Top whistleblower software for EU Directive 2019/1937 compliance
EU Directive 2019/1937, now transposed into national law in all 27 member states (e.g., Loi Waserman in France, HinSchG in Germany, Ley 2/2023 in Spain), requires every organization with 50 or more employees to operate a secure internal reporting channel. The law is specific about what that channel must do: accept written and oral reports, protect reporter confidentiality, acknowledge receipt within 7 days, provide feedback within 3 months, and maintain records without exposing the reporter’s identity.
Here is what is strange about this market: whistleblower reporting is a simple tool. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and keeps an audit trail. That is the entire product.
Yet most vendors hide their pricing behind “contact us for a demo” forms, require weeks-long sales processes, and pad their feature lists with AI-powered analytics, sentiment analysis, and other additions that have nothing to do with what the Directive actually requires. The result is that a compliance officer at a 100-person company ends up on a sales call for a tool that should take ten minutes to set up.
This article ranks the top whistleblower software specifically by how well each platform meets the Directive’s legal requirements — not by brand recognition, AI feature count, or how impressive the sales deck looks.
How we scored
Every platform was evaluated against the six core requirements of Directive 2019/1937:
| Requirement | Directive articles | What the law demands |
|---|---|---|
| Secure reporting channel | Art. 8 | Encrypted, accessible to all workers, no account required |
| Reporter confidentiality | Art. 16 | Identity not disclosed without consent, access restricted to authorized staff |
| Receipt acknowledgment | Art. 9(1)(b) | Written confirmation within 7 days |
| Feedback deadline | Art. 9(1)(f) | Substantive feedback within 3 months |
| Two-way communication | Art. 9(1)(b) | Ability to communicate with the reporter, including anonymous reporters |
| Record-keeping | Art. 18 | Reports stored securely, retained per legal requirements, deletable when no longer needed |
We also considered practical factors: pricing transparency, EU data residency, setup speed, and whether the platform requires a sales call to get started.
The ranking
1. EthicsPortal — best for SMEs that need fast, affordable compliance
Directive coverage: complete. EthicsPortal was built specifically for EU Directive 2019/1937. Every feature maps to an article.
| Directive requirement | How EthicsPortal handles it |
|---|---|
| Secure channel (Art. 8) | Encrypted web portal, unique URL per organization, no app required |
| Confidentiality (Art. 16) | No IP logging, file metadata stripping (EXIF, GPS, author), encrypted data at rest |
| 7-day acknowledgment (Art. 9) | Automatic deadline tracking with handler notifications |
| 3-month feedback (Art. 9) | Automatic deadline tracking with overdue alerts |
| Two-way communication (Art. 9) | Anonymous message thread via access code — handler names never revealed |
| Record-keeping (Art. 18) | Append-only audit trail, PDF export for auditors |
Pricing: €49/month flat. No per-employee fees, no add-ons.
EU hosting: Yes — Hetzner, Nuremberg, Germany.
Setup time: Minutes. Self-serve signup, no sales call.
Why it ranks first: Whistleblower reporting is not a complex problem. The Directive tells you exactly what the tool needs to do, and EthicsPortal does exactly that — nothing more, nothing less. No AI sentiment analysis, no “risk scoring,” no features that exist to justify a higher price tag. Full Art. 8–18 compliance at €49/month, visible on the website, no sales call required.
The trade-off is that EthicsPortal is newer and does not yet have ISO 27001 certification or phone hotline services.
EthicsPortal is our product. We designed it to deliver full Directive compliance with transparent pricing and immediate deployment.
2. Formalize (WhistleblowerSoftware.com) — best for mid-market companies wanting a polished product
Directive coverage: complete. Built in Denmark with the EU Directive as the primary design driver.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — web portal with encryption |
| Confidentiality (Art. 16) | Yes — access controls, data encryption |
| 7-day acknowledgment (Art. 9) | Yes — automated tracking |
| 3-month feedback (Art. 9) | Yes — automated tracking |
| Two-way communication (Art. 9) | Yes — anonymous messaging |
| Record-keeping (Art. 18) | Yes — audit trail |
Pricing: Custom quote required. Previously published per-employee pricing; no longer public.
EU hosting: Yes — Denmark.
Setup time: Days — involves a demo/sales process.
Why it ranks here: Strong Directive compliance, ISO 27001 and ISAE 3000 certified, and 80+ languages. Formalize used to publish pricing on their website — they no longer do, which tells you something about the direction they are heading. You now need to request a quote and go through a sales process to learn what it costs. If you need certifications and a partner ecosystem (PwC, Baker McKenzie), Formalize is a strong choice — but be prepared to negotiate pricing you cannot see upfront.
3. Hintbox — best for German-speaking markets
Directive coverage: complete. German platform with 1,000+ customers. Part of the lawcode suite.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — encrypted portal, hosted on Hetzner (Germany) |
| Confidentiality (Art. 16) | Yes — metadata stripping, 2FA, virus scanning |
| 7-day acknowledgment (Art. 9) | Yes — deadline tracking |
| 3-month feedback (Art. 9) | Yes — deadline tracking |
| Two-way communication (Art. 9) | Yes — anonymous messaging, optional voice bot (+€49/mo) |
| Record-keeping (Art. 18) | Yes — audit trail |
Pricing: Starting at €49/month. Scales to €149+/month with employee count. Add-ons: voice bot (+€49/mo), email integration (+€29/mo), custom domain (+€29/mo).
EU hosting: Yes — Hetzner, Germany. ISO 27001 certified.
Setup time: Days.
Why it ranks here: Mature product, large customer base (Rewe, s.Oliver, FC Bayern), ISO 27001 certified. The per-employee pricing and add-on costs mean the effective price is significantly higher than the €49 starting point for most organizations. DACH-focused — limited presence outside German-speaking markets.
4. LegalTegrity — best for German SMEs that want phone reporting included
Directive coverage: complete. Frankfurt-based, hosted on Deutsche Telekom Open Telekom Cloud.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — encrypted portal, Deutsche Telekom hosting (Germany) |
| Confidentiality (Art. 16) | Yes — role-based access |
| 7-day acknowledgment (Art. 9) | Yes — deadline tracking with reminders |
| 3-month feedback (Art. 9) | Yes — deadline tracking |
| Two-way communication (Art. 9) | Yes — anonymous messaging, phone channel on all plans |
| Record-keeping (Art. 18) | Yes — audit trail, reporting |
Pricing: Essential €49/month (<50 employees), Professional €99/month (<250), Professional €166/month (<1,000), Enterprise on request. Annual billing.
EU hosting: Yes — Deutsche Telekom Open Telekom Cloud, Germany. ISO 27001-certified hosting.
Setup time: Days. 3-month money-back guarantee.
Why it ranks here: LegalTegrity includes a phone reporting channel on every plan, including the €49 Essential tier. That is unusual — most competitors charge extra for phone intake or do not offer it at all. 40+ languages available. The trade-off: per-employee tiered pricing means costs rise as your organisation grows, and additional languages cost €29/month each beyond the two included.
5. Vispato — best flat-rate alternative in DACH
Directive coverage: complete. German platform, part of the HR WORKS group.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — encrypted portal, DATEV-hosted (Germany) |
| Confidentiality (Art. 16) | Yes — role-based access, ISO 27001 hosting |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes — anonymous messaging |
| Record-keeping (Art. 18) | Yes — audit trail |
Pricing: €79/month flat. Unlimited users, cases, and storage. Enterprise tier with SSO and custom domain is quote-based.
EU hosting: Yes — DATEV-managed servers, Germany.
Setup time: Days. No free trial, demo required.
Why it ranks here: Flat €79/month regardless of company size, with no add-on fees. 18 languages. WCAG 2.1 AA accessibility. For DACH-region companies that want predictable costs without employee-count tiers, Vispato is the cleanest alternative. The trade-off: fewer languages than competitors (18 vs. 30–80), and no free trial.
6. DigitalPA (Legality Whistleblowing) — best for Italy
Directive coverage: complete. Italian platform with four ISO certifications.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — web, voice, phone, and in-person intake |
| Confidentiality (Art. 16) | Yes — 2FA, anonymous and confidential modes |
| 7-day acknowledgment (Art. 9) | Yes — deadline tracking |
| 3-month feedback (Art. 9) | Yes — deadline tracking |
| Two-way communication (Art. 9) | Yes — anonymous messaging with AI translation |
| Record-keeping (Art. 18) | Yes — audit trail, investigation reports |
Pricing: Standard from €29/month (<50 employees). Premium from €41/month. Medium/Large/Enterprise tiers require a quote. Annual billing only.
EU hosting: Yes — Italy.
Setup time: Days.
Why it ranks here: The cheapest starting price in this comparison (€29/month) and the most ISO certifications (27001, 37001, 37002, 37301). Multi-channel intake including phone and in-person meeting requests. 1,000+ customers. The trade-off: pricing beyond the small-business tier is quote-based, and the platform is Italian-market focused.
7. ithikios — best for Spanish SMEs
Directive coverage: complete. Spanish modular compliance suite.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — encrypted cloud portal, ISO 27001 servers |
| Confidentiality (Art. 16) | Yes — anonymous and confidential modes |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes — anonymous messaging |
| Record-keeping (Art. 18) | Yes — case management with documentation |
Pricing: From €29/month. Free trial available.
EU hosting: Yes — Spain. ISO 27001 certified.
Setup time: Hours.
Why it ranks here: Budget-friendly at €29/month with ISO 27001 and a free trial. 1,000+ companies across 10 countries. Modular platform: buy the whistleblower channel now, add policy management or NIS2 modules later. 7 interface languages. The trade-off: primarily Spanish-focused, and 7 languages is limited for cross-border organisations.
8. FaceUp — best for multilingual organizations (113 languages)
Directive coverage: complete.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes |
| Confidentiality (Art. 16) | Yes — access controls |
| 7-day acknowledgment (Art. 9) | Yes — automated |
| 3-month feedback (Art. 9) | Yes — automated |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes — audit trail |
Pricing: Not public. Three tiers (Starter, Professional, Enterprise) but all require “Get a Quote” — no prices shown on the website. Priced in USD.
EU hosting: Yes — Czech Republic.
Setup time: Hours.
Why it ranks here: FaceUp supports 113 languages — among the highest in the market — and offers a mobile app for reporters. Originally built for schools in the Czech Republic, they have expanded into corporate compliance across 70+ countries. Pricing is in US dollars and not publicly displayed — all three tiers (Starter, Professional, Enterprise) show “Get a Quote” buttons rather than prices, making it impossible to budget without a sales conversation.
9. Whistlelink — best for Nordic companies
Directive coverage: complete.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes |
| Confidentiality (Art. 16) | Yes |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes |
Pricing: Starting at €79/month (billed annually). Scales by employee count: €79 → €99 → €149 → €199 → €299/month. 1,000+ employees: contact sales.
EU hosting: Yes — Sweden.
Setup time: Days. 30-day free trial available.
Why it ranks here: Solid Directive compliance with 50+ languages and good case management. All pricing tiers include the same feature set — no feature gating. Starting at €79/month, pricing is higher than the cheapest options but transparent. Strong regional presence in the Nordics.
10. SpeakUp (People Intouch) — best for outsourced case handling
Directive coverage: complete. One of the longest-running European whistleblower platforms (Netherlands).
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — web + phone reporting |
| Confidentiality (Art. 16) | Yes |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes |
Pricing: Starting at ~€3,000/year for companies under 1,000 employees. Custom for larger.
EU hosting: Yes — Netherlands.
Setup time: Days.
Why it ranks here: Unique value proposition: outsourced case handling by trained professionals. If your organization does not have internal resources to manage reports, SpeakUp handles it for you. The trade-off is price — you are paying for human operators, not just software.
11. EQS Integrity Line — best for large enterprises
Directive coverage: complete. The European enterprise standard.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — 70+ languages |
| Confidentiality (Art. 16) | Yes — enterprise-grade access controls |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes — integrates with GRC suites |
Pricing: Not published. Estimated €2,000+/month. Requires sales process.
EU hosting: Yes.
Setup time: Weeks.
Why it ranks here: If you are a bank, insurer, or listed company with 5,000+ employees, EQS is the safe enterprise choice. For everyone else, you are paying for features and scale you do not need. Implementation takes weeks, not minutes.
12. NAVEX Global — best for US multinationals with EU operations
Directive coverage: complete, but EU compliance feels bolted on.
| Directive requirement | Coverage |
|---|---|
| Secure channel (Art. 8) | Yes — web + phone hotline |
| Confidentiality (Art. 16) | Yes |
| 7-day acknowledgment (Art. 9) | Yes |
| 3-month feedback (Art. 9) | Yes |
| Two-way communication (Art. 9) | Yes |
| Record-keeping (Art. 18) | Yes — strong analytics |
Pricing: Custom. Typically €5,000+/year. Requires sales process.
EU hosting: Available as an option, not default.
Setup time: Weeks.
Why it ranks here: NAVEX is the dominant US compliance platform with decades of history and thousands of clients. Their EthicsPoint product covers the Directive, but the platform was designed for US regulatory frameworks first. EU hosting is available but not the default. Enterprise pricing and long implementation cycles put it out of reach for SMEs.
Which platform should you choose?
| Your situation | Best choice |
|---|---|
| SME or startup, need compliance fast, budget-conscious | EthicsPortal (€49/mo, minutes to set up) |
| German SME, want phone reporting included | LegalTegrity (€49+/mo, phone on all plans) |
| DACH region, want flat pricing with no add-ons | Vispato (€79/mo flat) |
| Italian company, need local certifications | DigitalPA (from €29/mo, ISO 27001/37001/37002) |
| Spanish company, need Ley 2/2023 compliance | ithikios (from €29/mo, ISO 27001) |
| Mid-market, want certifications and partner ecosystem | Formalize (custom pricing, ISO certified) |
| German-speaking market, need ISO 27001 at scale | Hintbox (€49+/mo, ISO 27001) |
| Need 113 languages or mobile reporting app | FaceUp (custom quote) |
| Nordic company, prefer regional vendor | Whistlelink (€79+/mo) |
| Need outsourced case handling | SpeakUp (~€3,000/yr) |
| Large enterprise (500+ employees), full GRC suite | EQS Integrity Line (custom pricing) |
| US multinational with EU subsidiary | NAVEX Global (custom pricing) |
Why most platforms are overpriced for what they do
Every platform on this list covers the core requirements of Directive 2019/1937. That is worth repeating: the basic compliance functionality is the same across all of them. A reporter submits a report. A handler reads it and responds. The system tracks deadlines and logs an audit trail.
The price difference between €49/month and €5,000+/year is not explained by the Directive’s requirements. It is explained by sales teams, enterprise packaging, AI features that no compliance officer asked for, and the assumption that “compliance software” can be priced like enterprise SaaS.
Many platforms on this list do not publish their pricing. You have to fill out a form, get on a call, sit through a demo, and then — maybe — receive a quote. For a tool that does what a spreadsheet could do (badly), this is absurd.
If you are evaluating platforms, focus on three things:
- Does it cover Art. 8–18? All platforms above do, at their paid tiers.
- Is data hosted in the EU? Non-negotiable for GDPR and Directive compliance.
- Can you see the price and sign up today? If a vendor will not show you the price, ask yourself what they are optimizing for.
No whistleblower platform can make your organization compliant by itself. Compliance also requires internal policies, designated handlers, training, and documented procedures. The software is the reporting channel — one piece of a larger compliance framework. It should not be the most expensive or time-consuming piece.
For a detailed article-by-article breakdown of how EthicsPortal meets each requirement, see our Directive 2019/1937 coverage map.