Luxembourg whistleblower protection law "loi du 16 mai 2023"

Luxembourg's loi du 16 mai 2023 protects people who report a breach of EU law. It turns the EU directive 2019/1937 into national law. The country acted well after the Union's December 2021 deadline. Two things set the law apart. It creates an Office des signalements under the Minister of Justice, and it lets regulators fine a firm up to 250,000 euros.

Who does Luxembourg's whistleblower law protect?

The law protects the reporter who finds out about a breach at work, in the private and the public sector alike. It covers employees and civil servants, the self-employed, shareholders, and board members. Volunteers and trainees are in scope too, paid or not. What matters is the work setting that put the facts in front of you.

The cover does not stop at the reporter. It reaches facilitators, the people who help someone come forward, along with colleagues and relatives who could face payback over the link. The firms the reporter owns or works for are covered as well. The law even stands behind a job that has ended, and one that has not yet begun, such as during hiring.

Someone who reports with no name attached stays protected, even if they are later identified and targeted. The law sets one plain test. You must have had good reason to believe the facts were true when you spoke up. Some areas still fall outside the law. They include national security, medical secrecy, lawyer-client privilege, the secrecy a notary or bailiff must keep, court deliberations, and the rules of criminal procedure.

Which employers must set up an internal reporting channel?

The threshold is 50 workers. Any private or public body that reaches it over twelve months in a row must run an internal channel. Bodies with 50 to 249 workers may share the work of taking and handling reports. Towns under ten thousand people are exempt. So are bodies under fifty workers, though they may still set one up.

The internal procedure follows set rules. The channel must be secure and keep the reporter's name secret. The body confirms a report within seven days, names an impartial person or team to handle it, and gives feedback within three months at most. A report can be written or spoken. For bodies with 50 to 249 workers, this duty has applied since 17 December 2023.

One Luxembourg rule is about language. The channel must take reports in any of the three administrative languages. Those are Luxembourgish, French, and German. It can also take any other language the body allows.

"The channels [...] allow reports to be made in writing or orally [...] in one of the three administrative languages [...] or in any other language accepted by the legal entity."
Article 7, loi du 16 mai 2023

WeMoral takes reports in all three administrative languages, in one place. Each one lands encrypted and stays sealed to the impartial person you name, so no other colleague can open it. The tool keeps a time-stamped record of every step. That is the proof you want the day the Office des signalements asks how your channel runs, or when a regulator weighs a fine of up to 250,000 euros. It is multilingual whistleblowing software compliant with the loi du 16 mai 2023. You can put an internal channel into service without writing a line of code.

The Office des signalements, Luxembourg's whistleblower authority

The law sets up an Office des signalements under the Minister of Justice. It is a central point of contact. The office informs and helps anyone who wants to report, inside or outside their firm. It raises public awareness of whistleblower protection, draws up advice for the authorities, and publishes a yearly report.

"An office for reports is hereby created, hereafter the 'office'. It is placed under the authority of the minister responsible for Justice."
Article 8, loi du 16 mai 2023

A director runs the office. The Grand Duke appoints them for a five-year term, which can be renewed. The post calls for Luxembourg nationality, a clean record, a master's degree, command of the three administrative languages, and at least ten years of experience. The role is independent. The director cannot sit in the government, the Chamber of Deputies, or the European Parliament, and cannot hold a stake in a firm the office oversees.

The office does more than advise. For several fields, it takes the cases that other authorities pass on. It can then impose a fine itself. Its yearly report carries the numbers. They cover the reports received, the inquiries opened and how they ended, and the money lost and won back.

Where else can a whistleblower report?

A reporter need not go through their employer first. They can file straight with an outside authority, or start inside. The choice is theirs, and the law leaves the route open.

The law names twenty-two authorities, each one for its own field. They include:

• the Commission de surveillance du secteur financier (CSSF), the financial regulator;
• the Commissariat aux assurances, for insurance;
• the competition authority;
• the Commission nationale pour la protection des données (CNPD), for data protection;
• the labour and mines inspectorate (ITM).

Some of these authorities can fine a firm directly. Others pass the case to the Office des signalements, which decides. The outside channel must stay confidential and keep the file safe over time. It confirms a report within seven days. It gives feedback within three months, or six in hard cases.

Going public is a protected last resort. Someone who takes the facts to the press keeps the law's protection if a report inside or outside led nowhere. The same holds if there is an urgent danger, or a risk the evidence would be hidden or that payback would follow.

How does the law protect whistleblowers from retaliation?

The law protects reporters with a broad ban on payback. It forbids any harmful step tied to a report, and lists fourteen kinds, from dismissal and demotion to blacklisting, harm to a reputation, and being sent for psychiatric care. A threat or an attempt counts on its own. The reporter's name stays secret throughout.

"Any retaliatory measure referred to in Article 25, points 1 to 6, 9, 12 and 13, is null and void by operation of law."
Article 26, loi du 16 mai 2023

The remedy is quick. The worst measures, such as dismissal, are void by law. The reporter has fifteen days to ask the court to confirm that, and to order the measure stopped. The burden of proof flips. Once the reporter shows they reported and then suffered harm, the employer must prove the move had another cause. The reporter can also sue for damages.

The law adds an immunity. The reporter bears no blame for sharing the information. They bear none for getting it either, unless getting it was a crime on its own. They can use the report to have a defamation, secrecy, or data claim thrown out.

What are the penalties for breaking the law?

Administrative fines run from 1,500 to 250,000 euros. They hit anyone who blocks a report, breaks the reporter's confidence, or fails to set up channels. The top figure doubles for a repeat within five years.

"The fine may range from 1,500 euros to 250,000 euros. The maximum fine may be doubled in the event of a repeat offence within 5 years of the last sanction becoming final."
Article 18, loi du 16 mai 2023

The law does not only protect the reporter. It also punishes abuse. A knowingly false report can bring eight days to three months in prison, a fine of 1,500 to 50,000 euros, and a civil claim from the firm that was harmed. The protection is strong, but it rests on good faith.

Luxembourg is a busy financial centre. The CSSF alone watches thousands of funds and banks. The loi du 16 mai 2023 sends much of the reporting through these sector regulators. At the same time, it puts an Office des signalements at the centre to guide firms and hold the fines. The country did not just copy the directive's three channels. It built a state office to help and to punish. For an employer the task is plain: name an impartial handler, seal every report, and accept all three of the country's languages. To see how Luxembourg compares with the rest of Europe, read our guide to whistleblower laws by country.