How to implement whistleblowing system?

The EU Whistleblower Directive (Directive (EU) 2019/1937) has been transposed into national law across the EU. Companies no longer ask whether they need a reporting channel; they check whether the channel they already have meets the rules. Setting one up falls into three stages: planning it, building it, and running it. This article walks through each stage and the checks that matter at every step.

Key Takeaways

  • Any private employer with 50 or more staff must run an internal reporting channel.
  • A group cannot serve several legal entities from one shared inbox; each entity needs its own channel boundaries.
  • Receipt of a report must be acknowledged within 7 days, and substantive feedback given within 3 months of that acknowledgement.
  • Whistleblowers are protected from the moment they first report, whether or not they use the formal channel.
  • National fines for breaching confidentiality or retaliating against a reporter can reach €50,000 per case.

Map the entity before drafting the procedure

Start by mapping the company. Headcount matters most: any private employer with 50 or more employees has had to run a channel since the 17 December 2023 deadline for entities with 50 to 249 staff. Group structure matters too. A holding company cannot simply run one shared inbox for all its subsidiaries; the Commission's July 2024 implementation report flagged this as a common way of breaking the rules.

A holding company with several units must keep each unit's reports and data separate. The European Commission lists shared inboxes among the most frequent mistakes. Each legal entity needs its own boundaries, because those boundaries are what keep the reporter's identity from spreading beyond the people handling the case.

Check what you already have. An HR route or a code-of-conduct portal can stay, but only if it meets the Directive's requirements: a documented list of channels, an impartial person or department designated to receive and follow up on reports, and a defined scope stating which breaches of EU law the channel covers.

What the internal channel must actually do

Article 9 of the Directive sets the two clocks every channel runs on: acknowledge receipt within 7 days, and give substantive feedback within 3 months of that acknowledgement (or, if no acknowledgement was sent, 3 months from the end of the 7-day window). The channel must accept reports both in writing and orally, which means by phone or voice message and, on request, in a physical meeting. A channel that misses any of these does not comply.

Aspect                Internal channel                                   External channel (regulator)
Operated by           Employer's impartial unit or designated person     National authority designated by the transposing law
Acknowledgement       Within 7 days of receipt                           Within 7 days of receipt
Substantive feedback  Within 3 months of acknowledgement                 Within 3 months of acknowledgement (6 months in duly justified cases)
Reporter's choice     Encouraged first route, but not mandatory          May be used directly without loss of protection

The channel must be easy to use. It must accept reports by phone, voicemail, or in person, keep a secure record of every report, and be run by a designated impartial person or team. Tell staff who those people are so they know whom to trust.

Keeping the reporter's identity confidential is essential. Disclosing it without the reporter's explicit consent is unlawful, and some countries now fine that single failure at up to €50,000.

Standing it up: people, training, and ISO 37002

Now turn the written procedure into a working function. Pick and train the people who will receive and assess reports; an HR staffer doing this on the side is not enough. Train every manager as well: protection attaches from the moment an employee speaks up, even informally, so a manager who hears a concern without a form being filled in is already handling a protected report.

ISO 37002:2021 is a useful reference here. It is a guidance standard rather than a certifiable one, but it describes what a sound whistleblowing management system looks like: risk assessment, intake, triage, and investigation. It also fits alongside the other ISO management-system standards your firm may already run.

Living with the system: monitoring, retaliation, GDPR

Once the system is live, three things keep it compliant. Monitoring means checking acknowledgement and feedback times against the case log every quarter. Retaliation rules reverse the burden of proof: you must show that any adverse action against a reporter had justified grounds. The GDPR applies to every item of personal data the channel collects.

Monitoring is about more than counting reports. A hotline that stays silent for eighteen months is a warning sign in itself: it usually means staff do not trust the channel or do not know it exists.
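The quarterly check described above, and the two Article 9 clocks from the section on what the channel must do, can be run mechanically over a case-log export. The script below is an added example, not code from this page or from WeMoral. It assumes (hypothetically) that the channel can export a CSV with the columns shown in SAMPLE_LOG, that "3 months" is counted in calendar months with the day clamped to month end, and that, per Article 9(1)(f), the feedback clock runs from the acknowledgement or, if none was sent, from the end of the 7-day window. The sample log and the entity register are constructed.

```python
"""Quarterly audit of a whistleblowing case log against the Article 9 clocks.

Added example, not code from this page or from WeMoral. Assumptions (all
hypothetical): the case log is exported as CSV with the columns in SAMPLE_LOG,
"3 months" is counted in calendar months with the day clamped to month end, and
per Art. 9(1)(f) the feedback clock runs from the acknowledgement, or from the
end of the 7-day acknowledgement window if no acknowledgement was ever sent.
"""
import calendar
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ACK_DAYS = 7          # Art. 9(1)(b): acknowledge receipt within 7 days
FEEDBACK_MONTHS = 3   # Art. 9(1)(f): feedback no later than 3 months after acknowledgement
SILENCE_MONTHS = 18   # the article's "silent for eighteen months" warning sign

# Constructed sample export, one row per report; a blank field means "not done yet".
SAMPLE_LOG = """\
case_id,entity,received,acknowledged,feedback
WB-0001,AcmeCo GmbH,2025-01-10,2025-01-14,2025-03-20
WB-0002,AcmeCo GmbH,2025-02-03,2025-02-12,
WB-0003,AcmeCo GmbH,2025-03-28,,
WB-0004,AcmeCo Polska,2025-04-30,2025-05-05,2025-08-07
WB-0005,AcmeCo Nordic AB,2023-11-15,2023-11-20,2024-02-10
"""

# Constructed register of the group's legal entities. Each runs its own channel,
# and an entity with zero reports never appears in the log, so it is listed here.
ENTITIES = ["AcmeCo GmbH", "AcmeCo Polska", "AcmeCo Nordic AB", "AcmeCo France SAS"]


@dataclass
class Case:
    case_id: str
    entity: str
    received: date
    acknowledged: Optional[date]
    feedback: Optional[date]


def add_months(d: date, n: int) -> date:
    """Shift d by n calendar months (n may be negative), clamping to month end,
    so 30 Nov + 3 months is 28/29 Feb rather than an invalid date."""
    total = d.year * 12 + (d.month - 1) + n
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def parse_log(text: str) -> List[Case]:
    """Read the CSV export into Case records; blank date fields become None."""
    def opt(s: str) -> Optional[date]:
        return date.fromisoformat(s) if s.strip() else None
    rows = csv.DictReader(io.StringIO(text))
    return [Case(r["case_id"], r["entity"], date.fromisoformat(r["received"]),
                 opt(r["acknowledged"]), opt(r["feedback"])) for r in rows]


def feedback_deadline(c: Case) -> date:
    # Clock starts at the acknowledgement, or when the 7-day window expired unused.
    start = c.acknowledged or (c.received + timedelta(days=ACK_DAYS))
    return add_months(start, FEEDBACK_MONTHS)


Finding = Tuple[str, str, date]   # (case_id, finding code, deadline that was missed)


def audit(cases: List[Case], as_of: date) -> List[Finding]:
    """Flag every case that missed a deadline, or is still open past one."""
    findings: List[Finding] = []
    for c in cases:
        ack_due = c.received + timedelta(days=ACK_DAYS)
        if c.acknowledged is None:
            if as_of > ack_due:
                findings.append((c.case_id, "ACK_OVERDUE", ack_due))
        elif c.acknowledged > ack_due:
            findings.append((c.case_id, "ACK_LATE", ack_due))

        fb_due = feedback_deadline(c)
        if c.feedback is None:
            if as_of > fb_due:
                findings.append((c.case_id, "FEEDBACK_OVERDUE", fb_due))
        elif c.feedback > fb_due:
            findings.append((c.case_id, "FEEDBACK_LATE", fb_due))
    return findings


def silent_entities(cases: List[Case], entities: List[str], as_of: date) -> List[str]:
    """Entities with no report received in the last SILENCE_MONTHS: a sign the
    channel is unknown or distrusted there, not evidence that nothing is wrong."""
    cutoff = add_months(as_of, -SILENCE_MONTHS)
    last_seen: Dict[str, date] = {}
    for c in cases:
        last_seen[c.entity] = max(last_seen.get(c.entity, date.min), c.received)
    return sorted(e for e in entities if last_seen.get(e, date.min) < cutoff)


if __name__ == "__main__":
    quarter_end = date(2025, 9, 30)
    cases = parse_log(SAMPLE_LOG)
    for case_id, code, due in audit(cases, quarter_end):
        print(f"{case_id}: {code} (deadline {due})")
    print("silent entities:", silent_entities(cases, ENTITIES, quarter_end))
```

Run against the constructed log at the end of Q3 2025, the audit flags WB-0002 (acknowledged two days late, feedback overdue), WB-0003 (never acknowledged, feedback overdue because the clock started when the 7-day window expired) and WB-0004 (feedback two days late), while AcmeCo France SAS and AcmeCo Nordic AB show up as silent for more than eighteen months. The same entity-keyed grouping is the natural place to enforce the per-entity separation discussed earlier, since handlers for one entity should only ever see that entity's rows.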

The rules on retaliation change how HR works. Once a person has reported a breach you cannot simply dismiss, demote, or move them. Any detriment they suffer afterwards is presumed to be retaliation, and the burden is on you to show it was taken on duly justified grounds. That presumption must shape every HR decision involving a reporter.

Data protection is not optional. Every report contains personal data, so the GDPR applies in full: encrypt the records, restrict access to the designated handlers, and set a retention period with a documented reason for it. These are the same duties that apply to any HR system, but the data here is more sensitive than most.

The cost of getting it wrong

The cost of failure is high. Many countries fine firms for retaliation or breaches of confidentiality, typically €30,000 to €50,000 per case. Five member states that transposed the Directive late were ordered to pay a combined €40 million in 2025.

Fines are only the start. The Commission is also watching how firms handle confidentiality and retaliation, and has flagged both areas for closer scrutiny.

Implementation still differs from country to country. Slovakia kept its whistleblower protection office after pressure from the EU. Germany's rules are still being tested in court. Poland's law entered into force on 25 September 2024.

You can run all of this yourself, but it is neither easy nor cheap. Meeting the 7-day clock and keeping the case log clean is where most firms fail. WeMoral handles this work for you: the procedures, the channel, and the audit logs inspectors ask for.

Marek Tekieli

Compliance specialist focused on policy roll-out and internal information flow. Writes on EU rule-making, landmark cases, and implementing reporting systems.
