On 7 October 2019, the European Council of Ministers formally adopted the new Directive on the protection of persons who report breaches of Union law, commonly referred to as the ‘Whistleblower Directive’. The new Directive will require all legal entities in EU Member States to adhere to certain minimum standards for protecting whistleblowers who report breaches of EU law, as well as facilitators or anyone assisting a whistleblower, and obliges the creation of safe channels for reporting – both within an organization, private and public, and towards public authorities.

Although the legislation still needs to be transposed into national law over the next two years, the new Directive will most likely have a considerable impact on the private and public legal entities in scope as protective measures and reporting mechanisms will have to be implemented accordingly. This is true in particular for those organizations residing in countries where currently no legal framework on whistleblower protection is in place (such as Belgium).

Why this matters

The overall aim of the European Directive on the protection of persons who report breaches of Union law is to provide minimum standards of harmonization on whistleblower protection across all EU Member States. More concretely, the Directive aims to:

  • Protect whistleblowers (and those assisting) from retaliation in all forms (such as lawsuits that might arise from breaking confidentiality clauses in employment contracts); and
  • Oblige private firms as well as public authorities to set up formal internal processes and procedures for breach-reporting.


The definition of a ‘whistleblower’ in the Directive is broad, and thus companies will need to include and handle reports from not only current employees but also former employees, shareholders, members of the administrative, management or supervisory body, interns, volunteers and (sub)contractors.

Adding to the comprehensiveness of the Directive, a wide range of actions have been classified as retaliation, including, but not limited to:

  • Lay-off, demotion or withholding of promotion;
  • A reduction in wages or working hours, or failure to convert from temporary into permanent employment;
  • Withholding of training or a negative performance assessment;
  • Disciplinary or financial penalties, or discrimination.

What must businesses do?

Whereas the rules set forward by the Directive will apply to all private and public legal entities as far as protection against retaliation is concerned, the requirement of designing and setting up formal reporting mechanisms will be limited to:

  • Private enterprises:
    • With at least 50 employees; or
    • Financial services firms and organizations with an inherent vulnerability to money laundering or terrorist financing, irrespective of their number of employees.
  • Public enterprises, including:
    • State administration; or
    • Regional administration and departments; or
    • Municipalities with more than 10 000 inhabitants; or
    • Other entities governed by public law.
  • All micro- and small entities are exempt by the Directive from the requirements on setting up a whistleblowing reporting mechanism, although individual Member States are free to extend the rules to small companies in specific sectors.


In-scope organizations will have to facilitate reporting channels that allow reporting by:

  • Written report in electronic or paper format;
  • Oral report through telephone lines; and
  • Physical meeting between the whistleblower and a dedicated person or department responsible for handling reports.


The Directive sets forth that reporting channels may be operated by an internal person or department designated for that purpose or by an external third party, provided they offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy. In any case, organizations will need to make sure an adequate response is provided to any report within a three-month time frame. 

Implications, challenges and opportunities

Although the new legislation still needs to be transposed into national law, it is clear that the new Directive and its compliance requirements will have a considerable impact on in-scope organizations in all EU Member States. In addition to budgetary implications, the new Directive will also pose challenges to organizations’ internal expertise and capacity. The review of current policies and procedures, the setup of formal reporting mechanisms and the handling and follow-up of reports will require expertise in legal compliance, labor law, data protection law, IT infrastructure and forensic science. Furthermore, the requirement to provide an adequate response within a three-month time frame to any report received will put pressure on organizations to foresee additional capacity for handling these reports.

Despite the fact that the implications for in-scope organizations will be considerable and that both the initial and long-term investment should not be overlooked, the advent of the new Directive provides organizations the opportunity to rethink their approach to internal fraud and misconduct risk. Research by the Association of Certified Fraud Examiners shows that tips are by far the most common initial detection method (i.e. 40 percent of fraud cases investigated) and that frauds occurring in organizations with hotlines are on average 50 percent smaller than those in organizations without. A well-organized system of whistleblower protection and reporting can therefore help organizations strengthen their internal control framework, and – by extension – lead to a minimization of financial losses and reputation risks.


In light of the new Whistleblower Directive, KPMG Forensic and KPMG Law have joined forces to support our clients in reviewing and updating existing whistleblower and privacy policies as well as compliance frameworks in line with the upcoming regulatory requirements, and in designing and setting up internal reporting systems. If you have any questions with regard to the new Whistleblower Directive and the compliance requirements it entails, please do not hesitate to contact Wouter Monten (KPMG Forensic) or Gert Cauwenbergh (KPMG Law).
