How to implement whistleblowing system?

The EU Whistleblower Directive landed years ago, every Member State has a transposition law on the books, and the question on a compliance officer's desk is no longer whether to put a reporting channel in place but whether the one already running actually meets the obligations. Bringing the rules into the daily life of an organisation still breaks down into three movements: drafting the procedure, standing the system up, and keeping it running. Each one has stopped being abstract.

Map the entity before drafting the procedure

Before drafting the procedure, map the entity. Headcount decides whether the obligation kicks in: any private employer with 50 employees or more must have operated an internal reporting channel since 17 December 2023. Group structure decides where the channel sits: holding companies cannot simply pool everything into one shared inbox, a pattern the Commission's July 2024 conformity report identified as non-conforming.

A holding company with several legal entities has to keep separate confidentiality boundaries between them; the European Commission flagged the shared-inbox pattern as one of the most common transposition gaps.

Existing procedures decide what changes. An HR grievance route, a compliance hotline, or a code-of-conduct portal already in place can be folded in, but only if their confidentiality and recordkeeping match the Directive's bar. The output of this mapping stage is a list of named channels, named recipients, and a scope statement saying which categories of breach the channel covers.

What the internal channel must actually do

Article 9 of the Directive sets two operational gates: acknowledgement of receipt within 7 days and substantive feedback within 3 months. Those timings, together with the intake, register, and impartiality requirements set out below, are the points at which programmes most often fall over.

| Aspect | Internal channel | External channel (regulator) |
|---|---|---|
| Operated by | Employer's impartial unit or designated person | National authority designated by the transposing law |
| Acknowledgement | Within 7 days | Within 7 days |
| Substantive feedback | Within 3 months | Within 3 months |
| Reporter's choice | First route, but not mandatory | May be used directly without loss of protection |

Beyond timings, the channel has to accept reports both in writing and orally, whether by phone, voicemail, or in person on request. It must keep a register of reports under retention limits and access controls. It must designate an impartial unit or person with no conflict of interest, and that designation has to be published internally so reporters know who they are speaking to.

Confidentiality of the reporter's identity is non-negotiable. Passing the name to anyone outside the impartial team without consent is itself a breach, and several national transpositions attach standalone fines (often up to €50,000 per violation) for that single failure.

Standing it up: people, training, and ISO 37002

Implementation turns paper procedure into something employees can use. The committee or person responsible for examining reports has to be selected, trained, and equipped; an HR generalist with a side-of-desk hotline rarely survives a real case. Training extends to every line manager who might be the first to hear something, because Directive protection attaches the moment someone speaks up, not the moment they file a form.

ISO 37002:2021 is the most useful scaffolding here. It is a guidance standard rather than a certifiable management standard, but it lays out what a working programme looks like (risk assessment, role assignments, intake, investigation, follow-up, monitoring) and it is built to plug into an ISO-aligned compliance stack an organisation may already run.

Living with the system: monitoring, retaliation, GDPR

Once a system is in place, three things keep it alive. Monitoring means checking each quarter that the operational gates are being met, that feedback letters go out, that the register reconciles, and that the channel is used at all. Retaliation protection flips the burden of proof to the employer once a report is filed. GDPR obligations sit over everything, because every report is personal data.

Monitoring goes beyond measuring volume. A hotline that receives nothing across eighteen months is a signal, usually a bad one.
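The quarterly register check described above, as an added example (this is illustrative code, not WeMoral's product or anything drawn from the Directive's text): it scores a constructed register against the 7-day and 3-month gates and raises the "channel unused" signal. The 18-month silence threshold is taken from this page's wording, and the field names and case references are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ACK_DAYS = 7           # Article 9: acknowledge receipt within 7 days
FEEDBACK_MONTHS = 3    # Article 9: substantive feedback within 3 months
SILENCE_MONTHS = 18    # the text's own warning sign: nothing received in 18 months

@dataclass
class Report:
    ref: str                           # pseudonymous case reference, never the reporter's identity
    received: date
    acknowledged: Optional[date] = None
    feedback: Optional[date] = None

def add_months(d: date, months: int) -> date:
    """Shift a date by whole calendar months, clamping to the target month's last day."""
    y = d.year + (d.month - 1 + months) // 12
    m = (d.month - 1 + months) % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def check_report(r: Report, today: date) -> List[str]:
    """Article 9 gates this report has missed as of `today`; an open step is
    judged against today, so an unexpired clock produces no finding."""
    issues = []
    if (r.acknowledged or today) > r.received + timedelta(days=ACK_DAYS):
        issues.append("acknowledgement late")
    if (r.feedback or today) > add_months(r.received, FEEDBACK_MONTHS):
        issues.append("feedback late")
    return issues

def quarterly_review(register: List[Report], today: date) -> Dict[str, object]:
    """Reconcile the register: per-case gate breaches plus the 'channel unused' signal."""
    breaches = {r.ref: check_report(r, today) for r in register}
    breaches = {ref: found for ref, found in breaches.items() if found}
    last_seen = max((r.received for r in register), default=None)
    silent = last_seen is None or last_seen < add_months(today, -SILENCE_MONTHS)
    return {"breaches": breaches, "channel_silent": silent}

# Constructed sample register (fictional cases), reviewed as of 31 March 2025.
SAMPLE = [
    Report("R-001", date(2024, 12, 2), date(2024, 12, 5), date(2025, 2, 20)),  # compliant
    Report("R-002", date(2025, 1, 10), date(2025, 1, 20)),                     # acknowledged on day 10
    Report("R-003", date(2024, 11, 15), date(2024, 11, 18)),                   # feedback still owed
    Report("R-004", date(2025, 3, 28)),                                        # both clocks still running
]

if __name__ == "__main__":
    print(quarterly_review(SAMPLE, date(2025, 3, 31)))
```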

The retaliation regime rewrites HR procedure. Once a person has reported, any adverse action against them (dismissal, demotion, transfer, withheld promotion, disciplinary measure) is presumed retaliatory, and the burden of proof flips to the employer to show the action would have happened regardless. That presumption has to shape every personnel decision touching anyone with a known prior report.

Data protection sits over everything. Whistleblower data is personal data under the GDPR, so encryption in transit and at rest, role-based access, retention limits, and a documented purpose are not optional. They are the same article-by-article obligations that apply to any HR system.

The cost of getting it wrong

The penalty surface is wider than most boards realise. Member State transpositions impose fines on retaliation, breaches of confidentiality, and hindering reports, frequently in the €30,000 to €50,000 per violation band, stacked across counts. The Commission's slowest five Member States were fined a combined €40 million in early 2025 for missing the transposition deadline.

Beyond the headline fines, infringement proceedings ran against most Member States that missed the deadline, and the Commission has flagged confidentiality and retaliation as the two areas it is watching for follow-up enforcement.

The country-by-country picture remains uneven. Slovakia stepped back from disbanding its whistleblowing authority under EU pressure, Germany is testing the limits of external-disclosure protection in court, and Poland, the last Member State to transpose, brought its law into force on 25 September 2024.

None of this is impossible to run in-house, but it is rarely cheap, and the operational layer (meeting the 7-day clock, keeping the register clean, defending the impartiality of the committee) is where most programmes fall over. WeMoral covers that operational layer end to end, from drafting the procedure through running the channel to producing the audit trail an inspector will ask for.

Marek Tekieli

Compliance specialist focused on policy roll-out and internal information flow. Writes on EU rule-making, landmark cases, and implementing reporting systems.
