In the Picture

Pdf version Archive Subscribe

Blow the whistle! New European protection for whistleblowers.

February 2021


You are a CEO and one day a senior employee from the financial department asks to have a private talk with you. During the conversation, the employee explains that she has a strong suspicion that her manager is engaged in fraudulent activity. She has had this suspicion for some time now, but there was nowhere she could go with it. After all, the company’s policy is that employees must report potential breaches to their direct manager – something the employee couldn´t possibly do, given that the information she had concerned precisely her manager.

At the end of the talk, the employee mentions that your company’s policy in this area is in urgent need of reform. She notes that companies will soon be obliged to set up a system that enables employees to securely report possible violations, without running any risk of retaliation. You have to admit that you aren´t really up to speed on this. Is that really the case? Time to contact the legal department…

A brief clarification.   

A number of major scandals – such as Dieselgate, Luxleaks, the Panama Papers and Cambridge Analytica – have recently come to light because individuals, often employees, addressed the outside world with their concern about potential breaches of important laws, sometimes at great risk to themselves. In practice, the protection of so-called “whistleblowers” within the EU is indeed highly fragmented. Due to a fear of retaliation, many potential whistleblowers refrain from reporting violations. 

In October 2019 the European Union therefore adopted a directive that establishes a common minimum protection for whistleblowers throughout the EU. The directive must be transposed into national law by the end of this year (at the latest on 17 December 2021).    

What kinds of breaches are involved? The protection of whistleblowers applies for breaches of important EU legislation. The legislation concerned is listed in the directive and covers (amongst other things) public calls for tenders, financial services, product and food safety, environmental protection, privacy protection, corporate income tax as well as competition law. The directive only sets a minimum level of protection, so Member States are free to introduce or enforce rules that are more favourable for whistleblowers.

Who enjoys protection? The protection applies for the reporting of information on breaches that was obtained in a work-related context by an employee or a self-employed individual. The protection extends to third parties, such as their colleagues or family members. The protection applies for reporting both breaches committed by the organisation for which the reporting person works and breaches committed by organisations with which he has been in contact on the basis of his work, such as competitors, suppliers or customers. A condition for the protection is that the whistleblower had reasonable grounds to believe that the information he provides about the suspected breach is true. The protection does not apply for those who prove to be malicious, frivolous or abusive informants.

What actions must a company take? Every company with 50 or more employees, regardless of the nature of its activities, must set up internal reporting channels. It can manage these internal reporting channels itself or entrust this task to a third party. In both cases it must be possible to make the report either in writing or orally, the identity of the whistleblower must be protected, and the report must be diligently followed up by an impartial person or department. The follow-up entails, amongst other things, that the reporting person must receive firstly a confirmation of receipt within seven days, and then feedback within a reasonable period (no longer than three months). The internal reporting channels must also provide information about the external reporting channels to the competent authorities.

Is a whistleblower also protected if he reports outside the organisation? Yes. These external reporting channels must be designated by the EU Member States in accordance with the directive. In certain cases, a whistleblower will enjoy the directive’s protection even if he discloses the breach via the press. This is the case when the internal and external reporting channels failed to take any appropriate measures in respond to an earlier report.    

Last but not least: what protection does the whistleblower enjoy? The protection is extensive and includes a prohibition on any form of retaliation, e.g. dismissal, discrimination, intimidation, the withholding of promotions, or blacklisting, as a result of which the reporting person can no longer find a job in the sector. When a supplier or customer acts as a whistleblower, it is prohibited to prematurely terminate his contract as a retaliation. The directive obliges the Member States to take measures to guard against these kinds of retaliation. For example, they must provide that whistleblowers cannot be held liable for their reporting or disclosure in proceedings against them relating to e.g. defamation, disclosure of trade secrets or breach of personal data protection.


  • By the end of 2021, a minimum protection will apply in the EU for those who report suspected breaches of important legislation. The Member States can go further and adopt an even more protective regime. 

  • Every company with 50 or more employees must provide for internal reporting channels that guarantee the anonymity of the whistleblowers, and their reports must be diligently followed up. 

  • Whistleblowers must be protected against any form of retaliation and incur no liability due to reporting suspected breaches, not even when this entails violating their duties of confidentiality.

  • The protection applies not only for the whistleblowers themselves, but also for their colleagues and family members. It also applies when the breaches are reported to the competent authorities and possibly to the press. 

Want to know more?