The teeth of the EU Whistleblowing Directive are in Article 23. Reporting channels, deadlines, the catalogue of protected reporters, all of it ultimately depends on whether someone actually gets hurt for breaking the rules. Most public discussion of Directive 2019/1937 still focuses on the operational obligations and skips the penalty regime, which is the part employers should care about because it decides who pays, how much, and whether the manager who retaliates ends up personally on the hook rather than the company.
Justitia at the Antwerp city hall
© belgianchocolate (CC BY 2.0)
What Article 23 actually punishes
The directive is unusually concrete about what counts as a sanctionable act. It names four categories on the employer side and one on the reporter side. The text is short enough to read in full:
"Member States shall provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons that: (a) hinder or attempt to hinder reporting; (b) retaliate against persons referred to in Article 4; (c) bring vexatious proceedings against persons referred to in Article 4; (d) breach the duty of maintaining the confidentiality of the identity of reporting persons, as referred to in Article 16."
Article 23(1), Directive (EU) 2019/1937
Paragraph 2 closes the loop in the other direction. A person who knowingly reports or publicly discloses false information also has to face an effective and dissuasive penalty, plus a route for the falsely accused to recover damages. The four limbs of paragraph 1 cover the bulk of the day-to-day risk for an employer. Hindering is broader than outright blocking. It includes pressure, manipulated procedures, manufactured workload, and anything else that makes filing a report substantively harder. Retaliation reaches not just the reporter but also facilitators, colleagues, and relatives. Vexatious proceedings covers SLAPP-style defamation suits and harassing labour-court claims aimed at the reporter. Breach of confidentiality applies even to a single careless disclosure of who filed. The full text is on EUR-Lex.
The directive also requires the burden of proof to flip in retaliation cases. Once the reporter shows a prima facie link between the report and a detriment, the employer has to prove the action would have happened anyway. National implementations vary on the procedural detail, but the underlying mechanic is unambiguous and the Commission has chased compliance hard on this specific point. The practical effect is that a labour-court case about a "performance-based" dismissal that lands two months after a report becomes the employer's case to lose, not the reporter's case to win.
"Effective, proportionate and dissuasive" is doing real work
The three-adjective formula in Article 23 is not boilerplate. Each word is a separate compliance test, and the Court of Justice has knocked back national implementations that fail any one of them in other directives. Effective means the penalty has to actually be applied, not just exist on paper. Proportionate means it has to scale with the gravity of the conduct, so a fixed token fine for a corporate retaliation campaign fails. Dissuasive means a rational employer has to prefer compliance over the expected cost of the penalty. The directive is explicit about why this matters:
"Where retaliation occurs undeterred and unpunished, it has a chilling effect on potential whistleblowers. A clear legal prohibition of retaliation would have an important dissuasive effect, and would be further strengthened by provisions for personal liability and penalties for the perpetrators of retaliation."
Recital 88, Directive (EU) 2019/1937
The recital is the reason most national transpositions reach personal liability for individuals, not only administrative fines on the company. A company can absorb a fine. A manager who retaliates and ends up personally named in a criminal proceeding faces a very different calculation. ISO 37002:2021, the international guidance standard for whistleblowing management systems, builds on the same logic. Its three principles of trust, impartiality, and protection only function if the consequences of breaking them are visible inside the organisation. The published version sits on the ISO website.
Member State penalty regimes are uneven
The directive sets the floor and lets each Member State pick the architecture, which has produced very uneven results. Germany's HinSchG, in force since July 2023, caps administrative fines at EUR 50,000 for the worst categories of conduct, failing to set up a reporting channel, retaliation, and breach of confidentiality. The fine maps to legal entities and to responsible individuals, not to the reporter.
France pushed harder. Sapin II, as amended after the 2022 transposition, makes obstructing a report a criminal offence punishable by two years of imprisonment and a EUR 30,000 fine. Disclosing the identity of a reporter without consent carries the same criminal penalties. A separate provision creates a one-year sentence and a EUR 15,000 fine for any person who obstructs the transmission of an alert "in any way whatsoever". On the corporate side, companies that fall short of the Sapin II compliance obligations can face fines of up to EUR 10 million.
Italy sits in the middle. The administrative penalty band for retaliation, obstruction, breach of confidentiality, or failure to set up channels is EUR 10,000 to EUR 50,000, enforced by ANAC. The Italian regulator also coordinated its 2025 whistleblowing guidelines with the data-protection authority Garante, which means a single mishandled report can trigger parallel proceedings on whistleblower grounds and on GDPR grounds. Luxembourg, at the lower end, runs a EUR 1,500 to EUR 25,000 band for retaliatory action and abusive proceedings against reporters. A country-by-country snapshot of Member State regimes shows how inconsistent the floors actually are, and the gap between the cheapest and most expensive jurisdictions is wide enough that multinational employers now treat the question as a deliberate operating-cost choice rather than a procedural footnote.
The Commission's 2024 verdict: too soft to deter
The European Commission published its conformity report on the directive in July 2024. The findings on penalties were sharp:
"Several Member States: (i) defined the sanctioned conduct in vague terms, e.g. by penalising breaches or abuses of the national transposition law in general; or (ii) introduced penalties that appear too low to be considered dissuasive."
Report from the Commission to the European Parliament and the Council, COM(2024) 269 final
The report flagged three specific failure modes. Penalties for "attempts" to hinder reporting were sometimes missing or narrowed by exhaustive lists. Retaliation penalties sometimes reached only the reporter and not facilitators or related persons. And vexatious-proceedings penalties were sometimes left without a specific cross-reference to enforcement legislation. The Commission committed to keep monitoring and to launch infringement proceedings where transposition is not corrected.
When Member States don't transpose, the bill comes from Luxembourg
Member States that do not transpose at all pay before any of their employers do. On 6 March 2025, the Court of Justice fined five states for failing to bring the directive into national law on time. Germany was hit with a EUR 34 million lump sum, the Czech Republic with EUR 2.3 million, Hungary with EUR 1.75 million, Luxembourg with EUR 375,000, and Estonia with a EUR 500,000 lump sum plus a EUR 1,500 daily penalty for ongoing non-compliance.
Poland had already been through the same procedure on 25 April 2024, ordered to pay a EUR 7 million lump sum plus EUR 40,000 per day until transposition. The court rejected Poland's argument that COVID-19 disruption and the influx of refugees from Ukraine justified the delay. The rule is that domestic political circumstances cannot excuse a missed transposition deadline. The eucrim summary of the March 2025 judgments walks through each case.
The European Court of Justice in Luxembourg
© Cédric Puisney (CC BY 2.0)
What this means for an employer in practice
A domestic compliance audit that only checks whether the company "has a reporting channel" is no longer enough. The audit has to test whether the channel is impartial, whether confidentiality holds in operation, and whether the procedure penalises any of its own staff who breach it. The Commission's findings on vague transposition mean several national laws will be tightened in the next round, and the audit baseline moves with them.
The personal-liability layer also changes who actually bears the risk. A line manager who retaliates against a reporter, an HR director who shares the reporter's name with the named subject, a board member who blocks an investigation, each is now exposed to a national criminal or administrative track in their own name. Insurance does not cover criminal liability, and corporate indemnification does not extend to bad-faith conduct. What an organisation does with a report is now a personal-risk question for the people involved.
The case for handing intake to an external operator gets stronger every time a Member State raises its penalty floor. Article 8 explicitly permits the arrangement, ISO 37002 endorses external investigators in contested cases, and the audit posture is cleaner because the operator's obligations are written into a contract instead of inferred from internal procedure. There are several reasons to invest in dedicated whistleblower software, and the penalty regime is one of them.
Wooden gavel and court minutes
© Jonathunder (CC BY-SA 4.0)
The cheapest penalty regime to operate under is the one a company never triggers. Whistleblowing System supports its clients in implementing the platform and in handling reports through cooperation with specialists from SPG Legal Sawicki i Wspólnicy sp.k.
