EU Whistleblower Protection Directive (EU 2019/1937)
The EU Whistleblower Protection Directive 2019/1937 establishes EU-wide minimum standards for protecting persons who report breaches of Union law.
Summary
The EU Whistleblower Protection Directive (Directive (EU) 2019/1937) establishes, for the first time, common minimum standards across the EU for the protection of persons who report breaches of Union law. It requires legal entities in the private and public sector to set up internal reporting channels and prohibits any form of retaliation against whistleblowers.
The directive covers reports of breaches in numerous areas of EU law, including public procurement, financial services, product safety, environmental protection, consumer protection, data protection, tax law, and competition law. Whistleblowers may choose between internal reporting channels, external authorities, and — under certain conditions — public disclosure.
Protection extends to a broad range of persons: employees, self-employed persons, shareholders, members of management bodies, volunteers, trainees, and persons who report during recruitment processes or after the termination of their employment. Member States were required to transpose the directive into national law by 17 December 2021. All 27 EU Member States have now adopted corresponding national legislation.
History
On 23 April 2018, the European Commission published its proposal for a directive on the protection of persons who report breaches of Union law (COM(2018) 218), accompanied by a communication on strengthening whistleblower protection at EU level. Various scandals — including LuxLeaks (2014), the Panama Papers (2016), and Cambridge Analytica (2018) — had previously highlighted the need for comprehensive European protection.
On 11 March 2019, the European Parliament and the Council reached a provisional agreement. The Council adopted the text on 25 September 2019, and the European Parliament signed the directive on 23 October 2019. It was published in the Official Journal on 26 November 2019 and entered into force on 16 December 2019. The transposition deadline for Member States expired on 17 December 2021.
Transposition into national law was significantly delayed in many Member States. Germany only transposed the directive through the Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG), which entered into force on 2 July 2023. The European Commission opened infringement proceedings against several Member States that had failed to transpose on time. On 3 July 2024, the Commission published its report on the transposition of the directive. On 6 March 2025, the Court of Justice of the European Union (CJEU) penalised five Member States — Czechia, Estonia, Germany, Luxembourg, and Hungary — for failing to transpose the directive on time and imposed financial penalties.
Scope
The directive applies to reports of breaches of EU law in the following areas and covers the following groups of persons:
- Subject areas covered: Public procurement, financial services, anti-money laundering, product safety, transport safety, environmental protection, radiation protection and nuclear safety, food safety, public health, consumer protection, data protection, competition law, corporate taxation, and the financial interests of the EU.
- Protected persons: Employees (including civil servants), self-employed persons, shareholders, members of administrative and supervisory bodies, volunteers, trainees, and persons working under the supervision of contractors or suppliers.
- Private organisations: Companies with 50 or more employees must establish internal reporting channels. Companies with 50 to 249 employees had an extended deadline until 17 December 2023.
- Public sector: All public-sector legal entities must establish internal reporting channels; Member States may exempt municipalities with fewer than 10,000 inhabitants or public bodies with fewer than 50 employees.
- Financial sector: Entities in the areas of financial services, anti-money laundering, and terrorist financing are required to establish internal reporting channels regardless of their size.
Key Requirements
- Internal reporting channels (Art. 7-9): Private-sector legal entities with 50 or more employees and public-sector entities must establish secure and confidential internal channels for receiving and processing reports.
- Confidentiality of identity (Art. 16): The identity of the whistleblower must not be disclosed without their explicit consent, unless there is a legal obligation in the context of investigations or court proceedings.
- Prohibition of retaliation (Art. 19-21): Any form of retaliation — including dismissal, demotion, intimidation, discrimination, and damage to reputation — is prohibited. The burden of proof lies with the employer.
- External reporting to authorities (Art. 10-14): Member States must designate competent authorities that operate external reporting channels. These authorities must provide feedback to the whistleblower within three months.
- Support for whistleblowers (Art. 20-21): Whistleblowers are entitled to free advice, legal aid, interim measures, and compensation. Member States must provide comprehensive information on available protection rights.
- Three-tier reporting system (Art. 7, 10, 15): Whistleblowers may choose between internal reporting, external reporting to competent authorities, and — as a last resort or in cases of imminent danger — public disclosure.
- Feedback obligation (Art. 9, 11): Both internal bodies and external authorities must acknowledge receipt of reports within seven days and inform the whistleblower of measures taken within three months.
Related Frameworks
Corrections & Errata
EU Whistleblower Directive had no connections. Linked to AMLD (AML reporting provisions).
Full details on the errata page →