The brand new EU whistleblower directive – Employment and HR

To print this article, all you need to do is register or log in to

On October 23, 2019, the European Parliament and the European Council adopted Directive (EU) 2019/1937 (hereinafter ”the directive”) to protect persons who report violations of Union law1. The deadline for transposing the directive into national law by the EU member states is December 17, 2021.

The important feature of this directive is to protect whistleblowers who report Union violations that are detrimental to the public interest. The protective measures for whistleblowers are recognized at both national and international level.

A breach is any unlawful act or a breach of the financial interests of a Union or a breach related to the internal market in relation to acts in breach of corporate tax rules or agreements aimed at obtaining a tax advantage that is compatible with the purpose or The purpose of the applicable corporate income tax law.

The protection exists for employees, applicants, former employees, supporters of the whistleblower and journalists. These people are protected from dismissal, humiliation and all forms of discrimination. The protection only applies to reports of misconduct related to EU law, such as tax fraud, money laundering or criminal offenses in public procurement, product and road safety, environmental protection, public health and consumer and data protection

The whistleblower can choose whether to report a concern internally or directly to the responsible supervisory authority.

With these safeguards, the EU is signaling its safety to whistleblowers and encouraging them to report corporate violations.

The obligations of a Member State under the Directive apply to private sector legal persons with 50 or more employees who are obliged depending on the activities of the companies and the resulting risk, in particular to the environment and public health Obligation than 50 employees to set up internal reporting channels and procedures.

There are currently around 10 Member States that have established their legal framework. In Cyprus, the Directive has not yet been transposed into national law, but the Ministry of Justice and Public Order is in the process of drafting and defining the proposed legal requirements under the Directive

While the applicable national legislation provides some protection and guarantees in relation to the civil service, corruption and bribery, competition law and termination of employment, it seems that additional changes and channel portals to this directive need to be developed in order to ensure smooth implementation with the directive. Member States must also ensure that there is a competent ‘whistleblowing’ authority responsible for reporting a ‘whistleblower’ externally.

It is contradictory that there is no definition of the measure “whistleblowing” in the directive, but a reference to the protection of natural persons when reporting a violation of EU law.


The directive aims to report a complaint to any worker in the private and public sector who has received information about a breach of EU law in the workplace
good faith and have
reasonable reasons for adoption that the content of the report correct at the time of reporting. Anyone who owns and reports such information is eligible for protection under the policy.

The guideline itself offers central protection in relation to a “whistleblower”. It is at the discretion of each Member State to incorporate the Directive into national law. The Member State has to assess the potential EU infringement for each sector ie money laundering, environment, public health, financial services, corporate tax, etc.


  • Employees and self-employed, freelancers, contractors and subcontractors
  • Shareholders
  • Members of an administrative, management or supervisory body
  • Volunteers or interns
  • new employees who have not yet started work
  • Moderators
  • Third parties associated with the whistleblower
  • legal persons with which the whistleblower is connected


The directive affects all companies and government agencies with 50 or more employees. Companies with 250 or more employees must comply with the directive from December 17, 2021.

Companies with 50 to 249 employees must comply by December 17, 2023.

There are currently no plans at EU level to apply the directive to companies with fewer than 50 employees.


  • Financial services, products and markets, and the prevention of money laundering and terrorist financing
  • public procurement
  • Product safety and compliance
  • Transport security
  • environmental Protection
  • Radiation protection and nuclear safety
  • Food and feed safety, animal health and welfare
  • Healthcare
  • Consumer protection
  • Violations of the EU’s financial interests
  • Violations related to the EU internal market
  • Protection of privacy and personal data as well as security of network and information systems


If you are a company that falls under point C above, you should be a ‘Whistleblowing Policy and Procedure“To provide an internal mechanism for reporting, investigating and providing corrective action in the workplace.

A company must outline the types of issues that can be addressed, how they will be addressed, how they will be protected, and how the company will act. The company must ensure that the whistleblowing policy and procedures are in line with the company’s GDPR laws. The identity of the whistleblower may not be passed on to third parties beyond the person who is processing the report without express consent.

Secure and direct confidentiality and reporting channels must be provided within the company and suitable personnel must be appointed to investigate reports.

The company is required to distribute and publish the whistleblowing policy and procedures to all employees of the company AND to provide protection to third parties in connection with the whistleblower. In addition, the company must have the appropriate means to conduct investigation procedures and guidelines, as well as effective record keeping.


According to the guideline, organizations and individuals who take revenge on “whistleblowers” ​​are punished; People who make false reports and companies that have not followed their internal guidelines and lines of protection to keep the identity of a whistleblower confidential. The directive empowers the national legislation of a Union to impose sanctions.


It is mandatory for companies to ensure that reporting channels are in place and that every employee is familiar with this procedure. The whistleblower can use the reporting channels to make a written or oral report, but the identity of the whistleblower must always be treated confidentially. Disclosing the whistleblower’s identity and violating the above regulations can result in severe penalties.

The company / organization must designate a person or department to receive the investigation reports. It is expected that this role will either be assumed by a compliance officer, the head of the HR department, an internally appointed lawyer, the CFO or the managing director of a company. A named person who takes on such a role can also be outsourced.

The acknowledgment of receipt by the designated person of the company must be made within 7 days and a response must be made within 3 months of the confirmation, but can be extended to six months due to the special circumstances of the case, in particular the nature of the complexity of the report topic, which may require a lengthy investigation.

The guideline contains a permit for cases in which internal reporting channels either do not exist, are not mandatory or are used but not applied. For example, a whistleblower complaint has been filed against a company director and that person is the company designated person to receive such reports. In certain situations, protection is extended to public disclosures in situations where the internal or external channels are difunctional.

There are three phases to a warning: 1) the internal warning, 2) if the company has not taken action to allow such a warning, and 3) the warning must be directed to the appropriate authorities. Failure to continue a warning within 3 months may result in public disclosure.

The content of this article is intended to provide general guidance on the subject. Expert advice should be sought regarding your specific circumstances.