The Whistleblower Directive's transposition deadlines are years past. Companies with at least 50 workers had to comply by 17 December 2023. Financial firms, public bodies and listed companies were already in scope two years earlier. Two penalty regimes now run in parallel. The Court of Justice of the EU fines Member States that dragged their feet on transposition. National prosecutors and labour courts enforce whatever criminal, administrative and civil sanctions the resulting laws actually contain, on individuals and organisations alike.
Five Member States already paid for being late
On 6 March 2025, the Court of Justice of the EU ruled against five Member States that had taken too long, or in some cases not even started, to transpose Directive 2019/1937. Germany drew a lump sum of €34 million. The Czech Republic was fined €2.3 million, Hungary €1.75 million, Luxembourg €375,000. Estonia owes €500,000 plus a daily penalty of €1,500 that keeps running until the country complies.
These are sanctions on national treasuries paid by taxpayers, ordered by the same court that heard the European Commission's infringement complaints. The bill landed because the affected states either failed to notify the Commission of transposing measures, notified them late, or did so incompletely. Across the EU the gap between the deadline and full compliance is still being measured in months, and the Commission has signalled that it intends to keep policing late transpositions until every Member State is squared away.
Reading the rulings together, one principle is hard to miss.
"A Member State cannot plead provisions, practices or situations prevailing in its domestic legal order to justify failure to observe obligations arising under EU law."
Court of Justice of the EU, 6 March 2025
Penalties land on named people, not on "the company"
National transpositions vary in detail, but the design pattern repeats across most of the EU. Retaliation against a reporter is treated as a criminal offence of natural persons, not of the legal entity. Disclosing a whistleblower's identity is a separate offence. Filing a knowingly false report carries its own criminal penalty, on the principle that protection given to good-faith reporters has to be matched by sanctions on bad-faith ones.
Failing to set up an internal reporting channel sits on a different track. In most jurisdictions it is administrative or quasi-administrative, with fines aimed at the people in charge rather than the entity. The directive's language talks about natural persons responsible for the breach, and Member States have largely followed that wording. The result is that compliance officers, HR directors and named board members show up as defendants. The company itself is not the defendant.
Reverse burden of proof changes the game
The clause that compliance counsel pay closest attention to is buried in the directive's enforcement chapter. Once a reporter shows that they suffered detriment after making a report, the directive presumes the detriment was retaliation. The employer then has to prove the action would have happened anyway. That reversal applies to dismissal, demotion, performance reviews, withheld training, blocked promotion and any negative treatment connected to the reporting.
Combine that with the directive's broad personal scope and the burden gets heavier. Protection covers employees, contractors, suppliers, candidates turned down because of an earlier report, former employees, volunteers and trainees. A defence that "we never had a contract with this person" rarely survives the directive's own definitions.
The European Commission states the standard plainly.
"The directive enables persons working in or with public or private sector organisations to report on breaches of EU law in a confidential manner, without fearing retaliation."
European Commission, Protection for whistleblowers
A binder on a shelf does not count
Several Member States went further than the directive's minimum. Their statutes do not only sanction the absence of an internal channel, they also sanction one that exists in significant breach of statutory requirements. An unread inbox monitored by no one. A web form that routes complaints back to the manager being reported. A procedure circulated once at induction and never referenced again. Each of these can fall on the wrong side of the line.
The practical effect is that deploying a system is no longer where the work ends. Auditors expect to see access logs, response timelines, retaliation tracking and a clean separation between the reported manager and the channel reviewing the report. Implementing the channel itself is the easy part. Keeping it usable, confidential and visibly active is what stays out of the prosecution column.
The directive, the national transpositions and the cases now reaching national courts and labour tribunals all point to the same exposure. The maximum fines vary by jurisdiction, but the addressees are the same: the director who signed off the procedure, the manager who acted on a report, the HR officer who handled the file. Some statutes pull suppliers and contracting parties into the same frame.
The directive has acquired a body of case law to go with its rulebook: CJEU rulings against Member States, criminal records against individual managers, civil compensation orders against employers. For organisations sitting inside its scope, the question of what happens if they ignore it has a public docket of answers.
