https://ethicsportal.eu/blog/EthicsPortal is a secure, anonymous whistleblower reporting platform that helps organizations comply with EU Directive 2019/1937.enMon, 25 May 2026 01:23:15 +0000https://ethicsportal.eu/images/logo.svghttps://ethicsportal.eu/https://ethicsportal.eu/blog/whistleblower-reports-do-not-belong-inside-an-llm/Sun, 24 May 2026 00:00:00 +0000https://ethicsportal.eu/blog/whistleblower-reports-do-not-belong-inside-an-llm/Seven whistleblower platforms sold into the EU now process report content through large language models. Six of them won't tell you whose. EthicsPortal does neither. Screenshots and sources inside.<h1 id="whistleblower-reports-do-not-belong-inside-an-llm"> Whistleblower reports do not belong inside an LLM <a href="#whistleblower-reports-do-not-belong-inside-an-llm" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Seven whistleblower platforms sold into the EU run report content through large language models. They summarise reports, transcribe voice intake, run AI agents that talk to whistleblowers, and produce “insights” across case archives. Only one of the seven names which AI provider does the work.</p> <p>EthicsPortal does none of this. Our <a href="/dpa/#610-no-ai-or-llm-processing-of-report-content">DPA §6.10</a> and our <a href="/subprocessors/">sub-processor list</a> say so.</p> <p>Every claim below is quoted from the vendor’s own live page or public DPA, captured 24 May 2026. Translation and categorisation can run on-prem, so we did not include vendors whose only AI claim is “AI translation” or “AI categorisation”. The seven below claim more than that.</p> <h2 id="navex--ai-supported-case-briefs-and-suggested-rewrites"> NAVEX — “AI-supported case briefs and suggested rewrites” <a href="#navex--ai-supported-case-briefs-and-suggested-rewrites" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>NAVEX is the largest enterprise whistleblowing vendor in the world. EthicsPoint sits inside most Fortune 500 compliance programs.</p> <p>From the <a href="https://www.navex.com/en-us/platform/whistleblowing-software-solutions/" rel="nofollow">whistleblowing platform page</a> :</p> <blockquote> <p>“Summarize complex cases with <strong>AI-supported case briefs and suggested rewrites</strong>”</p> <p>“Spot recurring themes earlier through higher-level insights and analytics”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/navex-ai-case-briefs-rewrites.png" alt="NAVEX whistleblowing platform — “Summarize complex cases with AI-supported case briefs and suggested rewrites”"></p> <p>To suggest a rewrite, the model has to read the original report. NAVEX does not name the model on any public page.</p> <h2 id="eqs-integrity-line--ai-powered-summaries-and-transcription-in-80-languages"> EQS Integrity Line — “AI-powered summaries and transcription” in 80+ languages <a href="#eqs-integrity-line--ai-powered-summaries-and-transcription-in-80-languages" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EQS Group (Munich-listed) runs the largest whistleblower platform in continental Europe. From their <a href="https://www.eqs.com/en-us/platform-compliance-ethics/integrity-line-whistleblower-software/" rel="nofollow">Integrity Line page</a> :</p> <blockquote> <p>“<strong>AI that works for you.</strong> Handle reports in over 80 languages with AI-powered summaries and transcription, and transform voice recordings into searchable texts. Get helpful insights from past cases for faster resolution including suggestions for case categories and priorities.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/eqs-integrity-line-ai-summaries-transcription.png" alt="EQS Integrity Line — “AI that works for you”: AI-powered summaries, transcription of voice recordings, case-category suggestions"></p> <p>Summaries, voice transcription, and cross-case insights. 4,000+ organisations on the platform. Provider not named.</p> <h2 id="speakup--sienna-ai-a-whole-ai-product-line"> SpeakUp — “Sienna AI”: a whole AI product line <a href="#speakup--sienna-ai-a-whole-ai-product-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>SpeakUp’s <a href="https://www.speakup.com/sienna-ai" rel="nofollow">Sienna AI</a> is not a feature, it is a sub-brand:</p> <blockquote> <p>“<strong>Sienna AI. Compliance reimagined.</strong> The intelligence layer behind the future of compliance and ethics.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/speakup-sienna-ai-compliance-reimagined.png" alt="SpeakUp Sienna AI hero — “Compliance reimagined. The intelligence layer behind the future of compliance and ethics.”"></p> <p>The page markets an <strong>AI Voice Agent</strong> that has reporters “speak freely and safely” through a “guided, conversational intake”, <strong>Sienna Insights</strong> (“AI does the digging. You get the insight.”), and AI translation, transcription, and routing of submissions into the case management system. Reporters in SpeakUp’s flow are talking to a model. Provider not named.</p> <h2 id="whispli--use-ai-to-capture-clearer-more-complete-hotline-reports"> Whispli — “Use AI to capture clearer, more complete hotline reports” <a href="#whispli--use-ai-to-capture-clearer-more-complete-hotline-reports" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>From Whispli’s <a href="https://www.whispli.com/whistleblowing-hotline" rel="nofollow">Voice AI hotline page</a> (the page title is literally “AI Whistleblowing Hotline”):</p> <blockquote> <p>“<strong>Use AI to capture clearer, more complete hotline reports.</strong> Manage global whistleblowing hotline reporting with an AI-powered voice intake agent that captures, structures and routes cases securely across jurisdictions.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/whispli-voice-ai-hotline.png" alt="Whispli hotline hero — “Use AI to capture clearer, more complete hotline reports” with a Voice transcribed / Case created flow"></p> <p>The flow diagram on the page shows it plainly: Incoming Voice Report → Voice transcribed → Case created. The most exposed reporter, the one who picked up a phone, is talking to an AI agent. Provider not named.</p> <h2 id="faceup--voice-based-ai-conducts-natural-conversations-with-whistleblowers"> FaceUp — “Voice-based AI conducts natural conversations” with whistleblowers <a href="#faceup--voice-based-ai-conducts-natural-conversations-with-whistleblowers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>FaceUp is a Czech-EU platform with 3,500+ organisations across 70+ countries. Their <a href="https://www.faceup.com/en/whistleblowing/hotline" rel="nofollow">whistleblower hotline page</a> offers three tiers: a Live Hotline staffed by human agents, an Automated Hotline with a scripted flow, and the new AI-Powered Hotline in the middle:</p> <blockquote> <p>“<strong>Voice-based AI conducts natural conversations, asks follow-ups, and converts calls into structured, actionable reports.</strong> Multilingual, 24/7.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/faceup-ai-powered-hotline.png" alt="FaceUp three-tier hotline comparison — “AI-Powered Hotline” (centre, marked “new”) with “Voice-based AI conducts natural conversations, asks follow-ups, and converts calls into structured, actionable reports”"></p> <blockquote> <p>“The AI agent guides the reporter and follows up where needed to capture complete and accurate information.”</p> </blockquote> <p>FaceUp’s three-card layout is the clearest framing of the choice in the category: a human handles the call, a scripted flow handles the call, or an AI handles the call. They sell all three and mark the AI option “new”. Provider not named.</p> <h2 id="whistlelink--mistral-ai-france-and-deepl-germany-named-in-the-public-dpa"> Whistlelink — Mistral AI (France) and DeepL (Germany) named in the public DPA <a href="#whistlelink--mistral-ai-france-and-deepl-germany-named-in-the-public-dpa" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Whistlelink is the only vendor of the seven that publicly names its AI providers. Their <a href="https://www.whistlelink.com/ro/contract-de-prelucrare-a-datelor/" rel="nofollow">Romanian DPA</a> , Section 5.5:</p> <blockquote> <p>“Sub-Imputerniciți: Swerolab AB (Suedia), SMSAPI (Polonia), Brevo (Franța), OPSWAT (Germania), Glesys (Suedia), T-Systems International (Germania), Friendly Captcha (Germania), <strong>DeepL (Germania), Mistral AI (Franța)</strong>.”</p> </blockquote> <p><img src="/images/blog/no-ai-commitment/whistlelink-dpa-mistral-deepl.png" alt="Whistlelink DPA Section 5.5 — sub-processor list naming DeepL (Germany) and Mistral AI (France)"></p> <p>The <a href="https://www.whistlelink.com/product/" rel="nofollow">product page</a> explains what the AI Assistant does: “AI Assistant automatically generates concise case summaries.” Mistral is the only LLM provider on the sub-processor list above.</p> <p>The Article 16 confidentiality concern still applies. But an operator signing this DPA knows what they are signing. Operators signing the other six don’t.</p> <h2 id="ethicontrol--ai-intake-agent-on-the-pricing-page"> Ethicontrol — “ai intake agent” on the pricing page <a href="#ethicontrol--ai-intake-agent-on-the-pricing-page" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Ethicontrol’s <a href="https://ethicontrol.com/en/pricing" rel="nofollow">pricing page</a> lists <code>+ ai intake agent for web portal and WhatsApp</code> as a paid feature starting at the Standard tier (€174/month):</p> <p><img src="/images/blog/no-ai-commitment/ethicontrol-pricing-ai-intake-agent.png" alt="Ethicontrol pricing — Standard tier includes “+ ai intake agent for web portal and WhatsApp”"></p> <p>In 2026, an “intake agent” for whistleblower reports is a conversational LLM. The privacy policy and Trust Center do not name the provider.</p> <h2 id="six-of-the-seven-wont-tell-you-whose-ai"> Six of the seven won’t tell you whose AI <a href="#six-of-the-seven-wont-tell-you-whose-ai" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Of the seven above, only Whistlelink names the AI providers (Mistral, DeepL). The other six say “AI”, “AI-powered”, “Sienna AI”, or “Voice-based AI” without naming the model, the provider, the jurisdiction, or whether the inference call leaves the operator’s encryption boundary.</p> <p>We searched every vendor’s privacy policy, DPA, sub-processor page, and trust center we could reach on 24 May 2026. For six, the provider is not disclosed. The feature is in the marketing copy. The disclosure is not in the legal pages.</p> <p>That is the harder problem. An operator running a Data Protection Impact Assessment cannot disclose a sub-processor they cannot name, cannot assess GDPR Chapter V transfer mechanisms for a provider that has not been disclosed to them, and cannot offer the reporter a meaningful privacy notice when the architecture has a box labelled “AI” and no further detail.</p> <h2 id="why-a-whistleblower-reporting-channel-is-the-wrong-place-for-ai"> Why a whistleblower reporting channel is the wrong place for AI <a href="#why-a-whistleblower-reporting-channel-is-the-wrong-place-for-ai" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Article 16 of Directive 2019/1937 says the identity of the reporting person, and information from which it can be deduced, must not be disclosed to anyone beyond authorised case-handling staff. Member-state laws (HinSchG, Sapin II / Loi Waserman, Law 361/2022, the 2024 Polish Act) lift that into criminal or administrative penalties. An LLM API provider is not authorised case-handling staff. Their engineers can read prompts. Their abuse-detection systems are designed to read prompts. The Directive has no “but it was just for a summary” carve-out.</p> <p><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019L1937" target="_blank" rel="noopener noreferrer">Art. 22</a> of the GDPR sits on top of that. AI categorisation, “suggested rewrites” of a report body, AI case briefs that an investigator reads instead of the original, and “insights” that decide investigative priority are exactly the automated decision-making the article is written about. Disclosure, DPIA, sub-processor listing with notice and objection rights, and reporter-facing transparency all attach.</p> <p>A no-AI commitment removes the entire disclosure tree. The privacy notice is shorter, the DPIA is shorter, the sub-processor list is shorter, and the reporter’s expectation matches the architecture.</p> <h2 id="our-commitment"> Our commitment <a href="#our-commitment" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><a href="/dpa/#610-no-ai-or-llm-processing-of-report-content">DPA §6.10</a> : report content, reporter identity, handler messages, attachments, and audit logs are not transmitted to any large language model, generative AI service, or AI-based classifier, whether operated by us or by a third party. OpenAI, Anthropic, Google, and Mistral are named in the DPA as examples of providers we do not transmit to. A change to this would be a material change to the service, notified 30 days in advance with an objection right.</p> <p>Our <a href="/subprocessors/">sub-processor list</a> has six entries: Hetzner (EU hosting), Cloudflare (marketing-site CDN only), Mailjet (email), Stripe (billing), AppSignal (handler-side error monitoring), Crisp (handler-side chat). No AI sub-processor appears.</p> <h2 id="if-you-are-evaluating-a-vendor"> If you are evaluating a vendor <a href="#if-you-are-evaluating-a-vendor" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Ask in writing: is any large language model, generative AI service, or AI-based classifier — operated by you or by a third party — a sub-processor of report content, reporter identity, handler messages, attachments, or audit logs? Name the provider, the jurisdiction, the function, and whether it is on by default. And will you contractually commit that this answer cannot change without 30 days’ notice and an objection right?</p> <p>We answered both in our DPA before anyone had to ask.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/best-whistleblower-software/Tue, 14 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/best-whistleblower-software/An independent comparison of the top whistleblower reporting platforms in 2026, including pricing, features, and who each tool is best for.<h1 id="best-whistleblower-software-in-2026-an-honest-comparison"> Best whistleblower software in 2026: an honest comparison <a href="#best-whistleblower-software-in-2026-an-honest-comparison" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>If you are looking for whistleblower software to comply with EU Directive 2019/1937, you have probably noticed that every vendor publishes a “best whistleblower software” article — and ranks themselves first. We are not going to do that. This is an honest, side-by-side comparison of the platforms we evaluated before building EthicsPortal, plus EthicsPortal itself.</p> <p>We looked at pricing transparency, setup speed, EU hosting, feature depth, and how well each tool serves small-to-mid-sized companies versus enterprises.</p> <hr> <h2 id="quick-comparison-table"> Quick comparison table <a href="#quick-comparison-table" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Platform</th> <th>Starting price</th> <th>Free trial</th> <th>EU hosting</th> <th>Setup time</th> <th>Best for</th> </tr> </thead> <tbody> <tr> <td>EthicsPortal</td> <td>€49/mo flat</td> <td>No</td> <td>Yes (Germany)</td> <td>Minutes</td> <td>SMEs, fast compliance</td> </tr> <tr> <td>Hintbox</td> <td>€49–€149+/mo (+VAT)</td> <td>Yes</td> <td>Yes (Germany)</td> <td>Days</td> <td>German-speaking markets</td> </tr> <tr> <td>LegalTegrity</td> <td>€49–€166/mo</td> <td>No</td> <td>Yes (Germany)</td> <td>Days</td> <td>German SMEs, phone included</td> </tr> <tr> <td>Vispato</td> <td>€79/mo flat</td> <td>No</td> <td>Yes (Germany)</td> <td>Days</td> <td>DACH flat-rate alternative</td> </tr> <tr> <td>DigitalPA (Legality Whistleblowing)</td> <td>From €29/mo</td> <td>No</td> <td>Yes (Italy)</td> <td>Days</td> <td>Italian market, ISO 37001/37002</td> </tr> <tr> <td>ithikios</td> <td>From €29/mo</td> <td>Yes</td> <td>Yes (Spain)</td> <td>Hours</td> <td>Spanish SMEs, modular compliance</td> </tr> <tr> <td>Canal Etico App</td> <td>€96/mo flat</td> <td>No</td> <td>Yes (Spain)</td> <td>Days</td> <td>Spanish Ley 2/2023 compliance</td> </tr> <tr> <td>Whistlelink</td> <td>€79–€299/mo</td> <td>Yes (30 days)</td> <td>Yes (Sweden)</td> <td>Days</td> <td>Nordic companies, mid-market</td> </tr> <tr> <td>Sygnanet</td> <td>4,000–10,000 zł/yr</td> <td>Yes</td> <td>Yes (Poland)</td> <td>Hours</td> <td>Polish market</td> </tr> <tr> <td>Trusty Compliance</td> <td>Credit-based</td> <td>Yes (7 days)</td> <td>Yes (Switzerland)</td> <td>Hours</td> <td>Swiss/DACH, broader compliance</td> </tr> <tr> <td>Formalize (whistleblowersoftware.com)</td> <td>Custom (request quote)</td> <td>Yes (14 days)</td> <td>Yes (Denmark)</td> <td>Days</td> <td>Mid-market EU companies</td> </tr> <tr> <td>FaceUp</td> <td>Custom (request quote)</td> <td>No</td> <td>Yes (Czech Republic)</td> <td>Hours</td> <td>Schools, multilingual orgs</td> </tr> <tr> <td>Whispli</td> <td>Custom (~€3,000+/yr)</td> <td>No</td> <td>Yes (optional)</td> <td>Weeks</td> <td>Enterprises, complex workflows</td> </tr> <tr> <td>SpeakUp (People Intouch)</td> <td>~€3,000/yr</td> <td>No</td> <td>Yes (Netherlands)</td> <td>Days</td> <td>Mid-to-large EU companies</td> </tr> <tr> <td>EQS Integrity Line</td> <td>Custom (~€3,000+/yr)</td> <td>Yes (Essential)</td> <td>Yes</td> <td>Weeks</td> <td>Large enterprises</td> </tr> <tr> <td>NAVEX Global</td> <td>Custom (€5,000+/yr)</td> <td>No</td> <td>Yes (optional)</td> <td>Weeks</td> <td>Large US/EU enterprises</td> </tr> </tbody> </table> <hr> <h2 id="detailed-reviews"> Detailed reviews <a href="#detailed-reviews" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="eqs-integrity-line"> EQS Integrity Line <a href="#eqs-integrity-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EQS is the heavyweight of European compliance software. Their Integrity Line is used by banks, insurers, and listed companies across the EU.</p> <p><strong>Strengths:</strong> Deep integration with broader GRC (governance, risk, compliance) suites. Excellent audit trails. Strong brand recognition among enterprise compliance teams. Supports 70+ languages.</p> <p><strong>Weaknesses:</strong> Pricing is opaque — you will not find a number on their website. Expect to spend several thousand euros per year, and you will need to go through a sales process. Implementation typically takes weeks with dedicated onboarding. Overkill for a 50-person company.</p> <p><strong>Best for:</strong> Large enterprises (500+ employees) in heavily regulated sectors that need a full GRC ecosystem.</p> <h3 id="formalize-whistleblowersoftwarecom"> Formalize (whistleblowersoftware.com) <a href="#formalize-whistleblowersoftwarecom" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Formalize, marketed as WhistleblowerSoftware.com, is a Danish platform backed by a €15M Series A with 500+ consultancy partners including PwC and Baker McKenzie. They have rebranded and expanded into broader compliance (NIS2, DORA, ISO 27001).</p> <p><strong>Strengths:</strong> 80+ languages. ISO 27001 and ISAE 3000 certified. Strong partner ecosystem. 14-day free trial.</p> <p><strong>Weaknesses:</strong> No longer publishes pricing — requires requesting a custom quote. Expanding beyond whistleblowing into NIS2/DORA compliance may dilute focus. Setup involves a demo/sales process, not instant self-serve.</p> <p><strong>Best for:</strong> Mid-sized EU companies (50–500 employees) that want a polished product and do not mind per-employee pricing.</p> <h3 id="whistlelink"> Whistlelink <a href="#whistlelink" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Swedish platform with a strong presence in the Nordics. Whistlelink positions itself as easy to use and EU-compliant.</p> <p><strong>Strengths:</strong> Available in 50+ languages. Good case management. Hosted in Sweden. Straightforward UI for reporters. All pricing tiers include the same feature set. 30-day free trial.</p> <p><strong>Weaknesses:</strong> Starting at €79/month (billed annually) is reasonable but still above the flat-rate options. Per-employee pricing scales to €299/month for larger organizations. Scaling past 1,000 employees requires contacting sales.</p> <p><strong>Best for:</strong> Nordic and Northern European companies looking for a regional vendor with solid language support.</p> <h3 id="faceup"> FaceUp <a href="#faceup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>FaceUp is a Czech-founded whistleblower platform that has expanded from its original focus on schools into corporate compliance, now serving organizations across 70+ countries. They support 113 languages and offer a mobile app for reporters.</p> <p><strong>Strengths:</strong> Available in 113 languages — among the highest in the market. Mobile app for reporters. ISO 27001 certified. Strong presence in the education sector alongside corporate compliance.</p> <p><strong>Weaknesses:</strong> Pricing is not published — all plans show “Get a Quote” buttons despite listing tier names (Starter, Professional, Enterprise). Pricing is in US dollars, which adds currency risk for European companies. The school-oriented origin shows in some of the UX.</p> <p><strong>Best for:</strong> Organizations that need 113 languages, want a mobile reporting app, or operate in both education and corporate sectors.</p> <h3 id="navex-global"> NAVEX Global <a href="#navex-global" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>NAVEX is the 800-pound gorilla of ethics and compliance, primarily in North America but increasingly in Europe. Their EthicsPoint product has been around for decades.</p> <p><strong>Strengths:</strong> Massive feature set. Benchmarking data from thousands of clients. Hotline services (phone-based reporting). Strong analytics.</p> <p><strong>Weaknesses:</strong> Enterprise pricing — expect custom quotes well above €5,000/year. Long implementation cycles. The platform can feel dated compared to newer entrants. North American DNA means EU-specific requirements sometimes feel bolted on rather than native.</p> <p><strong>Best for:</strong> Large multinationals (1,000+ employees) that want a single vendor for their entire ethics and compliance program, including hotlines.</p> <h3 id="whispli"> Whispli <a href="#whispli" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>An Australian-founded company that has expanded into Europe. Whispli emphasizes anonymous two-way communication.</p> <p><strong>Strengths:</strong> Strong anonymous messaging system. Good mobile experience. Supports voice and video reporting. Flexible workflow builder.</p> <p><strong>Weaknesses:</strong> Custom pricing with no public numbers — reports suggest starting around €3,000/year. Implementation involves onboarding calls and configuration. Smaller European presence compared to EU-native vendors.</p> <p><strong>Best for:</strong> Organizations that prioritize anonymous two-way communication and need multimedia reporting (voice, video).</p> <h3 id="speakup-people-intouch"> SpeakUp (People Intouch) <a href="#speakup-people-intouch" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Dutch platform that has been in the whistleblower space since before the EU Directive made it mandatory. SpeakUp offers both software and managed services (outsourced case handling).</p> <p><strong>Strengths:</strong> Long track record. Option to outsource case handling entirely. Hosted in the Netherlands. Phone reporting included.</p> <p><strong>Weaknesses:</strong> Pricing starts at €3,000/year for companies under 1,000 employees, custom for larger. The managed services model means you are paying for humans, not just software. Interface is functional but not modern.</p> <p><strong>Best for:</strong> Mid-to-large EU companies that want the option to outsource report handling to a third party.</p> <h3 id="hintbox"> Hintbox <a href="#hintbox" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A German platform (part of lawcode Suite) with 1,000+ customers including Rewe, s.Oliver, and FC Bayern. ISO 27001 certified, hosted on Hetzner in Germany. Expanding into LkSG (Supply Chain Act) and CSRD compliance beyond whistleblowing.</p> <p><strong>Strengths:</strong> Mature product with large customer base. ISO 27001 certified. 30+ languages with AI translation. 2FA, metadata stripping, virus scanning all included. Starting at €49/month — the cheapest tier alongside EthicsPortal. Free trial available.</p> <p><strong>Weaknesses:</strong> Per-employee pricing scales to €149+/month for larger companies. Add-on costs pile up: voice bot (+€49/mo), email integration (+€29/mo), custom domain (+€29/mo). DACH-centric — limited presence outside German-speaking markets. Expanding into multiple compliance frameworks may dilute whistleblower focus.</p> <p><strong>Best for:</strong> German, Austrian, and Swiss companies that want a local vendor with ISO 27001, deep HinSchG expertise, and a proven track record.</p> <h3 id="legaltegrity"> LegalTegrity <a href="#legaltegrity" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Frankfurt-based platform founded by Dr. Thomas Altenbach, hosted on Deutsche Telekom’s Open Telekom Cloud. Positioned for German SMEs with transparent tiered pricing.</p> <p><strong>Strengths:</strong> Phone reporting channel included on every plan — even the €49/month Essential tier. 40+ languages available. Hosted on Deutsche Telekom Open Telekom Cloud (ISO 27001-certified infrastructure). 3-month money-back guarantee. OmbuTegrity add-on offers an external ombudsperson service for companies that need an independent reporting office.</p> <p><strong>Weaknesses:</strong> Essential tier limits customization (standard form, LegalTegrity branding, 2 admin accounts). Additional languages cost €29/month each beyond the 2 included. No public API. Primarily German-market focused.</p> <p><strong>Best for:</strong> German and DACH-region SMEs (under 1,000 employees) that want phone reporting included at a competitive price.</p> <h3 id="vispato"> Vispato <a href="#vispato" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A German whistleblowing platform from the HR WORKS group, hosted on DATEV-managed servers. Vispato is notable for its flat-rate pricing regardless of company size.</p> <p><strong>Strengths:</strong> Flat €79/month with unlimited users, cases, and storage — no per-employee scaling. 18 languages. ISO 27001-certified hosting (DATEV). WCAG 2.1 AA accessibility compliance. No setup costs, no consulting upsells. 12-month minimum term.</p> <p><strong>Weaknesses:</strong> No free trial — demo required before signup. No public API. 18 languages is fewer than most mid-market competitors. Enterprise features (SSO, custom domain, custom branding) require a custom-quote Enterprise plan.</p> <p><strong>Best for:</strong> DACH-region companies of any size that want predictable flat pricing without employee-count tiers or add-on fees.</p> <h3 id="digitalpa-legality-whistleblowing"> DigitalPA (Legality Whistleblowing) <a href="#digitalpa-legality-whistleblowing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>An Italian platform operated by DigitalPA with offices in Cagliari, Milan, Rome, and Barcelona. Holds four ISO certifications (27001, 37001, 37002, 37301) — more than any other platform in this comparison.</p> <p><strong>Strengths:</strong> Starting at €29/month — the cheapest published price in this comparison. ISO 27001, 37001 (anti-bribery), 37002 (whistleblowing management), and 37301 (compliance management) certified. Multi-channel intake including phone reports and in-person meeting requests. Mobile app. AI translation between handler and reporter. 1,000+ customers.</p> <p><strong>Weaknesses:</strong> Pricing beyond the €29 small-business tier requires a custom quote. Annual billing only. Italian-market focused. No public API.</p> <p><strong>Best for:</strong> Italian companies and organizations that need a locally certified platform, especially public sector entities required to comply with D.Lgs. 24/2023.</p> <h3 id="ithikios"> ithikios <a href="#ithikios" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Spanish modular compliance suite from Digital Products Development SL. Whistleblowing is one of six modules alongside policy, incident, rights, third-party, and trust-center management.</p> <p><strong>Strengths:</strong> Starting at €29/month. ISO 27001 certified. 1,000+ companies across 10 countries. Free trial available. 7 interface languages (ES, EN, FR, DE, IT, PT, CA). Modular: buy the whistleblowing channel, add NIS2/DORA/policy modules later. Partner program for lawyers and consultants.</p> <p><strong>Weaknesses:</strong> Primarily Spanish-market focused. Limited to 7 languages — the fewest among multi-market vendors. No public API.</p> <p><strong>Best for:</strong> Spanish SMEs that need Ley 2/2023 compliance and may want to add policy management, incident management, or third-party risk modules over time.</p> <h3 id="canal-etico-app"> Canal Etico App <a href="#canal-etico-app" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Spanish platform from Smart Dev Technology with flat €96/month pricing.</p> <p><strong>Strengths:</strong> Flat pricing regardless of company size. Unlimited reports. Written and voice reporting channels. Anonymous bidirectional communication. No IP storage, encrypted content. Implementation in 1–2 business days.</p> <p><strong>Weaknesses:</strong> No ISO 27001 certification published. Spanish-language support only. No public API. Higher price point than ithikios and DigitalPA for the same Spanish market.</p> <p><strong>Best for:</strong> Spanish companies that want simple flat pricing for Ley 2/2023 compliance without per-employee scaling.</p> <h3 id="sygnanet"> Sygnanet <a href="#sygnanet" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Polish platform from SpecFile Project Sp. z o.o. Built specifically for the Polish Act on Protection of Whistleblowers (in force 25 September 2024).</p> <p><strong>Strengths:</strong> End-to-end encryption with zero vendor access to report content. 12-language reporting form. Free trial. Pricing in Polish zloty (4,000–10,000 zł/year). Public bodies buying the internal-reporting licence get an external-reporting channel bundled free. Periodic penetration testing.</p> <p><strong>Weaknesses:</strong> Polish-market focused. Pricing in PLN only. No ISO 27001 certification published. No public API. Admin panel limited to 4 languages (PL, EN, DE, FR).</p> <p><strong>Best for:</strong> Polish organizations that need a local vendor compliant with the Act of 14 June 2024.</p> <h3 id="trusty-compliance"> Trusty Compliance <a href="#trusty-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>A Swiss platform (Trusty AG, Hünenberg, Zug) offering whistleblowing as one module in a broader compliance suite covering risk screening, EUDR, policy management, and training.</p> <p><strong>Strengths:</strong> 4,000+ companies. 7-day free trial. Credit-based pricing — buy credits and allocate them across any Trusty product. Quick setup (vendor claims under 5 minutes). 6 interface languages. Broader compliance coverage (EUDR, NIS2, third-party risk, training) in addition to whistleblowing.</p> <p><strong>Weaknesses:</strong> No ISO 27001 certification published. Credit-based pricing makes cost comparison difficult. Whistleblowing is one module of many — breadth may come at the expense of depth. No public API.</p> <p><strong>Best for:</strong> Swiss and DACH companies that want a single platform covering whistleblowing, risk screening, EUDR, and compliance training.</p> <h3 id="ethicsportal"> EthicsPortal <a href="#ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>EthicsPortal is our product. We designed it to deliver full EU Directive 2019/1937 compliance with transparent pricing and immediate deployment.</p> <p><strong>Strengths:</strong> Flat €49/month pricing regardless of employee count. No sales calls — sign up and configure your portal in minutes. EU-hosted. Covers the core Directive requirements: encrypted anonymous reporting, two-way messaging via access codes, case management, 7-day acknowledgment and 3-month feedback tracking, QR code generation, and multilingual portals. Open, transparent pricing.</p> <p><strong>Weaknesses:</strong> No phone hotline. No outsourced case handling. Limited integrations (no HRIS connectors yet). Not suitable for organizations that need a full GRC suite.</p> <p><strong>Best for:</strong> SMEs, startups, and mid-sized companies (50–1,000 employees) that need Directive compliance without enterprise complexity or pricing.</p> <hr> <h2 id="how-we-chose"> How we chose <a href="#how-we-chose" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>We evaluated each platform across five criteria:</p> <ol> <li><strong>Pricing transparency.</strong> Can you find the price on the website without requesting a demo? Bonus points for flat-rate pricing.</li> <li><strong>Setup speed.</strong> How quickly can a non-technical compliance officer get from sign-up to a working reporting channel?</li> <li><strong>EU Directive coverage.</strong> Does the platform natively support the key requirements of Directive 2019/1937 — anonymous reporting, two-way communication, acknowledgment deadlines, confidentiality?</li> <li><strong>Data residency.</strong> Is data hosted in the EU by default, or is it an add-on?</li> <li><strong>Target audience fit.</strong> Is the platform designed for your company size, or are you paying for features built for organizations ten times larger?</li> </ol> <p>We used publicly available pricing where possible and contacted sales teams where pricing was not published. Prices cited are as of Q1 2026 and may vary by region, contract length, and negotiation.</p> <p>No affiliate links. No sponsorships. We built EthicsPortal because we saw a gap — this article explains where that gap is, and where other tools may be the better choice for your situation.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/top-whistleblower-software-eu-directive-2019-1937/Tue, 14 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/top-whistleblower-software-eu-directive-2019-1937/A ranked comparison of whistleblower platforms that meet the requirements of EU Directive 2019/1937. Evaluated on Article 8–16 coverage, pricing, EU hosting, and setup speed.<h1 id="top-whistleblower-software-for-eu-directive-20191937-compliance"> Top whistleblower software for EU Directive 2019/1937 compliance <a href="#top-whistleblower-software-for-eu-directive-20191937-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>EU Directive 2019/1937, now transposed into national law in all 27 member states (e.g., <a href="/whistleblower-laws/france/">Loi Waserman</a> in France, <a href="/whistleblower-laws/germany/">HinSchG</a> in Germany, <a href="/whistleblower-laws/spain/">Ley 2/2023</a> in Spain), requires every organization with 50 or more employees to operate a secure internal reporting channel. The law is specific about what that channel must do: accept written and oral reports, protect reporter confidentiality, acknowledge receipt within 7 days, provide feedback within 3 months, and maintain records without exposing the reporter’s identity.</p> <p>Here is what is strange about this market: whistleblower reporting is a simple tool. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and keeps an audit trail. That is the entire product.</p> <p>Yet most vendors hide their pricing behind “contact us for a demo” forms, require weeks-long sales processes, and pad their feature lists with AI-powered analytics, sentiment analysis, and other additions that have nothing to do with what the Directive actually requires. The result is that a compliance officer at a 100-person company ends up on a sales call for a tool that should take ten minutes to set up.</p> <p>This article ranks the top whistleblower software specifically by how well each platform meets the Directive’s legal requirements — not by brand recognition, AI feature count, or how impressive the sales deck looks.</p> <hr> <h2 id="how-we-scored"> How we scored <a href="#how-we-scored" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every platform was evaluated against the six core requirements of Directive 2019/1937:</p> <table> <thead> <tr> <th>Requirement</th> <th>Directive articles</th> <th>What the law demands</th> </tr> </thead> <tbody> <tr> <td>Secure reporting channel</td> <td>Art. 8</td> <td>Encrypted, accessible to all workers, no account required</td> </tr> <tr> <td>Reporter confidentiality</td> <td>Art. 16</td> <td>Identity not disclosed without consent, access restricted to authorized staff</td> </tr> <tr> <td>Receipt acknowledgment</td> <td>Art. 9(1)(b)</td> <td>Written confirmation within 7 days</td> </tr> <tr> <td>Feedback deadline</td> <td>Art. 9(1)(f)</td> <td>Substantive feedback within 3 months</td> </tr> <tr> <td>Two-way communication</td> <td>Art. 9(1)(b)</td> <td>Ability to communicate with the reporter, including anonymous reporters</td> </tr> <tr> <td>Record-keeping</td> <td>Art. 18</td> <td>Reports stored securely, retained per legal requirements, deletable when no longer needed</td> </tr> </tbody> </table> <p>We also considered practical factors: pricing transparency, EU data residency, setup speed, and whether the platform requires a sales call to get started.</p> <hr> <h2 id="the-ranking"> The ranking <a href="#the-ranking" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="1-ethicsportal--best-for-smes-that-need-fast-affordable-compliance"> 1. EthicsPortal — best for SMEs that need fast, affordable compliance <a href="#1-ethicsportal--best-for-smes-that-need-fast-affordable-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> EthicsPortal was built specifically for EU Directive 2019/1937. Every feature maps to an article.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>How EthicsPortal handles it</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Encrypted web portal, unique URL per organization, no app required</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>No IP logging, file metadata stripping (EXIF, GPS, author), encrypted data at rest</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Automatic deadline tracking with handler notifications</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Automatic deadline tracking with overdue alerts</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Anonymous message thread via access code — handler names never revealed</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Append-only audit trail, PDF export for auditors</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> €49/month flat. No per-employee fees, no add-ons. <strong>EU hosting:</strong> Yes — Hetzner, Nuremberg, Germany. <strong>Setup time:</strong> Minutes. Self-serve signup, no sales call.</p> <p><strong>Why it ranks first:</strong> Whistleblower reporting is not a complex problem. The Directive tells you exactly what the tool needs to do, and EthicsPortal does exactly that — nothing more, nothing less. No AI sentiment analysis, no “risk scoring,” no features that exist to justify a higher price tag. Full Art. 8–18 compliance at €49/month, visible on the website, no sales call required.</p> <p>The trade-off is that EthicsPortal is newer and does not yet have ISO 27001 certification or phone hotline services.</p> <p>EthicsPortal is our product. We designed it to deliver full Directive compliance with transparent pricing and immediate deployment.</p> <hr> <h3 id="2-formalize-whistleblowersoftwarecom--best-for-mid-market-companies-wanting-a-polished-product"> 2. Formalize (WhistleblowerSoftware.com) — best for mid-market companies wanting a polished product <a href="#2-formalize-whistleblowersoftwarecom--best-for-mid-market-companies-wanting-a-polished-product" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Built in Denmark with the EU Directive as the primary design driver.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web portal with encryption</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — access controls, data encryption</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — automated tracking</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — automated tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Custom quote required. Previously published per-employee pricing; no longer public. <strong>EU hosting:</strong> Yes — Denmark. <strong>Setup time:</strong> Days — involves a demo/sales process.</p> <p><strong>Why it ranks here:</strong> Strong Directive compliance, ISO 27001 and ISAE 3000 certified, and 80+ languages. Formalize used to publish pricing on their website — they no longer do, which tells you something about the direction they are heading. You now need to request a quote and go through a sales process to learn what it costs. If you need certifications and a partner ecosystem (PwC, Baker McKenzie), Formalize is a strong choice — but be prepared to negotiate pricing you cannot see upfront.</p> <hr> <h3 id="3-hintbox--best-for-german-speaking-markets"> 3. Hintbox — best for German-speaking markets <a href="#3-hintbox--best-for-german-speaking-markets" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> German platform with 1,000+ customers. Part of the lawcode suite.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted portal, hosted on Hetzner (Germany)</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — metadata stripping, 2FA, virus scanning</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging, optional voice bot (+€49/mo)</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Starting at €49/month. Scales to €149+/month with employee count. Add-ons: voice bot (+€49/mo), email integration (+€29/mo), custom domain (+€29/mo). <strong>EU hosting:</strong> Yes — Hetzner, Germany. ISO 27001 certified. <strong>Setup time:</strong> Days.</p> <p><strong>Why it ranks here:</strong> Mature product, large customer base (Rewe, s.Oliver, FC Bayern), ISO 27001 certified. The per-employee pricing and add-on costs mean the effective price is significantly higher than the €49 starting point for most organizations. DACH-focused — limited presence outside German-speaking markets.</p> <hr> <h3 id="4-legaltegrity--best-for-german-smes-that-want-phone-reporting-included"> 4. LegalTegrity — best for German SMEs that want phone reporting included <a href="#4-legaltegrity--best-for-german-smes-that-want-phone-reporting-included" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Frankfurt-based, hosted on Deutsche Telekom Open Telekom Cloud.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted portal, Deutsche Telekom hosting (Germany)</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — role-based access</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — deadline tracking with reminders</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging, phone channel on all plans</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail, reporting</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Essential €49/month (<50 employees), Professional €99/month (<250), Professional €166/month (<1,000), Enterprise on request. Annual billing. <strong>EU hosting:</strong> Yes — Deutsche Telekom Open Telekom Cloud, Germany. ISO 27001-certified hosting. <strong>Setup time:</strong> Days. 3-month money-back guarantee.</p> <p><strong>Why it ranks here:</strong> LegalTegrity includes a phone reporting channel on every plan, including the €49 Essential tier. That is unusual — most competitors charge extra for phone intake or do not offer it at all. 40+ languages available. The trade-off: per-employee tiered pricing means costs rise as your organisation grows, and additional languages cost €29/month each beyond the two included.</p> <hr> <h3 id="5-vispato--best-flat-rate-alternative-in-dach"> 5. Vispato — best flat-rate alternative in DACH <a href="#5-vispato--best-flat-rate-alternative-in-dach" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> German platform, part of the HR WORKS group.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted portal, DATEV-hosted (Germany)</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — role-based access, ISO 27001 hosting</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> €79/month flat. Unlimited users, cases, and storage. Enterprise tier with SSO and custom domain is quote-based. <strong>EU hosting:</strong> Yes — DATEV-managed servers, Germany. <strong>Setup time:</strong> Days. No free trial, demo required.</p> <p><strong>Why it ranks here:</strong> Flat €79/month regardless of company size, with no add-on fees. 18 languages. WCAG 2.1 AA accessibility. For DACH-region companies that want predictable costs without employee-count tiers, Vispato is the cleanest alternative. The trade-off: fewer languages than competitors (18 vs. 30–80), and no free trial.</p> <hr> <h3 id="6-digitalpa-legality-whistleblowing--best-for-italy"> 6. DigitalPA (Legality Whistleblowing) — best for Italy <a href="#6-digitalpa-legality-whistleblowing--best-for-italy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Italian platform with four ISO certifications.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web, voice, phone, and in-person intake</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — 2FA, anonymous and confidential modes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — deadline tracking</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging with AI translation</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail, investigation reports</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Standard from €29/month (<50 employees). Premium from €41/month. Medium/Large/Enterprise tiers require a quote. Annual billing only. <strong>EU hosting:</strong> Yes — Italy. <strong>Setup time:</strong> Days.</p> <p><strong>Why it ranks here:</strong> The cheapest starting price in this comparison (€29/month) and the most ISO certifications (27001, 37001, 37002, 37301). Multi-channel intake including phone and in-person meeting requests. 1,000+ customers. The trade-off: pricing beyond the small-business tier is quote-based, and the platform is Italian-market focused.</p> <hr> <h3 id="7-ithikios--best-for-spanish-smes"> 7. ithikios — best for Spanish SMEs <a href="#7-ithikios--best-for-spanish-smes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> Spanish modular compliance suite.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — encrypted cloud portal, ISO 27001 servers</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — anonymous and confidential modes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes — anonymous messaging</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — case management with documentation</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> From €29/month. Free trial available. <strong>EU hosting:</strong> Yes — Spain. ISO 27001 certified. <strong>Setup time:</strong> Hours.</p> <p><strong>Why it ranks here:</strong> Budget-friendly at €29/month with ISO 27001 and a free trial. 1,000+ companies across 10 countries. Modular platform: buy the whistleblower channel now, add policy management or NIS2 modules later. 7 interface languages. The trade-off: primarily Spanish-focused, and 7 languages is limited for cross-border organisations.</p> <hr> <h3 id="8-faceup--best-for-multilingual-organizations-113-languages"> 8. FaceUp — best for multilingual organizations (113 languages) <a href="#8-faceup--best-for-multilingual-organizations-113-languages" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong></p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — access controls</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes — automated</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes — automated</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — audit trail</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Not public. Three tiers (Starter, Professional, Enterprise) but all require “Get a Quote” — no prices shown on the website. Priced in USD. <strong>EU hosting:</strong> Yes — Czech Republic. <strong>Setup time:</strong> Hours.</p> <p><strong>Why it ranks here:</strong> FaceUp supports 113 languages — among the highest in the market — and offers a mobile app for reporters. Originally built for schools in the Czech Republic, they have expanded into corporate compliance across 70+ countries. Pricing is in US dollars and not publicly displayed — all three tiers (Starter, Professional, Enterprise) show “Get a Quote” buttons rather than prices, making it impossible to budget without a sales conversation.</p> <hr> <h3 id="9-whistlelink--best-for-nordic-companies"> 9. Whistlelink — best for Nordic companies <a href="#9-whistlelink--best-for-nordic-companies" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong></p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Starting at €79/month (billed annually). Scales by employee count: €79 → €99 → €149 → €199 → €299/month. 1,000+ employees: contact sales. <strong>EU hosting:</strong> Yes — Sweden. <strong>Setup time:</strong> Days. 30-day free trial available.</p> <p><strong>Why it ranks here:</strong> Solid Directive compliance with 50+ languages and good case management. All pricing tiers include the same feature set — no feature gating. Starting at €79/month, pricing is higher than the cheapest options but transparent. Strong regional presence in the Nordics.</p> <hr> <h3 id="10-speakup-people-intouch--best-for-outsourced-case-handling"> 10. SpeakUp (People Intouch) — best for outsourced case handling <a href="#10-speakup-people-intouch--best-for-outsourced-case-handling" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> One of the longest-running European whistleblower platforms (Netherlands).</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web + phone reporting</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Starting at ~€3,000/year for companies under 1,000 employees. Custom for larger. <strong>EU hosting:</strong> Yes — Netherlands. <strong>Setup time:</strong> Days.</p> <p><strong>Why it ranks here:</strong> Unique value proposition: outsourced case handling by trained professionals. If your organization does not have internal resources to manage reports, SpeakUp handles it for you. The trade-off is price — you are paying for human operators, not just software.</p> <hr> <h3 id="11-eqs-integrity-line--best-for-large-enterprises"> 11. EQS Integrity Line — best for large enterprises <a href="#11-eqs-integrity-line--best-for-large-enterprises" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete.</strong> The European enterprise standard.</p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — 70+ languages</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes — enterprise-grade access controls</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — integrates with GRC suites</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Not published. Estimated €2,000+/month. Requires sales process. <strong>EU hosting:</strong> Yes. <strong>Setup time:</strong> Weeks.</p> <p><strong>Why it ranks here:</strong> If you are a bank, insurer, or listed company with 5,000+ employees, EQS is the safe enterprise choice. For everyone else, you are paying for features and scale you do not need. Implementation takes weeks, not minutes.</p> <hr> <h3 id="12-navex-global--best-for-us-multinationals-with-eu-operations"> 12. NAVEX Global — best for US multinationals with EU operations <a href="#12-navex-global--best-for-us-multinationals-with-eu-operations" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive coverage: complete, but EU compliance feels bolted on.</strong></p> <table> <thead> <tr> <th>Directive requirement</th> <th>Coverage</th> </tr> </thead> <tbody> <tr> <td>Secure channel (Art. 8)</td> <td>Yes — web + phone hotline</td> </tr> <tr> <td>Confidentiality (Art. 16)</td> <td>Yes</td> </tr> <tr> <td>7-day acknowledgment (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>3-month feedback (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Two-way communication (Art. 9)</td> <td>Yes</td> </tr> <tr> <td>Record-keeping (Art. 18)</td> <td>Yes — strong analytics</td> </tr> </tbody> </table> <p><strong>Pricing:</strong> Custom. Typically €5,000+/year. Requires sales process. <strong>EU hosting:</strong> Available as an option, not default. <strong>Setup time:</strong> Weeks.</p> <p><strong>Why it ranks here:</strong> NAVEX is the dominant US compliance platform with decades of history and thousands of clients. Their EthicsPoint product covers the Directive, but the platform was designed for US regulatory frameworks first. EU hosting is available but not the default. Enterprise pricing and long implementation cycles put it out of reach for SMEs.</p> <hr> <h2 id="which-platform-should-you-choose"> Which platform should you choose? <a href="#which-platform-should-you-choose" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <table> <thead> <tr> <th>Your situation</th> <th>Best choice</th> </tr> </thead> <tbody> <tr> <td>SME or startup, need compliance fast, budget-conscious</td> <td><strong>EthicsPortal</strong> (€49/mo, minutes to set up)</td> </tr> <tr> <td>German SME, want phone reporting included</td> <td><strong>LegalTegrity</strong> (€49+/mo, phone on all plans)</td> </tr> <tr> <td>DACH region, want flat pricing with no add-ons</td> <td><strong>Vispato</strong> (€79/mo flat)</td> </tr> <tr> <td>Italian company, need local certifications</td> <td><strong>DigitalPA</strong> (from €29/mo, ISO 27001/37001/37002)</td> </tr> <tr> <td>Spanish company, need Ley 2/2023 compliance</td> <td><strong>ithikios</strong> (from €29/mo, ISO 27001)</td> </tr> <tr> <td>Mid-market, want certifications and partner ecosystem</td> <td><strong>Formalize</strong> (custom pricing, ISO certified)</td> </tr> <tr> <td>German-speaking market, need ISO 27001 at scale</td> <td><strong>Hintbox</strong> (€49+/mo, ISO 27001)</td> </tr> <tr> <td>Need 113 languages or mobile reporting app</td> <td><strong>FaceUp</strong> (custom quote)</td> </tr> <tr> <td>Nordic company, prefer regional vendor</td> <td><strong>Whistlelink</strong> (€79+/mo)</td> </tr> <tr> <td>Need outsourced case handling</td> <td><strong>SpeakUp</strong> (~€3,000/yr)</td> </tr> <tr> <td>Large enterprise (500+ employees), full GRC suite</td> <td><strong>EQS Integrity Line</strong> (custom pricing)</td> </tr> <tr> <td>US multinational with EU subsidiary</td> <td><strong>NAVEX Global</strong> (custom pricing)</td> </tr> </tbody> </table> <hr> <h2 id="why-most-platforms-are-overpriced-for-what-they-do"> Why most platforms are overpriced for what they do <a href="#why-most-platforms-are-overpriced-for-what-they-do" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every platform on this list covers the core requirements of Directive 2019/1937. That is worth repeating: the basic compliance functionality is the same across all of them. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and logs an audit trail.</p> <p>The price difference between €49/month and €5,000+/year is not explained by the Directive’s requirements. It is explained by sales teams, enterprise packaging, AI features that no compliance officer asked for, and the assumption that “compliance software” can be priced like enterprise SaaS.</p> <p>Many platforms on this list do not publish their pricing. You have to fill out a form, get on a call, sit through a demo, and then — maybe — receive a quote. For a tool that does what a spreadsheet could do (badly), this is absurd.</p> <p>If you are evaluating platforms, focus on three things:</p> <ol> <li><strong>Does it cover Art. 8–18?</strong> All platforms above do, at their paid tiers.</li> <li><strong>Is data hosted in the EU?</strong> Non-negotiable for GDPR and Directive compliance.</li> <li><strong>Can you see the price and sign up today?</strong> If a vendor will not show you the price, ask yourself what they are optimizing for.</li> </ol> <p>No whistleblower platform can make your organization compliant by itself. Compliance also requires internal policies, designated handlers, training, and documented procedures. The software is the reporting channel — one piece of a larger compliance framework. It should not be the most expensive or time-consuming piece.</p> <p>For a detailed article-by-article breakdown of how EthicsPortal meets each requirement, see our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/whistleblower-software-is-a-form-and-a-database/Sun, 05 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/whistleblower-software-is-a-form-and-a-database/What a whistleblower reporting tool actually needs to do under EU Directive 2019/1937 — and what features matter vs. what's just marketing.<h1 id="what-to-look-for-in-whistleblower-compliance-software"> What to look for in whistleblower compliance software <a href="#what-to-look-for-in-whistleblower-compliance-software" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>The EU Whistleblower Protection Directive requires your organization to operate a secure internal reporting channel. But not all tools that claim Directive compliance actually deliver it.</p> <p>Here’s how to evaluate what matters.</p> <hr> <h2 id="what-a-whistleblower-reporting-tool-actually-needs-to-do"> What a whistleblower reporting tool actually needs to do <a href="#what-a-whistleblower-reporting-tool-actually-needs-to-do" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive’s requirements translate into five core functions:</p> <ol> <li>A reporter submits a report through a secure channel.</li> <li>The report is stored confidentially in an encrypted system.</li> <li>A designated case handler reviews it and responds.</li> <li>The system tracks the 7-day acknowledgment and 3-month feedback deadlines.</li> <li>Every action is recorded in an append-only audit trail.</li> </ol> <p>These five functions are the compliance baseline. Any tool you evaluate should demonstrate how it handles each one.</p> <hr> <h2 id="features-that-matter-for-compliance"> Features that matter for compliance <a href="#features-that-matter-for-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>When evaluating platforms, focus on what the Directive actually requires:</p> <ul> <li><strong>Anonymous reporting</strong> — Article 6(1) requires confidentiality. The strongest implementation means no IP logging, no tracking, and automatic stripping of file metadata (EXIF, GPS, author info) that could reveal identity.</li> <li><strong>Two-way communication</strong> — Article 9(1)(b) requires follow-up with the reporter. This means secure messaging without requiring the reporter to create an account or reveal their identity.</li> <li><strong>Deadline tracking</strong> — Articles 9(1)(b) and 9(1)(f) set the 7-day acknowledgment and 3-month feedback deadlines. Automated tracking with notifications prevents compliance failures.</li> <li><strong>Audit trail</strong> — Article 18 requires documentation. An append-only log of all actions provides the evidence regulators and auditors expect.</li> <li><strong>EU data residency</strong> — GDPR applies to all report data. Hosting within the EU simplifies compliance and avoids cross-border transfer questions.</li> <li><strong>Data retention controls</strong> — Article 17(1)(d) requires defined retention periods. Configurable auto-deletion ensures data isn’t kept longer than necessary.</li> </ul> <hr> <h2 id="features-that-sound-impressive-but-arent-in-the-directive"> Features that sound impressive but aren’t in the Directive <a href="#features-that-sound-impressive-but-arent-in-the-directive" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Some platforms emphasize capabilities that go beyond what compliance requires:</p> <ul> <li>“AI-powered risk scoring”</li> <li>“Sentiment analysis”</li> <li>“Predictive analytics dashboards”</li> <li>“Benchmarking against 10,000+ organizations”</li> </ul> <p>These features may serve larger organizations with mature compliance programs. But they are not Directive requirements, and their presence doesn’t make a tool more compliant. Evaluate whether they serve your actual needs before paying for them.</p> <hr> <h2 id="pricing-transparency-as-a-signal"> Pricing transparency as a signal <a href="#pricing-transparency-as-a-signal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive applies to organizations of very different sizes — from 50-person companies to multinational enterprises. The tool you choose should match your scale.</p> <p>Some platforms publish their pricing openly. Others require a sales process to learn the cost. Neither approach is inherently better, but transparent pricing lets you evaluate fit faster and avoids committing time to demos before knowing whether the budget works.</p> <hr> <h2 id="what-to-ask-during-evaluation"> What to ask during evaluation <a href="#what-to-ask-during-evaluation" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>When reviewing any whistleblower platform, ask:</p> <ol> <li><strong>Where is data stored?</strong> Confirm EU hosting and data residency.</li> <li><strong>How are reporters protected?</strong> Verify IP anonymization and metadata stripping.</li> <li><strong>How are deadlines tracked?</strong> Confirm automatic 7-day and 3-month tracking with notifications.</li> <li><strong>Is the audit trail append-only?</strong> Ensure entries cannot be edited after creation.</li> <li><strong>What happens when we cancel?</strong> Understand data export and deletion policies.</li> <li><strong>Is a DPA available?</strong> Required for GDPR compliance as a data processor relationship.</li> </ol> <hr> <h2 id="how-ethicsportal-addresses-these-requirements"> How EthicsPortal addresses these requirements <a href="#how-ethicsportal-addresses-these-requirements" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><a href="https://ethicsportal.eu">EthicsPortal</a> is built specifically for EU Directive 2019/1937 compliance:</p> <ul> <li>€49/month, all features included</li> <li>Anonymous reporting with IP anonymization and file metadata stripping</li> <li>Secure two-way messaging via access code</li> <li>Automatic deadline tracking with overdue notifications</li> <li>Append-only audit trail and PDF case export</li> <li>Hosted on Hetzner in Nuremberg, Germany — all data stays in the EU</li> </ul> <p>See our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> for an article-by-article breakdown of how each requirement is met.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/if-employees-have-to-ask-you-dont-have-a-channel/Sat, 04 Apr 2026 00:00:00 +0000https://ethicsportal.eu/blog/if-employees-have-to-ask-you-dont-have-a-channel/EU law requires employers to inform workers about their reporting channel. But if finding it requires asking someone, the channel is already compromised.<h1 id="if-employees-have-to-ask-where-the-whistleblowing-channel-is-you-dont-have-one"> If employees have to ask where the whistleblowing channel is, you don’t have one <a href="#if-employees-have-to-ask-where-the-whistleblowing-channel-is-you-dont-have-one" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>An employee suspects fraud. They want to report it. Their first step should not be walking up to HR and asking “do we have a whistleblowing channel?”</p> <p>The act of asking is itself a signal. In the exact kind of workplace the Directive exists to address — where misconduct is happening and someone wants to report it — asking around about a reporting channel tells people that you are thinking about reporting something. Before you have typed a single word, you are exposed.</p> <hr> <h2 id="the-law-is-clear-you-must-inform-employees"> The law is clear: you must inform employees <a href="#the-law-is-clear-you-must-inform-employees" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EU Directive 2019/1937 and its national transpositions (<a href="/whistleblower-laws/france/">Loi Waserman</a> in France, <a href="/whistleblower-laws/germany/">HinSchG</a> in Germany, the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> in Poland, and others) do not just require organizations to set up a reporting channel. They require them to make sure workers know about it.</p> <p><strong>Article 9(1)(g)</strong> mandates “clear and easily accessible information” about reporting procedures — both internal and external. This is not optional. If you have a reporting channel but your employees do not know it exists, you are not compliant with your national law.</p> <p>National transpositions go further:</p> <ul> <li><strong><a href="/whistleblower-laws/germany/">Germany</a> (<a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">HinSchG</a> §7(3), §13(2)):</strong> Employers must provide “clear and easily accessible information” about both internal reporting procedures (§7(3)) and external reporting options (§13(2)).</li> <li><strong><a href="/whistleblower-laws/france/">France</a> (<a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi Waserman, 2022-401</a> ):</strong> Companies must inform employees about reporting procedures and publish this information via accessible means.</li> <li><strong><a href="/whistleblower-laws/poland/">Poland</a> (<a href="https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20240000928" rel="nofollow">Ustawa o ochronie sygnalistów</a> ):</strong> Employers must establish internal reporting procedures and publish them to all employees. The procedure takes effect 7 days after publication.</li> </ul> <p>The pattern is the same everywhere: setting up the channel is half the job. Making employees aware of it is the other half.</p> <hr> <h2 id="the-design-problem-nobody-talks-about"> The design problem nobody talks about <a href="#the-design-problem-nobody-talks-about" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Most compliance discussions stop at “inform employees” and assume a company-wide email or an intranet page solves it. It does not.</p> <p>Think about what actually happens:</p> <p><strong>Scenario 1: The channel is on the company intranet.</strong> The employee has to use their work computer, log into the corporate network, navigate to the compliance section, and click through to the reporting portal. Every step leaves a digital trail on a device their employer controls. The IT department can see what pages you visit on the intranet.</p> <p><strong>Scenario 2: The channel requires a company app.</strong> The employee has to download an app, possibly through a corporate MDM (mobile device management) system, and create an account. The act of installing a whistleblower app on your work phone is itself a statement.</p> <p><strong>Scenario 3: The channel is mentioned once in the employee handbook.</strong> Page 47, section 12.3, between the parking policy and the dress code. Nobody remembers it exists. When someone needs it, they have to ask. And asking is the problem.</p> <hr> <h2 id="what-easily-accessible-actually-means"> What “easily accessible” actually means <a href="#what-easily-accessible-actually-means" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you take the Directive’s intent seriously — protecting people who report wrongdoing — then “easily accessible” means:</p> <p><strong>The employee should be able to access the channel without:</strong></p> <ul> <li>Using a company device</li> <li>Being on the company network</li> <li>Installing an app</li> <li>Creating an account</li> <li>Asking anyone where to find it</li> <li>Leaving any trace that they looked for it</li> </ul> <p>This narrows the options considerably. The channel needs to be a <strong>public URL</strong> that works in any browser on any device — including a personal phone on mobile data, completely outside the employer’s infrastructure.</p> <hr> <h2 id="how-to-make-the-channel-truly-accessible"> How to make the channel truly accessible <a href="#how-to-make-the-channel-truly-accessible" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>1. A public URL, not an intranet page.</strong> The reporting portal should be accessible from any browser, on any device, without authentication. An employee at home, on their personal phone, at 11pm, should be able to type in a URL and start a report. No VPN, no login, no company email required.</p> <p><strong>2. QR codes in private spaces.</strong> Print the QR code and put it where people can scan it without being watched: bathroom stalls, break rooms, locker rooms, the back of elevator doors. An employee scanning a QR code on a bathroom wall leaves no digital trail and draws no attention.</p> <p><strong>3. Physical posters, not just emails.</strong> A company-wide email about the whistleblowing channel is easily missed and hard to find six months later. A poster on the wall of every office kitchen with a QR code and a URL is always there when someone needs it.</p> <p><strong>4. Mention it during onboarding — every time.</strong> New employee orientation should include the reporting channel URL and a printed card with the QR code. Not buried in a handbook. Handed to them directly.</p> <p><strong>5. No account required.</strong> If the reporting tool requires the employee to create an account with their email address to file a report, it is not anonymous and it is not safe. The reporter should be able to submit without providing any identifying information and receive an access code to check back later.</p> <hr> <h2 id="this-is-how-ethicsportal-works"> This is how EthicsPortal works <a href="#this-is-how-ethicsportal-works" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every EthicsPortal organization gets a public reporting URL. It works on any browser, any device. No app, no account, no company network.</p> <p>The portal generates a <strong>QR code</strong> that can be printed and posted anywhere. Scan it, and you are on the reporting page. No login, no trail.</p> <p>Reporters submit anonymously — no name, no email, no IP logging. They receive an access code to check back for updates. The entire interaction happens in a browser window that can be closed and leaves nothing behind.</p> <p>The handler never sees the reporter’s identity. The reporter never sees the handler’s name. The system counts to 7 days, counts to 3 months, and logs everything.</p> <p>That is what “easily accessible” looks like when you take the Directive seriously.</p> <hr> <p><em>If your organization’s whistleblowing channel requires employees to ask someone where to find it, you have a compliance checkbox. You do not have a reporting channel. <a href="https://secure.ethicsportal.eu/session/new" rel="nofollow">Set up a real one in ten minutes.</a> </em></p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/gdpr-and-whistleblower-reporting/Fri, 20 Mar 2026 00:00:00 +0000https://ethicsportal.eu/blog/gdpr-and-whistleblower-reporting/How GDPR applies to whistleblower reports. Legal basis for processing, anonymous vs. pseudonymous data, retention periods, and the right to erasure.<h1 id="gdpr-and-whistleblower-reporting-what-you-need-to-know"> GDPR and whistleblower reporting: what you need to know <a href="#gdpr-and-whistleblower-reporting-what-you-need-to-know" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Every whistleblower report contains personal data. The reporter may include their name. The report will likely name the person accused of wrongdoing. The handler’s actions are logged. All of this is personal data under GDPR.</p> <p>This creates a tension that compliance officers deal with every day: the Whistleblower Directive (2019/1937) requires you to collect and store reports, and GDPR requires you to have a lawful basis for doing so, minimize what you collect, and delete it when you no longer need it.</p> <p>Here is how the two frameworks interact, and what it means in practice.</p> <hr> <h2 id="what-personal-data-does-a-whistleblower-report-contain"> What personal data does a whistleblower report contain? <a href="#what-personal-data-does-a-whistleblower-report-contain" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>More than you might think:</p> <table> <thead> <tr> <th>Data</th> <th>Source</th> <th>GDPR category</th> </tr> </thead> <tbody> <tr> <td>Reporter’s name (if provided)</td> <td>Voluntary</td> <td>Personal data</td> </tr> <tr> <td>Reporter’s contact details (if provided)</td> <td>Voluntary</td> <td>Personal data</td> </tr> <tr> <td>Name of the accused person</td> <td>Report content</td> <td>Personal data (third party)</td> </tr> <tr> <td>Details of the alleged misconduct</td> <td>Report content</td> <td>May include special category data (Art. 9) or criminal offence data (Art. 10)</td> </tr> <tr> <td>Uploaded files (documents, photos)</td> <td>Reporter</td> <td>May contain metadata (GPS, author, timestamps)</td> </tr> <tr> <td>Handler actions and notes</td> <td>Case management</td> <td>Personal data (handler)</td> </tr> <tr> <td>Timestamps and audit trail</td> <td>System</td> <td>Personal data</td> </tr> </tbody> </table> <p>If a report describes harassment, discrimination, or health issues, it may contain <strong>special category data</strong> under GDPR Article 9 — which triggers stricter processing conditions. Reports involving criminal allegations fall under <strong>Article 10</strong> (criminal convictions and offences), which has its own restrictions.</p> <hr> <h2 id="what-is-the-legal-basis-for-processing"> What is the legal basis for processing? <a href="#what-is-the-legal-basis-for-processing" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>You need a lawful basis under GDPR Article 6 to process personal data in whistleblower reports. The most commonly used bases:</p> <h3 id="article-61c--legal-obligation"> Article 6(1)(c) — Legal obligation <a href="#article-61c--legal-obligation" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>This is the primary basis. EU Directive 2019/1937 and its national transpositions impose a legal obligation to operate a reporting channel. Processing personal data is necessary to comply with that obligation.</p> <p>This covers:</p> <ul> <li>Receiving the report</li> <li>Storing it securely</li> <li>Investigating the allegations</li> <li>Communicating with the reporter</li> <li>Maintaining an audit trail</li> </ul> <h3 id="article-61f--legitimate-interest"> Article 6(1)(f) — Legitimate interest <a href="#article-61f--legitimate-interest" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Some organizations use legitimate interest as a secondary basis, particularly for processing that goes beyond the Directive’s minimum requirements (e.g., internal analysis, trend reporting). This requires a legitimate interest assessment (LIA) and balancing test.</p> <h3 id="article-61e--public-interest-public-sector"> Article 6(1)(e) — Public interest (public sector) <a href="#article-61e--public-interest-public-sector" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Public sector organizations may rely on the public interest basis, particularly where national law explicitly authorizes processing for whistleblower protection.</p> <h3 id="what-about-consent"> What about consent? <a href="#what-about-consent" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Do not rely on consent.</strong> The reporter-employer power imbalance means consent is unlikely to be freely given (GDPR Recital 43). A reporter cannot meaningfully consent when their job may depend on the outcome. Use legal obligation (Art. 6(1)(c)) instead.</p> <hr> <h2 id="anonymous-reports-and-gdpr"> Anonymous reports and GDPR <a href="#anonymous-reports-and-gdpr" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This is the question compliance officers ask most: if a report is truly anonymous, does GDPR apply?</p> <h3 id="if-the-reporter-is-unidentifiable-gdpr-does-not-apply-to-them"> If the reporter is unidentifiable: GDPR does not apply to them <a href="#if-the-reporter-is-unidentifiable-gdpr-does-not-apply-to-them" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>GDPR applies to personal data relating to an identified or identifiable person (Art. 4(1)). If a reporter submits without providing a name, email, or any identifying information — and the system does not log their IP address or any other identifier — the report content is not personal data <em>with respect to the reporter</em>.</p> <p>However:</p> <ul> <li>The <strong>accused person</strong> named in the report is still identifiable. GDPR fully applies to their data.</li> <li>If the report content contains details that could indirectly identify the reporter (“I am the only woman on the third floor”), it may still constitute personal data.</li> </ul> <h3 id="what-anonymous-requires-technically"> What “anonymous” requires technically <a href="#what-anonymous-requires-technically" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>For anonymity to hold up under GDPR scrutiny, your reporting tool must:</p> <ul> <li><strong>Not log IP addresses.</strong> Any IP logging makes the reporter pseudonymous, not anonymous.</li> <li><strong>Not require an account or email.</strong> If the reporter authenticates, they are identifiable.</li> <li><strong>Strip file metadata.</strong> Uploaded photos and documents contain EXIF data (GPS coordinates, author name, device information) that can identify the reporter.</li> <li><strong>Not use analytics or tracking cookies</strong> on the reporting portal.</li> </ul> <p>If your tool does any of these things, you are collecting pseudonymous data, not anonymous data, and GDPR applies in full.</p> <hr> <h2 id="data-minimization-art-51c"> Data minimization (Art. 5(1)(c)) <a href="#data-minimization-art-51c" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive requires a reporting channel. It does not require collecting more data than necessary.</p> <p>In practice:</p> <ul> <li><strong>Reporter identity must be optional.</strong> The reporter should be able to submit without providing their name or contact details.</li> <li><strong>Intake forms should collect only what is needed.</strong> A description of the misconduct, the category, and optional supporting files. Do not require department, employee ID, or other identifiers unless the reporter chooses to provide them.</li> <li><strong>Handler notes should be relevant to the investigation.</strong> Do not log extraneous personal details about the reporter or accused.</li> </ul> <hr> <h2 id="the-accused-persons-rights"> The accused person’s rights <a href="#the-accused-persons-rights" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>This is where it gets complicated. The person accused in a whistleblower report has GDPR rights — including the right to be informed (Art. 14), the right of access (Art. 15), and the right to erasure (Art. 17).</p> <p>But exercising those rights cannot compromise the reporter’s confidentiality (Directive Art. 16).</p> <h3 id="right-to-be-informed-art-14"> Right to be informed (Art. 14) <a href="#right-to-be-informed-art-14" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Under GDPR, you must inform people when you process their data. But Directive Art. 16(1) requires protecting the reporter’s identity. The solution:</p> <ul> <li>You <strong>may</strong> inform the accused person that a report has been made — but only when doing so does not risk identifying the reporter.</li> <li><strong>Timing matters.</strong> Many member states allow delaying notification until it would no longer jeopardize the investigation. Germany’s HinSchG explicitly restricts disclosure during the investigation period.</li> <li>National data protection authorities generally accept that the Directive’s confidentiality requirements override the immediate notification obligation.</li> </ul> <h3 id="right-of-access-art-15"> Right of access (Art. 15) <a href="#right-of-access-art-15" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The accused person can request access to data held about them. You must provide it — but you must redact any information that would identify the reporter. This includes the reporter’s name, but also contextual details that could reveal them indirectly.</p> <h3 id="right-to-erasure-art-17"> Right to erasure (Art. 17) <a href="#right-to-erasure-art-17" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The accused person cannot demand deletion of a report that is part of an ongoing investigation or that must be retained under legal obligations. GDPR Art. 17(3)(b) and (e) provide exceptions for legal obligations and legal claims.</p> <hr> <h2 id="retention-periods"> Retention periods <a href="#retention-periods" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive (Art. 18) requires maintaining records of reports. GDPR (Art. 5(1)(e)) requires not keeping personal data longer than necessary.</p> <h3 id="how-long-should-you-retain-reports"> How long should you retain reports? <a href="#how-long-should-you-retain-reports" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Directive does not prescribe a specific retention period. National transpositions vary:</p> <table> <thead> <tr> <th>Country</th> <th>Retention period</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td><a href="/whistleblower-laws/france/">France</a> </td> <td>5 years after case closure</td> <td><a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046357368" rel="nofollow">Decree 2022-1284</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/italy/">Italy</a> </td> <td>5 years from date of report</td> <td><a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">D.Lgs. 24/2023, Art. 14</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/germany/">Germany</a> </td> <td>3 years after case closure (unless ongoing proceedings)</td> <td><a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">HinSchG §11</a> </td> </tr> <tr> <td><a href="/whistleblower-laws/spain/">Spain</a> </td> <td>Not specified (general GDPR minimization applies)</td> <td><a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Law 2/2023</a> </td> </tr> </tbody> </table> <h3 id="best-practice"> Best practice <a href="#best-practice" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <ul> <li>Set a configurable retention period (e.g., 12, 24, 36, or 60 months after case closure).</li> <li>Automatically delete closed cases when the retention period expires.</li> <li>Allow manual deletion by admins for cases where retention is no longer necessary.</li> <li>Document your retention policy and be prepared to justify it to a regulator.</li> </ul> <hr> <h2 id="international-data-transfers"> International data transfers <a href="#international-data-transfers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Whistleblower data must stay in the EU unless you have a valid transfer mechanism under GDPR Chapter V.</p> <p>This matters when choosing a reporting tool:</p> <ul> <li><strong>EU-hosted platforms</strong> (data stored in Germany, France, Netherlands, etc.): no transfer issue.</li> <li><strong>US-hosted platforms</strong> or platforms using US cloud providers (AWS US, Azure US, Google Cloud US): require reliance on Standard Contractual Clauses (SCCs) or the <a href="https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en" rel="nofollow">EU-US Data Privacy Framework</a> — both of which have been <a href="https://curia.europa.eu/juris/liste.jsf?num=C-311/18" rel="nofollow">legally challenged</a> .</li> </ul> <p>The simplest path: choose a platform that hosts all data in the EU. This eliminates the transfer question entirely.</p> <hr> <h2 id="data-protection-impact-assessment-dpia"> Data Protection Impact Assessment (DPIA) <a href="#data-protection-impact-assessment-dpia" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>GDPR Article 35 requires a DPIA when processing is “likely to result in a high risk to the rights and freedoms of natural persons.”</p> <p>Whistleblower reporting likely qualifies because:</p> <ul> <li>It involves sensitive allegations about identified individuals</li> <li>Reports may contain special category data (Art. 9)</li> <li>There is an inherent power imbalance between reporter and organization</li> <li>Confidentiality failures could lead to retaliation</li> </ul> <p>Most data protection authorities recommend conducting a DPIA before implementing a whistleblower reporting system.</p> <hr> <h2 id="what-your-reporting-tool-must-do"> What your reporting tool must do <a href="#what-your-reporting-tool-must-do" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Based on the GDPR requirements above, your whistleblower software should:</p> <table> <thead> <tr> <th>Requirement</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>Optional reporter identity</td> <td>Data minimization (Art. 5(1)(c))</td> </tr> <tr> <td>No IP logging</td> <td>Preserve anonymity, avoid creating pseudonymous data</td> </tr> <tr> <td>File metadata stripping</td> <td>Prevent accidental identification via EXIF/GPS data</td> </tr> <tr> <td>Encryption at rest</td> <td>Integrity and confidentiality (Art. 5(1)(f))</td> </tr> <tr> <td>Configurable retention periods</td> <td>Storage limitation (Art. 5(1)(e))</td> </tr> <tr> <td>Automatic deletion of expired cases</td> <td>Storage limitation enforcement</td> </tr> <tr> <td>Role-based access controls</td> <td>Confidentiality (Directive Art. 16)</td> </tr> <tr> <td>Append-only audit trail</td> <td>Accountability (Art. 5(2))</td> </tr> <tr> <td>EU data hosting</td> <td>Avoid international transfer complications (Chapter V)</td> </tr> <tr> <td>Privacy notice on the reporting form</td> <td>Transparency (Art. 13/14)</td> </tr> </tbody> </table> <hr> <h2 id="how-ethicsportal-handles-gdpr"> How EthicsPortal handles GDPR <a href="#how-ethicsportal-handles-gdpr" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal was designed with both the Directive and GDPR as constraints from day one:</p> <ul> <li><strong>Legal basis:</strong> Processing is based on legal obligation (Art. 6(1)(c)) — compliance with EU Directive 2019/1937.</li> <li><strong>Anonymity by default:</strong> No IP logging, no accounts, no tracking. File metadata (EXIF, GPS, author) stripped automatically.</li> <li><strong>Data minimization:</strong> Reporter name and contact are optional fields. Only essential data is collected.</li> <li><strong>Encryption at rest:</strong> All report descriptions, names, contact details, and messages encrypted in the database.</li> <li><strong>Configurable retention:</strong> Organizations set their own retention period (12, 24, 36, or 60 months). Expired closed cases are deleted automatically.</li> <li><strong>EU hosting for core report data:</strong> Report content and attachments are stored on Hetzner servers in Nuremberg, Germany. The marketing site is delivered via Cloudflare (CDN, United States); the reporting and handler portals are not. Transfer safeguards for the marketing site are documented in the published subprocessor list and DPA.</li> <li><strong>Access controls:</strong> Only admins and assigned handlers can view reports. Handler names are never revealed to reporters.</li> <li><strong>Audit trail:</strong> Append-only log of every action for accountability and regulatory review.</li> <li><strong>DPA available:</strong> GDPR Article 28 <a href="/dpa/">Data Processing Agreement</a> available for all customers.</li> </ul> <p>For the full article-by-article breakdown, see our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/whistleblower-policy-template/Sun, 15 Mar 2026 00:00:00 +0000https://ethicsportal.eu/blog/whistleblower-policy-template/A ready-to-use whistleblower policy template that meets EU Directive 2019/1937 requirements. Copy, adapt, and implement in your organization.<h1 id="free-whistleblower-policy-template-for-eu-directive-20191937"> Free whistleblower policy template for EU Directive 2019/1937 <a href="#free-whistleblower-policy-template-for-eu-directive-20191937" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Every organization with 50 or more employees in the EU needs a written whistleblower policy. This is not optional — it is required under national transposition laws like <a href="/whistleblower-laws/france/">Loi Waserman</a> (France), <a href="/whistleblower-laws/germany/">HinSchG</a> (Germany), <a href="/whistleblower-laws/spain/">Ley 2/2023</a> (Spain), and the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> (Poland), all implementing EU Directive 2019/1937. Penalties for non-compliance vary by country — see our <a href="/penalties/">penalties page</a> for details.</p> <p>A whistleblower policy does two things: it tells employees how to report wrongdoing, and it tells your organization how to handle those reports. Without a clear policy, reports fall through the cracks, handlers improvise, and your organization risks both legal exposure and reputational damage.</p> <p>Below is a complete policy template you can copy and adapt. Replace the bracketed placeholders with your organization’s details. The template covers every element the Directive requires.</p> <hr> <h2 id="whistleblower-policy-template"> Whistleblower policy template <a href="#whistleblower-policy-template" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <hr> <p><strong>[ORGANIZATION NAME]</strong></p> <p><strong>Whistleblower protection policy</strong></p> <p><strong>Effective date:</strong> [DATE]</p> <p><strong>Approved by:</strong> [NAME / TITLE]</p> <p><strong>Version:</strong> 1.0</p> <hr> <h3 id="1-purpose-and-scope"> 1. Purpose and scope <a href="#1-purpose-and-scope" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>This policy establishes a framework for reporting suspected breaches of law, regulation, or internal rules within [ORGANIZATION NAME]. It implements the requirements of EU Directive 2019/1937 on the protection of persons who report breaches of Union law, as transposed into [MEMBER STATE] national law.</p> <p>This policy applies to all operations, subsidiaries, and business units of [ORGANIZATION NAME] within the European Union.</p> <h3 id="2-who-can-report"> 2. Who can report <a href="#2-who-can-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>In accordance with Article 4 of the Directive, the following persons may submit a report through the channels described in this policy:</p> <ul> <li>Current and former employees, including those on probation or notice periods</li> <li>Job applicants who obtained information during the recruitment process</li> <li>Contractors, subcontractors, and suppliers</li> <li>Shareholders and members of the administrative, management, or supervisory body</li> <li>Volunteers and trainees, whether paid or unpaid</li> <li>Any person working under the supervision and direction of contractors, subcontractors, or suppliers</li> <li>Persons whose work-based relationship has not yet begun, where information on breaches was acquired during the recruitment process or pre-contractual negotiations</li> </ul> <p>Protection also extends to facilitators, third persons connected with the reporting person (such as colleagues or relatives), and legal entities that the reporting person owns, works for, or is otherwise connected with in a work-related context (Article 4(4)).</p> <h3 id="3-what-can-be-reported"> 3. What can be reported <a href="#3-what-can-be-reported" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Reports may concern breaches of Union law in the areas covered by the Directive (Article 2), including but not limited to:</p> <ul> <li>Public procurement irregularities</li> <li>Financial services, anti-money laundering, and counter-terrorist financing violations</li> <li>Product safety and compliance breaches</li> <li>Transport safety violations</li> <li>Environmental protection breaches</li> <li>Radiation protection and nuclear safety issues</li> <li>Food and feed safety, animal health and welfare concerns</li> <li>Public health violations</li> <li>Consumer protection breaches</li> <li>Privacy and personal data protection violations</li> <li>Security of network and information systems</li> <li>Competition and state aid rule breaches</li> <li>Corporate tax arrangements that undermine the object or purpose of applicable tax law</li> <li>Fraud, corruption, or other criminal offenses affecting the financial interests of the EU</li> </ul> <p>Reports may also concern breaches of internal company policies, codes of conduct, and applicable national law, provided [MEMBER STATE] national transposition law extends protection to such reports.</p> <h3 id="4-how-to-report"> 4. How to report <a href="#4-how-to-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <h4 id="internal-reporting-channel"> Internal reporting channel <a href="#internal-reporting-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h4> <p>[ORGANIZATION NAME] provides a secure, confidential internal reporting channel:</p> <ul> <li><strong>Online portal:</strong> [URL OF REPORTING PORTAL]</li> <li><strong>Designated person:</strong> [NAME / TITLE OF DESIGNATED PERSON OR DEPARTMENT]</li> <li><strong>Alternative methods:</strong> [POSTAL ADDRESS / EMAIL / IN-PERSON MEETING REQUEST PROCESS, as applicable]</li> </ul> <p>Reports can be submitted anonymously. Reporters who choose to remain anonymous will receive an access code to check the status of their report and communicate securely with the case handler.</p> <p>[ORGANIZATION NAME] encourages the use of the internal reporting channel as a first step, as this allows the organization to investigate and address breaches promptly.</p> <h4 id="external-reporting-to-competent-authorities"> External reporting to competent authorities <a href="#external-reporting-to-competent-authorities" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h4> <p>Reporting persons have the right to report externally to the relevant competent authority at any time, as provided under Article 10 of the Directive. Reporting persons are not required to use the internal channel before reporting externally.</p> <p>The competent authority in [MEMBER STATE] is: [NAME AND CONTACT DETAILS OF NATIONAL AUTHORITY].</p> <h4 id="public-disclosure"> Public disclosure <a href="#public-disclosure" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h4> <p>In exceptional circumstances defined in Article 15 of the Directive, reporting persons may make a public disclosure and still receive protection — for example, where they have reasonable grounds to believe that the breach constitutes an imminent or manifest danger to the public interest, or where there is a risk of retaliation.</p> <h3 id="5-confidentiality"> 5. Confidentiality <a href="#5-confidentiality" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The identity of the reporting person will not be disclosed to anyone beyond the authorized staff members competent to receive or follow up on reports, without the explicit consent of the reporting person (Article 16).</p> <p>This confidentiality obligation applies to all information from which the identity of the reporting person may be directly or indirectly deduced.</p> <p>The identity of the reporting person may only be disclosed where this is a necessary and proportionate obligation imposed under Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defense of the person concerned.</p> <p>Any person who discloses the identity of a reporting person in violation of this policy will be subject to disciplinary action.</p> <h3 id="6-prohibition-of-retaliation"> 6. Prohibition of retaliation <a href="#6-prohibition-of-retaliation" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>[ORGANIZATION NAME] strictly prohibits any form of retaliation against reporting persons, in accordance with Articles 19 to 21 of the Directive. Retaliation includes, but is not limited to:</p> <ul> <li>Suspension, dismissal, or equivalent measures</li> <li>Demotion, withholding of promotion, or change of duties or work location</li> <li>Reduction of wages or changes to working hours</li> <li>Withholding of training</li> <li>Negative performance assessment or employment reference</li> <li>Coercion, intimidation, harassment, or ostracism</li> <li>Discrimination or unfavorable treatment</li> <li>Failure to convert a temporary employment contract into a permanent one</li> <li>Non-renewal or early termination of a temporary employment contract</li> <li>Harm, including to reputation or financial loss</li> <li>Blacklisting</li> <li>Early termination or cancellation of a contract for goods or services</li> <li>Cancellation of a license or permit</li> <li>Psychiatric or medical referrals</li> </ul> <p>The burden of proof in retaliation proceedings is reversed: where a reporting person establishes that they made a report and subsequently suffered a detriment, it is presumed that the detriment was made in retaliation. The person who took the detrimental action must prove it was based on duly justified grounds unrelated to the report (Article 21(5)).</p> <p>Any employee found to have engaged in retaliation will be subject to disciplinary action, up to and including termination.</p> <h3 id="7-investigation-process"> 7. Investigation process <a href="#7-investigation-process" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Upon receipt of a report, [ORGANIZATION NAME] will:</p> <ol> <li><strong>Acknowledge receipt</strong> within seven calendar days of receiving the report (Article 9(1)(b)).</li> <li><strong>Assess the report</strong> to determine whether it falls within the scope of this policy and warrants investigation.</li> <li><strong>Investigate diligently</strong> by gathering relevant information, interviewing witnesses as necessary, and reviewing documents, while maintaining confidentiality throughout.</li> <li><strong>Provide feedback</strong> to the reporting person within three months of acknowledgment. Feedback will include information on the status of the investigation and, where possible, the outcome and any measures taken or envisaged (Article 9(1)(f)).</li> <li><strong>Close the case</strong> with documented findings and, where appropriate, recommend corrective actions, disciplinary measures, or referral to competent authorities.</li> </ol> <p>Where a report is assessed as falling outside the scope of this policy, the reporting person will be informed and, where appropriate, redirected to the relevant procedure.</p> <h3 id="8-data-protection"> 8. Data protection <a href="#8-data-protection" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Reports and all related data will be processed in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection law.</p> <p>Personal data that is manifestly not relevant to the handling of a specific report will not be collected or, if accidentally collected, will be deleted without undue delay (Article 17(3)).</p> <p>Report data will be retained for no longer than is necessary and proportionate to comply with the requirements of this policy and applicable law. [ORGANIZATION NAME] will define and document specific retention periods in accordance with national transposition law.</p> <h3 id="9-training-and-awareness"> 9. Training and awareness <a href="#9-training-and-awareness" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>[ORGANIZATION NAME] will:</p> <ul> <li>Train all designated case handlers on their obligations under this policy and applicable law</li> <li>Inform all employees and other persons covered by Section 2 about the availability and use of the internal reporting channel</li> <li>Make this policy easily accessible, including on the company intranet and as part of the onboarding process for new employees</li> </ul> <h3 id="10-review"> 10. Review <a href="#10-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>This policy will be reviewed at least annually and updated as necessary to reflect changes in applicable law, organizational structure, or best practices.</p> <h3 id="11-contact"> 11. Contact <a href="#11-contact" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>For questions about this policy or the reporting channel:</p> <ul> <li><strong>Designated person:</strong> [NAME / TITLE]</li> <li><strong>Email:</strong> [EMAIL ADDRESS]</li> <li><strong>Reporting portal:</strong> [URL]</li> </ul> <hr> <p><em>End of policy document.</em></p> <hr> <h2 id="using-this-template"> Using this template <a href="#using-this-template" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Copy the text above into your company’s document format, replace every bracketed placeholder, and have it reviewed by your legal team. The template covers the requirements of Directive 2019/1937, but national transposition laws in your member state may impose additional obligations — check with local counsel.</p> <p>Once your policy is in place, you need a technical channel to receive reports. <a href="/">EthicsPortal</a> provides a secure, anonymous reporting portal that meets the Directive’s requirements for internal channels — set up in minutes, starting at €49/month.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/who-must-comply-eu-whistleblower-directive/Sun, 15 Mar 2026 00:00:00 +0000https://ethicsportal.eu/blog/who-must-comply-eu-whistleblower-directive/Which companies need a whistleblowing channel under EU Directive 2019/1937? The 50-employee threshold, who counts as a worker, deadlines, and what "comply" actually means in practice.<h1 id="who-must-comply-with-the-eu-whistleblower-directive"> Who must comply with the EU Whistleblower Directive? <a href="#who-must-comply-with-the-eu-whistleblower-directive" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Short answer: if your organization has 50 or more employees and operates in the EU, you almost certainly need an internal whistleblower reporting channel. This is not optional. It is law in all 27 EU member states.</p> <p>Here is everything you need to know to determine whether you must comply, what compliance actually requires, and what happens if you do not.</p> <hr> <h2 id="the-threshold-50-employees"> The threshold: 50 employees <a href="#the-threshold-50-employees" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EU Directive 2019/1937, Article 8(3)-(4), establishes the obligation:</p> <ul> <li><strong>250+ employees:</strong> Must have had an internal reporting channel since December 17, 2021 (the original transposition deadline per <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32019L1937" rel="nofollow">Art. 26(1)</a> ).</li> <li><strong>50–249 employees:</strong> Must have had an internal reporting channel since December 17, 2023 (extended deadline per <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32019L1937" rel="nofollow">Art. 26(2)</a> ).</li> </ul> <p>If you have 50 or more employees in the EU, the deadline has already passed. You should have a channel in place now.</p> <h3 id="how-employees-are-counted"> How employees are counted <a href="#how-employees-are-counted" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Directive does not define “employee” narrowly. Member states count:</p> <ul> <li>Full-time and part-time employees (part-time may be counted proportionally in some countries)</li> <li>Fixed-term and temporary workers</li> <li>In some member states: posted workers, trainees, and apprentices</li> </ul> <p>The count is based on your legal entity, not your group. If you are part of a corporate group, each entity with 50+ employees needs its own channel — though entities of 50–249 employees may share resources for receiving and investigating reports (Art. 8(6)).</p> <hr> <h2 id="who-is-covered-beyond-headcount"> Who is covered beyond headcount <a href="#who-is-covered-beyond-headcount" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Several categories of organizations must comply regardless of employee count:</p> <h3 id="financial-services-art-84"> <a href="/industries/financial-services/">Financial services</a> (Art. 8(4)) <a href="#financial-services-art-84" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>All entities operating in financial services — banks, investment firms, insurance companies, payment institutions, crypto-asset providers — must have a reporting channel irrespective of size. This applies even if you have 5 employees. The Directive defers to the sector-specific EU legislation listed in Part I.B and Part II of the Annex.</p> <h3 id="public-sector-art-89"> <a href="/industries/public-sector/">Public sector</a> (Art. 8(9)) <a href="#public-sector-art-89" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Member states may require municipalities and other public bodies to establish internal channels. Many have done so, often with lower thresholds or no threshold at all.</p> <h3 id="national-extensions"> National extensions <a href="#national-extensions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Some member states go beyond the Directive’s minimum:</p> <ul> <li><strong><a href="/whistleblower-laws/italy/">Italy</a> :</strong> Organizations with a “Model 231” compliance program must comply regardless of size. <a href="https://www.nortonrosefulbright.com/en-it/knowledge/publications/5ff4d59b/whistleblowing-i-nuovi-obblighi-per-le-imprese" rel="nofollow">Source: Norton Rose Fulbright</a> </li> <li><strong><a href="/whistleblower-laws/belgium/">Belgium</a> :</strong> Companies with 250+ employees must accept anonymous reports (stricter than the Directive’s baseline). <a href="https://www.vow.be/en/node/358" rel="nofollow">Source: Van Olmen & Wynant</a> </li> <li><strong><a href="/whistleblower-laws/france/">France</a> :</strong> The <a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">Loi Waserman (2022-401)</a> transposing the Directive removed the requirement to use internal channels before going to external authorities — reporters can now choose either path. <a href="https://www.legifrance.gouv.fr/loda/id/JORFTEXT000033558528" rel="nofollow">Sapin II’s</a> broader anti-corruption compliance obligations (separate from the whistleblower channel) still apply to companies with 500+ employees and €100M+ revenue.</li> </ul> <hr> <h2 id="who-can-report"> Who can report <a href="#who-can-report" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The Directive protects a broad category of “reporting persons” — not just employees. Under Article 4, the following people are protected when they report through your channel:</p> <ul> <li><strong>Workers</strong> (employees, civil servants, interns, trainees)</li> <li><strong>Self-employed persons</strong> (contractors, freelancers)</li> <li><strong>Shareholders and board members</strong></li> <li><strong>Volunteers</strong></li> <li><strong>Suppliers and their workers</strong> (anyone in your supply chain)</li> <li><strong>Job applicants</strong> (people who learned of wrongdoing during the recruitment process)</li> <li><strong>Former workers</strong> (people who learned of wrongdoing during a previous employment)</li> </ul> <p>Your reporting channel must be accessible to all of these groups, not just current employees.</p> <hr> <h2 id="what-compliance-actually-requires"> What compliance actually requires <a href="#what-compliance-actually-requires" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Having a channel means meeting the requirements in Articles 8, 9, and 16 of the Directive. Here is the minimum:</p> <h3 id="1-a-secure-reporting-channel-art-8"> 1. A secure reporting channel (Art. 8) <a href="#1-a-secure-reporting-channel-art-8" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>An internal channel that allows reporting in writing (and optionally orally). It must:</p> <ul> <li>Be accessible to all persons covered by the Directive (employees, contractors, suppliers, etc.)</li> <li>Protect the confidentiality of the reporter’s identity</li> <li>Not require the reporter to identify themselves (anonymous reporting is permitted in most member states)</li> </ul> <h3 id="2-a-documented-procedure-art-9"> 2. A documented procedure (Art. 9) <a href="#2-a-documented-procedure-art-9" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The channel must follow a defined procedure:</p> <table> <thead> <tr> <th>Requirement</th> <th>Deadline</th> <th>Article</th> </tr> </thead> <tbody> <tr> <td>Acknowledge receipt of the report</td> <td>Within 7 days</td> <td>Art. 9(1)(b)</td> </tr> <tr> <td>Assign an impartial person or department to handle it</td> <td>Upon receipt</td> <td>Art. 9(1)(a)</td> </tr> <tr> <td>Follow up diligently</td> <td>Ongoing</td> <td>Art. 9(1)(c)</td> </tr> <tr> <td>Provide feedback to the reporter</td> <td>Within 3 months</td> <td>Art. 9(1)(f)</td> </tr> <tr> <td>Inform the reporter of external reporting options</td> <td>At submission</td> <td>Art. 9(1)(g)</td> </tr> </tbody> </table> <h3 id="3-confidentiality-protections-art-16"> 3. Confidentiality protections (Art. 16) <a href="#3-confidentiality-protections-art-16" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The reporter’s identity must not be disclosed to anyone beyond the staff handling the report, without the reporter’s explicit consent. This means:</p> <ul> <li>Access controls: only authorized handlers see reports</li> <li>No IP logging or tracking that could identify anonymous reporters</li> <li>Data encrypted at rest</li> </ul> <h3 id="4-record-keeping-art-18"> 4. Record-keeping (Art. 18) <a href="#4-record-keeping-art-18" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Reports must be stored securely and retained in compliance with national law. You need an audit trail that can demonstrate compliance to regulators.</p> <h3 id="5-anti-retaliation-measures-art-1921"> 5. Anti-retaliation measures (Art. 19–21) <a href="#5-anti-retaliation-measures-art-1921" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>You must not retaliate against reporters. This includes dismissal, demotion, withholding promotion, changing duties, or any other form of disadvantage. Reporters must be informed of this protection.</p> <hr> <h2 id="what-does-not-count-as-compliance"> What does NOT count as compliance <a href="#what-does-not-count-as-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Some things organizations try that do not meet the Directive’s requirements:</p> <ul> <li><strong>A generic email address</strong> (e.g., <a href="mailto:compliance@company.com">compliance@company.com</a> ). This does not protect confidentiality, does not track deadlines, and does not create an audit trail.</li> <li><strong>An anonymous suggestion box.</strong> No two-way communication, no acknowledgment, no feedback mechanism.</li> <li><strong>A page in the employee handbook.</strong> The channel must be operational, not just documented.</li> <li><strong>A third-party hotline with no case management.</strong> If reports come in by phone but are not tracked through a system with deadlines and audit trails, you are not compliant with Art. 9.</li> </ul> <hr> <h2 id="what-happens-if-you-do-not-comply"> What happens if you do not comply <a href="#what-happens-if-you-do-not-comply" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Every member state has defined penalties. They vary widely:</p> <table> <thead> <tr> <th>Country</th> <th>Penalty for no reporting channel</th> <th>Source</th> </tr> </thead> <tbody> <tr> <td>Spain</td> <td>Up to €1,000,000</td> <td><a href="https://www.boe.es/buscar/act.php?id=BOE-A-2023-4513" rel="nofollow">Law 2/2023</a> </td> </tr> <tr> <td>Belgium</td> <td>€24,000–€576,000 + up to 3 years prison</td> <td><a href="https://cms.law/en/int/expert-guides/whistleblower-protection-and-reporting-channels/belgium" rel="nofollow">CMS Expert Guide</a> </td> </tr> <tr> <td>Germany</td> <td>€20,000–€500,000 (legal entities)</td> <td><a href="https://www.gesetze-im-internet.de/hinschg/" rel="nofollow">HinSchG §40</a> </td> </tr> <tr> <td>Italy</td> <td>€10,000–€50,000</td> <td><a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">D.Lgs. 24/2023</a> </td> </tr> <tr> <td>Poland</td> <td>Up to PLN 1,080,000 (~€250,000)</td> <td><a href="https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20240000928" rel="nofollow">Act of 14 June 2024</a> </td> </tr> </tbody> </table> <p>Enforcement is not theoretical. In March 2025, the <a href="https://eucrim.eu/news/ecj-ordered-several-member-states-to-financial-penalties-for-failing-to-transpose-whistleblowers-directive/" rel="nofollow">EU Court of Justice fined five member states a combined €39 million</a> for being late to transpose the Directive. National enforcement authorities are now operational in most countries and actively issuing fines.</p> <p>See our full <a href="/penalties/">penalties by country</a> page for all 27 member states.</p> <hr> <h2 id="the-fastest-path-to-compliance"> The fastest path to compliance <a href="#the-fastest-path-to-compliance" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If your organization has 50+ employees, the deadline has passed. Here is how to get compliant:</p> <ol> <li><strong>Set up a reporting channel.</strong> <a href="https://secure.ethicsportal.eu/session/new" rel="nofollow">EthicsPortal</a> takes minutes — sign up, configure your portal, share the link. €49/month, everything included.</li> <li><strong>Designate a handler.</strong> Assign at least one impartial person to receive and investigate reports.</li> <li><strong>Inform employees.</strong> Share the portal URL and QR code via posters, onboarding materials, and internal communications.</li> <li><strong>Document your procedure.</strong> Adopt an internal whistleblower protection policy that describes the process, deadlines, and anti-retaliation protections.</li> </ol> <p>The software is the easy part. The entire setup — channel, configuration, QR code — can be done in a lunch break. The organizational steps (handler designation, policy, training) take longer but are straightforward.</p> <p>For an article-by-article breakdown of how EthicsPortal meets the Directive’s requirements, see our <a href="/directive-coverage/">Directive 2019/1937 coverage map</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/anonymous-vs-confidential-reporting/Sun, 15 Feb 2026 00:00:00 +0000https://ethicsportal.eu/blog/anonymous-vs-confidential-reporting/Understand the difference between anonymous and confidential whistleblower reporting, what the EU Directive requires, and how to support both.<h1 id="anonymous-vs-confidential-whistleblower-reporting-whats-the-difference"> Anonymous vs. confidential whistleblower reporting: what’s the difference? <a href="#anonymous-vs-confidential-whistleblower-reporting-whats-the-difference" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Compliance officers frequently use “anonymous” and “confidential” interchangeably when discussing whistleblower reporting. They are not the same thing, and the distinction matters — both legally and practically.</p> <p>Getting this wrong can undermine trust in your reporting channel, expose your organization to liability, or make investigations harder than they need to be. Here is what each term means, what the EU Directive says, and how to handle both in practice.</p> <hr> <h2 id="definitions"> Definitions <a href="#definitions" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="anonymous-reporting"> Anonymous reporting <a href="#anonymous-reporting" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The reporter’s identity is unknown to everyone, including the case handler. The organization receives the report but has no way to determine who submitted it. The reporter does not provide their name, email, or any identifying information.</p> <p>True anonymity means that even if the organization wanted to identify the reporter, it could not — the system is designed to prevent it.</p> <h3 id="confidential-reporting"> Confidential reporting <a href="#confidential-reporting" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The reporter’s identity is known to the case handler (or a limited number of authorized persons), but it is protected from disclosure to anyone else. The handler knows who made the report but is legally and organizationally obligated not to reveal that identity.</p> <p>Confidentiality is a promise backed by legal protections. Anonymous reporting removes the need for that promise entirely.</p> <hr> <h2 id="what-the-eu-directive-says"> What the EU Directive says <a href="#what-the-eu-directive-says" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EU Directive 2019/1937 addresses both concepts, though it gives member states flexibility on anonymous reporting.</p> <p><strong>Confidentiality (Article 16):</strong> The Directive is unambiguous here. The identity of the reporting person must not be disclosed to anyone beyond authorized staff without the reporter’s explicit consent. This applies to all reports, whether the reporter identifies themselves or not. Confidentiality is mandatory.</p> <p><strong>Anonymous reporting (Article 6(2–3), Recital 34):</strong> The Directive does not require member states to accept anonymous reports through internal channels. However, it explicitly states that member states <em>may</em> decide to allow or require anonymous reporting. Where anonymous reports are accepted, they must be handled with the same diligence as identified reports.</p> <p>In practice, the majority of member states that have transposed the Directive now require or strongly encourage anonymous reporting. <a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045388745" rel="nofollow">France</a> , <a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">Germany</a> , <a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">Italy</a> , and several others mandate it. Even where it is not legally required, allowing anonymity is considered best practice because it increases reporting rates.</p> <p><strong>Two-way communication (Article 9(1)(b)):</strong> The Directive requires that reporting channels allow communication with the reporter, including providing acknowledgment and feedback. For anonymous reporters, this means the channel must support two-way messaging without requiring identity disclosure — typically through an access code or case reference number.</p> <hr> <h2 id="pros-and-cons"> Pros and cons <a href="#pros-and-cons" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="anonymous-reporting-1"> Anonymous reporting <a href="#anonymous-reporting-1" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Pros:</strong></p> <ul> <li>Removes the fear barrier entirely — reporters do not risk being identified</li> <li>Higher reporting rates, especially for sensitive issues like fraud by senior management</li> <li>Protects reporters even if the organization’s confidentiality measures fail</li> <li>Builds trust in the reporting channel</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>Follow-up is harder — the handler cannot call the reporter for clarification unless two-way messaging is available</li> <li>Risk of lower-quality reports if the reporter knows they cannot be contacted</li> <li>Some organizations worry about frivolous or malicious reports (in practice, the <a href="https://www.acfe.com/report-to-the-nations/2024/" rel="nofollow">ACFE Report to the Nations</a> and <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD:2018:0116:FIN" rel="nofollow">EU Commission impact assessment</a> found this is rare)</li> <li>Investigation may be more difficult without knowing the reporter’s vantage point</li> </ul> <h3 id="confidential-reporting-1"> Confidential reporting <a href="#confidential-reporting-1" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Pros:</strong></p> <ul> <li>Easier follow-up — the handler can contact the reporter directly for additional information</li> <li>The reporter’s perspective and role can help focus the investigation</li> <li>Reports tend to be more detailed when the reporter knows they can be contacted</li> <li>The handler can assess credibility more easily</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>Requires the reporter to trust that confidentiality will be maintained</li> <li>A single data breach, careless email, or unauthorized access can expose the reporter</li> <li>Some reporters will not use the channel if identification is required</li> <li>The organization bears the legal risk of maintaining confidentiality</li> </ul> <hr> <h2 id="how-anonymous-reporting-works-in-practice"> How anonymous reporting works in practice <a href="#how-anonymous-reporting-works-in-practice" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Anonymous reporting does not mean the reporter submits a message into a void and never hears back. Modern whistleblower platforms solve the communication problem with access codes.</p> <p>Here is how it typically works:</p> <ol> <li><strong>The reporter submits a report</strong> through the portal without entering any personal information.</li> <li><strong>The system generates a unique access code</strong> (or case reference number) and displays it to the reporter.</li> <li><strong>The reporter saves the access code.</strong> This is their key to the case.</li> <li><strong>The case handler reviews the report</strong> and can post follow-up questions or status updates to the case.</li> <li><strong>The reporter returns to the portal</strong>, enters the access code, and sees any messages from the handler. They can reply, provide additional documents, or answer questions — all without revealing who they are.</li> </ol> <p>This approach satisfies the Directive’s two-way communication requirement while preserving anonymity. The handler gets the information they need for the investigation; the reporter stays protected.</p> <p>The access code model also supports the seven-day acknowledgment and three-month feedback requirements, because the reporter can check the portal at any time to see if acknowledgment or feedback has been provided.</p> <hr> <h2 id="why-offering-both-options-is-the-right-approach"> Why offering both options is the right approach <a href="#why-offering-both-options-is-the-right-approach" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The strongest reporting channels give reporters the choice: submit anonymously, or provide your identity with the assurance of confidentiality.</p> <p>Here is why:</p> <ul> <li><strong>Different situations call for different approaches.</strong> A junior employee reporting a senior executive’s fraud may choose anonymity. A department head flagging a safety issue may prefer to identify themselves so the investigation can move faster.</li> <li><strong>Choice builds trust.</strong> When reporters see that anonymity is genuinely available, they trust the channel more — even the ones who ultimately choose to identify themselves.</li> <li><strong>Legal coverage.</strong> In member states that require anonymous reporting, you are compliant. In those that do not, you exceed the minimum standard.</li> <li><strong>Better reporting rates.</strong> The <a href="https://www.acfe.com/report-to-the-nations/2024/" rel="nofollow">ACFE Report to the Nations (2024)</a> found that tips are the most common fraud detection method (43% of cases), and anonymous hotlines significantly increase tip volume.</li> </ul> <p>The EU Directive’s own recitals acknowledge this: allowing anonymous reporting <em>encourages</em> reporting and makes channels more effective.</p> <hr> <h2 id="how-ethicsportal-handles-this"> How EthicsPortal handles this <a href="#how-ethicsportal-handles-this" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal supports both anonymous and confidential reporting:</p> <ul> <li><strong>Anonymous by default.</strong> Reporters are never required to provide their identity. No name, no email, no account.</li> <li><strong>Optional identity disclosure.</strong> Reporters can choose to share their name or contact information if they want to. This is entirely voluntary.</li> <li><strong>Access code messaging.</strong> Every report generates a unique access code. The reporter uses it to check for updates and communicate with the case handler, without revealing who they are.</li> <li><strong>Confidentiality enforced.</strong> When a reporter does share their identity, access controls ensure only designated case handlers can see it.</li> </ul> <p>This gives reporters full control over their level of exposure, while giving case handlers the tools they need to investigate effectively.</p> <hr> <h2 id="the-bottom-line"> The bottom line <a href="#the-bottom-line" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Anonymous means the handler does not know who you are. Confidential means the handler knows but is legally bound not to tell anyone else. Both serve the goal of protecting reporters, but they do so differently.</p> <p>The EU Directive mandates confidentiality. It leaves anonymous reporting to member states, most of which now require or recommend it. The safest approach — for your reporters and your compliance posture — is to offer both.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/how-to-implement-whistleblower-channel/Sun, 01 Feb 2026 00:00:00 +0000https://ethicsportal.eu/blog/how-to-implement-whistleblower-channel/A step-by-step guide to setting up a compliant whistleblower reporting channel quickly, without weeks of onboarding or enterprise sales calls.<h1 id="how-to-set-up-a-whistleblower-reporting-channel-in-5-minutes"> How to set up a whistleblower reporting channel in 5 minutes <a href="#how-to-set-up-a-whistleblower-reporting-channel-in-5-minutes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>Every EU member state now requires organizations with 50 or more employees to operate an internal whistleblower reporting channel — through national laws like <a href="/whistleblower-laws/france/">Loi Waserman</a> (France), <a href="/whistleblower-laws/germany/">HinSchG</a> (Germany), <a href="/whistleblower-laws/spain/">Ley 2/2023</a> (Spain), and the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> (Poland), all transposing EU Directive 2019/1937. The requirement is clear, but most implementations take far longer than they should.</p> <p>This guide explains what the law actually requires from the channel itself, why enterprise tools make the process unnecessarily slow, and how to get a working channel live in minutes.</p> <hr> <h2 id="what-the-directive-requires"> What the Directive requires <a href="#what-the-directive-requires" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Article 8 and Article 9 specify what an internal reporting channel must do:</p> <ul> <li>Accept reports in writing or orally</li> <li>Allow anonymous reporting (required in some member states, strongly recommended everywhere)</li> <li>Enable two-way communication with the reporter, even if they are anonymous</li> <li>Ensure only authorized persons can access reports</li> <li>Acknowledge receipt within seven calendar days</li> <li>Provide feedback within three months</li> </ul> <p>That is the legal minimum. No specific technology is mandated — the Directive is technology-neutral. A web portal, a phone line, or even a locked physical mailbox can qualify, as long as the requirements above are met.</p> <hr> <h2 id="why-most-implementations-take-weeks"> Why most implementations take weeks <a href="#why-most-implementations-take-weeks" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>Enterprise whistleblower platforms are designed for large organizations with complex procurement processes. A typical implementation looks like this:</p> <ol> <li><strong>Request a demo</strong> — fill out a form, wait for a sales rep to call you back</li> <li><strong>Attend the demo</strong> — a 30–60 minute call where the vendor walks you through features you may not need</li> <li><strong>Receive a proposal</strong> — custom pricing based on employee count, modules, and add-ons</li> <li><strong>Negotiate the contract</strong> — legal review, DPA signing, procurement approval</li> <li><strong>Onboarding kickoff</strong> — a project manager is assigned, another call is scheduled</li> <li><strong>Configuration</strong> — the vendor configures your portal, categories, and branding (or trains you to do it)</li> <li><strong>Testing and launch</strong> — review, approve, and go live</li> </ol> <p>For a 100-person company that just needs a compliant channel, this process is weeks of elapsed time and hours of meetings. It is designed for enterprises where a six-week procurement cycle is normal. For an SME, it is friction that delays compliance.</p> <hr> <h2 id="the-5-minute-setup-with-ethicsportal"> The 5-minute setup with EthicsPortal <a href="#the-5-minute-setup-with-ethicsportal" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>EthicsPortal is built for the opposite scenario: you need a compliant channel, and you need it today.</p> <h3 id="step-1-sign-up-1-minute"> Step 1: Sign up (1 minute) <a href="#step-1-sign-up-1-minute" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Go to <a href="/">ethicsportal.eu</a> and create an account. No demo request, no sales call, no “contact us for pricing.” You enter your email, set a password, and you are in.</p> <h3 id="step-2-configure-your-portal-2-minutes"> Step 2: Configure your portal (2 minutes) <a href="#step-2-configure-your-portal-2-minutes" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>From the dashboard, set up your reporting portal:</p> <ul> <li><strong>Organization name</strong> — appears on the portal so reporters know they are in the right place</li> <li><strong>Report categories</strong> — define what types of issues can be reported (fraud, harassment, safety violations, etc.). Sensible defaults are provided.</li> <li><strong>Welcome text</strong> — the message reporters see when they land on the portal. A clear, reassuring default is pre-filled.</li> <li><strong>Logo</strong> — match your organization’s visual identity</li> <li><strong>Language</strong> — choose the portal language for your reporters</li> </ul> <p>The portal is live at a unique URL as soon as you save. No deployment, no waiting.</p> <h3 id="step-3-share-the-portal-with-employees-1-minute"> Step 3: Share the portal with employees (1 minute) <a href="#step-3-share-the-portal-with-employees-1-minute" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Every portal gets a shareable link and a QR code. You can:</p> <ul> <li>Email the link to all employees</li> <li>Print the QR code and post it in break rooms, offices, or common areas</li> <li>Add the link to your intranet or employee handbook</li> <li>Include it in your written whistleblower policy</li> </ul> <h3 id="step-4-start-receiving-and-managing-reports-1-minute"> Step 4: Start receiving and managing reports (1 minute) <a href="#step-4-start-receiving-and-managing-reports-1-minute" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>When someone submits a report through the portal, you receive a notification. From the dashboard, you can:</p> <ul> <li>Read the report</li> <li>Communicate with the reporter via secure two-way messaging (even if they are anonymous — they use an access code)</li> <li>Track the seven-day acknowledgment deadline</li> <li>Track the three-month feedback deadline</li> <li>Update the case status and add internal notes</li> <li>Close the case with a documented outcome</li> </ul> <p>That is it. Your channel is live, compliant, and ready to receive reports.</p> <hr> <h2 id="what-to-do-after-setup"> What to do after setup <a href="#what-to-do-after-setup" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>A reporting channel is the technical foundation, but compliance requires organizational steps too:</p> <h3 id="designate-a-case-handler"> Designate a case handler <a href="#designate-a-case-handler" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Appoint one or more persons to receive and investigate reports. This person should be impartial and not likely to be the subject of reports. A compliance officer, legal counsel, or senior HR person typically fills this role. For small organizations, the managing director can serve as handler.</p> <h3 id="train-your-handlers"> Train your handlers <a href="#train-your-handlers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Case handlers need to understand: how to use the platform, confidentiality obligations, the seven-day and three-month deadlines, basics of conducting an internal investigation, and anti-retaliation rules.</p> <h3 id="write-a-whistleblower-policy"> Write a whistleblower policy <a href="#write-a-whistleblower-policy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>Document how your organization handles reports. Cover scope, who can report, confidentiality, anti-retaliation, and the investigation process. See our <a href="/blog/whistleblower-policy-template/">free policy template</a> for a ready-to-use document.</p> <h3 id="inform-employees"> Inform employees <a href="#inform-employees" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p>The Directive requires you to proactively tell employees about the channel. Send an email, post on the intranet, mention it in team meetings, and include it in onboarding. The QR code makes this easy — print it and put it where people will see it.</p> <hr> <h2 id="common-mistakes-to-avoid"> Common mistakes to avoid <a href="#common-mistakes-to-avoid" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><strong>Using a generic email address.</strong> An email like <a href="mailto:compliance@company.com">compliance@company.com</a> does not meet the Directive’s requirements in most cases. Email lacks encryption, does not support anonymous reporting, and does not provide two-way communication with anonymous reporters.</p> <p><strong>Requiring reporters to identify themselves.</strong> While the Directive does not uniformly require anonymous reporting, several national laws do (e.g., <a href="/whistleblower-laws/belgium/">Belgium</a> mandates anonymous reporting for companies with 250+ employees). Making identification mandatory discourages reporting. Allow anonymity by default.</p> <p><strong>Forgetting the deadlines.</strong> Seven days for acknowledgment, three months for feedback. These are not suggestions — they are legal requirements. Missing them is a compliance failure. Use a system that tracks these deadlines automatically.</p> <p><strong>Not designating a handler.</strong> The channel is a mailbox. Someone needs to open it, read the reports, and act on them. If no one is designated, reports go unanswered and deadlines pass.</p> <p><strong>Over-engineering the setup.</strong> You do not need a full GRC suite, custom integrations, or a six-month rollout to comply. A working channel with anonymous reporting, two-way communication, and deadline tracking covers the legal requirements. Start simple, add complexity only if you need it.</p> <hr> <h2 id="get-started"> Get started <a href="#get-started" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p><a href="/">EthicsPortal</a> is €49/month flat — no per-employee pricing, no annual contracts, no sales calls. Set up your compliant reporting channel in minutes and focus on what matters: protecting the people who speak up.</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/compliance-checklist/Thu, 15 Jan 2026 00:00:00 +0000https://ethicsportal.eu/blog/compliance-checklist/A practical 12-step checklist to comply with EU Directive 2019/1937 and national transposition laws, with article references, tips, and implementation guidance.<h1 id="eu-whistleblower-directive-compliance-checklist-for-companies"> EU whistleblower directive compliance checklist for companies <a href="#eu-whistleblower-directive-compliance-checklist-for-companies" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>All 27 EU member states have transposed EU Directive 2019/1937 into national law — including <a href="/whistleblower-laws/france/">Loi Waserman</a> (France), <a href="/whistleblower-laws/germany/">HinSchG</a> (Germany), <a href="/whistleblower-laws/spain/">Ley 2/2023</a> (Spain), <a href="/whistleblower-laws/italy/">D.Lgs. 24/2023</a> (Italy), and the <a href="/whistleblower-laws/poland/">Act of 14 June 2024</a> (Poland). Your organization must comply with the national law in your country of operation, and enforcement is active.</p> <p>This checklist walks you through the twelve steps to full compliance. For each item, we cite the relevant Directive article, share practical tips, and note where tooling can help. See our <a href="/whistleblower-laws/">whistleblower laws by country</a> reference for your country’s specific requirements.</p> <hr> <h2 id="the-checklist"> The checklist <a href="#the-checklist" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <h3 id="1-determine-if-your-organization-is-in-scope"> 1. Determine if your organization is in scope <a href="#1-determine-if-your-organization-is-in-scope" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 8(3–4)</p> <p>All legal entities in the private sector with 50 or more workers must establish internal reporting channels. <a href="/industries/public-sector/">Public sector</a> entities, municipalities, and entities in certain regulated sectors (<a href="/industries/financial-services/">financial services</a> , aviation safety, maritime, etc.) are in scope regardless of size.</p> <p><strong>Practical tip:</strong> Count all workers, not just full-time employees. Part-time staff, contractors working on-site, and temporary agency workers may count toward the threshold depending on your national law. Some countries go further — <a href="/whistleblower-laws/italy/">Italy</a> requires a channel for all companies with a Model 231 compliance program regardless of size, and <a href="/whistleblower-laws/spain/">Spain</a> covers all public entities.</p> <hr> <h3 id="2-establish-an-internal-reporting-channel"> 2. Establish an internal reporting channel <a href="#2-establish-an-internal-reporting-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 8(1), Article 9(1)(a)</p> <p>The channel must allow reporting in writing (online form, email, postal) or orally (phone, voice messaging system), or both. On request, it must also allow in-person meetings within a reasonable timeframe.</p> <p><strong>Practical tip:</strong> A web-based portal is the most practical option — it is accessible 24/7, creates an automatic record, and supports anonymous two-way communication. Avoid using generic email addresses; they lack encryption, anonymity, and audit trails.</p> <p><strong>How EthicsPortal helps:</strong> Provides a branded web portal with encrypted anonymous reporting and two-way messaging, ready in minutes.</p> <hr> <h3 id="3-designate-an-impartial-person-or-department-to-handle-reports"> 3. Designate an impartial person or department to handle reports <a href="#3-designate-an-impartial-person-or-department-to-handle-reports" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(c)</p> <p>You must designate a person or department competent to follow up on reports. This person must be impartial — they should not have a conflict of interest with the subject matter of reports.</p> <p><strong>Practical tip:</strong> Common choices include a compliance officer, a legal counsel, an HR director, or an external ombudsperson. For smaller organizations, the managing director can serve this role if they are not likely to be the subject of reports. Consider designating a backup handler.</p> <hr> <h3 id="4-set-up-the-acknowledgment-process-7-day-deadline"> 4. Set up the acknowledgment process (7-day deadline) <a href="#4-set-up-the-acknowledgment-process-7-day-deadline" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(b)</p> <p>You must acknowledge receipt of a report within seven calendar days. This applies to all reports, including anonymous ones.</p> <p><strong>Practical tip:</strong> Automate this. A manual process risks missing the seven-day window during holidays or absences.</p> <p><strong>How EthicsPortal helps:</strong> Tracks the acknowledgment deadline for each report and shows case handlers which reports need attention.</p> <hr> <h3 id="5-define-the-feedback-process-3-month-deadline"> 5. Define the feedback process (3-month deadline) <a href="#5-define-the-feedback-process-3-month-deadline" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(f)</p> <p>You must provide feedback to the reporting person within three months of the acknowledgment. Feedback includes: whether the report is being assessed, is under investigation, or has been closed, and the outcome of any investigation.</p> <p><strong>Practical tip:</strong> “Feedback” does not require disclosing the full investigation outcome. Informing the reporter that the matter was investigated and appropriate action was taken is sufficient. For anonymous reporters, feedback must be available through the reporting channel (for example, via an access code).</p> <p><strong>How EthicsPortal helps:</strong> Tracks the three-month feedback deadline per case and supports two-way messaging with anonymous reporters via access codes.</p> <hr> <h3 id="6-implement-confidentiality-measures"> 6. Implement confidentiality measures <a href="#6-implement-confidentiality-measures" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 16</p> <p>The identity of the reporting person must not be disclosed to anyone beyond authorized case handlers without the reporter’s explicit consent. This also covers information from which the reporter’s identity could be indirectly deduced.</p> <p><strong>Practical tip:</strong> Limit access to reports strictly. Do not share report details in meetings where unauthorized persons are present. When referring cases internally, redact identifying information about the reporter. Ensure your IT systems enforce access controls.</p> <p><strong>How EthicsPortal helps:</strong> Role-based access ensures only designated case handlers can view reports. Reporter identity is never exposed unless the reporter voluntarily shares it.</p> <hr> <h3 id="7-establish-anti-retaliation-protections"> 7. Establish anti-retaliation protections <a href="#7-establish-anti-retaliation-protections" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Articles 19, 20, 21</p> <p>Reporting persons, facilitators, and connected third parties must be protected from retaliation. The Directive defines retaliation broadly: dismissal, demotion, intimidation, blacklisting, and more. The burden of proof is reversed — if a reporter suffers a detriment after reporting, the employer must prove the detriment was unrelated to the report.</p> <p><strong>Practical tip:</strong> Document this protection in your whistleblower policy. Train managers on what constitutes retaliation. Track personnel actions involving anyone who has made a report, so you can demonstrate that decisions were made on legitimate grounds.</p> <hr> <h3 id="8-train-case-handlers"> 8. Train case handlers <a href="#8-train-case-handlers" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(c–f) (implied)</p> <p>The Directive does not prescribe specific training, but case handlers must be competent to fulfill the obligations it creates: maintaining confidentiality, providing acknowledgment within seven days, conducting diligent follow-up, and providing feedback within three months.</p> <p><strong>Practical tip:</strong> At a minimum, train case handlers on: how to use the reporting channel, confidentiality obligations, investigation basics, anti-retaliation rules, and data protection. Document the training. Refresh annually.</p> <hr> <h3 id="9-inform-employees-about-the-reporting-channel"> 9. Inform employees about the reporting channel <a href="#9-inform-employees-about-the-reporting-channel" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 9(1)(g)</p> <p>You must provide clear and easily accessible information about how to use the internal reporting channel. You must also inform employees about their right to report externally to competent authorities.</p> <p><strong>Practical tip:</strong> Publish the information on your intranet, include it in onboarding materials, and display it in common areas. A QR code linking to the reporting portal is an effective way to make the channel discoverable.</p> <p><strong>How EthicsPortal helps:</strong> Generates a QR code and shareable link for your portal that you can print and distribute.</p> <hr> <h3 id="10-set-up-data-retention-and-deletion"> 10. Set up data retention and deletion <a href="#10-set-up-data-retention-and-deletion" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 17(1–3)</p> <p>Personal data in reports must not be kept longer than necessary. Data that is manifestly not relevant must be deleted promptly. Specific retention periods depend on your member state’s law, but the principle is: retain as long as needed for the investigation and any resulting proceedings, then delete.</p> <p><strong>Practical tip:</strong> Define a retention period in your policy. National laws vary — for example, <a href="/whistleblower-laws/france/">France</a> <a href="https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000046357368" rel="nofollow">requires 5 years</a> , <a href="/whistleblower-laws/germany/">Germany</a> <a href="https://www.gesetze-im-internet.de/englisch_hinschg/englisch_hinschg.html" rel="nofollow">requires 3 years</a> (HinSchG §11), and <a href="/whistleblower-laws/italy/">Italy</a> <a href="https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg" rel="nofollow">requires 5 years</a> (D.Lgs. 24/2023). See our <a href="/blog/gdpr-and-whistleblower-reporting/">GDPR and whistleblower reporting guide</a> for a full comparison. Set calendar reminders to review and delete closed cases.</p> <hr> <h3 id="11-prepare-a-written-whistleblower-policy"> 11. Prepare a written whistleblower policy <a href="#11-prepare-a-written-whistleblower-policy" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Articles 8, 9 (implied), plus most national transposition laws</p> <p>While the Directive does not explicitly mandate a standalone policy document, most national transposition laws do, and it is practically necessary to fulfill the information obligations in Article 9(1)(g).</p> <p><strong>Practical tip:</strong> Your policy should cover: scope, who can report, what can be reported, how to report, confidentiality, anti-retaliation, investigation process, feedback timelines, and data protection. See our <a href="/blog/whistleblower-policy-template/">free whistleblower policy template</a> for a ready-to-use document.</p> <hr> <h3 id="12-document-compliance-for-regulatory-review"> 12. Document compliance for regulatory review <a href="#12-document-compliance-for-regulatory-review" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h3> <p><strong>Directive reference:</strong> Article 11(2) (external channels), national transposition laws (internal)</p> <p>Several member states require organizations to document that they have fulfilled their obligations and to make this documentation available to regulators on request.</p> <p><strong>Practical tip:</strong> Keep records of: when the reporting channel was established, who the designated case handlers are, training records, the whistleblower policy (with version history), and aggregate statistics on reports received and handled. Do not store individual case details longer than your retention period allows.</p> <hr> <h2 id="next-steps"> Next steps <a href="#next-steps" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>If you have checked every box above, your organization is compliant with the core requirements of the Directive and its national transposition. Compliance is not a one-time event — review your setup annually, retrain handlers, and update your policy as national law evolves. Check our <a href="/whistleblower-laws/">whistleblower laws by country</a> reference for country-specific requirements that may go beyond the Directive’s baseline.</p> <p>Need a reporting channel? <a href="/">EthicsPortal</a> gives you a compliant, anonymous reporting portal in minutes — €49/month flat, no per-employee pricing, no sales calls. <a href="/">Get started today</a> .</p>support@ethicsportal.eu (EthicsPortal)https://ethicsportal.eu/blog/eu-whistleblower-directive-2019-1937-adopted/Wed, 23 Oct 2019 00:00:00 +0000https://ethicsportal.eu/blog/eu-whistleblower-directive-2019-1937-adopted/The European Parliament and the Council formally adopt Directive (EU) 2019/1937, establishing EU-wide protection for persons who report breaches of Union law.<h1 id="eu-directive-20191937-on-whistleblower-protection-adopted"> EU Directive 2019/1937 on whistleblower protection adopted <a href="#eu-directive-20191937-on-whistleblower-protection-adopted" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h1> <p>On 23 October 2019, the European Parliament and the Council formally adopted <a href="https://eur-lex.europa.eu/eli/dir/2019/1937/oj/eng" rel="nofollow">Directive (EU) 2019/1937</a> on the protection of persons who report breaches of Union law. The plenary vote passed with 591 votes in favour, 29 against, and 33 abstentions.</p> <p>The Directive requires every organization with 50 or more employees to establish secure internal reporting channels, protect reporters from retaliation, and provide feedback within three months. Member states had until 17 December 2021 to transpose it into national law.</p> <a href="https://multimedia.europarl.europa.eu/en/video/protecting-democracy-by-protecting-whistleblowers_N01-PUB-190408-BLOW" style="display: block; padding: 1.5rem; border: 1px solid #ddd; border-radius: 0.5rem; text-decoration: none; color: inherit; margin: 2rem 0;"> <strong>▶ Watch: Protecting democracy by protecting whistleblowers</strong><br> <span style="color: #666; font-size: 0.875rem;">European Parliament Multimedia Centre · 1:28</span> </a> <h2 id="what-the-directive-requires"> What the directive requires <a href="#what-the-directive-requires" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><strong>Internal reporting channels</strong> (Art. 8) — secure, confidential channels accessible to all workers, including contractors and suppliers</li> <li><strong>7-day acknowledgment</strong> (Art. 9) — organizations must confirm receipt of a report within seven calendar days</li> <li><strong>3-month feedback deadline</strong> (Art. 9) — reporters must receive feedback on actions taken within three months</li> <li><strong>Anti-retaliation protection</strong> (Art. 19–21) — dismissal, demotion, intimidation, and other forms of retaliation are prohibited</li> <li><strong>Reversed burden of proof</strong> (Art. 21(5)) — once a reporter shows they made a report and suffered a detriment, the employer must prove the measure was unrelated</li> <li><strong>External and public reporting</strong> (Art. 10, 15) — reporters retain protection when reporting to competent authorities or, as a last resort, making public disclosures</li> </ul> <hr> <h2 id="plenary-debate"> Plenary debate <a href="#plenary-debate" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <p>The European Parliament debated the directive during its plenary session in Strasbourg. Extracts from the debate are available on the European Parliament Multimedia Centre:</p> <p><a href="https://multimedia.europarl.europa.eu/en/video/protection-of-whistle-blowers-extracts-from-the-debate_I123987" rel="nofollow">Watch the plenary debate on whistleblower protection</a> </p> <hr> <h2 id="official-resources"> Official resources <a href="#official-resources" class="ml-1 text-base-content/30 hover:text-base-content/60 no-underline" aria-label="Link to this section">#</a> </h2> <ul> <li><a href="https://eur-lex.europa.eu/eli/dir/2019/1937/oj/eng" rel="nofollow">Full text of Directive (EU) 2019/1937</a> — EUR-Lex</li> <li><a href="https://commission.europa.eu/aid-development-cooperation-fundamental-rights/your-fundamental-rights-eu/protection-whistleblowers_en" rel="nofollow">Protection for whistleblowers</a> — European Commission</li> <li><a href="https://www.europarl.europa.eu/news/en/press-room/20190410IPR37529/protecting-whistle-blowers-new-eu-wide-rules-approved" rel="nofollow">New EU-wide rules approved</a> — European Parliament press release</li> <li><a href="https://multimedia.europarl.europa.eu/en/topic/protection-of-whistleblowers-8th-parliamentary-term_9901" rel="nofollow">All whistleblower protection multimedia</a> — European Parliament Multimedia Centre</li> <li><a href="https://www.europarl.europa.eu/legislative-train/theme-area-of-justice-and-fundamental-rights/file-whistle-blower-protection-proposal" rel="nofollow">Legislative train schedule</a> — European Parliament</li> </ul>support@ethicsportal.eu (EthicsPortal)