Which channel for whistleblowers is the best for my company?

Choosing a reporting channel used to be an open design question. After Directive (EU) 2019/1937 and the national laws that sit on top of it, the question has narrowed: which combination of channels satisfies the law and does not expose the reporter to identification along the way? Web forms keep coming out on top because they shoulder more of the directive's intake, retention, and audit obligations than the older alternatives ever did. They remain the best whistleblowing channel for most organisations.

Anonymity and confidentiality

A reporting channel only protects the reporter if it does not silently leak who they are. Phone hotlines record voices and capture caller IDs. Email keeps headers, signatures, and Outlook profile pictures whether the sender thinks about it or not. Postal mail carries handwriting and a return address. A web form built for whistleblowing is the one channel where identity disclosure is a deliberate choice rather than a side effect of the technology. When the form supports anonymous submission, two-way messaging through a case code, and strict access controls on the back end, the organisation can investigate a report without ever learning who filed it, which is the point.

What the Directive actually requires

Article 9 of Directive (EU) 2019/1937 is unusually specific for an EU instrument. Internal channels must accept reports in writing, orally, or both, and on the reporter's request, in a face-to-face meeting within a reasonable timeframe. The organisation has seven days to acknowledge receipt and three months to provide feedback on what has been done with the report. The threshold that triggers the obligation is 50 employees, with shared resources allowed for entities of 50 to 249. Member states have started enforcing actively: in 2025 the Court of Justice fined Germany EUR 34 million for late transposition, with one-off and daily penalties also imposed on the Czech Republic, Hungary, Estonia, and Luxembourg. Polish private and public entities sit under the same regime through the whistleblower act; the European Commission's overview and the EUR-Lex summary both summarise the directive itself in plain language.

Audit trail and consistent intake

Once a report exists, regulators expect to see what happened to it. National guidance has filled in what an audit trail means in practice. Italy's ANAC Guidelines no. 1/2025, adopted in November 2025, lay out manager designation, conflict-of-interest checks, and case-handling records as concrete obligations rather than generalities. A web form generates the right artefacts by default: a case ID at submission, timestamps on every status change, attachments stored alongside the original report, and retention rules that can be tied to the underlying whistleblowing policy. An inbox cannot do this without a heroic amount of manual filing, and the moment one report ends up in the wrong PST file the organisation has both a GDPR problem and a directive problem at the same time.

Accessibility and 24/7 reach

The form sits on the public internet, which means employees, contractors, and former staff can reach it from any device, on their own schedule, in the language they prefer. For multinational teams this is not a nice-to-have. A reporter in Warsaw should not have to call a hotline that is staffed only during German office hours, and a reporter in Lisbon should not have to compose their account in a language they do not write fluently. The directive expects channels to be available, and available in practice means asynchronous, multilingual, and reachable from outside the corporate network.

The same property matters in the other direction. People who are no longer employees, contractors finishing an engagement, applicants who saw something during interviews, and shareholders are all explicitly in scope under the directive. None of them have a corporate VPN or an active mailbox to file through. A public web form is the only channel that takes them seriously without forcing the organisation to maintain extra plumbing for each group.

Where email and phone fall short

Email is the channel most organisations default to and the channel most likely to fail an audit. Mailboxes are not designed for confidentiality, retention controls, or restricted access. Forwarding chains, autoreplies, and shared assistants widen the circle of people who know about a report long before anyone signed off on that. Phone hotlines are legally fine on their own, since the directive treats voice as equivalent to writing, but the recordings and caller logs they generate become a retaliation surface unless they feed into a structured back end. Both channels work as supplements to a primary web form: a recorded callback line for reporters who would rather speak, an email address for follow-up correspondence on an existing case. They do not work well as the only channel a whistleblowing system offers.

The configuration most compliance teams converge on, after running an internal channel under the directive, is the same one: a secure web form as the primary intake, a documented oral option behind it, and a written procedure that ties both to the directive's seven-day and three-month clocks. WeMoral is built around exactly that pattern: the form handles intake, the timers and audit log run on top of it without manual upkeep. Pricing details live on the pricing page.
