Implementing Laws At-a-Glance
Implementing Laws At-a-Glance
1. Has the implementing law been adopted?
Yes, the Law on the Protection of Reporters of Irregularities (the “Law”) entered into force on April 23, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations employing at least 50 employees must establish an internal reporting channel. Organizations with fewer than 50 employees may establish an internal reporting channel if they wish to do so. Organizations carrying out the following activities must establish an internal reporting channel, irrespective of the number of employees: (i) financial services; (ii) financial products and markets; and (iii) prevention of money laundering and terrorist financing.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
All organizations with 50 or more employees must set up an internal reporting channel by June 23, 2022. The Law does not provide the additional time for private organizations with 50 to 249 employees to establish internal reporting channels that the Directive allowed for EU Member States.
4. Is the scope of reportable concerns the same as in the Directive?
Yes.
5. Does the implementing law permit anonymous reporting?
The Law does not explicitly permit anonymous reporting; however, it refers indirectly to persons making anonymous reports being entitled to protection irrespective of the fact that they have come forward anonymously, which would indicate that anonymous reporting is permitted. There is no specific regulatory guidance about anonymous reporting at this time.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations that are subject to the Law are required to designate (i) a “confidential person” and (ii) a deputy who will take on the role of the confidential person when the confidential person is not available. The confidential person and deputy can be individuals employed by the organization, or third-party individuals, who are to be responsible for overseeing whistleblowing compliance and the organization’s internal reporting channels. There is no information at this time about the eligibility requirements for a confidential person or deputy.
The confidential person must provide feedback to the whistleblower and “take action” to investigate the reported issue within 30 days where possible (or within 90 days at the latest). There is no definition in the Law for what constitutes “take action” and there is no regulatory guidance at this time.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Ombudswoman.
8. Does the Competent Authority have specific investigative and enforcement powers?
The Ombudswoman may only (i) refer matters relating to whistleblowing to the Misdemeanor Court for review or (ii) receive and forward whistleblowing reports to the relevant body for further investigation. The relevant body will depend on the subject matter of the report, although there is no direction in the Law as to which body is responsible for which types of reports. The Ombudswoman does not have any enforcement powers.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Organizations may be fined by the Misdemeanor Court between HRK 10,000 and 30,000 (approx. EUR 1,300 and 4,000) for failing to:
a) Implement the Law within two months of the Law going into force (i.e., by June 23, 2022);
b) Establish an internal reporting system;
c) Protect the personal data received via a whistleblowing report;
d) Appoint a confidential person within three months of the Law going into force (i.e., by July 23, 2022);
e) Keep adequate records; or
f) Take measures to remedy acts or omissions that are unlawful.
In addition, responsible persons at an organization (i.e., individuals responsible for conducting the business affairs of the organization, e.g., a director) or small business owners (i.e., individuals who run unincorporated companies, in accordance with the Trades and Crafts Act) may be fined between HRK 1,000 and 10,000 (approx. EUR 130 and 1,300) for failing to implement the Law within two months of the Law going into force.
Organizations may also be fined between HRK 30,000 and 50,000 (approx. EUR 1,300 and 6,600) if they:
a) Prevent or attempt to prevent individuals from reporting acts or omissions that are unlawful;
b) Initiate malicious proceedings against acts or omissions that are unlawful (malicious proceedings are proceedings with no real basis, e.g., discrimination or defamation);
c) Disclose or attempt to disclose the identity of a person making a report;
d) Retaliate against a person making a report;
e) Fail to protect a person making a report from retaliation; or
f) Influence or attempt to influence those taking action to protect a report or a reporting person (e.g., negatively influence those individuals who are tasked with keeping a whistleblower’s identity confidential and ensuring that they do not suffer retaliation).
In addition, responsible persons at an organization and small business owners may be fined between HRK 3,000 and 30,000 (approx. EUR 400 and 4,000) for preventing or attempting to prevent individuals from reporting acts or omissions that are unlawful.
The Law does not provide penalties against organizations that fail to set up an internal reporting channel; however, an organization may be fined up to EUR 30,000 if:
(i) Any person acting on behalf of it commits any of the following offenses:
The person may be acting individually or as a member of a department of the organization and/or exercising within the organization a managerial power (which includes any power of representation, decision-making, or exercise of control).
(ii) Through lack of supervision or control, it fails to prevent an individual from committing the offenses listed at (i) above. There is no regulatory guidance as to when an organization is deemed to have a “lack of supervision or control.”
Individuals may also be imprisoned for up to three years or fined up to EUR 30,000 for various offenses, including obstructing or attempting to prevent a report, or breaching confidentiality obligations regarding the whistleblower’s identity.
Yes, France has implemented the Directive in its national legislation by adopting two new laws to amend its existing law on transparency and fight against corruption (law n° 2016‑1691 “LOI relative à la transparence, à la lutte contre la corruption et à la modernisation de la vie économique,” referred to as the “Sapin II” law):
The Law will enter into force on September 1, 2022.
Implementing law not published yet. Awaiting further updates.
1. Has the implementing law been adopted?
Yes, Latvia adopted its implementing law (Trauksmes celšanas likumu) (the “Law”) on
January 20, 2022, and it will take effect on the day the Law is published in the Official Gazette (not yet published). This Law replaces the previous national whistleblowing law. All eligible organizations must comply with the Law by the date of publication in the Official Gazette. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.
2. Under the implementing law, which organizations must establish internal reporting channels?
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see the response to Q2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope of the Law is broader. A whistleblower may also report issues in respect of any violation that is prejudicial to the public interest, including topics such as negligence and abuse of official positions, corruption and violations of regulations on financing political parties, embezzlement of public funds or property, tax evasion, construction and occupational safety hazards, threats to public order, and human rights violations.
5. Does the implementing law permit anonymous reporting?
No, the Law requires that whistleblower reports contain sufficient information about the whistleblower in order to verify their identity, including the whistleblower’s full name and personal identification number, as well as their contact information (e.g., address or telephone number).
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations must:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
Latvia has designated:
8. Does the Competent Authority have specific investigative and enforcement powers?
No.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide penalties against organizations that fail to set up an internal reporting channel. Organizations face administrative fines for:
Individuals may also be fined for (i) knowingly providing false information using a whistleblowing channel or via the media, (ii) acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., causing emotional distress), or (iii) obstructing whistleblowing reports in any way.
1. Has the implementing law been adopted?
Yes, the Law on the Protection of Whistleblowers No. XIII-804 (Pranešėjų apsaugos įstatymo Nr. XIII-804 pakeitimo įstatymo projektas) (the “Law”). It amends Lithuania’s existing whistleblowing law (Law 2018-18760), and will enter into effect on 15 February 2022. All eligible organizations must comply by this date. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations with 50 or more workers.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader. Reports can include, for example, concerns related to a threat to public safety or health, the life or health of a person, or the environment; obstructing or unduly influencing law enforcement investigations or the administration of justice; financing of illegal activities; illegal or non-transparent use of public funds or property; illegally acquired property; concealment of the consequences of a committed breach and obstruction to determining the extent of the consequences; and other breaches of law.
5. Does the implementing law permit anonymous reporting?
No. Whistleblowers are required to state their (i) full name and (ii) personal identification number or date of birth. The requirement to provide a personal identification number is specific to Lithuania, and used for legal processes (including the submission of whistleblowing reports).
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations must:
Whistleblowers may bypass an organization’s internal reporting channel under certain circumstances, including, but not limited to, when the infringement is of substantial importance for the public interest or when the whistleblower cannot use the internal channel because they do not have an employment, service, or other legal relationship with the organization.
Organizations may provide remuneration to whistleblowers who have provided valuable information. The remuneration is not limited to a specific amount.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Public Prosecutor’s Office.
8. Does the Competent Authority have specific investigative and enforcement powers?
The Competent Authority can investigate reports using its full prosecutorial powers, including the ability to initiate and carry out prosecution of the offending party or parties.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide for any sanctions against organizations. Only individuals who violate the Law may be found liable, in accordance with Code of Administrative Offences of the Republic of Lithuania. Where an organization does not comply with the Law, sanctions are likely to be applied to the CEO (or an equivalent person who has been formally designated to be in charge of the organization).
Yes, Malta adopted its implementing law by amending the Protection of the Whistleblower Act (the “Act”). The amendments were adopted on December 18, 2021 and entered into force on December 24, 2021.
The following organizations are required to establish internal reporting channels:
Yes, the Act also applies to certain voluntary organizations (see above).
No, the scope is broader. For example, reports can cover when:
The full list of reportable concerns (described in the Act as “improper practices”) is included in Article 2(1) of the Act.
Yes, but anonymous reports are not treated as “protected disclosures” under the Act. This means that the requirements for organizations to acknowledge receipt of the report and provide feedback do not apply to anonymous reports.
However, if after reporting to the public, the identity of the whistleblower is made public and they subsequently suffer retaliation, their disclosure will still be protected provided that:
The Act provides additional possibilities for whistleblowers to report externally without first using internal reporting channels, in addition to those set out in the Directive. For example, a whistleblower may report directly to a Competent Authority (as defined in Q7 below) where the head of the organization is (or may be) involved in the issue, or where reporting directly to a Competent Authority is justified by the urgency of the matter.
Malta has nominated various Competent Authorities, depending on the subject matter/context of the report (for a full list, see the table in the First Schedule of the Act).
No.
The Act does not provide penalties against organizations, e.g., in case an organization does not set up an internal reporting channel or otherwise does not comply with the Act. It is possible that penalties for organizations will be added to the Act in the future by means of an additional amendment. It is currently unclear whether the Maltese government intends to make such an amendment, and further regulatory guidance is needed on this matter.
The Act does, however, provide criminal sanctions against individuals who take certain actions (such as using or threatening to use violence) with the purpose of preventing a whistleblower from making a report under the Act.
Furthermore, if a whistleblower believes that they have been retaliated against for making a report under the Act, they are also entitled to file an application to the civil court to request an injunction or an order (including an order to pay damages) against an individual. The Act specifies that whistleblowers who have suffered retaliation for making a report are entitled to compensation, but it does not explain if or when organizations (rather than specific individuals) will be liable to pay such compensation.
1. Has the implementing law been adopted?
Yes, the Law on the Protection of Reporters of Irregularities (the “Law”) entered into force on April 23, 2022.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations employing at least 50 employees must establish an internal reporting channel. Organizations with fewer than 50 employees may establish an internal reporting channel if they wish to do so. Organizations carrying out the following activities must establish an internal reporting channel, irrespective of the number of employees: (i) financial services; (ii) financial products and markets; and (iii) prevention of money laundering and terrorist financing.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
All organizations with 50 or more employees must set up an internal reporting channel by June 23, 2022. The Law does not provide the additional time for private organizations with 50 to 249 employees to establish internal reporting channels that the Directive allowed for EU Member States.
4. Is the scope of reportable concerns the same as in the Directive?
Yes.
5. Does the implementing law permit anonymous reporting?
The Law does not explicitly permit anonymous reporting; however, it refers indirectly to persons making anonymous reports being entitled to protection irrespective of the fact that they have come forward anonymously, which would indicate that anonymous reporting is permitted. There is no specific regulatory guidance about anonymous reporting at this time.
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations that are subject to the Law are required to designate (i) a “confidential person” and (ii) a deputy who will take on the role of the confidential person when the confidential person is not available. The confidential person and deputy can be individuals employed by the organization, or third-party individuals, who are to be responsible for overseeing whistleblowing compliance and the organization’s internal reporting channels. There is no information at this time about the eligibility requirements for a confidential person or deputy.
The confidential person must provide feedback to the whistleblower and “take action” to investigate the reported issue within 30 days where possible (or within 90 days at the latest). There is no definition in the Law for what constitutes “take action” and there is no regulatory guidance at this time.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Ombudswoman.
8. Does the Competent Authority have specific investigative and enforcement powers?
The Ombudswoman may only (i) refer matters relating to whistleblowing to the Misdemeanor Court for review or (ii) receive and forward whistleblowing reports to the relevant body for further investigation. The relevant body will depend on the subject matter of the report, although there is no direction in the Law as to which body is responsible for which types of reports. The Ombudswoman does not have any enforcement powers.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
Organizations may be fined by the Misdemeanor Court between HRK 10,000 and 30,000 (approx. EUR 1,300 and 4,000) for failing to:
a) Implement the Law within two months of the Law going into force (i.e., by June 23, 2022);
b) Establish an internal reporting system;
c) Protect the personal data received via a whistleblowing report;
d) Appoint a confidential person within three months of the Law going into force (i.e., by July 23, 2022);
e) Keep adequate records; or
f) Take measures to remedy acts or omissions that are unlawful.
In addition, responsible persons at an organization (i.e., individuals responsible for conducting the business affairs of the organization, e.g., a director) or small business owners (i.e., individuals who run unincorporated companies, in accordance with the Trades and Crafts Act) may be fined between HRK 1,000 and 10,000 (approx. EUR 130 and 1,300) for failing to implement the Law within two months of the Law going into force.
Organizations may also be fined between HRK 30,000 and 50,000 (approx. EUR 1,300 and 6,600) if they:
a) Prevent or attempt to prevent individuals from reporting acts or omissions that are unlawful;
b) Initiate malicious proceedings against acts or omissions that are unlawful (malicious proceedings are proceedings with no real basis, e.g., discrimination or defamation);
c) Disclose or attempt to disclose the identity of a person making a report;
d) Retaliate against a person making a report;
e) Fail to protect a person making a report from retaliation; or
f) Influence or attempt to influence those taking action to protect a report or a reporting person (e.g., negatively influence those individuals who are tasked with keeping a whistleblower’s identity confidential and ensuring that they do not suffer retaliation).
In addition, responsible persons at an organization and small business owners may be fined between HRK 3,000 and 30,000 (approx. EUR 400 and 4,000) for preventing or attempting to prevent individuals from reporting acts or omissions that are unlawful.
The Law does not provide penalties against organizations that fail to set up an internal reporting channel; however, an organization may be fined up to EUR 30,000 if:
(i) Any person acting on behalf of it commits any of the following offenses:
The person may be acting individually or as a member of a department of the organization and/or exercising within the organization a managerial power (which includes any power of representation, decision-making, or exercise of control).
(ii) Through lack of supervision or control, it fails to prevent an individual from committing the offenses listed at (i) above. There is no regulatory guidance as to when an organization is deemed to have a “lack of supervision or control.”
Individuals may also be imprisoned for up to three years or fined up to EUR 30,000 for various offenses, including obstructing or attempting to prevent a report, or breaching confidentiality obligations regarding the whistleblower’s identity.
Yes, France has implemented the Directive in its national legislation by adopting two new laws to amend its existing law on transparency and fight against corruption (law n° 2016‑1691 “LOI relative à la transparence, à la lutte contre la corruption et à la modernisation de la vie économique,” referred to as the “Sapin II” law):
The Law will enter into force on September 1, 2022.
Implementing law not published yet. Awaiting further updates.
1. Has the implementing law been adopted?
Yes, Latvia adopted its implementing law (Trauksmes celšanas likumu) (the “Law”) on
January 20, 2022, and it will take effect on the day the Law is published in the Official Gazette (not yet published). This Law replaces the previous national whistleblowing law. All eligible organizations must comply with the Law by the date of publication in the Official Gazette. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.
2. Under the implementing law, which organizations must establish internal reporting channels?
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, see the response to Q2 above.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope of the Law is broader. A whistleblower may also report issues in respect of any violation that is prejudicial to the public interest, including topics such as negligence and abuse of official positions, corruption and violations of regulations on financing political parties, embezzlement of public funds or property, tax evasion, construction and occupational safety hazards, threats to public order, and human rights violations.
5. Does the implementing law permit anonymous reporting?
No, the Law requires that whistleblower reports contain sufficient information about the whistleblower in order to verify their identity, including the whistleblower’s full name and personal identification number, as well as their contact information (e.g., address or telephone number).
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations must:
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
Latvia has designated:
8. Does the Competent Authority have specific investigative and enforcement powers?
No.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide penalties against organizations that fail to set up an internal reporting channel. Organizations face administrative fines for:
Individuals may also be fined for (i) knowingly providing false information using a whistleblowing channel or via the media, (ii) acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., causing emotional distress), or (iii) obstructing whistleblowing reports in any way.
1. Has the implementing law been adopted?
Yes, the Law on the Protection of Whistleblowers No. XIII-804 (Pranešėjų apsaugos įstatymo Nr. XIII-804 pakeitimo įstatymo projektas) (the “Law”). It amends Lithuania’s existing whistleblowing law (Law 2018-18760), and will enter into effect on 15 February 2022. All eligible organizations must comply by this date. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.
2. Under the implementing law, which organizations must establish internal reporting channels?
Organizations with 50 or more workers.
3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.
4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader. Reports can include, for example, concerns related to a threat to public safety or health, the life or health of a person, or the environment; obstructing or unduly influencing law enforcement investigations or the administration of justice; financing of illegal activities; illegal or non-transparent use of public funds or property; illegally acquired property; concealment of the consequences of a committed breach and obstruction to determining the extent of the consequences; and other breaches of law.
5. Does the implementing law permit anonymous reporting?
No. Whistleblowers are required to state their (i) full name and (ii) personal identification number or date of birth. The requirement to provide a personal identification number is specific to Lithuania, and used for legal processes (including the submission of whistleblowing reports).
6. Does the implementing law impose any other significant deviations from the Directive, relating to:
Organizations must:
Whistleblowers may bypass an organization’s internal reporting channel under certain circumstances, including, but not limited to, when the infringement is of substantial importance for the public interest or when the whistleblower cannot use the internal channel because they do not have an employment, service, or other legal relationship with the organization.
Organizations may provide remuneration to whistleblowers who have provided valuable information. The remuneration is not limited to a specific amount.
7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Public Prosecutor’s Office.
8. Does the Competent Authority have specific investigative and enforcement powers?
The Competent Authority can investigate reports using its full prosecutorial powers, including the ability to initiate and carry out prosecution of the offending party or parties.
9. What are the sanctions for non-compliance with the Directive and the implementing law?
The Law does not provide for any sanctions against organizations. Only individuals who violate the Law may be found liable, in accordance with Code of Administrative Offences of the Republic of Lithuania. Where an organization does not comply with the Law, sanctions are likely to be applied to the CEO (or an equivalent person who has been formally designated to be in charge of the organization).
Yes, Malta adopted its implementing law by amending the Protection of the Whistleblower Act (the “Act”). The amendments were adopted on December 18, 2021 and entered into force on December 24, 2021.
The following organizations are required to establish internal reporting channels:
Yes, the Act also applies to certain voluntary organizations (see above).
No, the scope is broader. For example, reports can cover when:
The full list of reportable concerns (described in the Act as “improper practices”) is included in Article 2(1) of the Act.
Yes, but anonymous reports are not treated as “protected disclosures” under the Act. This means that the requirements for organizations to acknowledge receipt of the report and provide feedback do not apply to anonymous reports.
However, if after reporting to the public, the identity of the whistleblower is made public and they subsequently suffer retaliation, their disclosure will still be protected provided that:
The Act provides additional possibilities for whistleblowers to report externally without first using internal reporting channels, in addition to those set out in the Directive. For example, a whistleblower may report directly to a Competent Authority (as defined in Q7 below) where the head of the organization is (or may be) involved in the issue, or where reporting directly to a Competent Authority is justified by the urgency of the matter.
Malta has nominated various Competent Authorities, depending on the subject matter/context of the report (for a full list, see the table in the First Schedule of the Act).
No.
The Act does not provide penalties against organizations, e.g., in case an organization does not set up an internal reporting channel or otherwise does not comply with the Act. It is possible that penalties for organizations will be added to the Act in the future by means of an additional amendment. It is currently unclear whether the Maltese government intends to make such an amendment, and further regulatory guidance is needed on this matter.
The Act does, however, provide criminal sanctions against individuals who take certain actions (such as using or threatening to use violence) with the purpose of preventing a whistleblower from making a report under the Act.
Furthermore, if a whistleblower believes that they have been retaliated against for making a report under the Act, they are also entitled to file an application to the civil court to request an injunction or an order (including an order to pay damages) against an individual. The Act specifies that whistleblowers who have suffered retaliation for making a report are entitled to compensation, but it does not explain if or when organizations (rather than specific individuals) will be liable to pay such compensation.