If employees have to ask where the whistleblowing channel is, you don’t have one
An employee suspects fraud. They want to report it. Their first step should not be walking up to HR and asking “do we have a whistleblowing channel?”
The act of asking is itself a signal. In the exact kind of workplace the Directive exists to address — where misconduct is happening and someone wants to report it — asking around about a reporting channel tells people that you are thinking about reporting something. Before you have typed a single word, you are exposed.
The law is clear: you must inform employees
EU Directive 2019/1937 does not just require organizations to set up a reporting channel. It requires them to make sure workers know about it.
Article 9(1)(g) mandates “clear and easily accessible information” about reporting procedures — both internal and external. This is not optional. If you have a reporting channel but your employees do not know it exists, you are not compliant.
National transpositions go further:
- Germany (HinSchG §7(3), §13(2)): Employers must provide “clear and easily accessible information” about both internal reporting procedures (§7(3)) and external reporting options (§13(2)).
- France (Loi Waserman, 2022-401): Companies must inform employees about reporting procedures and publish this information via accessible means.
- Poland (Ustawa o ochronie sygnalistów): Employers must establish internal reporting procedures and publish them to all employees. The procedure takes effect 7 days after publication.
The pattern is the same everywhere: setting up the channel is half the job. Making employees aware of it is the other half.
The design problem nobody talks about
Most compliance discussions stop at “inform employees” and assume a company-wide email or an intranet page solves it. It does not.
Think about what actually happens:
Scenario 1: The channel is on the company intranet. The employee has to use their work computer, log into the corporate network, navigate to the compliance section, and click through to the reporting portal. Every step leaves a digital trail on a device their employer controls. The IT department can see what pages you visit on the intranet.
Scenario 2: The channel requires a company app. The employee has to download an app, possibly through a corporate MDM (mobile device management) system, and create an account. The act of installing a whistleblower app on your work phone is itself a statement.
Scenario 3: The channel is mentioned once in the employee handbook. Page 47, section 12.3, between the parking policy and the dress code. Nobody remembers it exists. When someone needs it, they have to ask. And asking is the problem.
What “easily accessible” actually means
If you take the Directive’s intent seriously — protecting people who report wrongdoing — then “easily accessible” means:
The employee should be able to access the channel without:
- Using a company device
- Being on the company network
- Installing an app
- Creating an account
- Asking anyone where to find it
- Leaving any trace that they looked for it
This narrows the options considerably. The channel needs to be a public URL that works in any browser on any device — including a personal phone on mobile data, completely outside the employer’s infrastructure.
How to make the channel truly accessible
1. A public URL, not an intranet page. The reporting portal should be accessible from any browser, on any device, without authentication. An employee at home, on their personal phone, at 11pm, should be able to type in a URL and start a report. No VPN, no login, no company email required.
2. QR codes in private spaces. Print the QR code and put it where people can scan it without being watched: bathroom stalls, break rooms, locker rooms, the back of elevator doors. An employee scanning a QR code on a bathroom wall leaves no digital trail and draws no attention.
3. Physical posters, not just emails. A company-wide email about the whistleblowing channel is easily missed and hard to find six months later. A poster on the wall of every office kitchen with a QR code and a URL is always there when someone needs it.
4. Mention it during onboarding — every time. New employee orientation should include the reporting channel URL and a printed card with the QR code. Not buried in a handbook. Handed to them directly.
5. No account required. If the reporting tool requires the employee to create an account with their email address to file a report, it is not anonymous and it is not safe. The reporter should be able to submit without providing any identifying information and receive an access code to check back later.
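A minimal sketch of the account-free flow in point 5, added here as an illustration (it is not EthicsPortal's code or any vendor's). The class, method names and sample request are constructed for the example. Only the report text is persisted, and the access code is kept as a hash.

```python
import copy
import hashlib
import secrets


class ReportStore:
    """In-memory stand-in for a portal database (hypothetical names)."""

    def __init__(self):
        self._by_hash = {}  # sha256(access code) -> stored record

    @staticmethod
    def _key(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def submit(self, request):
        # Copy out only the message text. Address, headers and any e-mail
        # field are never read, so they cannot end up in storage.
        record = {"body": request["form"]["message"], "updates": []}
        code = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._by_hash[self._key(code)] = record
        return code  # shown to the reporter once; only its hash is kept

    def handler_reply(self, key, text):
        self._by_hash[key]["updates"].append(text)

    def check(self, code):
        record = self._by_hash.get(self._key(code))
        return None if record is None else list(record["updates"])

    def dump(self):
        # What someone with read access to the database would see.
        return copy.deepcopy(self._by_hash)


# Constructed sample request, shaped like what a web framework passes in.
SAMPLE_REQUEST = {
    "remote_addr": "203.0.113.7",
    "headers": {"User-Agent": "ExampleBrowser/1.0"},
    "form": {"message": "Invoices are being backdated.", "email": "reporter@example.org"},
}


def demo():
    store = ReportStore()
    code = store.submit(SAMPLE_REQUEST)
    (key,) = store.dump()  # the only stored key: the code's hash
    store.handler_reply(key, "Received. We are reviewing the invoices.")
    return store, code
```

The application layer is only one place an address can be recorded; web server and reverse-proxy access logs in front of the portal need the same treatment.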
This is how EthicsPortal works
Every EthicsPortal organization gets a public reporting URL. It works on any browser, any device. No app, no account, no company network.
The portal generates a QR code that can be printed and posted anywhere. Scan it, and you are on the reporting page. No login, no trail.
Reporters submit anonymously — no name, no email, no IP logging. They receive an access code to check back for updates. The entire interaction happens in a browser window that can be closed and leaves nothing behind.
The handler never sees the reporter’s identity. The reporter never sees the handler’s name. The system counts to 7 days, counts to 3 months, and logs everything.
That is what “easily accessible” looks like when you take the Directive seriously.
If your organization’s whistleblowing channel requires employees to ask someone where to find it, you have a compliance checkbox. You do not have a reporting channel. Set up a real one in ten minutes.