and Luxembourg is not yet one of them. This is not completely unusual, since the implementation of Directives into national law is not always on schedule. However, the pressure will increase soon.

The first country to transpose the Directive was Denmark, which passed its national law on 24th June 2021. It is noteworthy that the Danish Whistleblower Protection Act goes beyond the scope of the Directive and allows not only reporting of breaches of EU law but also of Danish national law, including infringements of a serious nature such as bribery, corruption or sexual harassment.

So, what to look out for?

Due to the ongoing pandemic, we foresee an implementation delay. The transposition of the Directive is mandatory, however, and organisations falling within its scope should anticipate the necessary actions. They will have to implement all the requirements already laid down and, depending on the Luxembourgish bill, those requirements might even be extended.

This means that entities might also have to rework existing whistleblowing systems. 

The current Luxembourgish legal framework has a smaller scope both in terms of topics that can be reported and persons who can report. Existing country regulations cover the financial sector or public servants but, following the Directive, the scope widens, and public entities and private companies are also called on to comply.

Depending on their size, organisations can develop an in-house solution or partner with an external software provider to bring it about. Also, they can assign the responsibilities for handling the allegations to existing teams, e.g. in compliance or legal departments.

Yet, these professionals do not only have to know how to assess incoming reports, engage with whistleblowers and ensure confidentiality. If the reported case is deemed substantial, they also need to know how to manage an internal investigation and when and how to report to the authorities. 

Organisations should not wait for the final bill to get started with the implementation. In our view, they need to start acting without further delay.

Start acting on the EU Whistleblower Directive

What you can already do now is anticipate the main requirements and get fit for them:

1. Designate an impartial person (internal or external, e.g. an attorney) or department who will be in charge of the whistleblowing channel—this can still be changed at a later stage.

2. Create a secure channel for receiving whistleblower reports in writing and orally—this can be a simple email address and a phone number, for now.

3. Ensure the minimum procedural requirements, that is, acknowledgment of the receipt of the report within seven days (e.g. an email response to the whistleblower), follow-up of the report (i.e. internal discussion and potential further communication with the whistleblower followed by an identification of actions), feedback to the whistleblower within three months (again, e.g. by email) and record-keeping for each report received in line with GDPR.

4. Ensure the confidentiality of the reports received, in particular where the whistleblower provides a name or other information that can be used to identify them. Also, ensure that only a very limited number of persons have access to this information and, when it is shared with others (e.g. the Board), anonymise it.

5. Train the internal team or person, if any, in charge of handling the reports.

6. Communicate about the existence, functioning and purpose of the whistleblowing channels, stressing the protection from retaliation, e.g. on the intranet, by email or with a policy.

What we think


Tamara Czetto, Manager Forensic Services at PwC Luxembourg

The debate is no longer about whether whistleblower channels and protection should be granted or not. The EU Commission has passed its Directive and companies have to be prepared for its transposition in national law. Therefore, the discussion should now focus on how to organise and communicate the implementation of whistleblowing systems to ensure a responsible and trustful management.
