European Union – New Measures for Protection of Whistleblowers

European Union – New Measures for Protection of Whistle

On 7 October 2019, the European Union (EU) Council approved a Directive aimed to protect persons who report breaches (the Whistleblowing Directive) of EU law. The Whistleblowing Directive introduces minimum standards for the protection of whistleblowers in the EU, which companies and authorities must follow. This will affect companies’ legal departments and HR departments and permeate the entire business entity.



Daida Hadzic


KPMG Meijburg & Co



To subscribe to GMS Flash Alert, fill out the subscription form.

On 7 October 2019, the European Union (EU) Council approved a Directive1 aimed to protect persons who report breaches (the Whistleblowing Directive) of EU law.  EU member states have two years to transpose the Directive into their national legislation.

Taking into account that only 10 EU countries (out of 28) have comprehensive legislation in place that protects whistleblowers, this Directive will introduce significant legislative changes in most EU countries.  


The Whistleblowing Directive introduces minimum standards for the protection of whistleblowers in the EU, which companies and authorities must follow.  In addition to having a channel for reporting breaches, the Directive focuses on how quickly a company deals with such reporting, how it investigates, and how information is processed until the case is closed.  Among the provisions of the Directive, the whistleblower must be duly informed about the process and any remedial actions must be undertaken by an impartial person.  

This Directive, for many EU member states, introduces new legal concepts and new rules that will:

  • alter company and employee behavior, in many instances;
  • require new policies and communications; and
  • provide employees with a framework for bringing wrong-doing and breaches of law and policy to light.

This will affect companies’ legal departments and HR departments and permeate the entire business entity. 


Oftentimes it has been a whistleblower who has shed light on a breach of law or policy, ethics, or general maltreatment or misconduct.

Newspapers and broadcast news have reported on several of the more notorious instances of whistleblowers pulling the curtain back on violations of the law, abuse, negligence, and/or misconduct.  What has also been revealed in some cases, is the inadequate protection of those individuals who expose wrongful behavior.  

Many businesses, non-profit organizations, and governments have whistleblower rules in place.

The existing instruments for the protection of whistleblowers at the EU level are limited and aimed at specific businesses, such as financial services, transport safety, and environmental protection.

Whistleblowing Directive in More Detail

What Must Businesses Do?

Businesses in the private sector that must establish internal channels and procedures for reporting and following up on reports are those:

  • that employ at least 50 employees;
  • with annual business turnover (balance sheet) totalling EUR 10 million or more;
  • of any size operating in the area of financial services or vulnerable to money-laundering or terrorist financing.

It should be noted that member states could include small businesses (e.g., fewer than 50 employees, turnover under EUR 10 million, etc.) in the scope of their respective national legislation and pose the same requirements for the protection of whistleblowers.

The reporting channels shall allow reporting by:

  • written report in electronic or paper format;
  • oral report through telephone lines; and
  • physical meeting with a dedicated person or department to receive such reports.

The appropriate channels and procedures for reporting and following-up on reports must:

  • guarantee the confidentiality of the reporting person;  
  • designate a person or department competent for following up on the reports;
  • ensure diligent follow up to the report by the designated person or department;
  • provide feedback to the reporting person about the follow-up to the report within a reasonable timeframe, which may not exceed three months following the report;
  • provide clear and easily accessible information about the procedures and information on how and under what conditions reports can be made externally to competent authorities.  

It should be noted that the EU member states are obliged to designate the authorities competent to receive and handle reports on breaches.  In this context, it is relevant to observe that the reporting person is not limited to using internal reporting channels.  A report about a breach can be made externally. 

Scope of Reporting

The Whistleblowing Directive is aimed at reporting breaches of EU law that are in the public interest.  This includes a wide range of EU law such as anti-money laundering, corporate taxation, data protection, product safety, financial interest, environmental protection, etc.

The member states are even encouraged by the EU Commission to extend these rules to other areas. 

Who Is a Whistleblower?

A whistleblower is a person who reports or discloses information about breaches identified in the context of work-related activities.  The interpretation of who a whistleblower is should be understood broadly, including current and former employees, job applicants, share-holders, trainees, volunteers, contractors, self-employed individuals, etc. 


The Whistleblowing Directive protects the reporting person, the whistleblower, from any threats of retaliatory measures and retaliatory actions.  It also protects the whistleblower’s identity – he or she cannot be “unmasked” and therefore his or her anonymity is protected.  Member states must provide legal support and advice in legal proceedings to the whistleblowers.

The whistleblowers will not be held responsible for having gained access to the information they disclose, unless the information was gained by committing an unlawful act.

The protection of whistleblowers in the Directive is rather far reaching in that by disclosing the information, whistleblowers cannot be held accountable for violating a company policy regarding the protection of information.   

Sanctions for Non-compliance

Those who attempt to hinder reporting, to reveal the identity of a whistleblower, to threaten or retaliate against a whistleblower, must be sanctioned.  The Directive supports an effective sanction regime in order to make sure that companies live up to the requirements. 


The Whistleblowing Directive introduces a minimal requirement for the protection of whistleblowers in the European Union.  Irrespective of how the national implementation of this Directive develops, companies can already begin assessing their existing policies for the protection of whistleblowers and introduce reporting channels, if such do not already exist.

Companies can also assess their General Data Protection Regulation (GDPR) compliance, as processing of personal data carried out pursuant to the Whistleblowing Directive must be aligned with GDPR.

The Whistleblowing Directive protects a whistleblower who reports breaches externally. 

Even though the member states have two years to transpose this Directive into national law, companies can already be focusing on revising their existing channels for reporting and policies for the protection of whistleblowers.  It could be deemed a positive step when a company communicates internally about openness and the commitment of its management to listen and follow up on reports brought by whistleblowers.

Introducing and fostering a healthy culture in terms of whistleblowing can support efforts to enhance ethics and integrity and generate increased business value, as companies demonstrate their commitment to preventing abuse and misconduct and act to build trust by complying with legislation that protects whistleblowing.   


1  For the text of the Whistleblowing Directive, click here.

* Please note that KPMG LLP (U.S.) does not provide any immigration services or labour law services.  However, KPMG Law LLP in Canada can assist clients with U.S. immigration matters.   


The information contained in this newsletter was submitted by the KPMG International member firm in the Netherlands. 

© 2024 Meijburg & Co Caribbean, Tax Lawyers, is an association of limited liability companies and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

GMS Flash Alert is a Global Mobility Services publication of the KPMG LLP Washington National Tax practice. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization. KPMG International Limited is a private English company limited by guarantee and does not provide services to clients. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Connect with us

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today