Understanding and Navigating the New EU Whistleblowing Protection Directive by December 17

By Jaagriti Sharma
November 8, 2021

The European Parliament and the European Council’s Whistleblower Protection Directive has been in the works for several years and is expected to be implemented by December 17, 2021. 

With just over a month until this deadline, companies operating in the EU are working quickly to ensure that their policies and procedures are compliant.

So what should companies know about the Whistleblower Protection Directive? And, what steps should companies take to update or introduce whistleblower reporting channels for their employees? We’ve got you covered. Keep reading to find out! 

What is the EU Whistleblowing Directive

According to the Official Journal of the European Union, the purpose of the Directive is to “enhance the enforcement of Union law and policies by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law.”

In short, the EU Whistleblowing Directive ensures that whistleblowers who report violations of EU law are protected against retaliation from their employers, managers, or colleagues.

Within this context, a whistleblower is defined as a natural person, not an entity, such as a self-employed person, shareholder, current or former employee, subcontractor,  job applicant, contractor, unpaid trainee, volunteer, and any other relevant individual who reports violations of EU law encountered in the context of work or work-related activities.

Retaliation in this context is defined broadly and includes discrimination, withholding of training, demotion, dismissal, suspension, disciplinary action, and intimidation. 

The Directive enforces a minimum standard for whistleblowing that member states must adhere to. However, because this new initiative is a directive and not a regulation, individual EU countries are able to introduce their own specific and extended protections to further shield whistleblowers from retaliation. Therefore, companies will need to build a compliance plan that takes into account the EU Directive and the specific regulations that are eventually rolled out by the member state(s) they operate in. 

Who Does the Directive Apply To?

The Directive concerns all businesses and government bodies that employ 50 or more employees. Companies with between 50-249 workers will need to be compliant by December 17, 2023. Companies with 250 or more employees must be compliant by December 17, 2021. There currently are no directives for companies with fewer than 50 employees.

What Exactly is Whistleblowing?

Whistleblowing is defined as the disclosing of suspected wrongdoing, that reveals either direct employer violation or misconduct by third parties.

The EU Directive specifies common minimum standards for whistleblowing concerning the following areas:

  • public procurement
  • financial services, products and markets, and prevention of money laundering and terrorist financing
  • product safety and compliance
  • transport safety
  • protection of the environment
  • radiation protection and nuclear safety
  • food and feed safety, animal health and welfare
  • public health
  • consumer protection
  • protection of privacy and personal data, and security of network and information systems
  • breaches affecting the financial interests of the Union
  • breaches relating to the internal market, including breaches of Union competition and State aid rules and applicable corporate tax law

This specified scope differs from UK law, where whistleblowing protection applies across all sectors, with more stringent provisions imposed on particular sectors. Under this EU directive, there are some general scopes that are common to most businesses, such as consumer protection and antitrust law, as well as more unique scopes such as radiation protection and nuclear safety. 

Who Does the Directive Protect?

The directive protects whistleblowers that report breaches of EU law if they file a report in good faith, have reasonable grounds to believe that the information they reported was true at the time of reporting, and file a report that falls within the aforementioned scope of the EU Whistleblowing Protection Directive. Whistleblowers can file reports internally, externally, or publicly, such as to the media. Specific reporting channels are not specified by the Directive meaning the whistleblower may choose where they file a report. 

The Directive allows for external disclosures to be protected where internal reporting channels do not exist, create a conflict of interest, or do not work effectively. In limited circumstances, protection will be extended to public disclosures where the internal or external reporting channels do not function effectively.

Under the Directive, whistleblowers are protected by:

  • exemption from liability for acquiring the information that is reported or disclosed, if this acquiring of information was not done via a ‘self-standing criminal offense
  • a reversal of the burden of proof for alleged retaliation, meaning the retaliator would need to prove that the perceived retaliation was not connected to the whistleblowing
  • access to appropriate remedial action such as adjusted work environment, interim leave pending an investigation, etc.

The Directive also extends protection beyond the individual whistleblower to individuals who may have aided the whistleblowing, such as colleagues and relatives, in the same workplace.

Challenges Businesses Face in Adhering to this Directive

Several challenges can be anticipated by companies adjusting their plans to adhere to this Whistleblowing Protection Directive. Being aware of and keeping these challenges top of mind will make the process much easier. Some of these challenges include:

  • Adhering to the EU Whistleblowing Protection Directive and the specific country regulations that will follow. Companies that operate multi-nationally, or across a number of EU countries will need to ensure that their compliance plan acknowledges all directives and requirements.
  • Defining whistleblowing within their organization. The definition provided in this directive is much broader than that applied under data protection laws, business conduct rules, and insurance policies. This means that disclosures about possible wrongdoing by third-party suppliers or contractors may be considered Directive protected acts. Companies should be careful to ensure that their whistleblowing procedures and related insurance policies do not contradict the definitions provided in the Directive.
  • Reviewing all internal whistleblowing and reporting procedures to ensure that employees have an easily accessible, secure, and understood means to report violations. However, employers need to ensure that they have the processes and manpower to respond and resolve violations, and distinguish between EU law violations and negative workplace issues.

How Companies Can Navigate These Challenges

Although the process of creating or updating an organization’s compliance plan can seem overwhelming, taking the right steps and actions will make the process easy as pie. As the December 17 date draws closer, here are some key things to keep in mind:

  • Don’t wait! Implementation of a compliant and comprehensive plan should and will take some time. Planning for and implementing a comprehensive compliance plan will save you from rushed preparations, and will ensure that any additional adjustments that will need to be made for specific country regulations will be minute.
  • Plan for and prepare for an impact on your budget. In order to comply, will your company need to renew contracts, outsource a whistleblower tool, or train additional staff members or current employees? Remember that the Directive establishes the baseline for compliance and your particular plan, which also adheres to your company’s mission and values, may end up being resource-heavy.
  • Ensure that your employees understand who the Directive protects, what the reporting scope of the Directive is, and how they will be protected as a whistleblower.

Steps to Take

  1. Create a comprehensive plan that details the reporting process, investigation process, and timeline.
  2. Designate an individual or department to receive and investigate reports. This responsibility can be assigned to an HR, compliance, legal, or executive level employee or outsourced ombudsman. This individual must acknowledge a report within 7 days and provide a response to the whistleblower within 3 months.
  3. Establish effective, confidential, and secure reporting channels. And, develop programs to actively communicate and train employees on the reporting process. Be transparent about any potential follow-up, the investigation process, and timeline.

Partnering with a Whistleblower Hotline Vendor

A key aspect of a comprehensive compliance plan is a whistleblower vendor or platform. These third-party organizations provide effective and confidential reporting channels that help support your initiatives and ensure that your employees feel secure reporting, and safe from retaliation. When selecting a whistleblower platform, be sure to look for features that are Directive compliant and compatible with any additional workplace culture requirements your organization may have, integrations with your current software, ease of accessibility, secure encryption, partnerships, support services and resources, and overall trustworthiness.

Should these characteristics interest you, don’t hesitate to reach out to us here at AllVoices.  The AllVoices employee feedback management platform is whistleblower compliant, yet more current, mobile, and user-friendly than a standard whistleblower hotline. We are well versed with the EU Whistleblowing Directive and can provide you with a comprehensive, low-cost method to ensure that your company complies with these Directive standards and the values of today's modern workplace.

Schedule a demo today to learn how we can help you be ready by December 17!

Don’t get caught off guard by employee feedback. AllVoices can help.
Request A Demo
We care about protecting your data. Here’s our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.