
23 February 2022, 7 minute read

The EU Whistleblower Directive is in effect – what should we do now?

Key questions and action steps

The EU’s Whistleblowing Directive is now in effect. Businesses with operations in Europe must take proactive steps to address the new requirements.


The whistleblowing regime in the US – based on the Sarbanes-Oxley Act of 2002 (SOX), Department of Justice (DOJ) guidance, and other US whistleblower statutes – has historically been regarded as the world’s gold standard. The EU Directive, however, goes farther, compelling member states to introduce laws that are different and more stringent.


Internal whistleblowing policies and procedures must therefore be evaluated to ensure that companies continue to comply with the changing legal landscape. While whistleblowing, by its very nature, applies to a whole host of issues, it is often the source of anti-corruption investigations (either internal or external). The Directive will impact not only how allegations of corruption are reported, but also how they are investigated, which adds another incentive to ensure that policies are up to date.


What is the Directive?


The Directive requires EU member states to implement legislation mandating that all companies with 50+ workers establish internal reporting channels to enable workers to report breaches of certain EU laws and ensure that those workers who have made a whistleblowing report are legally protected against any form of retaliation. “Workers” are broadly defined to include not just employees but any persons who by virtue of their work-related activities have access to information regarding the breaches – eg, agency workers, self-employed service providers, suppliers, mandate holders, shareholders, and even volunteers and job applicants.


The in-scope EU laws include (among others) those relating to public procurement, financial services, product safety and compliance, environmental protection, public health, consumer protection, and data protection. However, member states – and employers – can opt to extend the whistleblower protection to cover breaches of national laws, as well as laws in other areas. 


The Directive is only the “minimum” standard that all member states must implement.


Some countries may choose to go beyond that minimum, and therefore a close eye must be kept on each country’s implementing legislation.


Breaches can be reported either internally, externally via a state-organized channel, or publicly, provided that the whistleblower has reasonable grounds to believe that the matters being reported are true at the moment of reporting (motives are irrelevant) and that the information falls within the Directive’s scope.


We have a global whistleblowing policy compliant with SOX – is that sufficient?


Companies should review their whistleblowing policies in light of the differences in reporting and investigation between the Directive and SOX.


One of the biggest differences between the Directive and SOX relates to the way reports are handled. While SOX does not contain explicit requirements for addressing reports, the Directive generally requires that companies acknowledge receipt of a report within seven days and “provide feedback” to the reporter within three months. Similarly, the Directive requires that companies update the reporter as to the outcome of the investigation. Additional information about the differences between the Directive and SOX can be found here.


Can the HR team based in the US investigate a whistleblowing report made in an EU country?


While the Directive is silent as to whether employees in the United States can specifically investigate a whistleblowing report made in an EU country, guidance published by the European Commission in June 2021 provides that a reporter in the EU may request that a report made at the local level not be shared with or handled by the parent company and/or individuals outside of the local office – effectively blocking a US parent company’s ability to direct an investigation, or even access a report.


Companies should continue to carefully monitor country-level developments to identify any necessary changes to their internal investigative procedure requirements.


We have a central global hotline – is that acceptable?


Unfortunately, the European Commission has explicitly stated that a central global hotline, by itself, is not sufficient to meet the Directive’s requirements. While companies can continue to maintain their central hotlines – and even encourage employees to use them – a local reporting channel for each legal entity in each relevant member state must be available.


If member states haven’t yet introduced the implementing national law, do we need to do anything at this stage?


Monitoring the precise requirements set out in local law will be vital, particularly because member states can go beyond the standard required by the Directive and because it will likely be some time before all member states have passed implementing legislation. Indeed, for medium-sized employers (50-249 workers), member states may choose to delay requiring the implementation of internal reporting channel requirements until December 17, 2023.


However, businesses should not simply wait for local law to catch up. Reporting policies and procedures should be reviewed and updated to ensure compliance to the extent possible, and companies should be prepared to adapt to further local law requirements as and when the national legislation is implemented.


What about data privacy considerations?


Companies should continue to be mindful of the General Data Protection Regulation (GDPR) requirements, which apply to all processing of personal data in relation to whistleblowing reports and investigations.


How can I prepare?


US companies would be wise to take the following steps now:

  1. Monitor the progress of the Directive’s implementation in EU countries where your business operates.
  2. Review your current policies and processes, or introduce new ones, to ensure compliance with the Directive’s requirements.
  3. Assess and understand the data privacy implications of the Directive.
  4. Ensure that your reporting channels work properly: for instance, that lines of communication are clear; that dedicated departments or individuals are ready to follow up on any reporting; that managers and key players are appropriately trained.
  5. Inform and consult with the works council in the countries where required.
  6. Ensure reporting channels are appropriately communicated and readily available to all those who fall within the Directive’s scope – whether or not they are employed by your company.

For further information on assessing your company’s policies and processes in light of the Directive’s requirements, please contact any of the authors or your DLA Piper relationship partner.