Estonian whistleblower protection law "TÕRTKS"

Estonia's whistleblower law was one of the last to arrive in the EU. The country missed the December 2021 deadline. The European Commission took it to the Court of Justice. Parliament passed the TÕRTKS only on 15 May 2024, and it came into force on 1 September 2024.

What is the TÕRTKS, and why did it take so long?

The TÕRTKS is Estonia's version of the EU Whistleblowing Directive. Its full name is the Act on the Protection of Persons Reporting Work-Related Breaches of European Union Law. It sets the rules for reporting a breach of EU law found at work, and it stops anyone from punishing the reporter for it.

"The purpose of this Act is to ensure protection for a person who reports a breach of European Union law that became known through their work-related activity."
Section 1(2) of the TÕRTKS

The delay defined the law. Estonia was one of the last countries in the bloc to act. The Commission had already taken it to court by the time the bill passed. A later change, in force from 18 May 2025, widened the scope to cover breaches of EU sanctions.

The rollout came in two steps. State bodies and large private employers were bound from 1 September 2024. Private firms with 50 to 249 workers had until 1 January 2025 to open a channel. Both deadlines have passed, so every covered employer should already run one.

Who is protected, and which breaches count?

The people the law shields

Protection reaches far past the payroll. The act lists ten kinds of reporter, so the cover does not stop at staff on a contract. It includes:

• employees and public officials;
• the self-employed;
• board and supervisory-body members, and company shareholders;
• volunteers and trainees;
• job candidates in talks for a role, and former workers whose job has ended;
• people working for a contractor or supplier of the organisation.

The shield against payback also reaches people tied to the reporter, such as a colleague or relative. It covers any unit that handles a report for the employer, too.

The breaches that fall in scope

The act tracks EU law, not every kind of wrongdoing. It applies to breaches of European Union rules in 13 fields:

• public procurement;
• financial services and anti-money-laundering;
• product and transport safety;
• the environment, plus nuclear and radiation safety;
• food, feed and animal welfare;
• public health and consumer rights;
• privacy and network security;
• the EU's financial interests and single market, including corporate-tax abuse.

The 2025 change added breaches of EU restrictive measures to that list.

"A breach for the purposes of this Act is an act or omission that is unlawful or that defeats the object of a legal norm."
Section 4(1) of the TÕRTKS

Some areas fall outside it. The law steps aside for national security and state secrets, criminal procedure, and the professional secrecy of lawyers, doctors and clergy. The courts' own rulings stay outside it, too. There the sector's own secrecy rules win.

How can someone report a breach?

The act opens four routes. A reporter can pick the internal channel, their own manager, an external channel at a competent authority, or, in set cases, going public. They do not have to try the internal channel first.

"An external reporting channel may be chosen for reporting a breach even without first using an internal channel."
Section 4(4) of the TÕRTKS

Many employers must run an internal channel. The duty covers all state bodies and financial-supervision subjects. Local-government bodies must run one if they have 50 or more staff, as must municipalities of 10,000 or more residents. So must any legal person with 50 or more workers. The channel must take reports in writing, by voice, or both, and keep them confidential. Firms with up to 249 staff may share one channel.

The clock starts at once. An employer must confirm a report within 7 days. If it is the wrong body to act, it passes the report on within 5 working days. It gives the reporter feedback within 3 months, and it keeps the report on file for 3 years.

WeMoral encrypts every report and shows it only to the handler you name. As GDPR-ready whistleblowing software, it matches what the TÕRTKS asks of the internal channel and handles the data under the GDPR the act points to. Lose a reporter's name and the Police and Border Guard Board can fine you up to €100,000, so its time-stamped log earns its place. You can bring the internal channel live yourself, or hand the channel to WeMoral as the outside party the act allows. A firm of up to 249 staff can share one setup. Either way the reporter stays sealed off from the day it goes on.

Who runs the external channel?

Estonia chose not to build a single watchdog. The law leans on the regulators that already exist. The competent authority for a report is the state or local body that already supervises that field. So a data-protection breach goes to the Data Protection Inspectorate, while a financial one goes to the Financial Supervision Authority.

That body runs the external channel for its sector. It must take reports by voice message, at an in-person meeting, and in writing, and it publishes its own handling rules. For an external report it can take up to 6 months to give feedback in a complex case, rather than the usual three.

Going public is the last resort. A reporter keeps the law's protection for a public disclosure only in narrow cases:

• the external channel did not act in time;
• the breach is an urgent threat to the public interest; or
• there is fair reason to fear payback or a cover-up.

The protection does not depend on naming the wrongdoer in the press first.

How are whistleblowers shielded from payback?

Retaliation is banned outright. The act forbids any work-related act, or failure to act, that flows from a report and harms the reporter without good cause. The ban also catches the attempt and the threat of payback, not just the act itself.

The burden of proof sits with the employer. A reporter does not have to prove they were punished for speaking up. Once they show they reported and then came to harm, the law assumes the two are linked. The employer must then prove the measure had a fair, unrelated reason.

"Where reprisals are applied against a person who reports a breach and that person proves that they reported the breach, the reprisals are deemed to have been applied because of the report, unless the person who applied them proves that it was justified."
Section 16(2) of the TÕRTKS

Confidentiality runs through the act. The handler may reveal who the reporter is only with their written consent. The reporter is also freed from liability for sharing the information. That holds as long as they had fair reason to believe it was needed to expose the breach. Disclosing a trade secret that way counts as lawful, too, and the same cover extends to how the reporter obtained the information.

What are the penalties?

The act treats four acts as offences. Fines for a person are set in fine units, and one fine unit is €4, so the 300-unit ceiling works out at €1,200. Organisations face a flat cap of €100,000.

The Police and Border Guard Board enforces the fines. It is the out-of-court body for these offences, though the Internal Security Service steps in when it finds one during its own work. Hindering a report and retaliating against a reporter are punishable even as an attempt, not only when the act is complete.

Estonia's law is in full force for every covered employer, large and small. Because the country spread enforcement across its sector regulators, the first thing to learn is which one supervises your field. That regulator is the external authority your staff can turn to. To see how the Estonian rules sit beside the rest of the bloc, browse our list of whistleblowing laws by country. A working internal channel keeps a report, and the problem it raises, inside the company first.