First whistleblower report - what to do?

Being an employer comes with a long list of obligations, many of them about how you treat the people who work for you. The moment somebody decides to report irregularities inside your company can be the most stressful one of the year. You learn, in a single conversation, that something has gone wrong in the workplace you manage, and that one of your people has been carrying that knowledge long enough to feel hurt, scared, or both. Before you do anything else, give yourself a moment, and then think carefully about the steps you have to take next. The law leaves very little to improvisation now.

Why the first report is different in 2026 than it was in 2021

The European baseline is set by EU Directive 2019/1937 on the protection of persons who report breaches of Union law. The transposition deadline for member states was 17 December 2021, but compliance was slow, and in March 2025 the Court of Justice of the EU ordered Germany, Luxembourg, Czechia, Estonia, and Hungary to pay financial penalties for failing to transpose it. By 2026 every Member State has legislation on the books, even if the European Commission still flags gaps in scope and protection.

Court of Justice of the European Union, Luxembourg / ©Cédric Puisney (CC BY 2.0)

Poland was one of the late arrivals. The Ustawa o ochronie sygnalistów of 14 June 2024 entered into force on 25 September 2024, with the external state channels going live on 25 December 2024. Any private or public legal entity for which at least 50 persons perform paid work on 1 January or 1 July of a given year must adopt a written internal reporting procedure. Entities operating in financial services, products and markets, anti-money laundering and counter-terrorist financing, transport safety, and environmental protection are covered regardless of headcount. If your organisation has crossed that threshold and your procedure still lives in a draft folder, you are already exposed.

The reason this matters when a single report lands on your desk is that the report does not arrive in a vacuum. It arrives inside a regulated process, with deadlines that start ticking the moment your channel registers it. Treating the first one as an HR conversation, the way employers used to twenty years ago, is now a legal mistake.

Who is allowed to receive the report

Depending on the size of the organisation, reports may go to the owner, to a member of the management board, to HR, or to a person hired specifically as a contact for whistleblowers. Whoever it is, two things have to be true. They must hold written authorisation from the legal entity to receive reports, take follow-up actions, and process the personal data involved, and they must be in a position to act impartially, free of conflict with the people or units the report concerns. Picking the line manager of the reported team is the textbook example of how not to design this.

ISO 37002:2021, the international standard on whistleblowing management systems, organises the work around three principles, Trust, Impartiality, Protection, and around a four-stage lifecycle: receive, assess, address, conclude. You do not have to certify against the standard to use its vocabulary, and the vocabulary is useful precisely because it forces you to separate intake (a relational task) from investigation (an analytical one). The same person can do both, but they cannot do both at the same moment.

The first 7 days

From the moment the report is registered, the authorised person has 7 days to acknowledge receipt to the reporter. This is not a confirmation that you believe them, and it is not a verdict. It is a signal that the report is in the system, that a real human being has it, and that the law has started running. Spell out who is handling the case (or which role, if anonymity is required), what happens next in broad strokes, and where the reporter can reach you with additional information. Avoid promises of outcome and avoid evaluative language. Most disasters at this stage come from acknowledgements that read like rebuttals.

The channel itself matters too. An oral report (a phone call, a recorded line, a face-to-face meeting) obliges you to produce a faithful written record and give the reporter a chance to verify it. An email report should never be answered with reply-all. A report submitted through a digital reporting platform should stay in that platform, not be duplicated onto a corporate ticketing system that the reported parties can read.

The 3-month feedback window

Within 3 months of acknowledging the report, you owe the reporter substantive feedback on the action envisaged or already taken, and the grounds for it. If no acknowledgement was sent, the 3 months run from the end of the 7-day acknowledgement window instead. The six-month extension "in duly justified cases" that the Directive allows applies to the external channels run by public bodies, not to an employer's internal procedure. The clock is on the legal entity, not on the investigator. If the inquiry is genuinely complex, the reporter should be told that, and told why, before the deadline runs out, not after.

The first thing the receiver has to judge is whether the report describes a violation in scope. The Polish act covers a long but finite list, including corruption, public procurement, financial-services rules, anti-money laundering, product safety, transport safety, environmental protection, public health, consumer protection, privacy and personal-data protection, security of network and information systems, and the constitutional freedoms and rights of the individual. Ordinary labour-law disputes between an employee and the company were left out of the final text, which means an HR grievance is not automatically a protected report; the assessment has to look at substance, not at how angry the email is.

Personal animosity, score-settling, or reports recycled from a known dispute are part of the assessment too, but they are a reason to investigate carefully, not to dismiss. Article 57 of the Polish act only criminalises reports made knowingly to communicate a falsehood, with penalties of up to 2 years imprisonment; honest mistakes by the reporter remain protected, and treating an awkward report as malicious is one of the fastest ways for an employer to walk into a retaliation claim.

Sejm of the Republic of Poland, Warsaw, where the Whistleblower Protection Act was adopted on 14 June 2024 / ©Sandra Cohen-Rose and Colin Rose (CC BY-SA 2.0)

Recordkeeping and confidentiality

Every report goes into a register of internal reports. The register tracks the date of receipt, the subject of the report, the actions taken, and the result; it must be kept in a way that does not leak the reporter's identity to anyone who is not authorised to know it. Polish law requires the register entry, personal data included, to be retained for 3 years after the end of the calendar year in which the follow-up actions (or any proceedings they triggered) were concluded.

The confidentiality bar is high, and stricter than the loose "no one will find out" promises that older internal policies tend to make. The reporter's identity is protected, and may only be disclosed where disclosure is strictly necessary and lawful, for example to prosecutors or to a court order. Anyone with access to the case has to sign confidentiality undertakings, and the register itself is GDPR data, with all the access-control and minimisation duties that follow.
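As an added illustration, not part of the original article, the sketch below models the two statutory clocks (acknowledge within 7 days, substantive feedback within 3 months of the acknowledgement, or of the end of the 7-day window if none was sent) together with the retention rule, and keeps the reporter's identity in a store separate from the case row, so that an investigator's view of the register never carries it. Field names, the two roles, the month-end clamping for calendar-month arithmetic and the sample cases are all assumptions made for the example.

```python
"""Internal-reports register sketch (added example; roles, fields and cases are constructed)."""
from __future__ import annotations
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

ACK_DAYS = 7           # acknowledgement of receipt
FEEDBACK_MONTHS = 3    # substantive feedback, counted from the acknowledgement
RETENTION_YEARS = 3    # after the end of the calendar year in which the case closed


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps to month end (31 Jan + 1 month -> 28/29 Feb)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = y + d.year, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Case:
    case_id: str
    received: date
    subject: str
    acknowledged: date | None = None
    closed: date | None = None
    actions: list[str] = field(default_factory=list)
    result: str | None = None

    def ack_deadline(self) -> date:
        return self.received + timedelta(days=ACK_DAYS)

    def feedback_deadline(self) -> date:
        # No acknowledgement sent: the 3 months run from the end of the 7-day window.
        start = self.acknowledged or self.ack_deadline()
        return add_months(start, FEEDBACK_MONTHS)

    def retain_until(self) -> date | None:
        if self.closed is None:
            return None
        return date(self.closed.year + RETENTION_YEARS, 12, 31)


class Register:
    """Case data and reporter identity are separate stores with separate access rules."""

    def __init__(self) -> None:
        self._cases: dict[str, Case] = {}
        self._identities: dict[str, str] = {}  # restricted store, keyed by case_id

    def add(self, case: Case, reporter_identity: str | None) -> None:
        self._cases[case.case_id] = case
        if reporter_identity is not None:
            self._identities[case.case_id] = reporter_identity

    def view(self, case_id: str, role: str) -> dict:
        """Investigators get the case row; only the authorised receiver sees who reported."""
        c = self._cases[case_id]
        out = {"case_id": c.case_id, "received": c.received.isoformat(),
               "subject": c.subject, "actions": list(c.actions), "result": c.result}
        if role == "authorised_receiver":  # assumed role name
            out["reporter"] = self._identities.get(case_id, "anonymous")
        return out

    def overdue(self, today: date) -> list[tuple[str, str]]:
        """Open cases whose acknowledgement or feedback clock has already run out."""
        late = []
        for c in self._cases.values():
            if c.closed is not None:
                continue
            if c.acknowledged is None and today > c.ack_deadline():
                late.append((c.case_id, "acknowledgement"))
            if c.result is None and today > c.feedback_deadline():
                late.append((c.case_id, "feedback"))
        return late

    def purgeable(self, today: date) -> list[str]:
        """Closed cases past their retention date, due for deletion from the register."""
        return [c.case_id for c in self._cases.values()
                if c.closed is not None and today > c.retain_until()]


def demo() -> Register:
    """Two constructed cases: one acknowledged in time, one sitting unacknowledged."""
    reg = Register()
    reg.add(Case("2025-001", date(2025, 1, 31), "suspected procurement irregularity",
                 acknowledged=date(2025, 2, 5)), "J. Kowalski (constructed)")
    reg.add(Case("2025-002", date(2025, 1, 10), "AML screening bypass"), None)
    return reg


if __name__ == "__main__":
    reg = demo()
    print(reg.overdue(date(2025, 2, 20)))              # [('2025-002', 'acknowledgement')]
    print(reg.view("2025-001", "investigator"))          # no 'reporter' key
    print(reg.view("2025-001", "authorised_receiver"))   # includes 'reporter'
```

Two details carry the weight here: the feedback deadline falls back to the 7-day window when no acknowledgement was recorded, so a forgotten acknowledgement does not quietly push the 3-month clock out, and the reporter's identity never sits in the same record that investigators and ticketing exports read. A real deployment would put the identity store behind its own access control and audit log rather than a dictionary.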

This is also where employers operating internationally need to look at their templates. In September 2024, the US Securities and Exchange Commission settled with seven public companies for over USD 3 million combined over employment and separation agreements that contained language the SEC read as discouraging whistleblowing, and with a separate financial-planning firm for USD 240,000 over confidentiality clauses with no regulator carveout. NDAs, severance agreements, and exit interviews drafted years ago for an entirely different purpose can be read by a regulator as evidence that the company impedes reporting. A sweep of those templates costs very little; finding out the hard way costs a lot.

Caring for the reporter

Often the work of the person receiving a report involves asking difficult, sometimes indiscreet questions. Reporters have to bring evidence, and you have to assess it without flattering or blaming. The way you ask matters as much as what you ask. Trauma-informed intake practice, now standard guidance in workplace investigations, comes down to a few useful habits: ask open questions, let the reporter use their own words, give them some control over format and timing where the law allows, and let them bring a support person if they want one. Investigators who come in with "did you really see that, are you sure?" do not get fewer false reports, they get fewer reports of any kind, and the channel goes silent.

Throughout assessment and resolution, it has to be safe for the reporter to keep working. Through the channel they used to reach you, check in periodically. Confirm that their position is being protected, explain in honest terms which steps have been taken, and ask, plainly, how they are doing. The most common signal that a reporter is about to escalate to a regulator is silence on your side, not anger.

When to bring in outside help

Not every report can be resolved internally. A consultation with external counsel is often the right move, especially when the reported facts touch criminal law, large financial loss, regulated industries, or members of the board. External investigators are useful where impartiality cannot credibly be guaranteed in-house, and ISO 37002 explicitly recommends an outside investigator in cases where the management hierarchy is too close to the conduct.

The reporter also has the right to take the case outside your walls. In Poland, the central external channel is the Commissioner for Human Rights (RPO), supported by sector-specific public bodies. Public disclosure (going to the press, for instance) is protected only after internal and external channels have either failed or been bypassed for narrow reasons spelled out in the act. Internal handling that takes the report seriously usually keeps the case in-house; sloppy internal handling tends to give the reporter both a clear right and a strong motive to walk it out the door.

Office of the Polish Commissioner for Human Rights (RPO), Aleja Solidarności 77, Warsaw / ©Adrian Grycuk (CC BY-SA 3.0 PL)

What it costs to get this wrong

The Polish act treats retaliation, obstructing a report, and unmasking a reporter as criminal offences, punishable by a fine (up to PLN 1,080,000 under the Criminal Code's daily-rate system), restriction of liberty, or imprisonment; the ceiling depends on the offence, and reaches 3 years for the gravest forms, such as obstruction by violence, threat or deception. Failing to establish a procedure in a covered organisation is a separate offence, punishable by a fine. In a retaliation case the burden of proof is inverted: the employer has to prove that an adverse action against the reporter was not connected to the report. A whistleblower whose rights are breached is entitled to compensation of at least the average national monthly salary, with no cap on damages where the harm is greater.

The arithmetic is unforgiving. A first report handled cleanly costs you the time of a trained receiver and a few weeks of careful investigation. The same report handled badly costs the procedure, the people, the regulator's attention, and, frequently, the reporter, who walks straight to RPO, the prosecutor, or the press.

The honest version of the takeaway

Receiving a first report is, in almost every case, a stressful moment for the employer. It does not have to be a chaotic one. The legal framework around the receiver's role is now both detailed and humane, and the procedural basics (acknowledge inside 7 days, give substantive feedback inside 3 months, write everything down, treat the reporter as a person and never leave them alone with the process) match what good investigators were already doing before the law caught up. If the law and the human instinct point in the same direction, the only thing left to do is build the muscle memory and use it the first time, not the third.
