Whistleblower law in Luxembourg #
Luxembourg implemented Directive (EU) 2019/1937 through the Loi du 16 mai 2023 relative aux lanceurs d’alerte. The Luxembourg system is notable because it uses 22 competent authorities plus a central Reporting Office that helps identify the correct authority.
Applicable law #
Who must establish an internal channel #
- Private-sector entities with 50 or more workers and public-sector entities must establish an internal reporting channel.
- Luxembourg extended the material scope to the entire national law — one of the broadest transpositions in the EU, not limited to EU-law breaches.
Phased: entities with 250+ employees had an immediate obligation on entry into force (21 May 2023); 50-249 entities had until 17 December 2023. Municipalities under 10,000 residents are excluded.
Penalties and enforcement #
Luxembourg fixes a large explicit fine for not having a channel — the second-highest in the EU after Spain.
| Conduct | Penalty |
|---|---|
| Failing to establish internal channels (also: obstruction, withholding/false information, breach of confidentiality, refusing to remedy) | administrative fine €1,500–250,000, doubled to €500,000 for a repeat offence within 5 years |
| Retaliation (représailles) or abusive proceedings against a whistleblower | fine €1,250–25,000 |
| Knowingly reporting/disclosing false information | criminal: 8 days–3 months imprisonment + €1,500–50,000 + civil liability |
The no-channel band is confirmed verbatim on the official ITM page: “de 1.500 à 250.000 euros notamment si elles entravent un signalement, refusent de remédier à une violation ou n’ont pas mis en place les canaux de signalement interne requis (l’amende peut être doublée en cas de récidive).”
An honest assessment of enforcement. The on-paper exposure is serious (up to €500,000), but enforcement is remediation-first: the ITM examines a matter and only transmits it to the Office des signalements (OSIG) — operational since 1 September 2023, under the Minister of Justice — which can fine if the entity fails to regularise. No company has been documented as fined to date. Enforcement is split across ~22 competent authorities (the CSSF for financial-sector breaches, the CNPD for data-protection-scope reports). The high ceiling makes this especially relevant for the regulated fund-administration and financial sector.
External reporting authority #
Luxembourg does not rely on one universal authority. The CNPD guidance explains that there are 22 competent authorities and that anyone can contact the Reporting Office of the Ministry of Justice to identify the correct authority for a given type of report.
Data protection authority #
For data-protection matters, the relevant authority is the CNPD .
Key compliance points #
- Luxembourg is one of the clearest examples of why country-law pages matter: there is no single obvious external authority unless the organisation explains the competent-authority model.
- The CNPD itself is one of the competent whistleblowing authorities for data-protection matters, which makes the privacy angle unusually visible.
- Internal policies should make it easy for reporters to identify the correct external authority or the ministry reporting office.
Official sources #
- Loi du 16 mai 2023 — official law text (Legilux, a232)
- Ministry of Justice — lanceurs d’alerte dossier
- ITM — administrative fines for whistleblower-law breaches
- ITM — Office des signalements (OSIG)
- CSSF — whistleblower protection (financial sector)
- CNPD — whistleblowers
- CNPD — home page
Deploy your reporting channel →
Last updated: