Whistleblowing Implementing Laws At-a-Glance

EU Member States are in various stages of drafting and finalizing national laws which will implement the EU’s Directive on the protection of persons who report breaches of European Union law (the “Directive”), which needed to be adopted by EU Member States by December 17, 2021. As EU Member States finalize their implementing laws, we will add below a brief Q&A-style summary of the main issues in each implementing act to keep you informed about the overall progress.

Last Updated: 07 August 2024

Austria

1. Has the implementing law been adopted?

Yes, the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz) (the “Act”) was adopted on February 16, 2023. It entered into force on February 25, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with at least 50 employees or civil servants must establish internal reporting channels. Private organizations in the following sectors must establish internal reporting channels, irrespective of the number of employees or civil servants: (i) financial services, products, and markets, (ii) prevention of money laundering and terrorist financing, (iii) transport safety, and (iv) protection of the environment.

Private organizations with 50 to 249 employees had until December 17, 2023, to establish their channels. All other eligible organizations were expected to establish internal reporting channels within a period of six months after the Act entered into force.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the response to Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Act also includes criminal corruption offenses, such as bribery.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations are required to retain personal information processed in relation to the operation of its internal reporting channel for five years and beyond that for as long as the information is necessary for administrative or judicial proceedings.
Organizations are required to keep records/protocols of all processing operations that relate to the operation of their internal reporting channels and to retain such records/protocols for three years after the expiration of the respective retention period.
The Act establishes a specific condition to permit the processing of sensitive personal information contained in reports; such personal information may only be processed if the processing is in the substantial public interest to provide evidence or indications of violations of law or to verify the validity of such evidence.
The Act clarifies that the data processing operations under the Act do not require a data protection impact assessment under Article 35 of the GDPR.
Within 14 days upon request of the whistleblower, the organization must organize a physical meeting to discuss the report. The Directive only requires organizations to organize a physical meeting within a “reasonable timeframe.”
Organizations may share reporting channels with other organizations, including between entities within corporate groups.
Organizations must review each report for its validity. An organization does not need to investigate or follow up on a report which does not provide any indication or evidence of its validity. The Act does not provide further explanation on what indication or evidence is needed for a report to be sufficiently substantive or valid and this may become clearer once guidance is issued.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Federal Office for Preventing and Combating Corruption (Bundesamt zur Korruptionsprävention und Korruptionsbekämpfung) is the Competent Authority, although other authorities have also been appointed for specific sectors under the Act:

Auditor Supervisory Authority (Abschlussprüferaufsichtsbehörde)
Financial Reporting Authority (Bilanzbuchhaltungsbehörde)
Federal Competition Authority (Bundeswettbewerbsbehörde)
Financial Market Authority (Finanzmarktaufsichtsbehörde)
Money Laundering Reporting Office (Geldwäschemeldestelle)
Notarial chambers
Bar associations
Chamber of Tax Advisors and Certified Public Accountants (Kammer der Steuerberater und Wirtschaftsprüfer)

If a Competent Authority receives reports under the remit of another Competent Authority, the former is required to direct such reports to the appropriate Competent Authority after informing the whistleblower.

8. Does the Competent Authority have specific investigative and enforcement powers?

Under the Act, the Competent Authority is required to conduct any necessary further investigations within its competence itself or request the appropriate Competent Authority, the public prosecutor’s office, or the competent court to investigate the matter. Further, the Competent Authority may take any follow-up measures it deems appropriate.

If the whistleblower’s report creates a suspicion that a crime has been committed, the Competent Authority has specific investigative and enforcement powers under the Austrian Code of Criminal Procedure and the Act on the Federal Office for Preventing and Combating Corruption.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The following non-compliance with the Act is subject to a fine of up to EUR 20,000, or EUR 40,000 in case of a repeated offense:

Hindering or attempting to hinder whistleblowers from reporting violations;
Putting pressure on whistleblowers by bringing vexatious administrative or court proceedings against them;
Retaliating against whistleblowers;
Breaching the duty of maintaining the confidentiality of the identity of the whistleblower; andKnowingly making a false or misleading report.

Belgium

1. Has the implementing law been adopted?

Yes, the Law on the protection of persons who report violations of Union or national law found within a legal entity of the private sector (Loi sur la protection des personnes qui signalent des violations au droit de l’Union ou au droit national constatées au sein d’une entité juridique du secteur privé – available in French and Dutch) (the “Law”) was published in the Official Gazette on December 15, 2022 and entered into force on February 15, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations in the private sector with at least 50 workers must establish internal reporting channels.

Private organizations with between 50 to 249 workers had until December 17, 2023, to establish their internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, the Law is addressed to organizations in the private sector only.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report tax and other matters as specified in the Law.

5. Does the implementing law permit anonymous reporting?

Yes; however, organizations with fewer than 250 workers are not required to accept anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Reports must be kept for the duration of the work-related relationship between the whistleblower and the organization. It is not currently clear how organizations should comply with this obligation for reports received from any individual with whom the organization has no contractual relationship.

Organizations must consult with applicable “social partners” before establishing internal reporting channels, which—depending on the specific circumstances—may include works councils or workers’ representatives.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Competent Authority will vary depending on the field in which the violation is committed. The Belgian government will designate the Competent Authority for each sector. Where the government has not done so, the Federal Ombudsmen will be the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Competent Authority has the power to impose administrative measures (or criminal sanctions, if the Competent Authority is a judicial body). Administrative measures involve fines, suspensions, injunctions to engage in certain activities, or withdrawal of permits/authorizations. The specific measures will depend on the remit of the Competent Authority appointed in that specific field.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be subject to criminal fines from EUR 24,000 to 576,000 or administrative fines from EUR 2,400 to 24,000 under Article 101 of the Social Criminal Code for failing to meet the requirements of the Law that relate to their internal reporting channels. Note that both sets of fines can be further increased depending on the number of employees involved with the infringement, in accordance with specific formulae set out under Belgian law.

Criminal sanctions are also applicable if organizations (or their personnel) (i) obstruct or attempt to obstruct reporting, (ii) retaliate against reporting individuals, (iii) initiate unnecessary/vexatious proceedings against reporting individuals, or (iv) breach the confidentiality of a reporting individual. In such cases:

Individuals may be subject to a maximum of three years’ imprisonment and/or a fine from EUR 4,800 to 48,000; and
Legal entities may be subject to a fine from EUR 24,000 to 576,000.

Bulgaria

Prepared with the assistance of Deyan Terziev from Boyanov & Co. in Sofia, Bulgaria

1. Has the implementing law been adopted?

Yes, Bulgaria has implemented the Directive by adopting the Law on the Protection of Whistleblowers or Public Disclosures of Infringements, last amended on October 20, 2023 (Закон за защита на лицата, подаващи сигнали или публично оповестяващи информация за нарушения) (the “Law”).

The Law entered into force on May 4, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public organizations and private organizations with 50 or more workers, as well as organizations falling within the scope outlined in Parts I.B and II of the Annex to the Law (e.g., entities providing certain financial services and entities with anti-money laundering obligations, etc.), must establish internal reporting channels. Private organizations with 50 to 249 workers had until December 17, 2023, to establish their channels. All other eligible organizations were expected to comply starting on the date when the Law entered into effect (i.e., May 4, 2023).

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law allows reports to cover violations about areas of the law such as general criminal law and employment law.

5. Does the implementing law permit anonymous reporting?

The Law provides that organizations shall not initiate proceedings based on anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Proceedings cannot be initiated on reports relating to violations committed more than two years prior to the time of the report.

Organizations must review their internal reporting rules and follow up at least once every three years, carry out an analysis of the practice on the application of the Law, and, if necessary, update their rules.

Organizations must use specific forms (approved by the Competent Authority (as defined below)) to register reports, which shall include, among other things: (i) full name; (ii) address; (iii) telephone number; (iv) email address; (v) the names of the person(s) against whom the report is filed; (vi) their place of work (if the report concerns known persons); and (vii) details regarding the specific violation. In addition, reports must be dated and signed. A whistleblower must provide the information required by the Law; otherwise, organizations must refuse the report on the grounds of it being non-compliant.

Organizations must appoint one or more employees as responsible persons for handling reports. According to the Competent Authority, this employee is the only person permitted to investigate reports (with limited assistance by other employees on a need-to-know basis), to receive and register oral reports, and to have access to the internal register of reports. It is possible to outsource the function of receipt and registration of written reports to a third party.

The Competent Authority has established rules on the public registration of reports. The responsible person for handling reports must generate a unique identification number (UIN) for every report that is within the scope of reportable concerns of the Law. The UIN is generated at the website of the Competent Authority.

Organizations must establish and maintain a non-public register of submitted reports, containing information about: (i) the person who received the report; (ii) the date of submission of the report;

(iii) the person concerned (if available); (iv) a summary of the alleged violation; (v) any connection between the report and other reports made; (vi) information provided as feedback to the whistleblower; (vii) follow-up actions taken; (viii) the results of report checks; (ix) the period of storage of the report;

(x) the entry number from the internal document registration system of the obliged organization; (xi) the UIN generated from the website of the Competent Authority. This register, any reports, and any related documentation must be retained by the organization for five years.

Each organization must also annually submit statistical information from its register to the Competent Authority, by January 31 each year. The person who is responsible for handling reports is required to provide the Competent Authority with information about the number of received reports, their UINs, the subject matter of the report, the number of investigations, and their results.

Organizations must provide implicated individuals with: (i) the opportunity to provide their own explanations and evidence; and (ii) the opportunity to object to collected evidence within seven days (subject to the whistleblower protections). Organizations must balance protecting the identity of the whistleblower and complying with this obligation on a case-by-case basis.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Commission for Personal Data Protection is the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Sanctions vary depending on the type and nature of the non-compliance in question.

Administrative fines may be imposed where organizations:

Either (i) take actions for the purpose of retaliation against the whistleblower or against a person related to them or (ii) initiate legal proceedings if they are carried out only with the intention of harming the whistleblower (ranging from BGN 2,000–8,000 (approx. EUR 1,000–4000)); and
Fail to establish internal channels for reporting (ranging from BGN 5,000–20,000 (approx. EUR 2,500–10,000) or BGN 10,000–30,000 (approx. EUR 5,000–15,000) for repeated violations)); and

Administrative fines ranging from BGN 400–4,000 (approx. EUR 200–2,000) may also be imposed for:

Obstructing or attempting to impede the submission of a report;
Failing to take or deliberately delaying the necessary follow-up actions on the report;
Failing to provide to the whistleblower (within three months of acknowledging receipt) information on the follow-up actions taken; and/or
Violating confidentiality obligations.

Croatia

Prepared with the assistance of Zrinka Vrtarić and Ana Romić from Kobsa, Zornada & Partners, in cooperation with Deloitte Legal, in Zagreb, Croatia

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Reporters of Irregularities (the “Law”) entered into force on April 23, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations employing at least 50 employees must establish an internal reporting channel. Organizations with fewer than 50 employees may establish an internal reporting channel if they wish to do so. Organizations carrying out the following activities must establish an internal reporting channel, irrespective of the number of employees: (i) financial services; (ii) financial products and markets; and (iii) prevention of money laundering and terrorist financing.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

All organizations with 50 or more employees must have set up an internal reporting channel by June 23, 2022. The Law does not provide the additional time for private organizations with 50 to 249 employees to establish internal reporting channels that the Directive allowed for EU Member States.

4. Is the scope of reportable concerns the same as in the Directive?

Yes.

5. Does the implementing law permit anonymous reporting?

The Law does not explicitly permit anonymous reporting; however, it refers indirectly to persons making anonymous reports being entitled to protection irrespective of the fact that they have come forward anonymously, in case their identity was subsequently revealed, and they suffer retaliation. There is no specific regulatory guidance about anonymous reporting at this time.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations that are subject to the Law are required to designate (i) a “confidential person” and (ii) a deputy who will take on the role of the confidential person when the confidential person is not available. The confidential person and deputy can be individuals employed by the organization, or third-party individuals, who are to be responsible for overseeing whistleblowing compliance and the organization’s internal reporting channels. There is no information at this time about the eligibility requirements for a confidential person or deputy.

The confidential person must provide feedback to the whistleblower and “take action” to investigate the reported issue within 30 days where possible (or within 90 days at the latest). There is no definition in the Law for what constitutes “take action” and there is no regulatory guidance at this time.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Ombuds(wo)man is the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Ombudswoman may only (i) refer matters relating to whistleblowing to the Misdemeanor Court for review or (ii) receive and forward whistleblowing reports to the relevant body for further investigation. The relevant body will depend on the subject matter of the report, although there is no direction in the Law as to which body is responsible for which types of reports. The Ombudswoman does not have any enforcement powers.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be fined by the Misdemeanor Court between HRK 10,000–30,000 (EUR 1327.23–3981.68) for failing to:

a) Adopt a notice regulating the procedure for the organization’s internal reporting system and the procedure for appointing a confidential person and a deputy;

b) Make the notice available to all persons in the work environment in a suitable manner, together with all the information required for filing a report;

c) Establish an internal reporting system;

d) Protect the personal data received via a whistleblowing report;

e) Appoint a confidential person or a deputy within three months of the Law going into force (i.e., by

July 23, 2022);

f) Keep adequate records; or

g) Take measures to remedy acts or omissions that are unlawful.

In addition, responsible persons at an organization (i.e., individuals responsible for conducting the business affairs of the organization, e.g., a director) or small business owners (i.e., individuals who run unincorporated companies, in accordance with the Trades and Crafts Act) may be fined between HRK 1,000–10,000 (EUR 132.72–1327.23) for failing to implement the Law within two months of the Law going into force (i.e., by June 23, 2022).

Organizations may also be fined between HRK 30,000–50,000 (EUR 3981.68–6636.14) if they:

a) Prevent or attempt to prevent individuals from reporting acts or omissions that are unlawful;

b) Initiate malicious proceedings against acts or omissions that are unlawful (malicious proceedings are proceedings with no real basis, e.g., discrimination or defamation);

c) Disclose or attempt to disclose the identity of a person making a report;

d) Retaliate against a person making a report;

e) Fail to protect a person making a report from retaliation; or

f) Influence or attempt to influence those taking action to protect a report or a reporting person (e.g., negatively influence those individuals who are tasked with keeping a whistleblower’s identity confidential and ensuring that they do not suffer retaliation).

In addition, responsible persons at an organization and small business owners may be fined between HRK 3,000–30,000 (EUR 398.17–3981.68) for preventing or attempting to prevent individuals from reporting acts or omissions that are unlawful.

Cyprus

Prepared with the assistance of Natasa Iakovou from Lellos P. Demetriades Law Office LLC.

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Persons Reporting Violations of Union and National Law 2022 (ο περί της Προστασίας Προσώπων που Αναφέρουν Παραβάσεις του Ενωσιακού και Εθνικού Δικαίου Νόμος του 2022) (the “Law”) entered into force on February 4, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Private companies with 50 or more employees, and all public sector entities (excluding local authorities with fewer than 5,000 inhabitants or 25 employees), must establish internal reporting channels.

The threshold of 50 employees does not apply to private organizations falling within the scope of Union acts referred to in the Law.

Private organizations with between 50 to 249 employees had until December 17, 2023, to establish their internal reporting channels. All other eligible organizations were expected to comply starting on the date when the Law went into effect.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also cover violations of national law, such as acts or omissions related to criminal offenses, non-compliance with any legal obligation, an action which might endanger the security or health of a person, or which could cause damage to the environment, and other matters as specified in the Law.

5. Does the implementing law permit anonymous reporting?

The Law does not exclude nor explicitly require anonymous reporting; it refers indirectly to individuals anonymously making reports, which would indicate that anonymous reporting is contemplated.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must delete personal information contained within records of the reports (i) three months after the investigation is closed, or (ii) in the event of legal or disciplinary proceedings, one year after the completion of legal proceedings.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Ministry of Justice and Public Order has published a comprehensive list of Competent Authorities, available on its website.

8. Does the Competent Authority have specific investigative and enforcement powers?

No.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties against organizations that fail to set up an internal reporting channel; however, an organization may be fined up to EUR 30,000 if, through lack of supervision or control, it fails to prevent an individual from committing the following offenses:

Obstructing or attempting to prevent a report,
Retaliating or initiating malicious proceedings against a whistleblower, or
Breaching confidentiality obligations regarding the whistleblower’s identity.

Individuals may also be imprisoned for up to three years or fined up to EUR 30,000 for various offenses, including obstructing or attempting to prevent a report, or breaching confidentiality obligations regarding the whistleblower’s identity.

Czech Republic

Prepared with assistance from Michal Nulicek of Rowan Legal in Prague, Czech Republic.

1. Has the implementing law been adopted?

The law on the protection of whistleblowers (the “Law”) was published in the Collection of Laws on June 20, 2023, and entered into force on August 1, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations in the private or public sector with at least 50 workers on January 1 of the relevant calendar year must establish internal reporting channels. In addition, organizations subject to specific anti-money laundering requirements under the Act on Certain Measures against the Legalization of Proceeds of Crime and Terrorist Financing must establish such channels regardless of the number of their workers. Municipalities with at least 10,000 inhabitants are also required to establish internal reporting channels.

Organizations with at least 50 but no more than 249 workers were required establish an internal reporting system by December 15, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the response to Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, under the Law, whistleblowers can also report any criminal offence, certain misdemeanours, and other violations of the Law.

5. Does the implementing law permit anonymous reporting?

Yes, although organizations are not required to investigate anonymous reports and anonymous whistleblowers are not entitled to protection from retaliation under the Law, unless their identity is subsequently revealed after they issue an anonymous report.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

The Law requires that organizations designate an impartial competent person to be responsible for the internal reporting channel (the “Competent Person”).

The Competent Person shall be responsible for assessing the validity of reports and proposing ways to remediate the identified breach of law to the organization, among other responsibilities.
The Competent Person must be deemed to be a person of good character who has not been convicted of certain criminal offenses as set out in the Law.
The Competent Person is responsible for ensuring that the organization acknowledges receipt of a whistleblowing report within seven days, unless (i) the whistleblower has expressly requested not to be notified about the receipt of the report; or (ii) it is clear that acknowledging receipt of a report would reveal the identity of the whistleblower to another person.
The Competent Person shall assess the validity of a report and inform the whistleblower in writing of the results of the assessment within 30 days from the date of receipt of the notification, unless the case is factually or legally complex, in which case this period may be extended by up to 30 days. This 30-day extension may be initiated twice, as long as the Competent Person informs the notifier in writing of the extension of the time limit and the reasons for it before expiry of the time limit. This deviates from the Directive, which only requires organizations to provide feedback to a whistleblower three months after acknowledging receipt of a report (or when an acknowledgment should have been provided).
The Competent Person must retain the reports submitted through the reporting channel and any related documents for a period of five years from the date of receipt of the report.
In addition, penalties apply if the Competent Person commits any administrative offense under the Act. See the response to Q9 below.

Organizations must enable notifications to be made both orally and in writing or, at the request of the whistleblower, in person. The Directive gives organizations a choice to provide either oral or written reporting channels.
The list of retaliatory measures that whistleblowers should be protected from states that it includes, but is not limited to, the measures included in the Directive (e.g., withholding training, blacklisting a supplier, demotion, or withholding a promotion). This suggests that the Law’s scope of what amounts to retaliation seems to be wider than the scope of the Directive and that the list in the Law is not exhaustive.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Ministry of Justice (the “Ministry”) is the designated Competent Authority in most cases, except for the imposition of fines on employers for breaches of the Law, in which case the Competent Authority is the Work Inspectorate.

The Ministry will (i) act as an external reporting channel for whistleblowers; (ii) provide assistance in whistleblower protection matters; and (iii) perform other tasks that are included under the Law (e.g., imposing fines on Competent Persons).

8. Does the Competent Authority have specific investigative and enforcement powers?

Both the Ministry and Work Inspectorate have the ability to issue fines. However, only the Ministry has the ability to fine a Competent Person or a municipality directly. The Ministry is not responsible for conducting investigations; rather, it shall refer cases to other applicable public authorities (e.g., to the data protection authority in the event of a data breach).

The Work Inspectorate has the ability to fine employers as well as to conduct investigations relating to breaches of employment law (reports about such offenses fall within the scope of the Law; see the response to Q4 above).

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be fined:

Up to CZK 400,000 (approx. EUR 16,770 as of July 11, 2023) for failing to:

Ensure that information about how to report to the organization and to the Ministry is published; or
Comply with corrective measures imposed by the Ministry.

Up to CZK 1,000,000 (approx. EUR 41,930 as of July 11, 2023) for:

Allowing a whistleblower to be subjected to retaliation;
Not designating a Competent Person to carry out the activities required under the Law;
Failing to ensure that the whistleblower is able to submit a report orally and in writing or, at their request, in person;
Failing to ensure that only relevant persons are allowed to view submitted reports, or that the organization breached the requirement to protect the identity of the whistleblower or disclosed information that would undermine the report;
Failing to ensure that the reasonableness of the report is assessed by the Competent Person;
Failing to ensure that the whistleblower receives an acknowledgment of receipt of their report and feedback on the validity of the report;
Failing to ensure that appropriate measures are taken to remedy or prevent a violation of law following a report; or
Penalizing the Competent Person for properly complying with their obligations under the Law.

Competent Persons may be fined by the Ministry:

Up to CZK 20,000 (approx. EUR 840 as of July 11, 2023) for failing to:

Notify that they no longer meet the requirements for having good character; or
Inform the whistleblower of the outcome of the report’s assessment within the time limit.

Up to CZK 50,000 (approx. EUR 2,100 as of July 11, 2023) for:

Failing to consider the validity of a report or refusing to accept a report;
Providing information that could defeat or undermine the purpose of the report; or
Disclosing information about the identity of the whistleblower without their written consent.

Up to CZK 100,000 (approx. EUR 4,190 as of July 11, 2023) for:

Intentionally providing information which could defeat or undermine the purpose of the report; orIntentionally disclosing information about the identity of the whistleblower without their written consent.

Denmark

Prepared with assistance from Malene Nyegaard and Jacob Falsner, of Plesner, in Denmark.

1. Has the implementing law been adopted?
Yes, the Danish Act on Protection of Whistleblowers (in Danish: “Lov om beskyttelse af whistleblowere”) (hereinafter referred to as the “Act”).

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more employees.

Further, the Act supplements the obligations for employers in certain regulated sectors, such as the financial and insurance sectors, to establish internal reporting channels pursuant to sector-specific legislation, such as the Danish Money Laundering Act, which obliges employers with more than five (5) employees to establish an internal whistleblowing compliance program.

Note also that whistleblowers may be entitled to protection under other laws in Denmark, such as the Danish Equal Treatment Act and the Danish Anti-Discrimination Act.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.

4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also include, among other topics, concerns about serious breaches of Danish law (such as theft) or other serious matters (such as “MeToo”-type complaints).

5. Does the implementing law permit anonymous reporting?
The Act permits anonymous reports. However, it is not a legal requirement to receive such reports. Employers are free to decide whether or not they wish to accept anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive relating to:

How organizations should set up internal reporting channels;
Timelines for report management vis-à-vis the whistleblower;
The content of the required communications (such as privacy notices, report receipts, and investigation updates);
Whistleblower rights and protections; or
Any other key issues?

The Act permits group companies to share internal reporting channels as well as investigations into whistleblowing reports, instead of requiring each entity within the group to have separate internal reporting channels and investigation processes.

The Act states that an organization may rely on the legal basis of compliance with a legal obligation to process personal data for the purpose of managing internal reporting channels.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
The Danish Data Protection Agency (Datatilsynet) has been designated as the external reporting channel. However, the Ministry of Justice is responsible for issuing guidance and with supervising compliance with the Act.

8. Does the Competent Authority have specific investigative and enforcement powers?
No public authority has enforcement powers under the Act. The Danish Ministry of Justice must file a report to the police if it finds there has been non-compliance with the Act, and it is up to the Danish policy to investigate the matter and to the Danish prosecuting authority to take enforcement action.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

A person who is in breach of the confidentiality requirements of the Act or who deliberately reports incorrect information may be punished with a fine, unless a higher penalty is warranted according to other applicable Danish legislation.

Further, legal entities may be fined if they fail to establish and operate internal reporting channels in accordance with the Act or fail to investigate whistleblowing reports in accordance with the Act. Any fines imposed will be determined by the Danish courts.

In addition, legal entities may be subject to criminal liability under the Danish Criminal Code for failing to comply with the Act.

Estonia

Prepared with the assistance of Merlin Liis-Toomela and Hegle Pärna from Ellex Raidla Law Firm in Estonia.

1. Has the implementing law been adopted?

Yes, Estonia has implemented the Directive into its national legislation by adopting the Act on the Protection of Whistleblowers of Work-Related Breach of European Union Law (Tööalasest Euroopa Liidu õiguse rikkumisest teavitaja kaitse seadus) (the “Act”); the Act will come into effect on September 1, 2024.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations located in Estonia that employ 50 or more workers. Private organizations with between 50 and 249 workers have until January 1, 2025, to establish their internal reporting channels.

Pursuant to the Act, the obligation to create an internal reporting channel applies to the following legal entities in the private and public sectors:

Government agencies, constitutional institutions, and other state agencies;
Local government authorities or agencies under their control, where there are 50 or more workers, or local governments where there are 10,000 or more residents;
Legal entities with 50 or more workers; and
Entities subject to state financial supervision under the Financial Supervision Authority Act.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, all entities subject to national financial supervision (regardless of the number of workers that they have) under the Financial Supervision Act must also establish internal reporting channels. This includes entities that have been granted the right to operate in certain financial fields by the Estonian Financial Supervision and Resolution Authority, for example, credit institutions, lenders, credit intermediaries, investment and pension funds, etc.

4. Is the scope of reportable concerns the same as in the Directive?

Yes.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

The Act states that a whistleblower will be protected under the Act if they issue a report through their manager, in addition to reports issued through internal or external reporting channels or to the public. Further, whistleblowers are allowed to report to Competent Authorities (defined below) without initially going through internal reporting channels under any circumstances.

Organizations must keep a record of the reports received for at least three years from the date of the feedback.

The Act allows organizations to share an internal reporting channel within their corporate group, even if they have more than 250 workers.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Act specifies that a Competent Authority is any state authority or local government unit in Estonia that has the competence to carry out state or administrative powers or that has the power to prosecute an offense of an infringement within the scope of the Act.

No specific authorities have been designated as such yet.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes; however, this will depend on the powers of the existing Competent Authority to enforce violations of the laws within the scope of the Act.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations face fines of up to EUR 100,000 for taking retaliatory measures against a whistleblower, obstructing the report, or breaching the duty of confidentiality regarding the whistleblower’s identity.

Individuals may also be fined up to EUR 1,200 for the same offenses.

The Estonian Police and Border Guard Board will be responsible for prosecuting offenses under the Act.

Finland

Prepared with the assistance of Eija Warma-Lehtinen and Lisa Litvin from Castrén & Snellman Attorneys in Finland.

1. Has the implementing law been adopted?

Yes, the Act on the protection of persons reporting violations of European Union and national law (Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta) (the “Act”) entered into force on January 1, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations that regularly have 50 or more employees must establish channels.

Private organizations with at least 250 employees and public sector organizations with at least 50 employees must have established internal reporting channels within three months of the Act entering into force (by April 1, 2023). Private organizations which regularly have 50 to 249 employees had until December 17, 2023, to establish their internal reporting channels.

The Act does not specify what “regularly” means in this context and it would have to be determined on a case-by-case basis under Finnish law, considering the typical or average number of employees over a certain period.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. The Act also allows whistleblowers to report certain violations of national legislation based on the issues set out in Article 2 of the Directive (e.g., product safety and compliance) and any matters that can seriously endanger the goals and broader aims of such legislation.

5. Does the implementing law permit anonymous reporting?

Yes, although organizations are not required to accept anonymous reports. In addition, the external reporting channel operated by the Office of the Chancellor of Justice does not accept anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

The Act requires that any relevant personal information (received through notification channels) must be deleted five years after receipt of the report, unless (i) otherwise required under law or (ii) in circumstances where the information is used to prepare or defend a legal claim. If the reports are appropriately anonymized, they can be retained indefinitely.

The Act permits entities of all sizes within corporate groups to share a common internal reporting channel, provided there is a close operational and administrative link between the entities.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Act does not specifically name any Competent Authority, although the Office of the Chancellor of Justice is responsible for managing the external reporting channel. The Office of the Chancellor of Justice must forward reports that it receives to the relevant authority responsible for the issues described in the whistleblower’s report that fall within the scope of the Act.

8. Does the Competent Authority have specific investigative and enforcement powers?

No.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Act includes provisions for various forms of recourse and penalties, some of which are summarized below:

Compensation: A whistleblower who faces retaliation has a right to compensation from their employer or the organization responsible for such retaliatory actions. This also includes individuals who have been subject to measures intended to prevent them from reporting.
Penal provisions: Penalties such as community fines for breaching confidentiality as specified in the Act, false reporting, violations of privacy and data protection, defamation, and breach of communication secrecy are determined in accordance with the Finnish Criminal Code.

France

Prepared with assistance of Holger Ellenberger from Giraud Naud Amiot Associés in France.

1. Has the implementing law been adopted?

Yes, France has implemented the Directive in its national legislation by adopting two new laws to amend its existing law on transparency and fight against corruption (law n° 2016‑1691 “LOI relative à la transparence, à la lutte contre la corruption et à la modernisation de la vie économique,” referred to as the “Sapin II law”):

Improving the protection of whistleblowers (law n° 2022-401 “LOI visant à améliorer la protection des lanceurs d’alerte”); and
Strengthening the role of the public authority tasked with protecting whistleblowers’ rights (law n° 2022-400 “LOI organique visant à renforcer le rôle du Défenseur des droits en matière de signalement d’alerte”) (together, the “Law”),

as well as an implementing decree concerning the procedures for collecting and processing whistleblower reports and establishing a list of external authorities (decree n° 2022-1284 relatif aux procédures de recueil et de traitement des signalements émis par les lanceurs d’alerte et fixant la liste des autorités externes instituées par la loi n° 2022-401 visant à améliorer la protection des lanceurs d’alerte) (the “Decree”).

The Law entered into force on September 1, 2022, and the Decree on October 5, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more employees must establish internal reporting channels. The Decree clarifies that the threshold of whether an organization has 50 or more employees is to be assessed by calculating the monthly average number of employees across the organization’s previous two financial years. The procedures for calculating these thresholds are set out in Article L. 130 1 of the Social Security Code.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

The Law encourages organizations with fewer than 50 employees to establish internal reporting channels by stating that individuals may report to their direct or indirect supervisor, employer, or other point of contact designated by the organization, even if the organization is not required to establish internal reporting channels.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report concerns relating to crimes and offenses under national law and other specified matters.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Whistleblowers can choose to report directly to an external authority (including a Competent Authority as defined below), without first using internal reporting channels.

The Decree clarifies that organizations (including private organizations) must consult with the relevant “social dialogue bodies” before establishing their internal reporting procedures. In practice, for private organizations, this will involve consulting with employees’ representatives or works councils.

If the whistleblower requests a videoconference or an in-person meeting, the meeting should take place no later than 20 working days following the request.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Défenseur des droits (“Defender of Rights”) is the key Competent Authority, although others have also been appointed for specific sectors (see a full list in the Annex to the Decree) under law n° 2017-55 “Loi portant statut général des autorités administratives indépendantes et des autorités publiques indépendantes”.

If the Defender of Rights receives reports under the remit of another Competent Authority, it is required to direct such reports to the appropriate Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Under the Law, the Defender of Rights is expressly tasked with supporting whistleblowers. The Defender of Rights has the power to issue an official opinion to “certify” whistleblowers (this would involve verifying that the whistleblower’s report is valid and that the individual should be protected as a whistleblower). This certification may be used if a whistleblower suffered retaliation for making a report and then later commences legal proceedings against the individual or organization who retaliated against them.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties for organizations that fail to set up an internal reporting channel.

The Law increases the fine that may be levied against an individual who retaliates against a whistleblower to EUR 60,000 and against an organization to EUR 300,000 in addition to any supplemental measures to publicize the decision condemning any retaliation. In addition, any person who obstructs a whistleblower’s report may be sanctioned with up to one year of imprisonment or a fine of up to EUR 15,000 (EUR 75,000 in the case of an organization).

The Law also permits imposing: (i) a fine of up to EUR 30,000 against an individual or EUR 150,000 against an organization; or (ii) a sanction of two years of imprisonment against any person who discloses the confidential aspects of a whistleblower’s report (including the identity of the whistleblower and any implicated individuals).

Germany

1. Has the implementing law been adopted?

Yes, the Whistleblower Protection Act (Gesetz für einen besseren Schutz hinweisgebender Personen sowie zur Umsetzung der Richtlinie zum Schutz von Personen, die Verstöße gegen das Unionsrecht melden – Hinweisgeberschutzgesetz) was adopted by the German parliament (Bundestag) on May 11, 2023 and by the German Council (Bundesrat) on May 12, 2023. The Whistleblower Protection Act (the “Act”) entered into force on July 2, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more workers, as well as “highly regulated companies,” regardless of their number of workers. These highly regulated companies are listed in the Act and are comprised of:

Securities services companies, as defined in Section 2(10) of the Securities Trading Act;
Data provision services, as defined in Section 2(40) of the Securities Trading Act;
Exchange operating companies, as defined in the Stock Exchange Act;
Institutions, as defined in Section 1(1b) of the Banking Act and institutions as defined in Section 2(1) of the Securities Institutions Act;
Counterparties, as defined in Article 3, No. 2 of Regulation (EU) 2015/2365;
Capital management companies, as defined in Section 17(1) of the German Investment Code (Kapitalanlagegesetzbuch); and
Companies, as defined in Section 1(1) of the Insurance Supervision Act, with the exception of companies operating pursuant to Sections 61 to 66a of the Insurance Supervision Act and having their registered office in another European Economic Area Member State.

Private organizations with 50 to 249 workers had until December 17, 2023, to establish their channels. All other eligible organizations were expected to comply when the Act entered into effect, i.e., July 2, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the answer to Question 2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Act also allows whistleblowers to report all violations that are punishable by law, as well as certain violations that are subject to fines, insofar as the violated regulation serves to protect (i) life, limb, or health of individuals; or (ii) the rights of employees or their representatives.

5. Does the implementing law permit anonymous reporting?

Yes. Although there is no obligation to set up anonymous reporting channels, companies are required to accept any anonymous reports that they receive.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

According to Section 16 of the Act, internal reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports and the persons assisting them in fulfilling these tasks have access to the incoming reports. The identity of the whistleblower may only be known to the persons responsible for processing a report. Information about the identity of a whistleblower or a person who is the subject of a report may only be disclosed in exceptional cases, such as in criminal proceedings at the request of the prosecuting authorities.

Oral reports must be possible by telephone or by means of another type of voice transmission.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

A central external reporting office will be established at the Federal Office of Justice (Bundesamt für Justiz). In addition, the authorities that are competent to oversee the regulated financial sector, the Federal Financial Supervisory Authority (BaFin) and the Federal Cartel Office (Bundeskartellamt), are designated as further external reporting offices with special responsibilities for the financial sector.

The Act does not specify which authorities are responsible for enforcement; therefore, general principles under German law will apply, which means that authorities will vary from state to state. For example, in Bavaria, the Competent Authorities listed will enforce violations of the Act.

8. Does the Competent Authority have specific investigative and enforcement powers?

The external reporting offices are required to establish and operate reporting channels, check the validity of reports, and carry out procedures described in Section 28 of the Act. They can also impose follow-up measures such as requesting information from involved persons, the employer, third parties, or other authorities, and they may also refer a case to another authority.

Penalties for non-compliance with the Act are enforced by the applicable administrative authority that has jurisdiction in accordance with the German Act on Misdemeanours (OWiG).

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Preventing a report and the subsequent communication, retaliating against a whistleblower, or intentionally or recklessly disregarding the confidentiality requirements in the Act is punishable by a fine of up to EUR 50,000.
A negligent breach of the confidentiality requirements in the Act is punishable by a fine of up to EUR 10,000.
Companies that do not comply with their obligations to set up and operate an internal reporting channel may be fined up to EUR 20,000.

The references in the Act to Sections 30 and 130 of the German Act on Misdemeanours mean that the maximum limit for fines can be increased tenfold in the case of serious violations.

Greece

Prepared with the assistance of Stavros Karageorgiou and Natassa Kollia from Karageorgiou & Associates in Greece.

1. Has the implementing law been adopted?

Yes, Law 4990/2022 on the protection of persons reporting violations of Union law (Προστασία προσώπων που αναφέρουν παραβιάσεις ενωσιακού δικαίου) (the “Law”) entered into force on November 11, 2022, as amended by Article 20 of Law 5095/2024.

2. Under the implementing law, which organizations must establish internal reporting channels?

All organizations in the public and private sector which have at least 50 employees are obliged to establish internal reporting channels. However, certain private organizations operating in the following sectors are also obliged to establish internal reporting channels regardless of their number of employees:

Financial services, products, and markets;
Transport and environment;
Entities that have a specific purpose relating to environmental conditions as sanctioned under an official decision; and
Entities that engage in activities, which by their nature may cause harm to the environment or public health.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Act also includes concerning bribery and influence trading offenses.

5. Does the implementing law permit anonymous reporting?

Yes, it is implied as the Law offers protection for individuals who report anonymously and are identified at a later stage (provided that they have met the necessary criteria).

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

There are no major deviations from the Directive regarding whistleblowers’ rights and protections. However, the Law provides for two additional measures regarding the protection against retaliation, such as if an employer terminates an employee’s employment contract as a form of retaliation, the termination will be invalid.

The Law requires that in-scope organizations appoint an Officer for Receipt and Follow up on Reports (the “Responsible Officer”), who will be responsible for the internal reporting channel. Organizations must notify the Labour Inspectorate or the National Transparency Authority within two months of appointing the Responsible Officer. Once appointed, a Responsible Officer shall be maintained for two years after the year in which the organization crosses the 50+ employee threshold (even if the organization subsequently reduces its number of employees to below 50 after appointing a Responsible Officer). The term of any Responsible Officer should last at least one year unless there are proper grounds to terminate their position earlier.

7. Which National Authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The National Transparency Authority has been designated as the external reporting channel for Greece and it also has investigative powers for reports under its competency. However, the Law provides that a Ministerial Decision will designate additional authorities with investigative and enforcement powers. This Ministerial Decision has not been finalized yet.

8. Does the Competent Authority have specific investigative and enforcement powers?

The National Transparency Authority has investigative powers for reports under its competency; however, as noted above, further authorities will be designated with additional investigative and enforcement powers.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law sets out criminal sanctions (including imprisonment) and monetary fines against infringing individuals and organizations for the following acts:

Obstructing or attempting to obstruct the submission of a report within the scope of protection;
Retaliating against protected individuals;
Breaching the duty to maintain confidentiality; and
Knowingly making false reports or false public disclosures.

Failure to implement the necessary internal reporting channels can result in a fine being imposed on an organization by the Labour Inspectorate or an applicable authority when such authorities have been determined.

For any breaches of the Law committed for the benefit of or on behalf of an organization, the minimum administrative fine may not be less than EUR 10,000 and the maximum administrative fine that may be imposed is EUR 500,000. The final amount will take into account the seriousness of the infringement and the level of culpability involved.

Hungary

Prepared with the assistance of Ádám Liber and Tamás Bereczki from Provaris Varga & Partners in Budapest, Hungary.

1. Has the implementing law been adopted?

Yes, Act XXV of 2023 on complaints, public interest disclosures, and the rules on reporting abuse regulating the protection of persons who report breaches of the law and on combating corruption (the “Law” (available in Hungarian)) was published in the Official Gazette on May 25, 2023. The Law entered into force on July 24, 2023, 60 days after its publication in the Official Gazette.

2. Under the implementing law, which organizations must establish internal reporting channels?

The following organizations must establish internal reporting:

All organizations employing at least 250 persons;
Organizations covered by certain legislation, including, but not limited to:
Articles 1(1) and (1a) of Act LIII of 2017 on the Prevention Combating of Money Laundering and Terrorist Financing (which applies to financial service providers, banks, and law firms, among others);
Regulation (EU) No. 376/2014 of the European Parliament and of the Council of April 3, 2014 on occurrence reporting, analysis, and monitoring in civil aviation, amending Regulation (EU) No. 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No. 1321/2007 and (EC) No. 1330/2007;
All organizations registered in Hungary and carrying out offshore oil and gas activities as a licensee or operator outside the borders of the European Union; and
All organizations that are operators of a Hungarian and non-Hungarian flagged floating installation operating in the territory of Hungary.

The following organizations were required to establish internal reporting channels by December 17, 2023:

Organizations employing at least 50, but not more than 249 persons.

The following organizations must establish internal reporting channels by January 1, 2025:

All state and local municipal entities and the budgetary bodies directed or controlled by them; and
All organizations and companies owned by the state or local municipalities or under the ownership of state or local municipal entities and budgetary authorities.

However, local municipal entities and budgetary authorities employing fewer than 50 persons or local municipalities with fewer than 10,000 inhabitants are exempt.

Local municipalities and the budgetary bodies under their control may also set up joint internal reporting channels.

For the purposes of the Law, a person is employed if they are performing an activity for and under the direction of an organization for consideration or for their own account.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the answer to Question 2.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also be made about any illegal acts, omissions, or other misconduct. Reports can also be made to private organizations concerning violations of rules which the organization has put in place to protect public interests or overriding private interests for its employees in accordance with local law. For example, this may include violations of any workplace rules and misconduct.

5. Does the implementing law permit anonymous reporting?

Reports may be made anonymously; however, an investigation is not legally required if a report is submitted anonymously.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
The operator of the internal reporting channel must investigate the allegations as quickly as possible, but in any event no later than 30 days from the receipt of the report. In certain exceptionally justified cases, the time limit for examination of the allegation may be extended to three months.
Reports do not have to be investigated in certain situations, such as when they are made by a repeat reporter with the same content or the report is submitted by a non-protected person (e.g., someone who is not an employee, supplier, shareholder, or job applicant) who is not authorized to make such a report.
If the report is not rejected, the operator of the whistleblowing system is legally obligated to investigate the report. If a person who is the subject of a report submits a data subject access request, the person who submitted the report must not be disclosed to the requester.
Certain public authorities are identified in the Law as being required to set up separate reporting systems, to which anyone may report. The authorities will be required to, among other requirements, share statistical data on reports with the Commissioner for Fundamental Rights.
External outsourcing to a third party is generally permitted under certain conditions and subject to some limitations.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Labour and Occupational Health and Safety Department of County and Government Offices is the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Competent Authority has specific powers that are included in the provisions of Act CXXXV of 2020 on services and subsidies to promote employment and on the supervision of employment.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Competent Authority may issue public reprimands to organizations that do not comply with the Law, but it does not currently have the power to issue monetary fines or prohibitions from engaging in activities.

Ireland

Prepared with the assistance of Colin Rooney and Sonam Gaitonde from Arthur Cox in Ireland.

1. Has the implementing law been adopted?

Yes, Ireland has implemented the Directive in its national legislation by adopting the Protected Disclosures (Amendment) Act 2022 on July 21, 2022, to amend its existing whistleblowing law, the Protected Disclosures Act 2014 (together, the “Act”); the Act went into effect on January 1, 2023 (by virtue of a commencement order, dated October 12, 2022).

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations with 50 or more employees and public bodies must establish internal reporting channels. Private organizations with 250 or more employees are expected to comply with the Act as of the date that it went into effect (i.e., January 1, 2023). Private organizations with between 50 and 249 employees had until December 17, 2023, to establish their internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, the Minister for Public Expenditure and Reform has the power to order organizations with fewer than 50 employees to establish internal reporting channels, taking into consideration the activities of the employers concerned and the potential levels of risk for areas of public interest, such as the environment and public health.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also include concerns about a person failing to comply with a legal obligation under an employment contract and certain other specified matters under the Law.

5. Does the implementing law permit anonymous reporting?

Yes. Under the Act, organizations are given the discretion (but not the obligation) to decide if it is appropriate to accept and follow up on anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Upon receiving a report, organizations must carry out an initial assessment, including seeking further information from the reporting person if required, to assess whether there is enough evidence that a relevant wrongdoing may have occurred. If there is no prima facie evidence that a relevant wrongdoing may have occurred, the report should be closed and the whistleblower notified in writing.

The Act allows the whistleblower to request further feedback at intervals of three months until the report is closed. This is in addition to the requirement under the Directive for organizations to provide feedback to the whistleblower within three months from when the report was received.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Office of the Protected Disclosures Commissioner (OPDC) is the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, only in relation to where the Competent Authority receives a report via its own reporting channel. In that case, the Competent Authority may request and examine any record, book, or document, and order on-site inspections. The Competent Authority can also request a warrant if an authorized officer is prevented from entering any premises as part of the investigation into a report.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Act provides the following penalties against individuals and organizations:

A fine up to EUR 250,000 and/or imprisonment for a term not exceeding two years: for any individual or organization who (a) hinders or attempts to hinder a whistleblower; (b) penalizes or threatens penalization against a whistleblower, facilitator, third party connected with the whistleblower, or legal entity for whom the whistleblower works; (c) brings vexatious proceedings (i.e., proceedings that are without merit or have little chance of success); or (d) fails to maintain and operate internal reporting channels and procedures.
A fine up to EUR 75,000 and/or imprisonment for a term not exceeding two years: for any individual or organization who violates the duty of confidentiality regarding the identity of reporting persons.
A fine up to EUR 50,000 and/or imprisonment for a term not exceeding two years: for any individual or organization who (a) withholds, destroys, conceals, or refuses to provide any information or record, book, document, or other thing required by the Competent Authority; (b) fails or refuses to comply with any requirement imposed by the Competent Authority; or (c) otherwise obstructs or hinders the Competent Authority in the performance of its functions.

Italy

Prepared with the assistance of Domenico Colella and Cesare De Falco from Orsingher Ortu – Avvocati Associati, in Italy.

1. Has the implementing law been adopted?

Yes, the Italian Legislative Decree 24/2023 (the “Decree”) was published in the Official Gazette on March 15, 2023. The Decree entered into effect on July 15, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

The following organizations must have established internal reporting channels by July 15, 2023:

Private organizations with an average of 250 or more employees with permanent or fixed-term contracts, based on the employee headcount from the previous year.
Private organizations of any size that have voluntarily adopted a compliance program under Legislative Decree 231/2001 (which requires volunteering companies to approve a code of conduct and organizational model to prevent corporate crime).
Private organizations of any size operating in specific sectors that are required to comply with the EU laws listed in Parts I.B. and II of the Annex to the Decree (for example, some of these laws may be applicable to companies in the financial services, pharmaceutical, and shipping industries).
All public organizations.

Private organizations that do not fall within any of the criteria above with an average of 50 to 249 employees on permanent or fixed-term contracts (based on the employee headcount from the previous year, except for newly incorporated companies for which the current year is taken into account) had until December 17, 2023, to establish internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the answer to Question 2.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also cover administrative, accounting, civil, and criminal offenses, as well as certain other types of unlawful conduct set out under the Decree.

5. Does the implementing law permit anonymous reporting?

The Decree does not expressly permit anonymous reporting; however, it refers indirectly to persons making anonymous reports being entitled to protection (if and when identified)—irrespective of the fact that they have come forward anonymously—which would indicate that anonymous reporting is permitted.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations can (but are not required to) retain personal information processed in relation to the operation of their internal reporting channels for five years.

Organizations must inform workers’ representatives or works councils before establishing their internal reporting channels.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The National Anti-Corruption Authority (ANAC) is the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Competent Authority can receive communications relating to retaliation suffered by whistleblowers and/or other persons protected under the Decree and exercise its investigative powers in this regard.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Non-compliance with the Decree is subject to a fine of between EUR 10,000 and EUR 50,000 (depending on the gravity of the infringement) if the organization is found to have:

Retaliated against a whistleblower (e.g., brought disciplinary measures against the whistleblower, including dismissal, or wrongfully failed to promote them);
Obstructed, or attempted to obstruct, a whistleblower from reporting, or breached the obligation of confidentiality; or
Failed to (i) set up reporting channels, (ii) adopt procedures for making and managing reports, or (iii) investigate reports properly.

Latvia

Prepared with assistance from Andis Burkevics of Sorainen, Latvia

1. Has the implementing law been adopted?

On January 20, 2022, Latvia adopted its implementing law (Trauksmes celšanas likums) (the “Law”), which entered into force on February 4, 2022 after the Law was published in the Official Gazette on February 3, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Private legal entities with 50 or more employees;
Private legal entities operating in the financial and capital markets sectors and in the field of prevention of money laundering and financing of terrorism and proliferation, irrespective of the number of employees (even with fewer than 50 employees);
Public entities of any size; and
Legal entities of any size that are governed by EU law. The relevant EU legal acts governing the entities are specified by Latvia’s Cabinet of Ministers Regulations.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the response to Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, a whistleblower may also report issues in respect of violations that are prejudicial to the public interest.

5. Does the implementing law permit anonymous reporting?

No, the Law requires that whistleblower reports contain sufficient information about the whistleblower in order to verify their identity, including the whistleblower’s full name and personal identification number, as well as their contact information (e.g., address or telephone number).

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must:

First assess whether or not the report should be deemed a whistleblower’s report (and therefore benefit from corresponding protections under the Law) and inform the whistleblower within three days of the decision. There is no further regulatory guidance on how organizations should make this assessment or what they should factor in.
Pseudonymize the whistleblower’s personal data from the start of the investigation so that the whistleblower’s identity is only known to certain authorized individuals within the organization. No additional regulatory guidance is provided as to how organizations should carry out the pseudonymization.
Inform the whistleblower of the status of the investigation within two months from receipt of the report (regardless of whether or not the investigation has closed).

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

Latvia has designated:

Various Competent Authorities, depending on the subject matter of the report. View full list of all Competent Authorities.
The State Chancellery as a centralized contact point for whistleblowers. Within seven days from the receipt of a report, the Chancellery must identify the relevant Competent Authority and forward the report.

8. Does the Competent Authority have specific investigative and enforcement powers?

No.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties against organizations that fail to set up an internal reporting channel. Organizations face administrative fines for:

Acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., instigating retaliation), up to EUR 14,000; and
Obstructing whistleblowing reports, including preventing the submission or consideration of whistleblowing reports, up to EUR 7,000.

Individuals may also be fined for (i) knowingly providing false information using a whistleblowing channel or via the media, (ii) acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., causing emotional distress), or (iii) obstructing whistleblowing reports in any way.

Lithuania

Prepared with the assistance of Julius Zaleskis, CEO of Dataistic.io, a GDPR & data privacy compliance company in Lithuania.

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Whistleblowers No. XIII-804 (Pranešėjų apsaugos įstatymo Nr. XIII-804 pakeitimo įstatymo projektas) amends Lithuania’s existing whistleblowing law (Law 2018-18760), and entered into effect on February 15, 2022. All eligible organizations must have complied by that date. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive. The Directive is further implemented by the new version of the Description of the Procedures for Setting up and Ensuring the Functioning of Internal Whistleblowing Channels adopted by 14 February 2022 Resolution No. 129 of the Government of the Republic of Lithuania, which together with the implementing law is defined as the “Law”.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations with 50 or more workers.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive and includes concerns specified under the Law; for example, related to dangers to public security, dangers to an individual’s life or health, obstructing or improperly influencing investigations by law enforcement authorities or the administration of justice by the courts, as well as other violations of law.

5. Does the implementing law permit anonymous reporting?

Whistleblowers are required to state their (i) full name and (ii) personal identification number or date of birth. The requirement to provide a personal identification number is specific to Lithuania, and used for legal processes (including the submission of whistleblowing reports). However, the Law is not clear (and there is no additional regulatory guidance yet) on the consequences of handling anonymous reports.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must:

Acknowledge receipt of the report within two working days. This is faster than the Directive, which requires receipt within seven days.
Inform the whistleblower of the progress of the investigation (the investigative steps envisaged or carried out by the organization and the organization’s justification for doing this) within 10 working days from the acknowledgment of receipt of the report, including if an investigation is still ongoing.
Inform the whistleblower, upon completion of the investigation, of the results/outcome, the action taken or planned, and the liability imposed on the perpetrators of the infringement.
Keep a record of the investigation for at least five years from the last decision made by the organization in relation to the investigation.

Whistleblowers may bypass an organization’s internal reporting channel under certain circumstances, including, but not limited to, when the infringement is of substantial importance to the public interest or when the whistleblower cannot use the internal channel because they do not have an employment, service, or other legal relationship with the organization.

Organizations may provide remuneration to whistleblowers who have provided valuable information. The remuneration is not limited to a specific amount.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Public Prosecutor’s Office is the Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Competent Authority can investigate reports using its full prosecutorial powers, including the ability to initiate and carry out prosecution of the offending party or parties.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide for any sanctions against organizations. Only individuals who violate the Law may be found liable, in accordance with Code of Administrative Offences of the Republic of Lithuania. Where an organization does not comply with the Law, sanctions are likely to be applied to the CEO (or an equivalent person who has been formally designated to be in charge of the organization).

Luxembourg

1. Has the implementing law been adopted?

Yes, the Law of May 16, 2023, transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019 on the protection of persons who report violations of Union law (Loi du 16 mai 2023 portant transposition de la directive (UE) 2019/1937 du Parlement européen et du Conseil du 23 octobre 2019 sur la protection des personnes qui signalent des violations du droit de l’Union) (the “Law”) was published in the Official Gazette on May 17, 2023, and entered into force on May 21, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Private organizations with more than 50 workers for a period of 12 consecutive months and all public entities, except for municipalities with less than 10,000 inhabitants, must establish channels. Private organizations with 50 to 249 workers have until December 17, 2023, to establish their channels. All other eligible organizations were expected to be in compliance starting on the date when the Law entered into effect on May 21, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law includes any unlawful act or omission which is contrary to national or EU law.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Private organizations with between 50 and 249 workers may share resources with respect to receiving and following up on reports. This does not preclude the obligations of such entities under the Law to maintain confidentiality, provide feedback, and remedy the reported violation.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Office des Signalements (the “Reporting Office”) is the key Competent Authority, although others have also been appointed for specific sectors, such as the supervisory authorities for the banking sector (Commission de Surveillance du secteur financier) and for the insurance sector (Commissariat aux assurances), the labour and mines inspection authority (Inspection du travail et des mines), and tax administrations, as well as professional associations (the full list of Competent Authorities is listed in Article 18 of the Law).

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Reporting Office has the power to issue investigate violations and issue administrative fines.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Anyone who retaliates or brings vexatious proceedings against a whistleblower may incur a fine between EUR 1,250 to EUR 25,000.

Organizations may face a fine between EUR 1,500 and EUR 250,000, which may be doubled in cases of repeat offenders, for the following activities:

Obstructing a whistleblower’s report;
Refusing to comply with requests from the Competent Authority;
Undermining the confidentiality of whistleblowers;
Refusing to remedy the identified violation of law; and
Failing to establish internal reporting channels.

A whistleblower who reports false information will be liable to a prison sentence between eight days to three months and/or a fine between EUR 1,500 to EUR 50,000.

Malta

Prepared with assistance from Martina Bonnici and Christine Calleja of Mamo TCV Advocates, Malta.

Has the implementing law been adopted?
Yes, Malta adopted its implementing law by amending the Protection of the Whistleblower Act (the “Act”). The amendments were adopted on December 18, 2021 and entered into force on December 24, 2021.
Under the implementing law, which organizations must establish internal reporting channels?
The following organizations are required to establish internal reporting channels:
- Any private-sector organization with 50 or more workers;
- Any nonprofit organization, as defined in the Act, that annually raises more than €500,000 from public collections and other donations;
- Each ministry of the government of Malta; and
- Organizations falling within the scope of Part I(B) and II of the Annex to the Directive.
Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
Yes, the Act also applies to certain voluntary organizations (see above).
Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover damage to the environment and corrupt practices, as well as certain other specified matters in the Act, including a report that a person has failed, is failing, or is likely to fail to comply with any legal obligation to which they are subject.
Does the implementing law permit anonymous reporting?
Yes, but anonymous reports are not treated as “protected disclosures” under the Act. This means that the requirements for organizations to acknowledge receipt of the report and provide feedback do not apply to anonymous reports.
However, if after anonymously reporting to the public, the identity of the whistleblower is disclosed and they subsequently suffer retaliation, their disclosure shall be deemed to be a protected one, provided that:
- The whistleblower had reasonable grounds to believe the information on breaches disclosed was true at the time of the disclosure and that such information fell within the scope of the Act; and
- The whistleblower had the right to report to the public under the Act.
Does the implementing law impose any other significant deviations from the Directive, relating to:
- How organizations should set up internal reporting channels?
- Timelines for report management vis-à-vis the whistleblower?
- The content of the required communications (such as privacy notices, report receipts and investigation updates)?
- Whistleblower rights and protections?
- Any other key issues?
The Act provides additional possibilities for whistleblowers to report externally without first using internal reporting channels, in addition to those set out in the Directive. For example, a whistleblower may report directly to a Competent Authority (as defined in Q7 below) where the head of the organization is (or may be) involved in the issue, or where reporting directly to a Competent Authority is justified by the urgency of the matter.
Whistleblowers are also protected against unjustified detriment for issuing a whistleblowing report, including disciplinary actions or changes to the terms and conditions of their employment.
Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
Malta has nominated various Competent Authorities, depending on the subject matter/context of the report (for a full list, see the table in the First Schedule of the Act, as may be amended from time to time).
Does the Competent Authority have specific investigative and enforcement powers?
Competent Authorities are generally vested with investigative and enforcement powers with respect to violations of laws reported.
What are the sanctions for non-compliance with the Directive and the implementing law?
The Act does not provide penalties against organizations, e.g., in case an organization does not set up an internal reporting channel or otherwise does not comply with the Act. It is possible that penalties for organizations will be added to the Act in the future by means of an additional amendment. It is currently unclear whether the Maltese government intends to make such an amendment.
The Act, however, does provide criminal sanctions against individuals who take certain actions (such as using or threatening to use violence) with the purpose of preventing a whistleblower from making a report under the Act.
Furthermore, if a whistleblower believes that they have been retaliated against for making a report under the Act, they are also entitled to file an application to the civil court to request an injunction or an order (including an order to pay damages) against the person who has retaliated against the whistleblower. The Act specifies that whistleblowers who have suffered retaliation for making a report are entitled to compensation for damage caused.

Poland

Prepared with the assistance of Marcin Serafin, partner, and Wojciech Piszewski, counsel, of Rymarz Zdort Maruta.

1. Has the implementing law been adopted?
Yes, Poland has implemented the Directive into its national legislation by adopting the Act of June 14, 2024, on the protection of whistleblowers (USTAWA z dnia 14 czerwca 2024 r. o ochronie sygnalistów) (the “Law”); the Law will come into effect on September 25, 2024 (however, some provisions—for example, provisions regarding the establishment of external reporting channels—will come into effect on December 25, 2024).

2. Under the implementing law, which organizations must establish internal reporting channels?

Legal entities and local government units that, as of January 1 or July 1 of a given year, employed at least 50 paid workers must establish internal reporting channels.

Local government units with a population of less than 10,000 individuals are not required to establish internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.

4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, the Law allows reports to cover violations of constitutional rights and freedoms.

5. Does the implementing law permit anonymous reporting?
Yes, but establishing anonymous reporting is not obligatory.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Any personal information within the whistleblower’s report that is not relevant to the processing of the report must be deleted within 14 days.

Organizations must retain personal information processed in relation to whistleblowing reports for three years after the end of the calendar year in which any follow-up action was completed or after the completion of any proceedings initiated by these actions (whichever is later).

Organizations must consult workers’ representatives or the applicable trade union before establishing their internal reporting channels.

Organizations must establish and maintain a non-public register of submitted reports containing specific information prescribed by the Law. The information should be retained for three years after the end of the calendar year in which the follow-up actions were completed or after the completion of the proceedings initiated by the actions.

The Law allows organizations to share an internal reporting channel within their corporate group, even if they have more than 250 workers.

Whistleblowers are allowed to report to Competent Authorities and other public authorities without initially going through internal reporting channels under any circumstances.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
Poland has designated the Ombudsman as Competent Authority, although the Law also appoints other public authorities to follow up on reports, depending on the subject of the specific concern or complaint.

8. Does the Competent Authority have specific investigative and enforcement powers?
Yes. The powers of the authority depend on the subject of the whistleblowing report and which public authority is competent. For example, the Office on Competition and Consumer Protection has specific investigative and enforcement powers under consumer protection laws.

9. What are the sanctions for non-compliance with the Directive and the implementing law?
Preventing a whistleblower from making a report or breaching the duty of confidentiality regarding the whistleblower’s identity is punishable by a fine or up to one year of imprisonment.

Retaliating against a whistleblower is punishable by a fine or up to two years of imprisonment.

Failing to set up an internal reporting channel is subject to a fine.

Fines will be calculated according to the rules of the Polish Misdemeanor Code (Kodeks wykroczeń).

Portugal

1. Has the implementing law been adopted?
Yes, Portugal has implemented the Directive into its national legislation by adopting Law n. 93/2021 of 20 December, on the general regime for the protection of persons who report violations (Lei n. 93/2021 de 20 de dezembro sobre Regime geral de proteção de denunciantes de infrações) (the “Law”); the Law went into effect on June 18, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations located in Portugal employing 50 or more workers.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
No.

4. Is the scope of reportable concerns the same as in the Directive?
No, the scope is broader than the Directive. For example, reports can also cover violent crimes such as trafficking of narcotics and weapons.

5. Does the implementing law permit anonymous reporting?
Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations must keep a record of the reports received for at least five years or while legal proceedings relating to the concern are pending (whichever is longer).

Whistleblowers may bypass an organization’s internal reporting channel when they want to report crimes or administrative offences that are punishable by a fine greater than EUR 50,000 (a threshold that we understand is a regular feature in other Portuguese laws). While whistleblowers are not expected to know which offenses or violations could qualify under this exception, they will nevertheless enjoy this protection, should they wish to circumvent the internal process and instead report directly to the external channels.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?
Portugal has nominated various Competent Authorities, depending on the subject-matter/context of the report. For a full list, see Article 12 of the Law, in Portuguese only.

Where no Competent Authority has been assigned to deal with the report or where a report implicates a Competent Authority, such report must be addressed to the National Anti-Corruption Mechanism (Mecanismo Nacional Anticorrupção), an independent administrative entity.

8. Does the Competent Authority have specific investigative and enforcement powers?
Yes. The National Anti-Corruption Mechanism is responsible for prosecuting violations of the Law and imposing the relevant administrative fines, except where sector-specific legislation designates another enforcement authority (e.g., the Securities Market Commission under national financial services regulations).

9. What are the sanctions for non-compliance with the Directive and the implementing law?
Varying administrative fines, depending on the seriousness of the violation.

Very serious offenses: obstructing the reporting or follow-up on a report, engaging in retaliatory acts, failing to comply with the duty of confidentiality, and communicating or publicly disclosing false information.

Fines range from EUR 10,000 to 250,000 for organizations.

Serious offenses: among others, failing to have an internal reporting channel, not managing reports in an independent and impartial manner, and refusing a face-to-face meeting with the whistleblower.

Fines range from EUR 1,000 to 125,000 for organizations.

Individuals may also be fined for serious and very serious offenses (such as communicating or publicly disclosing false information), in keeping with a separate penalty structure.

Romania

Prepared with the assistance of Alexandru Ambrozie and Ana Stoenescu from Popovici Nitu Stoica & Asociatii in Bucharest, Romania.

1. Has the implementing law been adopted?

Yes, Romania has implemented the Directive by adopting the Law regarding the protection of whistleblowers in the public interest (Lege privind protecția avertizorilor în interes public) (the “Law”).

The Law entered into force on December 16, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more employees must establish internal reporting channels. Organizations of any size operating in specific sectors that are required to comply with national laws (e.g., anti-money laundering law) must also establish internal reporting channels.

Private organizations with 50 to 249 employees had until December 17, 2023, to establish their channels. All other eligible organizations were expected to comply starting on the date when the Law went into effect.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, reports can also cover actions or omissions that constitute violations of national legal provisions.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Reporting individuals have the discretion to decide whether to report internally or externally to the Competent Authority (as defined in Question 7 below). This is a departure from the Directive which requires reporting individuals to exhaust internal options first before reporting externally.

Reports, unless made anonymously, must contain the following information: (i) the name and contact details of the reporting individual, (ii) the work-related context in which the information was obtained, (iii) the implicated individuals (if known), (iv) a description of the facts, (v) any evidence in support of the report, and (vi) a date and signature. Any anonymous reports that do not contain the name, contact details, or signature of the whistleblower should still be examined if they contain substantial indications of violations of law.

If the report contains the individual’s name and contact details, but does not sufficiently cover elements (iii)–(v), organizations have the ability to request further information within 15 days. If additional clarification is not provided within 15 days, the report may be closed without further investigation. Similarly, if the report is submitted anonymously and does not contain sufficient information regarding elements (iii)–(iv), the report may be closed without further investigation. In both cases, the whistleblower must be informed of the reason for closing the report (unless the whistleblower is anonymous and there is no way to update them).

Records of reports must be kept for five years and then destroyed at the end of the five-year period.

In addition to providing an update to reporting individuals three months after the date that the report was acknowledged or should have been acknowledged, organizations must also provide subsequent updates on the investigation of a whistleblowing report.

If an organization ultimately decides to hold a disciplinary meeting to impose a sanction against the whistleblower (as a result of the whistleblower’s report), the whistleblower may request that the organization invite the press, a representative of a trade union or professional association, or an employee representative to the meeting. Upon a whistleblower’s request, the organization must announce the meeting on its website at least three working days before the meeting takes place. If disciplinary action is taken by an organization without complying with these requirements, the action against the whistleblower will be void.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The National Integrity Agency is the Competent Authority and it may allocate reports to other public authorities for investigation.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law contains civil and criminal penalties:

An organization may be fined 2,000–20,000 lei (approx. EUR 400–4,000) if it prevents an individual from issuing a report.
An organization that fails to respond to requests from the Competent Authority or fails to set up internal reporting channels may be fined 3,000–30,000 lei (approx. EUR 600–6,000).
An organization that fails to manage reports in a way that protects the confidentiality of the whistleblower or any third party mentioned in the report may be fined 4,000–40,000 lei (approx. EUR 800–8,000).
Any individual who fails to maintain the confidentiality of the reporting individual or any third party mentioned in the report may be fined 4,000–40,000 lei (approx. EUR 800–8,000).

Courts can also award damages if a whistleblower has suffered retaliation. Further, where a court ascertains that retaliation was applied at least two times in relation to the same whistleblowing report, the court could issue supplementary orders to stop or remediate the retaliatory conduct and/or issue a fine of up to 40,000 lei (approx. EUR 8,000).

If an individual claims that they have been retaliated against, the burden of proof will rest with the organization that allegedly committed the retaliatory conduct. In such a case, a court can also order that the organization must at its own expense publish in a local or national newspaper an extract of the judgment which found that the organization retaliated against the whistleblower.

Slovakia

Prepared with the assistance of Peter Oravec and Elena Červenová from PRK Partners in Bratislava, Slovakia.

1. Has the implementing law been adopted?

Yes, on May 10, 2023, the National Council of the Slovak Republic approved Act No. 189/2023 Coll., which has amended the existing Act No. 54/2019 Coll., on the Protection of Whistleblowers (the amendment and the existing act, together being the WPA). It was published in the Official Law Journal on June 1, 2023, and entered into force on July 1, 2023, with certain provisions entering into effect on September 1, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations that employ at least 50 employees;
Organizations that provide financial, transport safety, or environmental services (regardless of the number of employees); and
Public authorities with at least five employees.

While the obligation to establish internal reporting channels had already applied to employers with at least 50 employees and public authorities under the WPA, the obligation to set up internal reporting channels for employers that provide financial, transport safety, or environmental services became effective on September 1, 2023.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the answer to Question 2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, whistleblowers can report any anti-social activities.

The WPA distinguishes between “anti-social activities” and “serious anti-social activities.” The definition of “anti-social activities” is broad (the WPA refers to a definition contained in a different piece of legislation) and includes any misdemeanor or other administrative offense, and any conduct that has a negative impact on society. While “such conduct with a negative impact on society” is not defined, it will likely include unethical practices in the workplace.

When whistleblowers are reporting “serious anti-social activities,” the WPA provides additional protections. Serious anti-social activities are defined to include various administrative and criminal offenses.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must appoint a person or department to be responsible for internal reporting channels.

If an organization suspects that a crime has been committed, it must refer the case to the law enforcement authorities. Failure to do so is a criminal offense under Slovak law. The organization is also required to inform the whistleblower in advance of such referral unless this could impact the investigation. To the extent permitted by law, the organization is required to request the results of the investigation from the law enforcement authority and to inform the whistleblower of the results within 10 days of receipt.

Organizations are required to take actions (e.g., disciplinary action) against employees who hinder a whistleblower from making a report or keeping records of whistleblower reports.

When investigating a report, the Competent Authority (as defined in Question 7 below) can require the relevant organization to share its own investigation findings.

Whistleblowers who are employees receive additional protections from retaliation if they file a report about serious anti-social activities and are granted the status of “protected whistleblower” by the respective authority (i.e., a prosecutor or an administrative authority). Specifically, organizations are required to seek approval from the Competent Authority prior to taking any employment measure that could be perceived as retaliation (such as dismissal or a demotion) against an employee whistleblower with the status of “protected whistleblower” who issued a report about serious anti-social activities. The request for approval must include information prescribed by the WPA.

Whistleblowers also have the right to ask the Competent Authority to suspend any measure that could amount to retaliation within 15 days from the day that they learned of the measure.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Competent Authority is the Whistleblower Protection Office.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes. The Competent Authority may request documents and records as well as warn and advise organizations about how to proceed. The Competent Authority can also issue fines, as set out below in the answer to Question 9.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Fines of up to EUR 30,000 can be imposed on organizations that:
Fail to take measures to remedy violations of law identified in the course of the inspection performed by the Competent Authority, or
Fail to submit to the Competent Authority a written report on the measures taken to remedy the identified violations of law.
Fines of up to EUR 50,000 may be imposed on organizations that employ fewer than 250 employees and that violate the requirements to establish internal reporting channels.
Fines of up to EUR 100,000 may be imposed on organizations that:
Employ 250 or more employees and violate the requirements to establish internal reporting channels;
Take any employment measure against an employee whistleblower with the status of “protected whistleblower” without the approval of the Competent Authority (where approval is required); or
Threaten to retaliate against, or attempt to retaliate against, a whistleblower.
Fines of up to EUR 6,000 can be imposed for an offense committed by any person who:
Threatens to, attempts to, or sanctions a whistleblower for making a report;
Breaches the duty of confidentiality regarding the identity of the whistleblower or the identity of the implicated individuals; or
Attempts to prevent or obstruct whistleblowers from making reports.

Slovenia

Prepared with assistance from Alenka Antloga, State Supervisor for Personal Data Protection at the Information Commissioner of the Republic of Slovenia.

1. Has the implementing law been adopted?

Yes, the law on the protection of persons who report violations of EU law listed in the Directive (Zakon o zaščiti prijaviteljev – available in Slovenian) (the “Law”) was published in the Official Gazette on February 7, 2023, and entered into force on February 22, 2023.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations in the private or public sector with at least 50 workers must establish internal reporting channels.

Organizations in the private or public sector between 10 and 50 workers must also establish internal reporting channels if they perform their main registered activity in the field of healthcare or in the areas of water collection, purification and distribution, handling of sewage, assembly, and removal of waste and handling it and obtaining secondary raw materials and in the fields of environmental remediation and other waste management.

Irrespective of the number of workers, internal reporting channels must also be established by certain ministries and administrative department units, governmental services, public agencies, and self-governing local communities (municipalities).

Organizations with more than 250 workers must establish internal reporting channels within 90 days after the Law enters into force. Organizations in the private sector with up to 249 workers have until December 17, 2023, to establish internal reporting channels.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the Law allows individuals to report on all violations of the national legislation in Slovenia, in addition to the scope of reportable concerns included within the Directive.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?
Organizations required to establish internal reporting channels must appoint one or more “trustworthy persons or an organizational unit” among workers to receive and process reports.
In judicial proceedings that concern the termination of a whistleblower’s employment, the whistleblower will be able to receive injunctions faster, such proceedings will also be considered urgent, and the whistleblower will be exempt from paying court fees. The Law also establishes the presumption that the damage that the whistleblower suffers in such proceedings is a consequence of any retaliation measures from their employer.
A whistleblower is not entitled to protection under the Law if the report is submitted two or more years after the violation ceased.
Organizations will be required to report statistics on the reports that they receive each year to the Commission for the Prevention of Corruption (the “Commission”) (Komisija za preprečevanje korupcije: https://www.kpk-rs.si/en/), who will publish statistics about the number of reports received from all organizations responsible for internal and external reporting channels. The annual report from the Commission will be published by April 1 of each year.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

Several Competent Authorities have been established, as set out in Chapter 5 and Article 14 of the Law. The Commission has specific powers to advise whistleblowers under the Law.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, and they have the power to issue fines.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Legal entities may be fined by Competent Authorities:

Between EUR 2,000 and EUR 6,000 for failing to:

Provide information to whistleblowers about internal reporting channels;
Appoint an organizational unit to receive a report;
Attempting to identify the whistleblower, related persons, or an intermediary or attempting to retaliate against such persons; or
Report data about the reports that it has received to the Commission;

Between EUR 20,000 and EUR 60,000 for:

Disclosing the identity of a whistleblower, related persons, or an intermediary; or
Retaliating against a whistleblower, related persons, or an intermediary.

Spain

Prepared with assistance from Claudia Gálvez Correa, Gómez-Acebo & Pombo Abogados, S.L.P., in Madrid, Spain.

1. Has the implementing law been adopted?

Yes, Law 2/2023 of February 20, 2023, on the protection of persons who report breaches of the law and on combating corruption (the “Law” (available here in Spanish)) was published in the Official State Gazette on February 21, 2023. The Law entered into force 20 days after its publication (i.e., March 13, 2023).

2. Under the implementing law, which organizations must establish internal reporting channels?

Private organizations with 50 or more workers.
Legal entities falling within the scope of European Union laws on financial services, products and markets, prevention of money laundering and terrorist financing, transportation safety, and environmental protection.
Political parties, trade unions, and business organizations, as well as foundations created by public funds.
Public entities.

Private organizations with 50 to 249 workers and municipalities with less than 10,000 inhabitants were required to establish their channels by December 1, 2023. Private organizations with 250 or more workers and all other public entities were required establish their channels within three months of the Law entering into force.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the Law also allows whistleblowers to report acts or omissions that may constitute a criminal offense or a serious or very serious administrative offense under Spanish law. The Law does not include a specific list of these offenses but gives as an example offenses involving financial loss to the Public Treasury and to the Social Security system and violations in the area of health and safety at work.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

Organizations must implement a policy regarding the general principles of their internal reporting channels, the protections in place for whistleblowers, and the procedures in place regarding the management of communications within the internal reporting channels.
Organizations must appoint an individual who will be independently responsible for their internal reporting channels and the organizations must notify the Competent Authority about the appointment of that individual. The Law does not specify if this individual needs to be in Spain or employed by the local Spanish entity, but this person must be a manager of the company, be independent, and have sufficient resources to carry out the tasks entrusted to them.
The Law also allows the appointment of a collegiate body to be responsible for an organization’s internal reporting channel, provided that it delegates the management of the internal reporting channel to one of its members.
Organizations must consult (but not seek approval from) workers’ representatives before establishing their internal reporting channels.
Organizations’ management in Spain (e.g., their board of directors) must formally approve the internal reporting channels.
The Law confirms that a corporate group can share a single internal reporting channel, and that the corporate group can share responsibility to oversee this internal reporting channel. While the Law states that reporting channels must be independent, organizations are not required to set up separate whistleblowing channels for each entity in their group.
Organizations must provide a notice to individuals about the use of internal reporting channels, as well as about the essential principles of their reporting procedures in the Spanish language. If an organization’s internal reporting channel is hosted on a website, this information must appear on the organization’s home page, in a separate and easily identifiable section.
Whistleblowers may issue reports directly to the Competent Authority without first using internal reporting channels.
Reports may only be kept in an internal reporting channel’s system for the time necessary to decide whether or not to initiate an investigation. If a decision is not made within three months, the communication must be deleted from the system, except for personal data required to maintain evidence of the system’s operation. In this case, information regarding communications that have not been admitted for investigation must be anonymized.
Personal data contained in whistleblowing reports (outside the internal reporting channels) may be retained by the organization for 10 years.
Organizations must implement privacy policies for their internal reporting channels, aligned with the requirements set out in the Law and Spanish personal data protection law.
Whistleblowers are protected from retaliation for two years; however, extended protection from an organization’s retaliation may be requested by the whistleblower from the Competent Authority.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

La Autoridad Independiente de Protección del Informante, A.A.I. (the “Independent Authority for the Protection of Informants” or AAI) will be the Competent Authority. However, the Competent Authority has not yet been officially established by the Spanish government.

8. Does the Competent Authority have specific investigative and enforcement powers?

Yes, the Competent Authority has the power to penalize organizations for non-compliance with the Law. The Law provides that decisions of the Competent Authority may only be appealed before courts.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law prescribes sanctions for “very serious infractions,” “serious infractions,” and “minor infractions”:

Very serious infractions include, among others, organizations taking retaliatory action against a whistleblower, breaching the confidentiality or anonymity of a whistleblower’s identity, and breaching the obligation to have an internal reporting channel.
Serious infractions include, among others, organizations hindering a whistleblower’s ability to issue a report when it is not deemed to be “very serious” and violating the secrecy of a report when is not deemed to be “very serious.”
Minor infractions include, among others, organizations deliberately submitting incomplete information to the Competent Authority, and any other breach of the Law that is not considered a serious or very serious infraction.

If individuals are responsible for the infraction, they can be fined EUR 1,001‒10,000 for minor infractions, EUR 10,001‒30,000 for serious infractions, and EUR 30,001‒300,000 for very serious infractions.

If organizations are responsible for the infraction, they can be fined up to EUR 100,001 for minor infractions, EUR 100,001‒600,000 for serious infractions, and EUR 600,001‒1,000,000 for very serious infractions.For very serious infractions, the Competent Authority may also impose a penalty, including: (i) releasing a public reprimand or publishing the infraction in the Official State Gazette; (ii) prohibiting new subsidiaries or other tax benefits for a maximum term of four years; and (iii) prohibiting contracts with the public sector for a maximum of three years.

Sweden

Prepared with the assistance of Erica Wiking Häger and Tova Winsten from Mannheimer Swartling Advokatbyrå in Sweden.

1. Has the implementing law been adopted?

Yes, the Law on the protection of persons who report misconduct (Sw. Lag (2021:890) om skydd för personer som rapporterar om missförhållanden) (the “Act”) entered into force on December 17, 2021. The obligation under the Act to establish internal reporting channels became effective as of July 17, 2022, for organizations with 250 or more employees, and as of December 17, 2023, for organizations with 50 to 249 employees.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations that at the beginning of the calendar year have 50 or more workers.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader. Individuals may, for example, also report misconduct that is in the public interest to be disclosed and violations of laws or other regulations covered in Chapter 8 of the Instrument of Government (Sw. Regeringsformen).

5. Does the implementing law permit anonymous reporting?

The Act’s legislative history/preparatory works allow for anonymous reporting. While the Act does not explicitly require organizations to allow for anonymous reporting, the supervisory authority, the Swedish Work Environment Authority (Sw. Arbetsmiljöverket), has stated that organizations must allow for such reporting.

6. Does the implementing law impose any other significant deviations from the Directive relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts, and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

The Act states that organizations with 250 or more employees cannot share a centrally run common internal reporting channel; however, group companies are permitted to outsource the management of internal reporting channels to a third party, and it is possible for all companies in a corporate group to outsource their internal reporting channel to the same third party. Further, the Act allows for some deviations from the setup and operation of the internal reporting channel stipulated in Act (including the prohibition on having centrally run internally reporting channels), when concluded or approved by a central employees’ organization in a collective bargaining agreement.

Both oral and written reporting must be made available to the whistleblowers, while the Directive gives organizations a choice in this regard.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

Sweden has nominated a total of 33 competent authorities to handle whistleblowing reports (see the regulation in Swedish only). The Swedish Work Environment Authority (Sw. Arbetsmiljöverket) has been appointed as the authority with overall oversight under the Act.

8. Does the Competent Authority have specific investigative and enforcement powers?

Power to issue injunctions to force organizations to comply with their legal obligations.
Power to accompany injunction by a recurrent pecuniary penalty.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

See response to the previous question; the Act does not mention any further sanctions.
Organizations violating the prohibition against retaliation will have to pay compensation for the losses incurred (Sw. Employment Protection Act (1982:80) referenced).

The Netherlands

1. Has the implementing law been adopted?

Yes, the law updating the Whistleblowers Protection Act to implement the Directive (Wet van 25 januari 2022 tot wijziging van de Wet Huis voor klokkenluiders en enige andere wetten ter implementatie van Richtlijn (EU) 2019/1937 van het Europees Parlement en de Raad van 23 oktober 2019 – available in Dutch) was published in the Official Gazette on February 3, 2023. The law entered into force on February 18, 2023. A consolidated version of the Whistleblowers Protection Act (the “Law”) is available in Dutch.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more workers must establish internal reporting channels. Private organizations with 50 to 249 workers have until December 17, 2023, to comply with the Law and establish their channels. All other eligible organizations are expected to comply when the Law enters into force.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader than the Directive. For example, the Law also allows whistleblowers to report acts or omissions having an impact on the public interest, as well as certain other matters as specified in the Law.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

How organizations should set up internal reporting channels?
Timelines for report management vis-à-vis the whistleblower?
The content of the required communications (such as privacy notices, report receipts and investigation updates)?
Whistleblower rights and protections?
Any other key issues?

An organization that is required to establish internal reporting channels, but which has not set up a works council or staff representational association (and is not obliged to do so), must obtain the consent of more than half of its workers when setting up its internal reporting channels. This consent is not required if internal reporting channels are already regulated by a collective labor agreement.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaint (“Competent Authority”)?

The Huis voor klokkenluiders (“Whistleblowers’ House”) is the key Competent Authority, although other authorities have also been appointed for specific sectors under the Law:

Consumer and Market Authority (Autoriteit Consument en Markt)

Financial Markets Authority (Autoriteit Financiële Markten)
Data Protection Authority (Autoriteit persoonsgegevens)
Netherlands Central Bank (Nederlandsche Bank)
Health Care and Youth Inspectorate (Inspectie Gezondheidszorg en Jeugd)
Dutch Health Care Authority (Nederlandse Zorgautoriteit)
Nuclear Safety and Radiation Protection Authority (Autoriteit Nucleaire Veiligheid en Stralingsbescherming)

If a Competent Authority receives reports under the remit of another Competent Authority, it is required to direct such reports to the appropriate Competent Authority, provided that it first obtains the prior consent of the whistleblower to do so.

8. Does the Competent Authority have specific investigative and enforcement powers?

Under the Law, the Whistleblowers’ House is expressly tasked with informing and supporting whistleblowers. In addition, the Whistleblowers’ House also has the power to launch ex officio investigations.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be fined by the Whistleblowers’ House if they (a) fail to implement an internal reporting channel, (b) fail to provide information regarding the reporting procedures, (c) fail to act on the recommendations of the Whistleblowers’ House, or (d) retaliate against a whistleblower. The Law does not currently determine the amount of the fines, this shall be determined by a decree, which will be incorporated in the Law as an annex.