Required by EU law for organizations with 50+ employees

How to deploy an internal reporting channel

Every EU member state now requires organizations with 50 or more employees to operate an internal reporting channel — through national laws like Loi Waserman (France), HinSchG (Germany), Ley 2/2023 (Spain), and the Act of 14 June 2024 (Poland), all transposing EU Directive 2019/1937. The requirement is clear, but most implementations take far longer than they should.

This guide explains what the law actually requires from the channel itself, why broad enterprise tools can slow deployment, and what a compliant channel needs before it is put into operation.


What the Directive requires

Article 8 and Article 9 specify what an internal reporting channel must do:

That is the legal minimum. No specific technology is mandated — the Directive is technology-neutral. A web portal, a phone line, or even a locked physical mailbox can qualify, as long as the requirements above are met.


Why most implementations take weeks

Enterprise whistleblower platforms are designed for large organizations with complex procurement processes. A typical implementation looks like this:

  1. Request a vendor presentation — fill out a form and wait for a sales representative to call back
  2. Attend the presentation — a 30–60 minute call where the vendor walks through features you may not need
  3. Receive a proposal — custom pricing based on employee count, modules, and add-ons
  4. Negotiate the contract — legal review, DPA signing, procurement approval
  5. Onboarding kickoff — a project manager is assigned, another call is scheduled
  6. Configuration — the vendor configures your portal, categories, and branding (or trains you to do it)
  7. Testing and launch — review, approve, and go live

For a 100-person company that just needs a compliant channel, this process is weeks of elapsed time and hours of meetings. It is designed for enterprises where a six-week procurement cycle is normal. For an SME, it is friction that delays compliance.


Operational in minutes with EthicsPortal

EthicsPortal is built for a narrower scenario: your organization needs a compliant Directive channel without a broader GRC implementation.

Step 1: Activate the portal

Go to ethicsportal.eu, create the organization account, choose a plan, and enter the portal administration area.

Step 2: Configure your portal

From the dashboard, set up your reporting portal:

The portal has a unique URL as soon as you save the configuration.

Step 3: Share the portal with employees

Every portal gets a shareable link and a QR code. You can:

Step 4: Start receiving and managing reports

When someone submits a report through the portal, you receive a notification. From the dashboard, you can:

At this point, the internal reporting channel is configured and ready to receive reports.


What to do after setup

An internal reporting channel is the technical foundation, but compliance requires organizational steps too:

Designate a case handler

Appoint one or more persons to receive and investigate reports. Each handler should be impartial and unlikely to be the subject of reports. A compliance officer, legal counsel, or senior HR person typically fills this role. For small organizations, the managing director can serve as handler.

Train your handlers

Case handlers need to understand: how to use the platform, confidentiality obligations, the seven-day and three-month deadlines, basics of conducting an internal investigation, and anti-retaliation rules.

Write a whistleblower policy

Document how your organization handles reports. Cover scope, who can report, confidentiality, anti-retaliation, and the investigation process. See our free policy template for a ready-to-use document.

Inform employees

The Directive requires you to proactively tell employees about the channel. Send an email, post on the intranet, mention it in team meetings, and include it in onboarding. The QR code makes this easy — print it and put it where people will see it.


Common mistakes to avoid

Using a generic email address. An email like compliance@company.com does not meet the Directive’s requirements in most cases. Ordinary email is not encrypted end to end by default, does not support anonymous reporting, and does not provide two-way communication with anonymous reporters.

Requiring reporters to identify themselves. While the Directive does not uniformly require anonymous reporting, several national laws do (e.g., Belgium mandates anonymous reporting for companies with 250+ employees). Making identification mandatory discourages reporting. Allow anonymity by default.

Forgetting the deadlines. Seven days for acknowledgment, three months for feedback. These are not suggestions — they are legal requirements. Missing them is a compliance failure. Use a system that tracks these deadlines automatically.

Not designating a handler. The channel is a mailbox. Someone needs to open it, read the reports, and act on them. If no one is designated, reports go unanswered and deadlines pass.

Over-engineering the setup. You do not need a full GRC suite, custom integrations, or a six-month rollout to comply. A working channel with anonymous reporting, two-way communication, and deadline tracking covers the legal requirements. Start simple, add complexity only if you need it.


Deploy the channel

EthicsPortal is €60/month flat with no per-employee pricing. Deploy the internal reporting channel, assign handlers, publish the link, and keep the focus on protecting the people who speak up.
