How a whistleblowing system protects employees

A whistleblower is the person who tells you what is going wrong before it lands in court, in the press, or on the regulator's desk. The promise of any internal channel is the same thing in reverse: if your organisation makes it safe to raise the concern, the concern reaches you first. That promise is what employees actually buy into when they walk past the "Speak Up" poster in the kitchen, and it is what most reporting hotlines still fail to deliver.

The point of this post is the employee side of that bargain. There is plenty written about why a whistleblowing system protects companies from fines, fraud, and reputational fallout. There is much less about the specific things an employee gains when the system above them is built on something stronger than a posted email address. Five years ago that question was largely cultural. Today it is also legal: the EU Whistleblower Directive, the ISO 37002 standard, and a hardening case law on retaliation have all redrawn the line between "we have a hotline" and "people use it."

The legal floor: EU Directive 2019/1937

Directive (EU) 2019/1937 is now in force across all 27 EU Member States. It obliges every private and public-sector organisation with 50 or more employees to operate an internal reporting channel that accepts written or oral reports, follows up within three months, and protects the reporter from retaliation. The list of breaches the channel must cover is broad: financial services, anti-money-laundering, public procurement, environmental protection, product safety, food safety, public health, consumer protection, data protection, and cybersecurity.

The transposition deadline was 17 December 2021. Compliance was uneven, and the European Commission did not let it slide. On 25 April 2024 the Court of Justice fined Poland for late transposition. On 6 March 2025 the Court ruled against Germany, the Czech Republic, Hungary, Estonia, and Luxembourg in a related cluster of cases. Germany alone was hit with €34 million; the Czech Republic with €2.3 million; Hungary with €1.75 million; Luxembourg with €375,000; and Estonia with €500,000 plus a daily €1,500 penalty until the law was passed.

"A Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under EU law such as failure to transpose a directive."
Court of Justice of the European Union, judgment of 6 March 2025

The ruling matters for an employee in Hamburg or Tallinn for a more practical reason than the headline number: it puts every Member State's national whistleblower law on the same legal footing. The Directive sets a floor, not a ceiling, so individual countries can be stricter, but they cannot be slacker. Combined with the European Commission's open consultation on the forthcoming Action Plan on Whistleblower Protection, the legal protection an employee has when raising a concern is going up rather than down. For a country-by-country picture of how the Directive lands in national law, see our whistleblower law across Europe overview.

From compliance hotline to speak-up culture

A hotline on its own does very little. The EY Global Integrity Report 2024 found that 93% of organisations now run a whistleblowing hotline, up from 86% two years earlier. That is the box ticked. But in the same survey, 54% of the people who actually reported misconduct said they had felt pressure not to report; 40% of board members said they had personally seen retaliation against a whistleblower; and only 25% of employees said they knew what whistleblower protections were available to them. The hotline exists; the conditions for someone to use it without fearing the consequences mostly do not.

That is the difference between a compliance hotline and a speak-up culture. A compliance hotline is a number nobody calls. A speak-up culture is a workplace where the channel is one of several normal options and where every level of management (line manager, HR, ethics officer, anonymous tooling) treats a report as useful information rather than a personnel problem to manage. The Institute of Business Ethics' 2024 international survey found that willingness to report to a line manager has actually gone down since 2020, from 46% to 40%. The legal scaffolding has improved; the trust scaffolding has not kept up.

The implication for employers is that the work is not finished when the system is procured. The work is finished when the people who would use the system know it exists, know what it covers, and trust that using it will not cost them their career. That is also where good whistleblowing software stops looking like a checkbox and starts looking good for the business: every concern surfaced internally is one less concern that walks out of the building toward a regulator or a journalist.

"Organizations should regularly communicate, potentially to the point of over-communicating, the importance of speaking up."
Jonathan Feig, EY Forensic & Integrity Services

The trust standard: ISO 37002

The same year this post was first written, the International Organization for Standardization published ISO 37002:2021, Whistleblowing management systems: Guidelines. The standard is voluntary and not certifiable, but it has quickly become the reference point that compliance frameworks, sector regulators, and large-buyer procurement teams point at when they want to define what "good" looks like.

The structural choice ISO made matters for the reader of this post. ISO 37002 is built on three principles: trust, impartiality, and protection of the reporter. Speed of investigation, compliance defensibility, and case-management efficiency are all downstream of those three; they fail without them and follow once the trust piece is in place. An employee who does not trust the channel does not put a report into it, and an organisation without reports does not detect misconduct early enough to deal with it.

The shift compared to a 2010-era ethics hotline is that the system is now designed from the reporter outward. Anonymity is preserved by default, not as an exception. The reporter receives mandatory feedback inside the legal three-month window. Investigations have to be impartial with respect to the line of business in which the alleged conduct happened. The reporter has to be protected against retaliation that can take much subtler forms than a firing: reassignment, promotion freezes, contract non-renewal, withholding of training. ISO 37002 names all of those explicitly.

The retaliation gap

Retaliation is the biggest single reason that good systems still under-perform. The Ethics & Compliance Initiative's 2023 Global Business Ethics Survey is the most rigorous data we have on it. It found that 65% of employees observed misconduct at work in the survey period, up from 60% in 2020. Of those who observed it, 72% reported it internally or externally: the reporting rate is actually high. But of those who reported, 46% then experienced retaliation. The number has held roughly stable across surveys: about half of the people who do the right thing get punished for it.

The ECI's bigger structural finding is that only 13% of employees work in what the survey defines as a strong ethical culture. The other 87% sit in workplaces where the ethical signals from leadership are mixed, weak, or actively contradicted by what is rewarded. EY's finding that 64% of board members felt pressure to ignore misconduct comes from the same place: the pressure flows from the top down, and a hotline at the bottom of an organisation that is squeezing its directors to look the other way is not a hotline that gets called.

What an effective system does is shrink the gap between the 72% who would report and the 46% who get hurt for it. That happens through real anonymity options for sensitive reports, mandatory tracking of post-report treatment of the reporter, an independent investigation route for cases where the line manager is the subject, and visible enforcement when retaliation is found. The reader's natural follow-up question, "is it safe to be a whistleblower?", has a different answer depending on whether the system above them is one of these or just a contact form.

What employees actually gain

When the legal floor and the cultural infrastructure both hold, the protections the employee walks away with are concrete and worth naming.

A protected channel they did not have to invent. Under the Directive every covered organisation has to provide one. The reporter does not have to find a friendly journalist or a sympathetic regulator on their own; the first step is internal and is required to be confidential. Anonymity is available as a default option, not as a favour granted on appeal. Modern systems implement encrypted, identity-blind reporting end-to-end. The reporter can be reached for follow-up questions through the same anonymous case thread without ever being unmasked, and good whistleblower software gives them the cryptographic guarantee in writing rather than the legal team's promise.

The Directive's three-month follow-up rule is not a service-level agreement; it is a legal obligation. The reporter cannot be left in silence; they have to be told what is happening with their report. Alongside the timeline sits legal cover against retaliation: most national transpositions implement reverse burden of proof, so if the reporter is fired, demoted, or sanctioned within a defined window after a report, the employer has to prove the action was unrelated. That is a meaningful change from the 2010-era position where the reporter had to prove causation themselves.

Beyond the legal mechanics, the policy itself sends a signal. The point of a whistleblowing policy is not the document; it is what the document tells employees about whose voice carries weight inside the organisation. An employee who has used the system once, watched it function, and seen the issue addressed becomes a different kind of employee inside the organisation: more committed, not less. Voice and exit are the only two ways a person can respond to a problem at work; a system that makes voice work makes exit unnecessary.

A whistleblowing channel built on the principles the Directive and ISO 37002 set out is a piece of workplace infrastructure that rewires who can talk to whom, on what terms, with what protection. The organisation gets better information and the reporter gets cover, which turns out to be the same project rather than two competing ones.
