What to do with whistleblower report?

A report has just landed in the dedicated mailbox, the secure portal, or a line manager's inbox. The instinct of a manager who has never seen one before is to schedule a quiet conversation and hope it resolves itself. That is not how a whistleblowing report is meant to be handled. Under current European law and ISO 37002 guidance, what comes next is a process: timed, documented, and ring-fenced from the people the allegation concerns.

Direct, designated, or anonymous: pick the right intake

Every employer covered by the EU Whistleblower Directive must run an internal channel and name a person or function responsible for following up on what comes through it. That designated handler is the default route; in larger organisations it is a small committee, in smaller ones a single trained officer.

Keep the line manager route open in parallel for low-stakes concerns the team can resolve in the room, but define where escalation is mandatory: anything involving the manager personally, anything criminal, anything that touches health and safety. The third route, the anonymous channel, exists because some employees will not put their name to a report under any circumstance, and removing that option silently filters out the most sensitive cases.

A safe and easy reporting channel only works when the workforce knows it is there and trusts that opening it does not start a paper trail back to them.

Triage in the first 48 hours

Once the report is in, the case manager grades it before anything else moves. The grading questions are narrow: does the concern fall within the scope of the policy, what kind of breach is alleged (HR, fraud, safety, criminal, regulator-level), and what evidence already sits in the report.

A second screen runs in parallel. If the proposed handler has any reporting line, working relationship, or personal connection to the subject of the allegation, the case is reassigned; findings from a conflicted handler will not survive scrutiny at a tribunal later. Some reports close at this stage, with the reasons written down; some go to a fact-finding meeting; others move straight into a formal investigation.

The seven-day, three-month clock

Two deadlines now sit in national law across the EU. The reporter has the right to an acknowledgement of receipt within 7 days of the report arriving, and to feedback on action taken or planned within 3 months of that acknowledgement (or, where no acknowledgement was sent, within 3 months of the end of the 7-day window). The clock runs whether the report came in named or pseudonymous, and for anonymous reports too where the organisation accepts them (the directive leaves that choice to national law and to the employer), which is why the reporting tool itself has to carry the conversation when the inbox cannot.

Missing either deadline is a compliance breach in its own right, separate from whatever the underlying allegation turns out to be. Build the calendar reminders into the case file the moment it opens; the deadlines in Directive (EU) 2019/1937 exist to break the older pattern of reports that disappear into a drawer for a quarter and then go nowhere.

Investigation: impartial, documented, scoped

A formal investigation needs three things written down before the first interview: terms of reference, the scope of what is and is not in play, and the resourcing it has been given. ISO 37002 frames this as the principle of impartiality, and it is the part most internal teams cut corners on.

Investigators must have no reporting line to the subject and no stake in the outcome; where the subject is senior enough that no internal handler is genuinely independent, an external investigator is brought in for that case rather than retrofitted later. Every assessment decision goes into the file with a date and a name, in language that would survive a regulator reading it cold. The whistleblowing procedure should already prescribe this level of detail; the case manager's job is to keep to it.

Retaliation needs its own workstream after closure

The NAVEX 2025 benchmark flagged something boards should read carefully: retaliation reports rose again, and while global substantiation sits around 16%, in Europe it runs at 32%. Roughly one in three retaliation complaints filed by a European employee turns out to be valid on investigation. Treating the protection of the reporter as a one-line policy promise no longer fits that picture.

The control that does fit has three parts. Move the retaliation-monitoring inbox to a different person from the one handling the original case, so the reporter can flag a problem without reopening the original conversation. Run a structured check-in on a fixed cadence; three months and twelve months after closure are common. Treat any material change in the reporter's role, hours, location, or appraisal score during that window as a triggering event that opens its own case, with consequences for retaliators where the evidence supports it. Trends are also worth watching at the population level; the NAVEX benchmark publishes year-on-year movement that compliance teams use to calibrate what 'normal' looks like for a workforce of their size.

Behind the individual cases sits the management view: a register of every report received, classified by type, status, and outcome, with timestamps on every feedback message sent and every deadline met. The register tells leadership whether the channel is working, gives the auditor evidence that the timed obligations are being kept, and surfaces the small number of cases that escalate to an external reporting route, such as a national regulator, where the directive's external channel takes over.
