EU Whistleblower Directive

The European Union finalised its first bloc-wide whistleblower-protection regime with Directive (EU) 2019/1937 of the European Parliament and of the Council, on the protection of persons who report breaches of Union law. By the end of 2024 all 27 member states had transposed the directive into national law, but most arrived years late, several only after the Court of Justice fined them, and the European Commission has now opened a review of the directive itself that will run through Q4 2026. For any company with at least 50 employees the practical question stopped being "do we need a whistleblower channel?" some time ago. It is now: is what we built actually compliant with the national law that transposed it, and will that law still look the same a year from now?

The Berlaymont in Brussels, headquarters of the European Commission, the institution that authored the directive and now polices its transposition
© Matthias v.d. Elbe (CC BY-SA 3.0)

Who must run an internal reporting channel

The directive identifies three groups of organisations as obliged to set up confidential internal reporting channels and procedures. Public-sector entities are covered regardless of size, with a narrow carve-out that lets member states exempt municipalities of fewer than 10,000 inhabitants. Private-sector firms with 50 or more employees are covered regardless of activity. Smaller private firms (under 50 employees) are pulled in if they operate in regulated sectors where the cost of misconduct is structurally higher: financial services, anti-money-laundering, transport safety, environmental protection, and any company that competes for public-procurement contracts at scale.

The 50-employee threshold is the directive's floor, not its ceiling. Each member state was free to go further when transposing, and several did. Poland's transposing act applies to a broader catalogue of breaches than the directive's own list, including domestic corruption and certain constitutional rights violations. France's Sapin II framework, amended to align with the directive, kept stricter retaliation rules that reach firms below the EU threshold. Anyone reading the directive's text and assuming that text is the law in force in every member state is going to misread something.

The deadline that nobody met

The directive set a transposition deadline of 17 December 2021 for the public sector and for private-sector firms with 250 or more employees. A staggered second deadline of 17 December 2023 applied to private-sector firms with 50 to 249 employees. The first deadline arrived and only three states (Denmark, Sweden and Portugal) had transposing laws on the books. Most of the other 24 missed it. By mid-2023 the European Commission had opened infringement proceedings against eight states, and by the end of 2024 it had finally pushed all 27 over the line. The late arrivals had taken on average two and a half extra years to do what they had committed to do by Christmas 2021.

The European Parliament hemicycle in Strasbourg, where the directive was co-adopted with the Council in October 2019
© jeffowenphotos (CC BY 2.0)

Poland is the canonical late case. The Polish parliament adopted the Act on the Protection of Whistleblowers on 14 June 2024; the act entered into force on 25 September 2024, almost three years after the original 2021 deadline. Public bodies got an extra grace period to 25 December 2024 to set up the external reporting channels they were already supposed to have running by Christmas 2021. Polish-headquartered companies that had built a directive-compliant channel during the wait then had to revisit it against the actual national text, which (as in many member states) broadened the catalogue of reportable breaches beyond the directive's own list.

The Commission's 2024 conformity review

On 3 July 2024 the European Commission published its statutory conformity report on the directive, COM(2024) 269 final. All 27 states had transposed by the time the report was finalised, and the headline finding was that all of them had transposed the directive's main provisions. The body of the report is more sober: non-conformity issues were identified in roughly half the member states, concentrated in four areas.

One concern is material scope, meaning the catalogue of what counts as a reportable breach. Several states transposed the directive's list narrowly and left out categories the directive was meant to cover. A second is the conditions for protection, the rules that decide when a reporter qualifies as a whistleblower at all. Some national laws set the bar higher than the directive does, for example by adding a public-interest test on top of reasonable belief, which makes it harder to qualify and easier to exclude marginal reports.

A third concern is retaliation safeguards. The directive's presumption of retaliation is an evidentiary tool that shifts the burden onto the employer when a whistleblower is dismissed soon after reporting; in some transpositions it has been watered down or omitted entirely. Finally, the report flags sanctions: some national penalty frameworks fall below the directive's "effective, proportionate and dissuasive" benchmark, with maximum fines that look more symbolic than dissuasive on the balance sheet of a mid-sized company.

The report does not name and shame state by state. It flags which provisions raise concern and signals that infringement proceedings remain on the table. The Commission has been clear that it intends to keep using them.

March 2025: the Court of Justice fines five states €38 million

On 6 March 2025 the Court of Justice of the European Union ruled in a cluster of joined cases (C-147/23 and C-149/23 through C-155/23) that five member states had failed to fulfil their obligations under the directive. The Court rejected each defence and imposed financial penalties totalling more than €38 million. Germany was hit with a €34 million lump sum, by far the largest. The Czech Republic received a €2.3 million lump sum, Hungary €1.75 million, Luxembourg €375,000. Estonia, where transposition was still incomplete on the day of judgment, received a €500,000 lump sum plus a daily penalty of €1,500 that continues to accrue until the Commission certifies full compliance.

Kirchberg in Luxembourg, seat of the Court of Justice of the European Union. On 6 March 2025 the Court fined five member states for late transposition of the directive
© Cayambe (CC BY-SA 4.0)

The rulings establish, beyond the headline numbers, that the directive's transposition deadlines are enforceable in cash. The Commission's own whistleblower-protection page now lists the rulings alongside its summary of the directive, a quiet signal that the institution intends to use them as precedent. A second wave of infringement actions, this time targeting non-conformity rather than non-transposition, has been openly contemplated since the 2024 report.

What the law actually requires inside companies

The directive's compliance obligations on a covered employer fall into four buckets, and a national transposing law cannot dilute any of them, only add to them. The headline obligation is a secure and confidential reporting channel: an internal route by which a worker can report a breach without their identity becoming known beyond the people designated to handle the report. The directive is technology-neutral; it does not mandate a specific tool, but the channel must accept written and oral reports, must acknowledge receipt within seven days, and must produce a substantive follow-up reply within three months.

Alongside the channel comes protection against retaliation. Dismissal, demotion, withholding of training, transfer of duties, change of work hours, withholding of references, disciplinary measures and any other negative consequences of having reported are all prohibited. The directive establishes a presumption of retaliation: if an adverse action is taken against a worker after they reported, the employer carries the burden of showing the action had nothing to do with the report. Contractual waivers of the right to report (the kind sometimes embedded in NDAs or settlement agreements) are unenforceable.

Then there is recordkeeping and follow-up. The recipient of a report must record it, assess it, take action where action is warranted, and inform the reporter of the outcome at the three-month mark. Retention rules are bounded by GDPR data-minimisation principles, so records cannot be kept indefinitely. The fourth obligation is access to external channels, typically a national authority designated by the transposing law, which the worker may use directly, without first going through the internal route, with no loss of protection.

Practically: a generic e-mail address routed to a company HR inbox is not a directive-compliant channel. Neither is a phone line that no-one is contractually obligated to monitor. A compliant set-up requires designated handlers, documented procedures, retention rules, and a clear escalation path, staffed by an internal team, an outsourced provider, or a Data Protection Officer with the bandwidth to actually do the work.

The 2026 evaluation and what could change

Article 27(3) of the directive itself required the European Commission to report to Parliament and Council by 17 December 2025 on how the directive has functioned and whether its scope should be extended. As part of that work the Commission opened a Have Your Say public consultation that ran from 25 August to 18 September 2025, feeding into a broader Action Plan on Whistleblower Protection whose full evaluation is due by Q4 2026.

One position taking shape in the consultation responses, articulated by civil-society observers such as the European Whistleblowing Institute, is that the directive's text is sound and the failures are in implementation. The institute's executive director, Vigjilenca Abazi, has noted that some of the very institutions tasked with protection have faced political interference that undermines their credibility, and has argued for independent national authorities empowered to monitor, sanction and enforce. On that reading, the answer is to push harder on conformity, rather than reopen a hard-won text.

The other line of argument anticipates pressure from the opposite direction. Civil-society commentators have flagged the risk that business actors push the evaluation toward weaker protections: raising the internal-channel threshold from 50 to 250 employees, narrowing the material scope of breaches that trigger protection, all framed as "simplification". None of this is a Commission proposal yet. But for any company that built a compliant channel under the current text, the possibility matters: a 60-person firm that today must run an internal channel could, on a different draft of the directive, be exempt, and the policy fight will run alongside the evaluation itself.

Member-state flags in front of the European Parliament in Brussels. By the end of 2024 all 27 had transposed the directive, into widely different national texts
© Marek Ślusarczyk (CC BY 3.0)

The transposing law that actually binds your organisation is the national act in your country, and it is almost certainly different from what the directive's headline summary describes. If you have not yet adopted a directive-compliant whistleblower system, the March 2025 fines should land as the unambiguous signal that enforcement is real and that "we are still working on it" is no longer a defensible position. We provide a fully directive-compliant whistleblower system with one-day implementation; see how the Whistleblowing System service works.
