What to look for in whistleblower compliance software
The EU Whistleblower Protection Directive requires your organization to operate a secure internal reporting channel. But not all tools that claim Directive compliance actually deliver it.
Here’s how to evaluate what matters.
What a whistleblower reporting tool actually needs to do
The Directive’s requirements translate into five core functions:
- A reporter submits a report through a secure channel.
- The report is stored confidentially in an encrypted system.
- A designated case handler reviews it and responds.
- The system tracks the 7-day acknowledgment and 3-month feedback deadlines.
- Every action is recorded in an immutable audit trail.
These five functions are the compliance baseline. Any tool you evaluate should demonstrate how it handles each one.
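As an added illustration of the deadline-tracking and audit-trail functions above (example code written for this article, not any vendor's product), the snippet computes the 7-day and 3-month deadlines, flags overdue steps, and keeps a hash-chained audit log whose `verify_chain` check fails if any entry is edited, deleted or reordered. The 3-month deadline is computed as calendar months clamped to month end; that arithmetic is an assumption, since the Directive does not prescribe it.

```python
import calendar
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64  # prev-hash of the first audit entry


def add_months(d: date, months: int) -> date:
    # Calendar-month arithmetic, clamped to the last day of the target month (assumption).
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def deadlines(received: date) -> dict:
    # Article 9(1)(b): acknowledge within 7 days; Article 9(1)(f): feedback within 3 months.
    return {"acknowledgment": received + timedelta(days=7),
            "feedback": add_months(received, 3)}


def overdue(received: date, completed: dict, today: date) -> list:
    # Steps whose deadline has passed and which `completed` does not record as done.
    return [step for step, due in deadlines(received).items()
            if step not in completed and today > due]


def entry_hash(entry: dict) -> str:
    # Hash every field except the hash itself, so a verifier can recompute it.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(audit: list, case_id: str, action: str, when: date) -> None:
    # Append-only: each entry commits to its predecessor's hash.
    prev = audit[-1]["hash"] if audit else GENESIS
    entry = {"case": case_id, "action": action, "date": when.isoformat(), "prev": prev}
    entry["hash"] = entry_hash(entry)
    audit.append(entry)


def verify_chain(audit: list) -> bool:
    # True only if no entry was edited, deleted or reordered since it was written.
    prev = GENESIS
    for entry in audit:
        if entry["prev"] != prev or entry["hash"] != entry_hash(entry):
            return False
        prev = entry["hash"]
    return True
```

A hash chain like this makes tampering detectable, not impossible: whoever can rewrite the whole list can recompute every hash, so a real system also anchors the latest hash somewhere the case handlers cannot alter (a write-once store or an external timestamp).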
Features that matter for compliance
When evaluating platforms, focus on what the Directive actually requires:
- Anonymous reporting — Article 6(1) requires confidentiality. The strongest implementation means no IP logging, no tracking, and automatic stripping of file metadata (EXIF, GPS, author info) that could reveal identity.
- Two-way communication — Article 9(1)(b) requires follow-up with the reporter. This means secure messaging without requiring the reporter to create an account or reveal their identity.
- Deadline tracking — Articles 9(1)(b) and 9(1)(f) set the 7-day acknowledgment and 3-month feedback deadlines. Automated tracking with notifications prevents compliance failures.
- Audit trail — Article 18 requires documentation. An immutable log of all actions provides the evidence regulators and auditors expect.
- EU data residency — GDPR applies to all report data. Hosting within the EU simplifies compliance and avoids cross-border transfer questions.
- Data retention controls — Article 17(1)(d) requires defined retention periods. Configurable auto-deletion ensures data isn’t kept longer than necessary.
Features that sound impressive but aren’t in the Directive
Some platforms emphasize capabilities that go beyond what compliance requires:
- “AI-powered risk scoring”
- “Sentiment analysis”
- “Predictive analytics dashboards”
- “Benchmarking against 10,000+ organizations”
These features may serve larger organizations with mature compliance programs. But they are not Directive requirements, and their presence doesn’t make a tool more compliant. Evaluate whether they serve your actual needs before paying for them.
Pricing transparency as a signal
The Directive applies to organizations of very different sizes — from 50-person companies to multinational enterprises. The tool you choose should match your scale.
Some platforms publish their pricing openly. Others require a sales process to learn the cost. Neither approach is inherently better, but transparent pricing lets you evaluate fit faster and avoids committing time to demos before knowing whether the budget works.
What to ask during evaluation
When reviewing any whistleblower platform, ask:
- Where is data stored? Confirm EU hosting and data residency.
- How are reporters protected? Verify IP anonymization and metadata stripping.
- How are deadlines tracked? Confirm automatic 7-day and 3-month tracking with notifications.
- Is the audit trail immutable? Ensure logs cannot be edited or deleted.
- What happens when we cancel? Understand data export and deletion policies.
- Is a DPA (data processing agreement) available? GDPR requires one whenever the vendor processes report data on your behalf as a data processor.
How EthicsPortal addresses these requirements
EthicsPortal is built specifically for EU Directive 2019/1937 compliance:
- €49/month, all features included
- Anonymous reporting with IP anonymization and file metadata stripping
- Secure two-way messaging via access code
- Automatic deadline tracking with overdue notifications
- Immutable audit trail and PDF case export
- Hosted on Hetzner in Nuremberg, Germany — all data stays in the EU
See our article-by-article compliance breakdown for details on how each Directive requirement is met.