EU whistleblower directive compliance checklist for companies
EU Directive 2019/1937 requires organizations with 50 or more employees to establish internal whistleblower reporting channels and protect persons who report breaches of Union law. Most member states have transposed the Directive into national law, and enforcement is active.
This checklist walks you through the twelve steps to full compliance. For each item, we cite the relevant Directive article, share practical tips, and note where tooling can help.
The checklist
1. Determine if your organization is in scope
Directive reference: Article 8(3–4)
All legal entities in the private sector with 50 or more workers must establish internal reporting channels. Public sector entities, municipalities, and entities in certain regulated sectors (financial services, aviation safety, maritime, etc.) are in scope regardless of size.
Practical tip: Count all workers, not just full-time employees. Part-time staff, contractors working on-site, and temporary agency workers may count toward the threshold depending on your member state’s transposition law.
2. Establish an internal reporting channel
Directive reference: Article 8(1), Article 9(1)(a)
The channel must allow reporting in writing (online form, email, post) or orally (phone, voice messaging system), or both. On request, it must also allow an in-person meeting within a reasonable timeframe.
Practical tip: A web-based portal is the most practical option — it is accessible 24/7, creates an automatic record, and supports anonymous two-way communication. Avoid using generic email addresses; they lack encryption, anonymity, and audit trails.
How EthicsPortal helps: Provides a branded web portal with encrypted anonymous reporting and two-way messaging, ready in minutes.
3. Designate an impartial person or department to handle reports
Directive reference: Article 9(1)(c)
You must designate a person or department competent to follow up on reports. This person must be impartial — they should not have a conflict of interest with the subject matter of reports.
Practical tip: Common choices include a compliance officer, a legal counsel, an HR director, or an external ombudsperson. For smaller organizations, the managing director can serve this role if they are not likely to be the subject of reports. Consider designating a backup handler.
4. Set up the acknowledgment process (7-day deadline)
Directive reference: Article 9(1)(b)
You must acknowledge receipt of a report within seven calendar days. This applies to all reports, including anonymous ones.
Practical tip: Automate this. A manual process risks missing the seven-day window during holidays or absences.
How EthicsPortal helps: Tracks the acknowledgment deadline for each report and shows case handlers which reports need attention.
5. Define the feedback process (3-month deadline)
Directive reference: Article 9(1)(f)
You must provide feedback to the reporting person within three months of the acknowledgment. Feedback includes: whether the report is being assessed, is under investigation, or has been closed, and the outcome of any investigation.
Practical tip: “Feedback” does not require disclosing the full investigation outcome. Informing the reporter that the matter was investigated and appropriate action was taken is sufficient. For anonymous reporters, feedback must be available through the reporting channel (for example, via an access code).
How EthicsPortal helps: Tracks the three-month feedback deadline per case and supports two-way messaging with anonymous reporters via access codes.
6. Implement confidentiality measures
Directive reference: Article 16
The identity of the reporting person must not be disclosed to anyone beyond authorized case handlers without the reporter’s explicit consent. This also covers information from which the reporter’s identity could be indirectly deduced.
Practical tip: Limit access to reports strictly. Do not share report details in meetings where unauthorized persons are present. When referring cases internally, redact identifying information about the reporter. Ensure your IT systems enforce access controls.
How EthicsPortal helps: Role-based access ensures only designated case handlers can view reports. Reporter identity is never exposed unless the reporter voluntarily shares it.
7. Establish anti-retaliation protections
Directive reference: Articles 19, 20, 21
Reporting persons, facilitators, and connected third parties must be protected from retaliation. The Directive defines retaliation broadly: dismissal, demotion, intimidation, blacklisting, and more. The burden of proof is reversed — if a reporter suffers a detriment after reporting, the employer must prove the detriment was unrelated to the report.
Practical tip: Document this protection in your whistleblower policy. Train managers on what constitutes retaliation. Track personnel actions involving anyone who has made a report, so you can demonstrate that decisions were made on legitimate grounds.
8. Train case handlers
Directive reference: Article 9(1)(c–f) (implied)
The Directive does not prescribe specific training, but case handlers must be competent to fulfill the obligations it creates: maintaining confidentiality, providing acknowledgment within seven days, conducting diligent follow-up, and providing feedback within three months.
Practical tip: At a minimum, train case handlers on: how to use the reporting channel, confidentiality obligations, investigation basics, anti-retaliation rules, and data protection. Document the training. Refresh annually.
9. Inform employees about the reporting channel
Directive reference: Article 9(1)(g)
You must provide clear and easily accessible information about how to use the internal reporting channel. You must also inform employees about their right to report externally to competent authorities.
Practical tip: Publish the information on your intranet, include it in onboarding materials, and display it in common areas. A QR code linking to the reporting portal is an effective way to make the channel discoverable.
How EthicsPortal helps: Generates a QR code and shareable link for your portal that you can print and distribute.
10. Set up data retention and deletion
Directive reference: Article 17(1–3)
Personal data in reports must not be kept longer than necessary. Data that is manifestly not relevant must be deleted promptly. Specific retention periods depend on your member state’s law, but the principle is: retain as long as needed for the investigation and any resulting proceedings, then delete.
Practical tip: Define a retention period in your policy. National laws vary — for example, France requires 5 years, Germany requires 3 years (HinSchG §11), and Italy requires 5 years (D.Lgs. 24/2023). See our GDPR and whistleblower reporting guide for a full comparison. Set calendar reminders to review and delete closed cases.
11. Prepare a written whistleblower policy
Directive reference: Articles 8, 9 (implied), plus most national transposition laws
While the Directive does not explicitly mandate a standalone policy document, most national transposition laws do, and it is practically necessary to fulfill the information obligations in Article 9(1)(g).
Practical tip: Your policy should cover: scope, who can report, what can be reported, how to report, confidentiality, anti-retaliation, investigation process, feedback timelines, and data protection. See our free whistleblower policy template for a ready-to-use document.
12. Document compliance for regulatory review
Directive reference: Article 11(2) (external channels), national transposition laws (internal)
Several member states require organizations to document that they have fulfilled their obligations and to make this documentation available to regulators on request.
Practical tip: Keep records of: when the reporting channel was established, who the designated case handlers are, training records, the whistleblower policy (with version history), and aggregate statistics on reports received and handled. Do not store individual case details longer than your retention period allows.
Next steps
If you have checked every box above, your organization is compliant with the core requirements of Directive 2019/1937. Compliance is not a one-time event — review your setup annually, retrain handlers, and update your policy as national law evolves.
Need a reporting channel? EthicsPortal gives you a compliant, anonymous reporting portal in minutes — €49/month flat, no per-employee pricing, no sales calls. Get started today.