Whistleblowing Implementing Laws At-a-Glance

EU Member States are in various stages of drafting and finalizing national laws which will implement the EU’s Directive on the protection of persons who report breaches of European Union law (the “Directive”), which needed to be adopted by EU Member States by December 17, 2021. As EU Member States finalize their implementing laws, we will add below a brief Q&A-style summary of the main issues in each implementing act to keep you informed about the overall progress.

Last Updated: 27 July 2023

Austria

1. Has the implementing law been adopted?

Yes, the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz) (the “Act”) was adopted on February 16, 2023. It will enter into force one day after it has been published in the Official Gazette (not yet published).

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with at least 50 employees or civil servants must establish internal reporting channels. Private organizations in the following sectors must establish internal reporting channels, irrespective of the number of employees or civil servants: (i) financial services, products, and markets, (ii) prevention of money laundering and terrorist financing, (iii) transport safety, and (iv) protection of the environment.

Private organizations with 50 to 249 employees have until December 17, 2023 to establish their channels. All other eligible organizations are expected to establish internal reporting channels within a period of six months after the Act enters into force.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the response to Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Act also includes criminal corruption offenses, such as bribery.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations are required to retain personal information processed in relation to the operation of its internal reporting channel for five years and beyond that for as long as the information is necessary for administrative or judicial proceedings.
Organizations are required to keep records/protocols of all processing operations that relate to the operation of their internal reporting channels and to retain such records/protocols for three years after the expiration of the respective retention period.
The Act establishes a specific condition to permit the processing of sensitive personal information contained in reports; such personal information may only be processed if the processing is in the substantial public interest to provide evidence or indications of violations of law or to verify the validity of such evidence.
The Act clarifies that the data processing operations under the Act do not require a data protection impact assessment under Article 35 of the GDPR.
Within 14 days upon request of the whistleblower, the organization must organize a physical meeting to discuss the report. The Directive only requires organizations to organize a physical meeting within a “reasonable timeframe.”
Organizations may share reporting channels with other organizations, including between entities within corporate groups.
Organizations must review each report for its validity. An organization does not need to investigate or follow up on a report which does not provide any indication or evidence of its validity. The Act does not provide further explanation on what indication or evidence is needed for a report to be sufficiently substantive or valid and this may become clearer once guidance is issued.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Federal Office for Preventing and Combating Corruption (Bundesamt zur Korruptionsprävention und Korruptionsbekämpfung) is the Competent Authority, although other authorities have also been appointed for specific sectors under the Act:

Auditor Supervisory Authority (Abschlussprüferaufsichtsbehörde)
Financial Reporting Authority (Bilanzbuchhaltungsbehörde)
Federal Competition Authority (Bundeswettbewerbsbehörde)
Financial Market Authority (Finanzmarktaufsichtsbehörde)
Money Laundering Reporting Office (Geldwäschemeldestelle)
Notarial chambers
Bar associations
Chamber of Tax Advisors and Certified Public Accountants (Kammer der Steuerberater und Wirtschaftsprüfer)

If a Competent Authority receives reports under the remit of another Competent Authority, the former is required to direct such reports to the appropriate Competent Authority after informing the whistleblower.

8. Does the Competent Authority have specific investigative and enforcement powers?

Under the Act, the Competent Authority is required to conduct any necessary further investigations within its competence itself or request the appropriate Competent Authority, the public prosecutor’s office, or the competent court to investigate the matter. Further, the Competent Authority may take any follow-up measures it deems appropriate.

If the whistleblower’s report creates a suspicion that a crime has been committed, the Competent Authority has specific investigative and enforcement powers under the Austrian Code of Criminal Procedure and the Act on the Federal Office for Preventing and Combating Corruption.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The following non-compliance with the Act is subject to a fine of up to EUR 20,000, or EUR 40,000 in case of a repeated offense:

Hindering or attempting to hinder whistleblowers from reporting violations;
Putting pressure on whistleblowers by bringing vexatious administrative or court proceedings against them;
Retaliating against whistleblowers;
Breaching the duty of maintaining the confidentiality of the identity of the whistleblower; and
Knowingly making a false or misleading report.

Belgium

1. Has the implementing law been adopted?

Yes, the Law on the protection of persons who report violations of Union or national law found within a legal entity of the private sector (Loi sur la protection des personnes qui signalent des violations au droit de l’Union ou au droit national constatées au sein d’une entité juridique du secteur privé – available in French and Dutch) (the “Law”) was published in the Official Gazette on December 15, 2022 and entered into force on February 15, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations in the private sector with at least 50 workers must establish internal reporting channels.

Private organizations with between 50 to 249 workers have until December 17, 2023 to establish their internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, the Law is addressed to organizations in the private sector only.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report tax and other matters as specified in the Law.

5. Does the implementing law permit anonymous reporting?

Yes; however, organizations with fewer than 250 workers are not required to accept anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Reports must be kept for the duration of the work-related relationship between the whistleblower and the organization. It is not currently clear how organizations should comply with this obligation for reports received from any individual with whom the organization has no contractual relationship.

Organizations must consult with applicable “social partners” before establishing internal reporting channels, which ‒ depending on the specific circumstances ‒ may include works councils or workers’ representatives.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Competent Authority will vary depending on the field in which the violation is committed. The Belgian government will designate the Competent Authority for each sector. Where the government has not done so, the Federal Ombudsmen will be the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Competent Authority has the power to impose administrative measures (or criminal sanctions if the Competent Authority is a judicial body). Administrative measures involve fines, suspensions, injunctions to engage in certain activities, or withdrawal of permits/authorizations. The specific measures will depend on the remit of the Competent Authority appointed in that specific field.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be subject to criminal fines from EUR 24,000 to 576,000 or administrative fines from EUR 2,400 to 24,000 under Article 101 of the Social Criminal Code for failing to meet the requirements of the Law that relate to their internal reporting channels. Note that both sets of fines can be further increased depending on the number of employees involved with the infringement, in accordance with specific formulae set out under Belgian law.

Criminal sanctions are also applicable if organizations (or their personnel) (i) obstruct or attempt to obstruct reporting, (ii) retaliate against reporting individuals, (iii) initiate unnecessary/vexatious proceedings against reporting individuals, or (iv) breach the confidentiality of a reporting individual. In such cases:

Individuals may be subject to a maximum of three years’ imprisonment and/or a fine from EUR 4,800 to 48,000; and
Legal entities may be subject to a fine from EUR 24,000 to 576,000.

Bulgaria

1.Has the implementing law been adopted?

Yes, Bulgaria has implemented the Directive by adopting the Law on the Protection of Whistleblowers or Public Disclosures of Infringements(Закон за защита на лицата, подаващи сигнали или публично оповестяващи информация за нарушения) (the “Law”).

The Law shall enter into force on May 2, 2023.

2.Under the implementing law, which organizations must establish internal reporting channels?

Public organizations and private organizations with 50 or more workers must establish internal reporting channels. Private organizations with 50 to 249 workers have until December 17, 2023, to establish their channels. All other eligible organizations are expected to comply starting on the date when the Law enters into effect (i.e., May 2, 2023).

3.Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4.Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law allows reports to cover violations about areas of the law such as general criminal law and employment law.

5.Does the implementing law permit anonymous reporting?

While an organization may choose to accept, and initiate an investigation based on, anonymous reports, the Law does not provide protections for anonymous reporting, and organizations are not required to investigate anonymous reports. However, persons who have submitted anonymous reports not under this Law (but under another legal act) will be afforded protection against retaliation.

6.Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Proceedings cannot be initiated on reports relating to violations committed more than two years prior to the time of the report.
Whistleblowers may choose to report using one or a combination of the three possible reporting methods simultaneously. This is a deviation from the Directive that limits the circumstances in which a whistleblower will qualify for protection if they do not use internal or external channels before reporting publicly.
Organizations must review their internal reporting rules and follow-up at least once every three years, carry out an analysis of the practice on the application of the Law, and, if necessary, update their rules.
Organizations must use specific forms (approved by the Competent Authority (as defined below)) to register reports, which shall include, among other things: (i) full name; (ii) address; (iii) telephone number; (iv) email address; (v) the names of the person against whom the report is filed; (vi) his/her place of work (if the report concerns known persons); and (vii) details regarding the specific violation. Before a whistleblower can be deemed to have “reasonable grounds” to make a whistleblowing report and therefore benefit from protection under the Law, they must provide the information in (i) – (vii).
Organizations must appoint one or more responsible persons for handling reports. The Law states that, if the organization has a data protection officer (“DPO”), the DPO would be the appropriate responsible persons, but organizations without DPOs may appoint other individuals to manage reports.
Organizations must establish and maintain a non-public register of submitted reports, containing information about: (i) the person who received the report; (ii) the date of submission of the report; (iii) the person concerned (if available); (iv) a summary of the alleged violation; (v) any connection between the report and other reports made; (vi) information provided as feedback to the whistleblower; (vii) follow-up actions taken; (viii) the results of report checks; and (ix) the period of storage of the report. The Competent Authority is required to specify the procedure for keeping this register and may prescribe specific retention periods for the register (which are currently undetermined). Organizations must also regularly submit statistical information from this register to the Competent Authority (although the process for this has not yet been established by the Competent Authority).
Organizations must provide implicated individuals with: (i) the opportunity to provide their own explanations and evidence; and (ii) the opportunity to object to collected evidence within seven days (subject to the protection of the whistleblower). Organizations must balance protecting the identity of the whistleblower and complying with this obligation on a case-by-case basis.
The Law permits entities of all sizes within corporate groups to share a common internal reporting channel.

7.Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Commission for Personal Data Protection has been designated as the Competent Authority.

8.Does the Competent Authority have specific investigative and enforcement powers?

Yes.

9.What are the sanctions for non-compliance with the Directive and the implementing law?

Sanctions vary depending on the type and nature of the non-compliance in question.

Administrative fines may be imposed where organizations:

Either (i) take action for the purpose of retaliation against the whistleblower or against a person related to them or (ii) initiate legal proceedings if they are carried out only with the intention of harming the whistleblower (ranging from BGN 2,000 – 8,000 (approx. EUR 1,000 – 4000)); and
Fail to establish internal channels for reporting (ranging from BGN 5,000 – 20,000 (approx. EUR 2,500 – 10,000) (or BGN 10,000 – 30,000 (approx. EUR 5,000 – 15,000) for repeated violations)); and

Administrative fines ranging from BGN 400 – 4,000 (approx. EUR 200 to 2,000) may also be imposed for:

Obstructing or attempting to impede the submission of a report;
Failing to take or deliberately delaying the necessary follow-up actions on the report
Failing to provide to the whistleblower (within three months of acknowledging receipt) information on the follow-up actions taken; and/or
Violating confidentiality obligations.

Croatia

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Reporters of Irregularities (the “Law”) entered into force on April 23, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations employing at least 50 employees must establish an internal reporting channel. Organizations with fewer than 50 employees may establish an internal reporting channel if they wish to do so. Organizations carrying out the following activities must establish an internal reporting channel, irrespective of the number of employees: (i) financial services; (ii) financial products and markets; and (iii) prevention of money laundering and terrorist financing.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

All organizations with 50 or more employees must set up an internal reporting channel by June 23, 2022. The Law does not provide the additional time for private organizations with 50 to 249 employees to establish internal reporting channels that the Directive allowed for EU Member States.

4. Is the scope of reportable concerns the same as in the Directive?

Yes.

5. Does the implementing law permit anonymous reporting?

The Law does not explicitly permit anonymous reporting; however, it refers indirectly to persons making anonymous reports being entitled to protection irrespective of the fact that they have come forward anonymously, which would indicate that anonymous reporting is permitted. There is no specific regulatory guidance about anonymous reporting at this time.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations that are subject to the Law are required to designate (i) a “confidential person” and (ii) a deputy who will take on the role of the confidential person when the confidential person is not available. The confidential person and deputy can be individuals employed by the organization, or third-party individuals, who are to be responsible for overseeing whistleblowing compliance and the organization’s internal reporting channels. There is no information at this time about the eligibility requirements for a confidential person or deputy.

The confidential person must provide feedback to the whistleblower and “take action” to investigate the reported issue within 30 days where possible (or within 90 days at the latest). There is no definition in the Law for what constitutes “take action” and there is no regulatory guidance at this time.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Ombudswoman.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Ombudswoman may only (i) refer matters relating to whistleblowing to the Misdemeanor Court for review or (ii) receive and forward whistleblowing reports to the relevant body for further investigation. The relevant body will depend on the subject matter of the report, although there is no direction in the Law as to which body is responsible for which types of reports. The Ombudswoman does not have any enforcement powers.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be fined by the Misdemeanor Court between HRK 10,000 and 30,000 (approx. EUR 1,300 and 4,000) for failing to:

a) Implement the Law within two months of the Law going into force (i.e., by June 23, 2022);

b) Establish an internal reporting system;

c) Protect the personal data received via a whistleblowing report;

d) Appoint a confidential person within three months of the Law going into force (i.e., by July 23, 2022);

e) Keep adequate records; or

f) Take measures to remedy acts or omissions that are unlawful.

In addition, responsible persons at an organization (i.e., individuals responsible for conducting the business affairs of the organization, e.g., a director) or small business owners (i.e., individuals who run unincorporated companies, in accordance with the Trades and Crafts Act) may be fined between HRK 1,000 and 10,000 (approx. EUR 130 and 1,300) for failing to implement the Law within two months of the Law going into force.

Organizations may also be fined between HRK 30,000 and 50,000 (approx. EUR 1,300 and 6,600) if they:

a) Prevent or attempt to prevent individuals from reporting acts or omissions that are unlawful;

b) Initiate malicious proceedings against acts or omissions that are unlawful (malicious proceedings are proceedings with no real basis, e.g., discrimination or defamation);

c) Disclose or attempt to disclose the identity of a person making a report;

d) Retaliate against a person making a report;

e) Fail to protect a person making a report from retaliation; or

f) Influence or attempt to influence those taking action to protect a report or a reporting person (e.g., negatively influence those individuals who are tasked with keeping a whistleblower’s identity confidential and ensuring that they do not suffer retaliation).

In addition, responsible persons at an organization and small business owners may be fined between HRK 3,000 and 30,000 (approx. EUR 400 and 4,000) for preventing or attempting to prevent individuals from reporting acts or omissions that are unlawful.

Cyprus

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Persons Reporting Violations of Union and National Law 2022 (ο περί της Προστασίας Προσώπων που Αναφέρουν Παραβάσεις του Ενωσιακού και Εθνικού Δικαίου Νόμος του 2022) (the “Law”) entered into force on February 4, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Private companies with 50 or more employees, and all public sector entities (excluding local authorities with fewer than 5,000 inhabitants or 25 employees), must establish internal reporting channels.

Private organizations with between 50 to 249 employees have until December 17, 2023 to establish their internal reporting channels. All other eligible organizations are expected to comply starting on the date when the Law went into effect.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also cover acts or omissions related to criminal offenses, non-compliance with any legal obligation, and other matters as specified in the Law.

5. Does the implementing law permit anonymous reporting?

The Law does not explicitly permit anonymous reporting; however, it refers indirectly to individuals anonymously making reports, which would indicate that anonymous reporting is contemplated. There is no specific regulatory guidance about anonymous reporting at this time.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must delete personal information contained within records of the reports (i) three months after the investigation is closed, or (ii) in the event of legal or disciplinary proceedings, one year after the completion of legal proceedings.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

A Competent Authority has not been appointed at this time.

8. Does the Competent Authority have specific investigative and enforcement powers?

No.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties against organizations that fail to set up an internal reporting channel; however, an organization may be fined up to EUR 30,000 if, through lack of supervision or control, it fails to prevent an individual from committing the following offenses:

Obstructing or attempting to prevent a report,
Retaliating or initiating malicious proceedings against a whistleblower, or
Breaching confidentiality obligations regarding the whistleblower’s identity.

There is no regulatory guidance as to when an organization is deemed to have a “lack of supervision or control.”

Individuals may also be imprisoned for up to three years or fined up to EUR 30,000 for various offenses, including obstructing or attempting to prevent a report, or breaching confidentiality obligations regarding the whistleblower’s identity.

Czech Republic

Prepared with assistance from Michal Nulicek of Rowan Legal in Prague, Czech Republic.

1. Has the implementing law been adopted?

The law on the protection of whistleblowers (the “Law”) was published in the Collection of Laws on June 20, 2023, and will enter into force on August 1, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations in the private or public sector with at least 50 workers on 1 January of the relevant calendar year must establish internal reporting channels. In addition, organizations subject to specific anti-money laundering requirements under the Act on Certain Measures against the Legalization of Proceeds of Crime and Terrorist Financing must establish such channels regardless of the number of their workers. Municipalities with at least 10,000 inhabitants are also required to established internal reporting channels.

Organizations with at least 50 but no more than 249 workers must establish an internal reporting system by December 15, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the response to Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, under the Law, whistleblowers can also report any criminal offence, certain misdemeanours, and other violations of the Law.

5. Does the implementing law permit anonymous reporting?

Yes, although organizations are not required to investigate anonymous reports and anonymous whistleblowers are not entitled to protection from retaliation under the Law, unless their identity is subsequently revealed after they issue an anonymous report.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

The Law requires that organizations designate an impartial competent person to be responsible for the internal reporting channel (the “Competent Person”).

The Competent Person shall be responsible for assessing the validity of reports and proposing ways to remediate the identified breach of law to the organization, among other responsibilities.
The Competent Person must be deemed to be a person of good character who has not been convicted of certain criminal offenses as set out in the Law.
The Competent Person is responsible for ensuring that the organization acknowledges receipt of a whistleblowing report within seven days, unless (i) the whistleblower has expressly requested not to be notified about the receipt of the report; or (ii) it is clear that acknowledging receipt of a report would reveal the identity of the whistleblower to another person.
The Competent Person shall assess the validity of a report and inform the whistleblower in writing of the results of the assessment within 30 days from the date of receipt of the notification, unless the case is factually or legally complex, in which case this period may be extended by up to 30 days. This 30-day extension may be initiated twice, as long as the Competent Person informs the notifier in writing of the extension of the time limit and the reasons for it before expiry of the time limit. This deviates from the Directive which only requires organizations to provide feedback to a whistleblower three months after acknowledging receipt of a report (or when an acknowledgment should have been provided).
The Competent Person must retain the reports submitted through the reporting channel and any related documents for a period of five years from the date of receipt of the report.
In addition, penalties apply if the Competent Person commits any administrative offense under the Act. See the response to Q9 below.

Organizations must enable notifications to be made both orally and in writing or, at the request of the whistleblower, in person. The Directive gives organizations a choice to provide either oral or written reporting channels.
The list of retaliatory measures that whistleblowers should be protected from states that it includes, but is not limited to, the measures included in the Directive (e.g., withholding training, blacklisting a supplier, demotion, or withholding a promotion). This suggests that the Law’s scope of what amounts to retaliation seems to be wider than the scope of the Directive and that the list in the Law is not exhaustive.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Ministry of Justice (the “Ministry”) is the designated Competent Authority in most cases, except for the imposition of fines on employers for breaches of the Law, in which case the Competent Authority is the Work Inspectorate.

The Ministry will (i) act as an external reporting channel for whistleblowers; (ii) provide assistance in whistleblower protection matters; and (iii) perform other tasks that are included under the Law (e.g., imposing fines on Competent Persons).
8. Does the Competent Authority have specific investigative and enforcement powers?

Both the Ministry and Work Inspectorate have the ability to issue fines. However, only the Ministry has the ability to fine a Competent Person or a municipality directly. The Ministry is not responsible for conducting investigations, rather, it shall refer cases to other applicable public authorities (e.g., to the data protection authority in the event of a data breach).

The Work Inspectorate has the ability to fine employers as well as to conduct investigations relating to breaches of employment law (reports about such offenses fall within the scope of the Law. See the response to Q4 above).

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be fined:

Up to CZK 400,000 (approx. EUR 16,770 as of July 11, 2023) for failing to:

Ensure that information about how to report to the organization and to the Ministry is published; or
Comply with corrective measures imposed by the Ministry.

Up to CZK 1,000,000 (approx. EUR 41,930 as of July 11, 2023) for:

Allowing a whistleblower to be subjected to retaliation;
Not designating a Competent Person to carry out the activities required under the Law;
Failing to ensure that the whistleblower is able to submit a report orally and in writing or, at their request, in person;
Failing to ensure that only relevant persons are allowed to view submitted reports, or that the organization breached the requirement to protect the identity of the whistleblower or disclosed information that would undermine the report;
Failing to ensure that the reasonableness of the report is assessed by the Competent Person;
Failing to ensure that the whistleblower receives an acknowledgment of receipt of their report and feedback on the validity of the report;
Failing to ensure that appropriate measures are taken to remedy or prevent a violation of law following a report; or
Penalizing the Competent Person for properly complying with their obligations under the Law.

Competent Persons may be fined by the Ministry:

Up to CZK 20,000 (approx. EUR 840 as of July 11, 2023) for failing to:

Notify that they no longer meet the requirements for having good character; or
Inform the whistleblower of the outcome of the report’s assessment within the time limit.

Up to CZK 50,000 (approx. EUR 2,100 as of July 11, 2023) for:

Failing to consider the validity of a report or refusing to accept a report;
Providing information which could defeat or undermine the purpose of the report; or
Disclosing information about the identity of the whistleblower without their written consent.

Up to CZK 100,000 (approx. EUR 4,190 as of July 11, 2023) for:

Intentionally providing information which could defeat or undermine the purpose of the report; or
Intentionally disclosing information about the identity of the whistleblower without their written consent.

Denmark

1. Has the implementing law been adopted?
Yes, the Whistleblowers Protection Act (Lov om beskyttelse af whistleblowere) (the “Act”).

2. Under the implementing law, which organizations must establish internal reporting channels?Public and private organizations with 50 or more employees.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.

4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also include, among other topics, concerns about serious breaches of Danish law (such as theft) or other serious matters (such as “MeToo”-type complaints).

5. Does the implementing law permit anonymous reporting?
Not addressed in the Act.

6. Does the implementing law impose any other significant deviations from the Directive relating to:

How organizations should set up internal reporting channels;
Timelines for report management vis-à-vis the whistleblower;
The content of the required communications (such as privacy notices, report receipts, and investigation updates);
Whistleblower rights and protections; or
Any other key issues?
No.

8. Does the Competent Authority have specific investigative and enforcement powers?
Not addressed in the Act.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Undefined fines for organizations that do not:

Maintain the confidentiality of whistleblowers’ identity,
Provide clear information to affected individuals,
Keep records, and
Set up an internal reporting channel; and

Criminal liability for organizations (under the Danish Criminal Code).

Finland

1. Has the implementing law been adopted?

Yes, the Act on the protection of persons reporting violations of European Union and national law (Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta) (the “Act”) entered into force on January 1, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations that regularly have 50 or more employees must establish channels.

Private organizations with at least 250 employees and public sector organizations with at least 50 employees must establish internal reporting channels within three months of the Act entering into force (by April 1, 2023). Private organizations which regularly have 50 to 249 employees have until December 17, 2023, to establish their internal reporting channels.

The Act does not specify what “regularly” means in this context and it would have to be determined on a case-by-case basis under Finnish law.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. The Act also allows whistleblowers to report certain violations of national legislation based on the issues set out in Article 2 of the Directive (e.g., product safety and compliance) and any matters that can seriously endanger the goals and broader aims of such legislation.

5. Does the implementing law permit anonymous reporting?

Yes, although organizations are not required to accept anonymous reports. In addition, the external reporting channel operated by the Office of the Chancellor of Justice does not accept anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

The Act requires that any relevant personal information (received through notification channels) must be deleted five years after receipt of the report, unless (i) otherwise required under law or (ii) in circumstances where the information is used to prepare or defend a legal claim. If the reports are appropriately anonymized, they can be retained indefinitely.

The Act permits entities of all sizes within corporate groups to share a common internal reporting channel, provided there is a close operational and administrative link between the entities.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Act does not specifically name any Competent Authority, although the Office of the Chancellor of Justice is responsible for managing the external reporting channel. The Office of the Chancellor of Justice must forward reports that it receives to the relevant authority responsible for the issues described in the whistleblower’s report that fall within the scope of the Act.

8. Does the Competent Authority have specific investigative and enforcement powers?

No.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Act imposes undefined civil sanctions (also known as “community fines”) for breaches of the Act. These sanctions will be determined on a case-by-case basis by the Competent Authority.

France

1. Has the implementing law been adopted?

Yes, France has implemented the Directive in its national legislation by adopting two new laws to amend its existing law on transparency and fight against corruption (law n° 2016‑1691 “LOI relative à la transparence, à la lutte contre la corruption et à la modernisation de la vie économique,” referred to as the “Sapin II” law):

Improving the protection of whistleblowers (law n° 2022-401 “LOI visant à améliorer la protection des lanceurs d’alerte”);
Strengthening the role of the public authority tasked with protecting whistleblowers’ rights (law n° 2022-400 “LOI organique visant à renforcer le rôle du Défenseur des droits en matière de signalement d’alerte”) (together, the “Law”)

as well as an implementing decree concerning the procedures for collecting and processing whistleblower reports and establishing the list of external authorities (decree n° 2022-1284 relatif aux procédures de recueil et de traitement des signalements émis par les lanceurs d’alerte et fixant la liste des autorités externes instituées par la loi n° 2022-401 visant à améliorer la protection des lanceurs d’alerte) (the “Decree”).

The Law entered into force on September 1, 2022, and the Decree on October 5, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more employees. The Decree clarifies that the threshold of whether an organization has 50 or more employees is to be assessed by calculating the monthly average number of employees across the organization’s previous two financial years. The procedures for calculating these thresholds are set out in Article L. 130 1 of the Social Security Code.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

The Law encourages organizations with fewer than 50 employees to establish internal reporting channels, by stating that individuals may report to their direct or indirect supervisor, employer, or other point of contact designated by the organization, even if the organization is not required to establish internal reporting channels.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report concerns relating to crimes and offenses under national law and other specified matters.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?

Timelines for report management vis-à-vis the whistleblower?

The content of the required communications (such as privacy notices, report receipts and investigation updates)?

Whistleblower rights and protections?

Any other key issues?

Whistleblowers can choose to report directly to an external authority (including a Competent Authority as defined below), without first using internal reporting channels.

The Decree clarifies that organizations (including private organizations) must consult with the relevant “social dialogue bodies” before establishing their internal reporting procedures. In practice, for private organizations, this will involve consulting with employees’ representatives or works councils.

If the whistleblower requests a videoconference or an in-person meeting, the meeting should take place no later than 20 working days following the request.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Défenseur des droits (“Defender of Rights”) is the key Competent Authority, although others have also been appointed for specific sectors (see a full list in the Annex to the Decree ) under law n° 2017-55 “LOIportant statut général des autorités administratives indépendantes et des autorités publiques indépendantes”.

If the Defender of Rights receives reports under the remit of another Competent Authority, it is required to direct such reports to the appropriate Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Under the Law, the Defender of Rights is expressly tasked with supporting whistleblowers. The Defender of Rights has the power to issue an official opinion to “certify” whistleblowers (this would involve verifying that the whistleblower’s report was valid and that the individual should be protected as a whistleblower). This certification may be used if a whistleblower suffered retaliation for making a report and then later commences legal proceedings against the individual or organization who retaliated against them.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties against organizations that fail to set up an internal reporting channel.

The Law increases the fine that may be levied against an individual who retaliates against a whistleblower to EUR 60,000 and against an organization to EUR 300,000 in addition to any supplemental measures to publicize the decision condemning any retaliation. In addition, any person who obstructs a whistleblower’s report may be sanctioned up to one year’s imprisonment.

The Law also permits imposing: (i) a fine of up to EUR 30,000 against an individual or EUR 150,000 against an organization; or (ii) a sanction of two years’ imprisonment against any person who discloses the confidential aspects of a whistleblower’s report (including the identity of the whistleblower and any implicated individuals).

Germany

1. Has the implementing law been adopted?

Yes, the Whistleblower Protection Act (Gesetz für einen besseren Schutz hinweisgebender Personen sowie zur Umsetzung der Richtlinie zum Schutz von Personen, die Verstöße gegen das Unionsrecht melden - Hinweisgeberschutzgesetz) has been adopted by the German parliament (Bundestag) on May 11, 2023 and by the German Council (Bundesrat) on May 12, 2023. The Whistleblower Protection Act (the “Act”) will enter into force on July 2, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more workers, as well as “highly regulated companies,” regardless of their number of workers. These highly regulated companies are listed in the Act and are comprised of:

Securities services companies, as defined in Section 2(10) of the Securities Trading Act;
Data provision services, as defined in Section 2(40) of the Securities Trading Act;
Exchange operating companies, as defined in the Stock Exchange Act;
Institutions, as defined in Section 1(1b) of the Banking Act and institutions as defined in Section 2(1) of the Securities Institutions Act;
Counterparties, as defined in Article 3, No. 2 of Regulation (EU) 2015/2365:
Capital management companies, as defined in Section 17(1) of the German Investment Code (Kapitalanlagegesetzbuch); and
Companies, as defined in Section 1(1) of the Insurance Supervision Act, with the exception of companies operating pursuant to Sections 61 to 66a of the Insurance Supervision Act and having their registered office in another European Economic Area Member State.

Private organizations with 50 to 249 workers have until December 17, 2023, to establish their channels. All other eligible organizations are expected to comply when the Act enters into force on July 2, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the answer to Question 2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Act also allows whistleblowers to report all violations that are punishable by law, as well as certain violations that are subject to fines, insofar as the violated regulation serves to protect (i) life, limb, or health of individuals; or (ii) the rights of employees or their representatives.

5. Does the implementing law permit anonymous reporting?

Yes. Although there is no obligation to set up anonymous reporting channels, companies are required to accept any anonymous reports that they receive.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

According to Section 16 of the Act, internal reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports and the persons assisting them in fulfilling these tasks have access to the incoming reports. The identity of the whistleblower may only be known to the persons responsible for processing a report. Information about the identity of a whistleblower or a person who is the subject of a report may only be disclosed in exceptional cases, such as in criminal proceedings at the request of the prosecuting authorities.

Oral reports must be possible by telephone or by means of another type of voice transmission.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

A central external reporting office will be established at the Federal Office of Justice (Bundesamt für Justiz). In addition, the authorities which are competent to oversee the regulated financial sector, the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (Bundeskartellamt), are designated as further external reporting offices with special responsibilities for the financial sector.

The Act does not specify which authorities are responsible for enforcement; therefore, general principles under German law will apply, which means that authorities will vary from state to state. For example, in Bavaria, the Competent Authorities listed will enforce violations of the Act.

8. Does the Competent Authority have specific investigative and enforcement powers?

The external reporting offices are required to establish and operate reporting channels, check the validity of reports, and carry out procedures described in Section 28 of the Act. They can also impose follow-up measures such as requesting information from involved persons, the employer, third parties, or other authorities, and they may also refer a case to another authority.

Penalties for non-compliance with the Act are enforced by the applicable administrative authority which has jurisdiction in accordance with the German Act on Misdemeanours (OWiG).

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Preventing a report and the subsequent communication, retaliating against a whistleblower, or intentionally or recklessly disregarding the confidentiality requirements in the Act is punishable by a fine of up to EUR 50,000.
A negligent breach of the confidentiality requirements in the Act is punishable by a fine of up to EUR 10,000.
Companies that do not comply with their obligations to set up and operate an internal reporting channel may be fined up to EUR 20,000.

The references in the Act to Sections 30 and 130 of the German Act on Misdemeanours mean that the maximum limit for fines can be increased tenfold in the case of serious violations.

Greece

1. Has the implementing law been adopted?

Yes, the Law on the protection of persons reporting violations of Union law (Προστασία προσώπων που αναφέρουν παραβιάσεις ενωσιακού δικαίου) (the “Law”) entered into force on November 11, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

All private organizations in the following sectors must establish internal reporting channels regardless of the number of workers:

Financial services, products, and markets;
Transport and environment;
Entities that have a specific purpose relating to environmental conditions as sanctioned under an official decision; and
Entities that engage in activities, which by their nature may cause harm to the environment or public health.

All other organizations (both public and private) with 50 or more workers must also establish internal reporting channels.

Private organizations with 250 or more workers and public sector organizations with at least 50 workers must establish internal reporting channels within six months of the Law entering into force (i.e., by May 11, 2023). Private organizations with 50 to 249 workers have until December 17, 2023, to establish their internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

Yes.

5. Does the implementing law permit anonymous reporting?

Yes, this is implied as the Law offers protection for individuals who report anonymously and are identified at a later stage (provided that they have met the necessary criteria).

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?

Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Private organizations with 250 or more workers and public sector organizations with at least 50 workers must appoint a responsible person for receiving and monitoring reports (“Responsible Person”)within six months of the Law entering into force (i.e., by May 11, 2023). Private organizations with 50 to 249 workers have until December 17, 2023, to appoint a Responsible Person. The Responsible Person may be a worker or a third party and is responsible for maintaining the internal reporting channel and its procedures (including receipt, confirmation of, and response to such reports). All private organizations must notify the Labour Inspectorate or the Competent Authority within two months of appointing their Responsible Person.

The requirement to designate a Responsible Person is triggered when an organization reaches 50 workers. Organizations must maintain a Responsible Person for two years after the year in which they trigger this requirement. For example, organizations with 50 or more workers in 2023 must maintain their Responsible Person until at least the end of 2025. After this two-year period, organizations can decide whether or not to continue having a Responsible Person if they no longer have 50 workers. For private organizations, the term of a Responsible Person should last at least one year, unless there are just and proper grounds to terminate their position earlier.

7. Which National Authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The National Transparency Authority has been designated as the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Competent Authority can determine the criteria for calculating the relevant fine amount when imposing fines on organizations that have failed to implement internal reporting channels.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law sets out criminal sanctions (including imprisonment) and monetary fines against infringing individuals and organizations for the following acts:

Obstructing or attempting to obstruct the submission of a report within the scope of protection;
Retaliating against protected individuals;
Breaching the duty to maintain confidentiality; and
Knowingly making false reports or false public disclosures.

Failure to implement the necessary internal reporting channels can result in a fine being imposed on an organization by the Labour Inspectorate or the Competent Authority.

For any breaches committed for the benefit of or on behalf of an organization, the minimum fine is EUR 10,000 and the maximum fine is EUR 500,000. The final amount will take into account the seriousness of the infringement and the level of culpability involved.

Hungary

Prepared with assistance from Ádám Liber and Tamás Bereczki, Provaris Varga & Partners in Budapest, Hungary

1. Has the implementing law been adopted?

Yes, the Act XXV of 2023 on complaints, public interest disclosures, and the rules on reporting abuse regulating the protection of persons who report breaches of the law and on combating corruption (the “Law” (available in Hungarian) was published in the Official Gazette on May 25, 2023. The Law enters into force on July 24, 2023, 60 days after its publication in the Official Gazette.

2. Under the implementing law, which organizations must establish internal reporting channels?

The following organizations must establish internal reporting channels when the Law enters into force:

All organizations employing at least 250 persons;
Organizations covered by certain legislation, including, but not limited to:

Articles 1(1) and (1a) of Act LIII of 2017 on the Prevention Combating of Money Laundering and Terrorist Financing (which applies to, among others, financial service providers, banks, and law firms);
Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on occurrence reporting, analysis, and monitoring in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007;

All organizations registered in Hungary and carrying out offshore oil and gas activities as a licensee or operator outside the borders of the European Union; and
All organizations that are operators of a Hungarian and non-Hungarian flagged floating installation operating in the territory of Hungary.

The following organizations must establish internal reporting channels by December 17, 2023:

Organizations employing at least 50, but not more than 249 persons.

The following organizations must establish internal reporting channels by January 1, 2025:

All state and local municipal entities and the budgetary bodies directed or controlled by them; and
All organizations and companies owned by the state or local municipalities or under the ownership of state or local municipal entities and budgetary authorities.

However, local municipal entities and budgetary authorities employing fewer than 50 persons or local municipalities with fewer than 10,000 inhabitants are exempt.

Local municipalities and the budgetary bodies under their control may also set up joint internal reporting channels.

For the purposes of the Law, a person is employed if they are performing an activity for and under the direction of an organization for consideration or for their own account.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see Q2.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also be made about any illegal acts, omissions, or other misconduct. However, whistleblowers will only be protected under the Law if their concern is included in the Directive.

5. Does the implementing law permit anonymous reporting?

Reports may be made anonymously; however, an investigation is not legally required if a report is submitted anonymously.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

The operator of the internal reporting channel must investigate the allegations as quickly as possible, but in any event no later than thirty days from the receipt of the report. In certain justified cases, the time limit for examination of the allegation may be extended to three months.
Reports do not have to be investigated if:

They are made by a repeat reporter with the same content;
They are made by an anonymous reporter; or
The harm to public interests or to overriding private interests would not be proportionate to the restriction of the rights of the person concerned, resulting from the investigation of the report.

If a person who is the subject of a report submits a data subject access request, the person who submitted the report must not be disclosed to the requester.

When transferring personal data processed under the internal whistleblowing system to a third party, such as a law firm or service provider, the organization must require the recipient to warrant that it will comply with the Law.
Certain public authorities are identified in the Law as being required to set up separate reporting systems, to which anyone may report. The authorities will be required to, among other requirements, share statistical data on reports with the Commissioner for Fundamental Rights.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Labour and Occupational Health and Safety Department of County and Government Offices is the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Competent Authority has specific powers that are included in the provisions of Act CXXXV of 2020 on services and subsidies to promote employment and on the supervision of employment.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Competent Authority may issue public reprimands to organizations that do not comply with the law but it does not currently have the power to issue monetary fines or prohibitions from engaging in activities.

Ireland

Has the implementing law been adopted?
Yes, Ireland has implemented the Directive in its national legislation by adopting the Protected Disclosures (Amendment) Act 2022 on July 21, 2022, to amend its existing whistleblowing law, the Protected Disclosures Act 2014 (together, the “Act”); the Act went into effect on January 1, 2023 (by virtue of a commencement order, dated October 12, 2022).
Under the implementing law, which organizations must establish internal reporting channels?
Organizations with 50 or more employees and public bodies must establish internal reporting channels. Private organizations with 250 or more employees are expected to comply with the Act as of the date that it goes into effect (i.e., January 1, 2023). Private organizations with between 50 to 249 employees have until December 17, 2023 to establish their internal reporting channels.
Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, the Minister for Public Expenditure and Reform has the power to order organizations with fewer than 50 employees to establish internal reporting channels, taking into consideration the activities of the employers concerned and the potential levels of risk for areas of public interest such as the environment and public health.
Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also include concerns about a person failing to comply with a legal obligation under an employment contract and certain other specified matters under the Law.
Does the implementing law permit anonymous reporting?
Yes. Under the Act, organizations are given the discretion (but not the obligation) to decide if it is appropriate to accept and follow up on anonymous reports.
Does the implementing law impose any other significant deviations from the Directive, relating to:
- How organizations should set up internal reporting channels?
- Timelines for report management vis-à-vis the whistleblower?
- The content of the required communications (such as privacy notices, report receipts and investigation updates)?
- Whistleblower rights and protections?
- Any other key issues?
The Act allows the whistleblower to request further feedback at intervals of three months until the report is closed. This is in addition to the requirement under the Directive for organizations to provide feedback to the whistleblower within three months from when the report was received.
Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
The Office of the Protected Disclosures Commissioner (OPDC).
Does the Competent Authority have specific investigative and enforcement powers?
Yes, only in relation to where the Competent Authority receives a report via its own reporting channel. In that case, the Competent Authority may request and examine any record, book, or document, and order on-site inspections. The Competent Authority can also request a warrant if an authorised officer is prevented from entering any premises as part of investigations into a report.
What are the sanctions for non-compliance with the Directive and the implementing law?
The Act provides the following penalties against individuals and organizations:
- A Fine up to EUR 250,000 and/or imprisonment for a term not exceeding 2 years: for any individual or organization who (a) hinders or attempts to hinder a whistleblower, (b) penalises or threatens penalisation against a whistleblower, facilitator, third party connected with the whistleblower or a legal entity for whom the whistleblower works, (c) brings vexatious proceedings (i.e., proceedings that are without merit or have little chance of success), or (d) fails to maintain and operate internal reporting channels and procedures.
- Fine up to EUR 75,000 and/or imprisonment for a term not exceeding 2 years: for any individual or organization who violates the duty of confidentiality regarding the identity of reporting persons.
- Fine of up to €50,000 and/or to imprisonment for a term not exceeding 2 years: for any individual or organization who (a) withholds, destroys, conceals or refuses to provide any information or record, book, document or other thing required by the Competent Authority, (b) fails or refuses to comply with any requirement imposed by the Competent Authority, or (c) otherwise obstructs or hinders the Competent Authority in the performance of its functions.

Italy

1. Has the implementing law been adopted?

Yes, the Italian Legislative Decree 24/2023 (the “Decree”) was published in the Official Gazette on March 15, 2023. The Decree will enter into effect on July 15, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

The following organizations must establish internal reporting channels by July 15, 2023:

Private organizations with an average of 250 or more employees on permanent or fixed-term contracts, based on the employee headcount from the previous year.
Private organizations of any size who have voluntarily adopted a compliance program under Legislative Decree 231/2001 (which requires volunteering companies to approve a code of conduct and organizational model to prevent corporate crime).
Private organizations operating in specific sectors that are required to comply with the EU laws listed in Parts I.B. and II of the Annex to the Decree (for example, some of these laws may be applicable to companies in the financial services, pharmaceutical, and shipping industries).
All public organizations.

Private organizations that do not fall within any of the other criteria above with an average of 50 to 249 employees on permanent or fixed-term contracts (based on the employee headcount from the previous year) have until December 17, 2023 to establish internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see Q2.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also cover administrative, accounting, civil and criminal offences, as well as certain other types of unlawful conduct set out under the Decree.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations can (but are not required to) retain personal information processed in relation to the operation of their internal reporting channels for five years.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The National Anti-Corruption Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Competent Authority can receive communications relating to retaliation suffered by whistleblowers and/or other persons protected under the Decree and exercising investigative powers in this regard.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Non-compliance with the Decree is subject to a fine of between EUR 10,000 and EUR 50,000 (depending on the gravity of the infringement) if the organization is found to have:

Retaliated against a whistleblower (including bringing vexatious administrative or court proceedings against the whistleblower);
Obstructed, or attempted to obstruct, a whistleblower from reporting, or breached the obligation of confidentiality; or
Failed to (i) set up reporting channels, (ii) adopt procedures for making and managing reports, or (iii) investigate reports properly.

Latvia

1. Has the implementing law been adopted?

Latvia adopted its implementing law (Trauksmes celšanas likumu) (the “Law”) on January 20, 2022, and it entered into force on February 4, 2022 after the Law was published in the Official Gazette on February 3, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Private legal entities with 50 or more employees;
Private legal entities operating in the financial and capital markets sectors and in the field of prevention of money laundering and financing of terrorism and proliferation, irrespective of the number of employees (even with fewer than 50 employees);
Public entities of any size; and
Legal entities governed by EU law, which are designated by Latvia’s Cabinet of Ministers Regulations (note that no entities have been designated under these Regulations as yet).

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the response to Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, a whistleblower may also report issues in respect of violations that are prejudicial to the public interest.

5. Does the implementing law permit anonymous reporting?

No, the Law requires that whistleblower reports contain sufficient information about the whistleblower in order to verify their identity, including the whistleblower’s full name and personal identification number, as well as their contact information (e.g., address or telephone number).

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must:

First assess whether or not the report should be deemed a whistleblower’s report (and therefore benefit from corresponding protections under the Law) and inform the whistleblower within three days of the decision. There is no further regulatory guidance on how organizations should make this assessment or what they should factor in.
Pseudonymize the whistleblower’s personal data from the start of the investigation so that the whistleblower’s identity is only known to certain authorized individuals within the organization. No additional regulatory guidance is provided as to how organizations should carry out the pseudonymization.
Inform the whistleblower of the status of the investigation within two months from receipt of the report (regardless of whether or not the investigation has closed).
Once the investigation has closed, inform the whistleblower of the results of the investigation and action taken upon completion. The Law does not explicitly state how much detail should be provided to the whistleblower about the results.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

Latvia has designated:

Various Competent Authorities, depending on the subject matter of the report. View full list of all Competent Authorities.
The State Chancellery as a centralized contact point for whistleblowers. Within seven days from the receipt of a report, the Chancellery must identify the relevant Competent Authority and forward the report.

8. Does the Competent Authority have specific investigative and enforcement powers?

No.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties against organizations that fail to set up an internal reporting channel. Organizations face administrative fines for:

Acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., instigating retaliation), up to EUR 14,000; and
Obstructing whistleblowing reports, including preventing the submission or consideration of whistleblowing reports, up to EUR 7,000.

Individuals may also be fined for (i) knowingly providing false information using a whistleblowing channel or via the media, (ii) acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., causing emotional distress), or (iii) obstructing whistleblowing reports in any way.

Lithuania

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Whistleblowers No. XIII-804 (Pranešėjų apsaugos įstatymo Nr. XIII-804 pakeitimo įstatymo projektas) (the “Law”). It amends Lithuania’s existing whistleblowing law (Law 2018-18760), and entered into effect on February 15, 2022. All eligible organizations must comply by this date. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations with 50 or more workers.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also include concerns related to violations of law, as well as certain other specified matters under the Law.

5. Does the implementing law permit anonymous reporting?

No. Whistleblowers are required to state their (i) full name and (ii) personal identification number or date of birth. The requirement to provide a personal identification number is specific to Lithuania, and used for legal processes (including the submission of whistleblowing reports).

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must:

Acknowledge receipt of the report within two working days. This is quicker than the Directive, which requires receipt within seven days.
Inform the whistleblower of the progress of the investigation (the investigative steps envisaged or carried out by the organization and the organization’s justification for doing this) within 10 working days from the acknowledgment of receipt of the report, including if an investigation is still ongoing.
Inform the whistleblower of the results of the investigation upon completion; this is not a requirement under the Directive. The Law does not explicitly state how much detail should be provided to the whistleblower about the results, and further regulatory guidance will help in this matter.
Keep a record of the investigation for at least five years from the last decision made by the organization in relation to the investigation.

Whistleblowers may bypass an organization’s internal reporting channel under certain circumstances, including, but not limited to, when the infringement is of substantial importance for the public interest or when the whistleblower cannot use the internal channel because they do not have an employment, service, or other legal relationship with the organization.

Organizations may provide remuneration to whistleblowers who have provided valuable information. The remuneration is not limited to a specific amount.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Public Prosecutor’s Office.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Competent Authority can investigate reports using its full prosecutorial powers, including the ability to initiate and carry out prosecution of the offending party or parties.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide for any sanctions against organizations. Only individuals who violate the Law may be found liable, in accordance with Code of Administrative Offences of the Republic of Lithuania. Where an organization does not comply with the Law, sanctions are likely to be applied to the CEO (or an equivalent person who has been formally designated to be in charge of the organization).

Luxembourg

1. Has the implementing law been adopted?

Yes, the Law of May 16, 2023, transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019 on the protection of persons who report violations of Union law (Loi du 16 mai 2023 portant transposition de la directive (UE) 2019/1937 du Parlement européen et du Conseil du 23 octobre 2019 sur la protection des personnes qui signalent des violations du droit de l’Union) (the “Law”) was published in the Official Gazette on May 17, 2023, and entered into force on May 21, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Private organizations with more than 50 workers for a period of 12 consecutive months and all public entities, except for municipalities with less than 10,000 inhabitants, must establish channels. Private organizations with 50 to 249 workers have until December 17, 2023, to establish their channels. All other eligible organizations were expected to be in compliance starting on the date when the Law entered into effect on May 21, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law includes any unlawful act or omission which is contrary to national or EU law.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Private organizations with between 50 and 249 workers may share resources with respect to receiving and following up on reports. This does not preclude the obligations of such entities under the Law to maintain confidentiality, provide feedback, and remedy the reported violation.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Office des Signalements (the “Reporting Office”) is the key Competent Authority, although others have also been appointed for specific sectors, such as the supervisory authorities for the banking sector (Commission de Surveillance du secteur financier) and for the insurance sector (Commissariat aux assurances), the labour and mines inspection authority (Inspection du travail et des mines), and tax administrations, as well as professional associations (the full list of Competent Authorities is listed in Article 18 of the Law).

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Reporting Office has the power to issue investigate violations and issue administrative fines.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Anyone who retaliates or brings vexatious proceedings against a whistleblower may incur a fine between EUR 1,250 to EUR 25,000.

Organizations may face a fine between EUR 1,500 and EUR 250,000, which may be doubled in cases of repeat offenders, for the following activities:

Obstructing a whistleblower’s report;
Refusing to comply with requests from the Competent Authority;
Undermining the confidentiality of whistleblowers;
Refusing to remedy the identified violation of law; and
Failing to establish internal reporting channels.

A whistleblower who reports false information will be liable to a prison sentence between eight days to three months and/or a fine between EUR 1,500 to EUR 50,000.

Malta

Has the implementing law been adopted?
Yes, Malta adopted its implementing law by amending the Protection of the Whistleblower Act (the “Act”). The amendments were adopted on December 18, 2021 and entered into force on December 24, 2021.
Under the implementing law, which organizations must establish internal reporting channels?
The following organizations are required to establish internal reporting channels:
- Any private-sector organization with 50 or more workers;
- Any voluntary organization that annually raises more than €500,000 from public collections and other donations; and
- Each ministry of the government of Malta.
Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, the Act also applies to certain voluntary organizations (see above).
Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover damage to the environment and corrupt practices as well as certain other specified matters in the Law.
Does the implementing law permit anonymous reporting?
Yes, but anonymous reports are not treated as “protected disclosures” under the Act. This means that the requirements for organizations to acknowledge receipt of the report and provide feedback do not apply to anonymous reports.
However, if after reporting to the public, the identity of the whistleblower is made public and they subsequently suffer retaliation, their disclosure will still be protected provided that:
- The whistleblower has reasonable grounds to believe the report is true and that it falls within the scope of the Act; and
- The whistleblower has the right to report to the public under the Act.
Does the implementing law impose any other significant deviations from the Directive, relating to:
- How organizations should set up internal reporting channels?
- Timelines for report management vis-à-vis the whistleblower?
- The content of the required communications (such as privacy notices, report receipts and investigation updates)?
- Whistleblower rights and protections?
- Any other key issues?
The Act provides additional possibilities for whistleblowers to report externally without first using internal reporting channels, in addition to those set out in the Directive. For example, a whistleblower may report directly to a Competent Authority (as defined in Q7 below) where the head of the organization is (or may be) involved in the issue, or where reporting directly to a Competent Authority is justified by the urgency of the matter.
Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
Malta has nominated various Competent Authorities, depending on the subject matter/context of the report (for a full list, see the table in the First Schedule of the Act).
Does the Competent Authority have specific investigative and enforcement powers?
No.
What are the sanctions for non-compliance with the Directive and the implementing law?
The Act does not provide penalties against organizations, e.g., in case an organization does not set up an internal reporting channel or otherwise does not comply with the Act. It is possible that penalties for organizations will be added to the Act in the future by means of an additional amendment. It is currently unclear whether the Maltese government intends to make such an amendment, and further regulatory guidance is needed on this matter.
The Act does, however, provide criminal sanctions against individuals who take certain actions (such as using or threatening to use violence) with the purpose of preventing a whistleblower from making a report under the Act.
Furthermore, if a whistleblower believes that they have been retaliated against for making a report under the Act, they are also entitled to file an application to the civil court to request an injunction or an order (including an order to pay damages) against an individual. The Act specifies that whistleblowers who have suffered retaliation for making a report are entitled to compensation, but it does not explain if or when organizations (rather than specific individuals) will be liable to pay such compensation.

Portugal

1. Has the implementing law been adopted?
Yes, the General regime for the protection of persons who report violations (Regime geral de proteção de denunciantes de infrações) (the “Act”), which is now in force.

2. Under the implementing law, which organizations must establish internal reporting channels?Organizations located in Portugal employing 50 or more workers.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.

4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover violent crimes such as trafficking of narcotics and weapons.

5. Does the implementing law permit anonymous reporting?
Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations must keep a record of the reports received for at least five years or while legal proceedings relating to the concern are pending (whichever is longer).

Whistleblowers may bypass an organization’s internal reporting channel when they want to report about crimes or administrative offenses that are punishable by a fine greater than EUR 50,000 (a threshold that we understand is a regular feature in other Portuguese laws). While whistleblowers are not expected to know which offenses or violations could qualify under this exception, they will nevertheless enjoy this protection, should they wish to circumvent the internal process and instead report directly to the external channels.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
Portugal has nominated various Competent Authorities, depending on the subject-matter/context of the report (for a full list, see Article 12 of the Act, in Portuguese only).

Where no Competent Authority has been assigned to deal with the report or where a report implicates a Competent Authority, such report must be addressed to the National Anti-Corruption Mechanism (Mecanismo Nacional Anticorrupção), an independent administrative entity.

8. Does the Competent Authority have specific investigative and enforcement powers?
Yes. The National Anti-Corruption Mechanism is responsible for prosecuting violations of the Act and imposing the relevant administrative fines, except where sector-specific legislation designates another enforcement authority (e.g., the Securities Market Commission under national financial services regulations).

9. What are the sanctions for non-compliance with the Directive and the implementing law?
Varying administrative fines, depending on the seriousness of the violation.

Very serious offenses: obstructing the reporting or follow-up on a report, engaging in retaliatory acts, failing to comply with the duty of confidentiality, and communicating or publicly disclosing false information.

Fines range from EUR 10,000 - 250,000 for organizations.

Serious offenses: among others, failing to have an internal reporting channel, not managing reports in an independent and impartial manner, and refusing a face-to-face meeting with the whistleblower.

Fines range from EUR 1,000 - 125,000 for organizations.
Individuals may also be fined for serious and very serious offenses (such as communicating or publicly disclosing false information), in keeping with a separate penalty structure.

Romania

1. Has the implementing law been adopted?

Yes, Romania has implemented the Directive by adopting the Law regarding the protection of whistleblowers in the public interest (Lege privind protecția avertizorilor în interes public) (the “Law”).

The Law entered into force on December 16, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more employees must establish internal reporting channels. Private organizations with 50 to 249 employees have until December 17, 2023, to establish their channels. All other eligible organizations are expected to comply starting on the date when the Law went into effect.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also cover actions or omissions that constitute violations of legal provisions.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Reporting individuals have the discretion on whether to report internally or externally to the Competent Authority (as defined in Question 7 below). This is a departure from the Directive which requires reporting individuals to exhaust internal options first before reporting externally.

Reports, unless made anonymously, must contain the following information: (i) the name and contact details of the reporting individual, (ii) the work-related context in which the information was obtained, (iii) the implicated individuals (if known), (iv) a description of the facts, (v) any evidence in support of the report, and (vi) a date and signature. Any reports that do not contain the name, contact details, or signature of the whistleblower should still be examined if they contain substantial indications of violations of law. However, if the reports do not contain a name, contact details, or the whistleblower’s signature, or if the information set out in clauses (ii)–(v) above has not been included, the report may be closed without carrying out an investigation, provided the whistleblower is informed of the reason for closing the report.

Records of reports must be kept for five years and then destroyed at the end of the five-year period.

In addition to providing an update to reporting individuals three months after the date that the report was acknowledged or should have been acknowledged, organizations must also provide subsequent updates on the investigation of a whistleblowing report.

If an organization ultimately decides to hold a disciplinary meeting to impose a sanction against the whistleblower (as a result of the whistleblower’s report), the whistleblower may request that the organization invite the press, a representative of a trade union or professional association, or an employee representative to the meeting. Upon a whistleblower’s request, the organization must announce the meeting on its website at least three working days before the meeting takes place. If disciplinary action is taken by an organization without complying with these requirements, the action against the whistleblower will be void.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The National Integrity Agency is the Competent Authority and it may allocate reports to other public authorities for investigation.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law contains civil and criminal penalties:

An organization may be fined 2,000–20,000 lei (approx. EUR 400–4,000) if it prevents an individual from issuing a report.
An organization that fails to respond to requests from the Competent Authority or fails to set up internal reporting channels may be fined 3,000–30,000 lei (approx. EUR 600–6,000).
An organization that fails to manage reports in a way that protects the confidentiality of the whistleblower or any third party mentioned in the report may be fined 4,000–40,000 lei (approx. EUR 800–8,000).
Any individual who fails to maintain the confidentiality of the reporting individual or any third party mentioned in the report may be fined 4,000–40,000 lei (approx. EUR 800–8,000).

Courts can also (i) award damages if a whistleblower has suffered retaliation and/or (ii) where a court order has been issued in relation to the same whistleblowing report more than two times, issue supplementary orders to stop or remediate the retaliatory conduct and/or issue a fine of up to 40,000 lei (approx. EUR 8,000).

If an individual claims that they have been retaliated against, the burden of proof will rest with the organization that allegedly committed the retaliatory conduct. In such a case, a court can also order the organization to publish an extract of the judgment which found that the organization retaliated against the whistleblower in a local or national newspaper at its own expense.

Slovakia

Prepared with assistance from Peter Oravec and Elena Cervenova at PRK Partners in Slovakia.

1. Has the implementing law been adopted?

Yes, on May 10, 2023, the National Council of the Slovak Republic approved Act No. 189/2023 Coll. (the “Act”) which amends Act No. 54/2019 on the Protection of Whistleblowers (the “WPA”). It was published in the Official Law Journal on June 1, 2023, and will enter into force on July 1, 2023, with certain provisions entering into effect on September 1, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations that employ at least 50 employees;
Organizations that provide financial, transport safety, or environmental services (regardless of the number of employees); and
Public authorities with at least five employees.

While the obligation to establish internal reporting channels already applies to employers with at least 50 employees and public authorities under the WPA, the obligation to set up internal reporting channels for employers that provide financial, transport safety, or environmental services only becomes effective on September 1, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the answer to Question 2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, whistleblowers can report any anti-social activities.

The Act distinguishes between “anti-social activities” and “serious anti-social activities.” While there is no definition of “anti-social activities,” the term is broad and will likely include unethical practices in the workplace and any issues that have a negative impact on society.

When whistleblowers are reporting “serious anti-social activities,” the Act provides additional protections. Serious anti-social activities are defined to include various administrative and criminal offenses.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must appoint a person or department to be responsible for internal reporting channels.

If an organization suspects that a crime has been committed, it must refer the case to the law enforcement authorities. Failure to do so is a criminal offense under Slovakian law. The organization is also required to inform the whistleblower in advance of such referment, unless this could impact the investigation. To the extent permitted by law, the organization is required to request the results of the investigation from the law enforcement authority and to inform the whistleblower of the results within 10 days of receipt.

Organizations are required to take action (e.g., disciplinary action) against employees who hinder a whistleblower from making a report or keeping records of whistleblower reports.

When investigating a report, the Competent Authority (as defined in Question 7 below) can require the relevant organization to share its own investigation findings.

Whistleblowers who are employees receive additional protections from retaliation if they file a report about serious anti-social activities. Specifically, organizations are required to seek approval from the Competent Authority prior to taking any employment measure that could be perceived as retaliation (such as dismissal or a demotion) against an employee whistleblower who issued a report about serious anti-social activities. The request for approval must include information prescribed by the Act.

7. Whistleblowers also have the right to ask the Competent Authority to suspend any measure that could amount to retaliation within 15 days from the day that they learned of the measure.Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Competent Authority is theWhistleblower Protection Office.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes. The Competent Authority may request documents and records as well as warn and advise organizations about how to proceed. The Competent Authority can also issue fines, as set out below in Question 9.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Fines of up to EUR 30,000 can be imposed on organizations that:

Fail to take measures to remedy violations of law identified in a whistleblower’s report, or
Fail to submit to the Competent Authority a written report on the measures taken to remedy the identified violations of law.

Fines of up to EUR 50,000 may be imposed on organizations that employ fewer than 250 employees and that violate the requirements to establish internal reporting channels.

Fines of up to EUR 100,000 may be imposed on organizations that:

Employ 250 or more employees and that violate the requirements to establish internal reporting channels;
Take disciplinary action against an employee whistleblower without the permission of the Competent Authority (where permission is required); or
Threaten to retaliate against, or attempt to retaliate against, a whistleblower.

Fines of up to EUR 6,000 can be imposed for an offense committed by any person who:

Threatens to, attempts to, or sanctions a whistleblower for making a report;
Breaches the duty of confidentiality regarding the identity of the whistleblower or the identity of the implicated individuals; or
Attempts to prevent or obstruct whistleblowers from making reports.

Slovenia

Prepared with assistance from Alenka Antloga, State Supervisor for Personal Data Protection at the Information Commissioner of the Republic of Slovenia.

1. Has the implementing law been adopted?

Yes, the law on the protection of persons who report violations of EU law listed in the Directive (Zakon o zaščiti prijaviteljev – available in Slovenian) (the “Law”) was published in the Official Gazette on February 7, 2023, and entered into force on February 22, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations in the private or public sector with at least 50 workers must establish internal reporting channels.

Organizations in the private or public sector between 10 and 50 workers must also establish internal reporting channels if they perform their main registered activity in the field of healthcare or in the areas of water collection, purification and distribution, handling of sewage, assembly, and removal of waste and handling it and obtaining secondary raw materials and in the fields of environmental remediation and other waste management.

Irrespective of the number of workers, internal reporting channels must also be established by certain ministries and administrative department units, governmental services, public agencies, and self-governing local communities (municipalities).

Organizations with more than 250 workers must establish internal reporting channels within 90 days after the Law enters into force. Organizations in the private sector with up to 249 workers have until December 17, 2023, to establish internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the Law allows individuals to report on all violations of the national legislation in Slovenia, in addition to the scope of reportable concerns included within the Directive.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations required to establish internal reporting channels must appoint one or more “trustworthy persons or an organizational unit” among workers to receive and process reports.
In judicial proceedings that concern the termination of a whistleblower’s employment, the whistleblower will be able to receive injunctions faster, such proceedings will also be considered urgent, and the whistleblower will be exempt from paying court fees. The Law also establishes the presumption that the damage that the whistleblower suffers in such proceedings is a consequence of any retaliation measures from their employer.
A whistleblower is not entitled to protection under the Law if the report is submitted two or more years after the violation ceased.
Organizations will be required to report statistics on the reports that they receive each year to the Commission for the Prevention of Corruption (the “Commission”) (Komisija za preprečevanje korupcije: https://www.kpk-rs.si/en/), who will publish statistics about the number of reports received from all organizations responsible for internal and external reporting channels. The annual report from the Commission will be published by April 1 of each year.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

Several Competent Authorities have been established, as set out in Chapter 5 and Article 14 of the Law. The Commission has specific powers to advise whistleblowers under the Law.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, and they have the power to issue fines.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Legal entities may be fined by Competent Authorities:

Between EUR 2,000 and EUR 6,000 for failing to:

Provide information to whistleblowers about internal reporting channels;
Appoint an organizational unit to receive a report;
Attempting to identify the whistleblower, related persons, or an intermediary or attempting to retaliate against such persons; or
Report data about the reports that it has received to the Commission;

Between EUR 20,000 and EUR 60,000 for:

Disclosing the identity of a whistleblower, related persons, or an intermediary; or
Retaliating against a whistleblower, related persons, or an intermediary.

Spain

Prepared with assistance from Claudia Gálvez Correa, Gómez-Acebo & Pombo Abogados, S.L.P., in Madrid, Spain.

1. Has the implementing law been adopted?

Yes, Law 2/2023 of 20 February, on the protection of persons who report breaches of the law and on combating corruption (the “Law” (available here in Spanish)) was published in the Official State Gazette on February 21, 2023. The Law entered into force 20 days after its publication (i.e., March 13, 2023).

2. Under the implementing law, which organizations must establish internal reporting channels?

Private organizations with 50 or more workers.
Legal entities falling within the scope of European Union laws on financial services, products and markets, prevention of money laundering and terrorist financing, transportation safety, and environmental protection.
Political parties, trade unions, and business organizations as well as foundations created by public funds.
Public entities.

Private organizations with 50 to 249 workers and municipalities with less than 10,000 inhabitants must establish their channels by December 1, 2023. Private organizations with 250 or more workers and all other public entities must establish their channels within three months of the Law entering into force.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the Law also allows whistleblowers to report acts or omissions that may constitute a criminal offense or a serious or very serious administrative offense under Spanish law. The Law does not include a specific list of these offenses but gives as an example offenses involving financial loss to the Public Treasury and to the Social Security system and violations in the area of health and safety at work.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must implement a policy regarding the general principles of their internal reporting channels, the protections in place for whistleblowers, and the procedures in place regarding the management of communications within the internal reporting channels.
Organizations must appoint an individual who will be independently responsible for their internal reporting channels and the organizations must notify the Competent Authority about the appointment of that individual. The Law does not specify if this individual needs to be in Spain or employed by the local Spanish entity, but this person must be a manager of the company, independent, and have sufficient resources to carry out the tasks entrusted to them.
The Law also allows the appointment of a collegiate body to be responsible for an organization’s internal reporting channel, provided that it delegates the management of the internal reporting channel to one of its members.
Organizations must consult (but not seek approval from) workers’ representatives before establishing their internal reporting channels.
Organizations’ management in Spain (e.g., their board of directors) must formally approve the internal reporting channels.
The Law confirms that a corporate group can share a single internal reporting channel, and that the corporate group can share responsibility to oversee this internal reporting channel. While the Law states that reporting channels must be independent, organizations are not required to set up separate whistleblowing channels for each entity in their group.
Organizations must provide a notice to individuals about the use of internal reporting channels, as well as about the essential principles of their reporting procedures in the Spanish language. If an organization’s internal reporting channel is hosted on a website, this information must appear on the organization’s home page, in a separate and easily identifiable section.
Whistleblowers may issue reports directly to the Competent Authority without first using internal reporting channels.
Reports may only be kept in an internal reporting channel’s system for the time necessary to decide whether or not to initiate an investigation. If a decision is not made within three months, the communication must be deleted from the system, except for personal data required to maintain evidence of the system’s operation. In this case, information regarding communications that have not been admitted for investigation must be anonymized.
Personal data contained in whistleblowing reports (outside the internal reporting channels) may be retained by the organization for 10 years.
Organizations must implement privacy policies for their internal reporting channels, aligned with the requirements set out in the Law and Spanish personal data protection law.
Whistleblowers are protected from retaliation for two years; however, extended protection from an organization’s retaliation may be requested by the whistleblower from the Competent Authority.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

La Autoridad Independiente de Protección del Informante, A.A.I. (the “Independent Authority for the Protection of Informants” or AAI) will be the Competent Authority. However, the Competent Authority has not yet been officially established by the Spanish government.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Competent Authority has the power to penalize organizations for non-compliance with the Law. The Law provides that decisions of the Competent Authority may only be appealed before courts.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law prescribes sanctions for “very serious infractions,” “serious infractions,” and “minor infractions”:

Very serious infractions include, among others, organizations taking retaliatory action against a whistleblower, breaching the confidentiality or anonymity of a whistleblower’s identity, and breaching the obligation to have an internal reporting channel.
Serious infractions include, among others, organizations hindering a whistleblower’s ability to issue a report when it is not deemed to be “very serious” and violating the secrecy of a report when is not deemed to be “very serious.”
Minor infractions include, among others, organizations deliberately submitting incomplete information to the Competent Authority, and any other breach of the Law which is not considered a serious or very serious infraction.

If individuals are responsible for the infraction, they can be fined EUR 1,001‒10,000 for minor infractions, EUR 10,001‒30,000 for serious infractions and EUR 30,001‒300,000 for very serious infractions.

If organizations are responsible for the infraction, they can be fined up to EUR 100,001 for minor infractions, EUR 100,001‒600,000 for serious infractions and EUR 600,001‒1,000,000 for very serious infractions.

For very serious infractions, the Competent Authority may also impose a penalty, including: (i) releasing a public reprimand or publishing the infraction in the Official State Gazette; (ii) prohibiting new subsidiaries or other tax benefits for a maximum term of four years; and (iii) prohibiting contracts with the public sector for a maximum of three years.

Sweden

1. Has the implementing law been adopted?
Yes, the Law on the protection of persons who report misconduct (Lag om skydd för personer som rapporterar om missförhållanden) (the “Act”).

2. Under the implementing law, which organizations must establish internal reporting channels?Organizations that at the beginning of the calendar year had 50 or more workers.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.

4. Is the scope of reportable concerns the same as in the Directive?
No, the scope appears to be broader. Individuals may, for example, also report violations of laws or other regulations covered in Chapter 8 of the Instrument of Government.

5. Does the implementing law permit anonymous reporting?
The Act’s legislative history/preparatory works allows for anonymous reporting.

6. Does the implementing law impose any other significant deviations from the Directive relating to:

How organizations should set up internal reporting channels;
Timelines for report management vis-à-vis the whistleblower;
The content of the required communications (such as privacy notices, report receipts, and investigation updates);
Whistleblower rights and protections; or
Any other key issues?
Both oral and written reporting must be made available to the whistleblowers, while the Directive gives organizations a choice in this regard.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
Sweden has nominated a total of 30 competent authorities to handle whistleblowing reports (see the regulation in Swedish only). However, the Swedish Work Environment Authority has been appointed as the authority with overall oversight.

8.Does the Competent Authority have specific investigative and enforcement powers?

Power to issue injunctions to force organizations to comply with their legal obligations.
Power to accompany injunction by a recurrent pecuniary penalty.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

See response to previous question; the Act does not mention any further sanctions.
Organization violating the prohibition against retaliation will have to pay compensation for the losses incurred (Employment Protection Act (1982:80) referenced).

The Netherlands

1. Has the implementing law been adopted?

Yes, the law updating the Whistleblowers Protection Act to implement the Directive (Wet van 25 januari 2022 tot wijziging van de Wet Huis voor klokkenluiders en enige andere wetten ter implementatie van Richtlijn (EU) 2019/1937 van het Europees Parlement en de Raad van 23 oktober 2019 – available in Dutch) was published in the Official Gazette on February 3, 2023. The law entered into force on February 18, 2023. A consolidated version of the Whistleblowers Protection Act (the “Law”) is available in Dutch.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more workers must establish internal reporting channels. Private organizations with 50 to 249 workers have until December 17, 2023, to comply with the Law and establish their channels. All other eligible organizations are expected to comply when the Law enters into force.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report acts or omissions having an impact on the public interest, as well as certain other matters as specified in the Law.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

An organization that is required to establish internal reporting channels, but which has not set up a works council or staff representational association (and is not obliged to do so), must obtain the consent of more than half of its workers when setting up its internal reporting channels. This consent is not required if internal reporting channels are already regulated by a collective labor agreement.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Huis voor klokkenluiders (“Whistleblowers’ House”) is the key Competent Authority, although other authorities have also been appointed for specific sectors under the Law:

Consumer and Market Authority (Autoriteit Consument en Markt)

Financial Markets Authority (Autoriteit Financiële Markten)
Data Protection Authority (Autoriteit persoonsgegevens)
Netherlands Central Bank (Nederlandsche Bank)
Health Care and Youth Inspectorate (Inspectie Gezondheidszorg en Jeugd)
Dutch Health Care Authority (Nederlandse Zorgautoriteit)
Nuclear Safety and Radiation Protection Authority (Autoriteit Nucleaire Veiligheid en Stralingsbescherming)

If a Competent Authority receives reports under the remit of another Competent Authority, it is required to direct such reports to the appropriate Competent Authority, provided that it first obtains the prior consent of the whistleblower to do so.

8. Does the Competent Authority have specific investigative and enforcement powers?

Under the Law, the Whistleblowers’ House is expressly tasked with informing and supporting whistleblowers. In addition, the Whistleblowers’ House also has the power to launch ex officio investigations.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be fined by the Whistleblowers’ House if they (a) fail to implement an internal reporting channel, (b) fail to provide information regarding the reporting procedures, (c) fail to act on the recommendations of the Whistleblowers’ House, or (d) retaliate against a whistleblower. The Law does not currently determine the amount of the fines, this shall be determined by a decree, which will be incorporated in the Law as an annex.