As of 17 December 2023, all legal entities operating in the private sector with a workforce of 50 to 249 employees will be required to adhere to the law on the protection of reporters of violations of Union or national law established within a legal entity in the private sector (the “Law”). This deadline follows the initial phase, which mandated compliance for organizations with over 249 employees as well as entities falling within the scope of the provisions on financial services, products and markets and the prevention of money laundering and terrorist financing (regardless of the number of persons employed) starting from 15 February 2023.

What obligations and prohibitions does the new Law introduce?

The primary requirement under the Law is to establish and operate an internal reporting mechanism along with a systematic process for handling reports related to infringements of (certain matters of) Union law and national law.

The Law outlines three distinct reporting channels to be implemented:

  • Internal channel – the legal entity is obligated to, at the very least, provide employees with the ability to report. However, it has the discretion to broaden this scope and permit external stakeholders (such as suppliers) to utilize the internal reporting channel;
  • External channel – set up by the government. The legal entities operating in the private sector are required to provide clear and accessible information outlining the procedure to be followed in case of external reporting to a competent authority; and
  • Public disclosure – for example, via press releases.

Organizations falling within the scope of the Law must create policies to facilitate an internal reporting channel that accommodates reporting via written (electronic or paper format) and/or oral channels (e.g. via telephone lines or other messaging systems and, upon request, through a physical meeting). It is important to emphasize that the Law also stipulates that the operation of these reporting channels must be overseen by individuals or departments that can assure independence, data protection, and confidentiality of the identity of the whistleblower (and any third party mentioned in the report). These reporting channels can be managed internally by a designated person or department or outsourced to a third party.

Moreover, it is imperative to respect social dialogue during the process of establishing the internal reporting channel, ensuring that information and consultation take place according to the cascade system.

Entities subject to the Law are obligated to actively pursue and address the received reports. In particular, they are obliged to provide a confirmation of receipt to the whistleblower within seven days and any report received must, in principle, be addressed within a maximum timeframe of three months. 

Implications of non-compliance

Failure to meet the obligations (such as the obligation to set up an appropriate channel or the obligation to refrain from retaliation) as outlined in the new Law could lead to severe penalties, including:

  • Criminal sentence of imprisonment from six months to three years; and/or
  • Criminal fines ranging from EUR 4,800 to EUR 48,000 (EUR 24,000 to EUR 576,000 for legal entities); and/or
  • Administrative fines ranging from EUR 2,400 to EUR 24,000 (per employee, with a maximum of 100).

It is essential to note that the Law also sanctions individuals who knowingly file false reports or provide inaccurate information to the public. 

How can KPMG and KPMG Law help?

KPMG and KPMG Law can help your organization ensure that its whistleblowing program surpasses the minimum regulatory requirements and reaps the benefits of the new Law to create added value and to safeguard your business. We can support you throughout the entire process in the following ways:

  • Current state assessment: we will assess your company’s current situation regarding whistleblower protection and reporting. We will identify the gaps between what is in place and what should be in place;
  • Design and implementation of your whistleblowing program: we can offer a range of implementation options to address your company’s whistleblowing obligations; and
  • Post-implementation support: it is essential that the program be effectively operated and maintained and that trust in the program is monitored and evaluated to ensure its success. In this respect, we can support your organization with a range of services, including support with the assessment and handling of received reports and the conduct of forensic investigations.