The reporting channel the EU Directive requires
Under EU Directive 2019/1937[1], organizations with 50+ workers must operate a secure internal reporting channel. Non-compliance carries fines up to €1,000,000 under national transpositions.
[1] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. OJ L 305, 26.11.2019, p. 17-56.
- EU Directive 2019/1937 compliant
- EU-sovereign hosting
- Operational in minutes
- From €49/month
- No AI on report content
Without a channel, you're exposed
An employee witnesses fraud and has nowhere to report it internally. They go to a regulator, a journalist, or a lawyer. Now you have a compliance violation, a PR crisis, and no audit trail showing you took the Directive seriously. A reporting channel is not a checkbox. It is how you find problems before they find you.
Deployment
Step 1: Configure your portal
Create your account, set your portal's welcome text, report categories, and logo. No technical setup required.
Step 2: Share the link
Give employees your portal link or QR code. They can submit anonymous reports from any browser. No app or account is required.
Step 3: Handle reports securely
When a report comes in, communicate securely with the whistleblower, track your 7-day and 3-month deadlines, and export case files for auditors.
Built for EU compliance
Fully anonymous reporting
No IP logging, no tracking. File metadata (EXIF, GPS, author) is stripped automatically. Reports can be completely anonymous.
Encrypted at rest
All sensitive data, including report descriptions, names, and messages, is encrypted in the database. Hosted on Hetzner in Nuremberg, Germany.
Automatic deadline tracking
7-day acknowledgment and 3-month feedback deadlines are tracked automatically. Overdue cases trigger notifications.
Append-only audit trail
Every action is logged and cannot be edited or deleted. Auditors get the complete picture of who did what, and when.
File metadata stripping
EXIF data, GPS coordinates, and author info are removed from all uploads. A whistleblower's identity is never leaked through a photo.
Secure two-way messaging
Whistleblowers check back with a Case ID and passcode. No account needed. Handler names are never revealed.
Principled infrastructure
No AI on report content.
EthicsPortal does not transmit report content, reporter identity, or case messages to any large language model or AI inference provider. No AI categorisation, summarisation, or translation. No AI sub-processor on the GDPR Article 28 list. A deterministic audit trail records actor and action — not a probabilistic suggestion.
Read the commitment →Evidence for auditors
Four compliance documents available directly from the portal, ready to hand to legal, compliance, or regulators.
Compliance report
Directive 2019/1937 checklist, SLA metrics, data protection measures, and audit trail summary without exposing sensitive report data.
Compliance certificate
Shareable proof that your organization operates a reporting channel compliant with Directive 2019/1937 and your national transposition.
Whistleblower policy
Ready-to-adopt internal policy document your organization can publish and communicate to workers.
Privacy notice
GDPR Article 13/14 notice displayed to reporters before submission, pre-filled with your organization's controller details.
Fee schedule
One plan. Everything the Directive requires.
Full EU Directive 2019/1937 compliance. No per-employee fees. No tiers.
Excluding VAT
Unlimited reports, designated handlers, and file uploads.
Deploy your reporting channel