Marketing & Editorial office

Business Keeper

EU Whistleblowing Directive

What companies need to know now

Whistleblowers are vital for maintaining an open and transparent society, as they expose misconduct or hidden threats. To ensure that they are better protected against negative consequences, EU Directive 2019/1937 on the protection of whistleblowers came into force on 16 December 2019. EU member states now have until 2021 to incorporate the directive into their own national laws.

The goals of the EU Whistleblowing Directive are:

§ To detect and prevent misconduct and breaches of laws and regulations,

§ Improve law enforcement by establishing effective, confidential and secure reporting channels to effectively protect whistleblowers from fear of retaliation,

§ To protect and enable whistleblowers by helping them to raise concerns confidently without fear of retaliation, including anonymity where required.


Download EU guide now

Are you also affected by the EU Whistleblowing Directive?

Companies with 50 or more employees or with annual revenue over 10 million euros, public institutions as well as local authorities of 10,000 inhabitants or more must provide secure internal reporting channels. Reports can be submitted in writing via an online system, by post and/or orally by telephone or voice messaging system. The following aspects must be taken into account:

  • Provide anonymity and information security

    For all reporting channels, the identity of the whistleblower must be protected. All data must be handled in accordance with the GDPR.


  • Who should handle the report on breaches?

    This could be the head of the compliance or human resources department, a compliance officer, a lawyer, a data protection officer, internal audit or a member of the board.

  • Internal or public reporting channels

    If internal reporting channels should not be implemented, it should be clear that whistleblowers will only be able to report to the public authorities or media according to the EU Whisleblower Directive - with incalculable risks for the organisations.

  • What happens after a report?

    Since all reports need to be documented, and follow up measures must be taken, each report needs to be easily accessible to, compliance officers for the management of the next steps.  

  • Implementation timing for the BKMS® Compliance System

    The implementation timing depends on the size and complexity of the organisational structure. In general this takes between a few weeks and a couple of months.



  • What is the status quo on the implementation in Europe?

    The Directive still has to be implemented in December 2021 into national law of the member states while the national developments in the transposition of the EU Directive are quite different. Some countries have started public consultations, other governments have been brought up first drafts for their whistleblowing law which has to be discussed.


The most important questions for you:

What kind of reporting channel should be implemented?
Show more
Which reporting channel is best suited to large companies and public institutions?
Show more
How long does implementation take?
Show more
Will my staff need special training to handle and process reports?
Show more
What happens after receiving a report?
Show more
How long do companies have time to react to the information?
Show more
Are loyalty and confidentiality clauses valid?
Show more
Does it matter how the information has been obtained?
Show more

Ulrike Dittmar is responsible for content marketing in the marketing department and takes care of the content of the corporate website, the compliance newsletter and Business Keeper's events.

Business Keeper


Ulrike Dittmar


A selection of the customers who already place their trust in us to protect them from damage to their reputation and liability risks.

Do you want to offer an incident reporting system in your company? Then schedule a software demo now and find out more about BKMS® Incident Reporting:

Get your personal demo