EU Member States are in various stages of drafting and finalizing national laws in preparation for the implementation of the EU’s Directive on the protection of persons who report breaches of European Union law (the “Whistleblowing Directive”). EU Member States need to adopt their implementing laws before the December 17, 2021 deadline. As each EU Member State finalizes its implementing law, we will add below a brief Q&A-style summary of the main issues in each implementing act to keep you informed about the overall progress.

Last Updated: 11 November 2022

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Reporters of Irregularities (the “Law”) entered into force on April 23, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations employing at least 50 employees must establish an internal reporting channel. Organizations with fewer than 50 employees may establish an internal reporting channel if they wish to do so. Organizations carrying out the following activities must establish an internal reporting channel, irrespective of the number of employees: (i) financial services; (ii) financial products and markets; and (iii) prevention of money laundering and terrorist financing.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

All organizations with 50 or more employees must set up an internal reporting channel by June 23, 2022. The Law does not provide the additional time for private organizations with 50 to 249 employees to establish internal reporting channels that the Directive allowed for EU Member States.

4. Is the scope of reportable concerns the same as in the Directive?

Yes.

5. Does the implementing law permit anonymous reporting?

The Law does not explicitly permit anonymous reporting; however, it refers indirectly to persons making anonymous reports being entitled to protection irrespective of the fact that they have come forward anonymously, which would indicate that anonymous reporting is permitted. There is no specific regulatory guidance about anonymous reporting at this time.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

  • How organizations should set up internal reporting channels?
  • Timelines for report management vis-à-vis the whistleblower?
  • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
  • Whistleblower rights and protections?
  • Any other key issues?

Organizations that are subject to the Law are required to designate (i) a “confidential person” and (ii) a deputy who will take on the role of the confidential person when the confidential person is not available. The confidential person and deputy can be individuals employed by the organization, or third-party individuals, who are to be responsible for overseeing whistleblowing compliance and the organization’s internal reporting channels. There is no information at this time about the eligibility requirements for a confidential person or deputy.

The confidential person must provide feedback to the whistleblower and “take action” to investigate the reported issue within 30 days where possible (or within 90 days at the latest). There is no definition in the Law for what constitutes “take action” and there is no regulatory guidance at this time.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Ombudswoman.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Ombudswoman may only (i) refer matters relating to whistleblowing to the Misdemeanor Court for review or (ii) receive and forward whistleblowing reports to the relevant body for further investigation. The relevant body will depend on the subject matter of the report, although there is no direction in the Law as to which body is responsible for which types of reports. The Ombudswoman does not have any enforcement powers.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

Organizations may be fined by the Misdemeanor Court between HRK 10,000 and 30,000 (approx. EUR 1,300 and 4,000) for failing to:

a) Implement the Law within two months of the Law going into force (i.e., by June 23, 2022);

b) Establish an internal reporting system;

c) Protect the personal data received via a whistleblowing report;

d) Appoint a confidential person within three months of the Law going into force (i.e., by July 23, 2022);

e) Keep adequate records; or

f) Take measures to remedy acts or omissions that are unlawful.

In addition, responsible persons at an organization (i.e., individuals responsible for conducting the business affairs of the organization, e.g., a director) or small business owners (i.e., individuals who run unincorporated companies, in accordance with the Trades and Crafts Act) may be fined between HRK 1,000 and 10,000 (approx. EUR 130 and 1,300) for failing to implement the Law within two months of the Law going into force.

Organizations may also be fined between HRK 30,000 and 50,000 (approx. EUR 1,300 and 6,600) if they:

a) Prevent or attempt to prevent individuals from reporting acts or omissions that are unlawful;

b) Initiate malicious proceedings against acts or omissions that are unlawful (malicious proceedings are proceedings with no real basis, e.g., discrimination or defamation);

c) Disclose or attempt to disclose the identity of a person making a report;

d) Retaliate against a person making a report;

e) Fail to protect a person making a report from retaliation; or

f) Influence or attempt to influence those taking action to protect a report or a reporting person (e.g., negatively influence those individuals who are tasked with keeping a whistleblower’s identity confidential and ensuring that they do not suffer retaliation).

In addition, responsible persons at an organization and small business owners may be fined between HRK 3,000 and 30,000 (approx. EUR 400 and 4,000) for preventing or attempting to prevent individuals from reporting acts or omissions that are unlawful.

  1. Has the implementing law been adopted?
    Yes, the Law on the Protection of Persons Reporting Violations of Union and National Law 2022 (ο περί της Προστασίας Προσώπων που Αναφέρουν Παραβάσεις του Ενωσιακού και Εθνικού Δικαίου Νόμος του 2022) (the “Law”) entered into force on February 4, 2022.
  2. Under the implementing law, which organizations must establish internal reporting channels?
    Private companies with 50 or more employees, and all public sector entities (excluding local authorities with fewer than 5,000 inhabitants or 25 employees), must establish internal reporting channels.

    Private organizations with between 50 and 249 employees have until December 17, 2023 to establish their internal reporting channels. All other eligible organizations are expected to comply starting on the date when the Law went into effect.
  3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
    No.
  4. Is the scope of reportable concerns the same as in the Directive?
    No, the scope is broader. Reports can also cover: (i) acts or omissions related to the commission or possible commission of criminal offenses, in particular corruption offenses, under national law; (ii) acts or omissions related to the non-compliance of a person with any legal obligation imposed on it under national law; (iii) infringements under national law which endanger or are likely to endanger the safety or health of any person; and (iv) infringements under national law that cause or are likely to cause damage to the environment.
  5. Does the implementing law permit anonymous reporting?
    The Law does not explicitly permit anonymous reporting; however, it refers indirectly to individuals anonymously making reports, which would indicate that anonymous reporting is contemplated. There is no specific regulatory guidance about anonymous reporting at this time.
  6. Does the implementing law impose any other significant deviations from the Directive, relating to:
    • How organizations should set up internal reporting channels?
    • Timelines for report management vis-à-vis the whistleblower?
    • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
    • Whistleblower rights and protections?
    • Any other key issues?
      Organizations must delete personal information contained within records of the reports (i) three months after the investigation is closed, or (ii) in the event of legal or disciplinary proceedings, one year after the completion of legal proceedings.
  7. Does the Competent Authority have specific investigative and enforcement powers?
    No.
  8. What are the sanctions for non-compliance with the Directive and the implementing law?
    The Law does not provide penalties against organizations that fail to set up an internal reporting channel; however, an organization may be fined up to EUR 30,000 if, through lack of supervision or control, it fails to prevent an individual from committing the following offenses:
    • Obstructing or attempting to prevent a report,
    • Retaliating or initiating malicious proceedings against a whistleblower, or
    • Breaching confidentiality obligations regarding the whistleblower’s identity.
      There is no regulatory guidance as to when an organization is deemed to have a “lack of supervision or control.”
      Individuals may also be imprisoned for up to three years or fined up to EUR 30,000 for various offenses, including obstructing or attempting to prevent a report, or breaching confidentiality obligations regarding the whistleblower’s identity.
  9. What are the sanctions for non-compliance with the Directive and the implementing law?
    The Law does not provide penalties against organizations that fail to set up an internal reporting channel; however, an organization may be fined up to EUR 30,000 if:

    (i) Any person acting on behalf of it commits any of the following offenses:

    • Obstructing or attempting to prevent a report,
    • Retaliating or initiating malicious proceedings against a whistleblower, or
    • Breaching confidentiality obligations regarding the whistleblower’s identity.

    The person may be acting individually or as a member of a department of the organization and/or exercising within the organization a managerial power (which includes any power of representation, decision-making, or exercise of control).

    (ii) Through lack of supervision or control, it fails to prevent an individual from committing the offenses listed at (i) above. There is no regulatory guidance as to when an organization is deemed to have a “lack of supervision or control.”

    Individuals may also be imprisoned for up to three years or fined up to EUR 30,000 for various offenses, including obstructing or attempting to prevent a report, or breaching confidentiality obligations regarding the whistleblower’s identity.

  1. Has the implementing law been adopted?
    Yes, the Whistleblowers Protection Act (Lov om beskyttelse af whistleblowere) (the “Act”).
  2. Under the implementing law, which organizations must establish internal reporting channels?
    Public and private organizations with 50 or more employees.
  3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
    No.
  4. Is the scope of reportable concerns the same as in the Directive?
    No, the scope is broader. Reports can include, among other topics, concerns about serious breaches of Danish law (such as theft) or other serious matters (such as “MeToo” type complaints).
  5. Does the implementing law permit anonymous reporting?
    Not addressed in the Act.
  6. Does the implementing law impose any other significant deviations from the Directive relating to:
    • How organizations should set up internal reporting channels;
    • Timelines for report management vis-à-vis the whistleblower;
    • The content of the required communications (such as privacy notices, report receipts, and investigation updates);
    • Whistleblower rights and protections; or
    • Any other key issues?
      No.
  7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
    Datatilsynet, the Danish data protection authority.
  8. Does the Competent Authority have specific investigative and enforcement powers?
    Not addressed in the Act.
  9. What are the sanctions for non-compliance with the Directive and the implementing law?
  • Undefined fines for organizations that do not:
    • Maintain the confidentiality of whistleblowers’ identity,
    • Provide clear information to affected individuals,
    • Keep records, and
    • Set up an internal reporting channel; and
  • Criminal liability for organizations (under the Danish Criminal Code).

1. Has the implementing law been adopted?

Yes, France has implemented the Directive in its national legislation by adopting two new laws to amend its existing law on transparency and the fight against corruption (law n° 2016‑1691 “LOI relative à la transparence, à la lutte contre la corruption et à la modernisation de la vie économique,” referred to as the “Sapin II” law):

as well as an implementing decree concerning the procedures for collecting and processing whistleblower reports and establishing the list of external authorities (decree n° 2022-1284 relatif aux procédures de recueil et de traitement des signalements émis par les lanceurs d’alerte et fixant la liste des autorités externes instituées par la loi n° 2022-401 visant à améliorer la protection des lanceurs d’alerte) (the “Decree”).

The Law entered into force on September 1, 2022, and the Decree on October 5, 2022.

2. Under the implementing law, which organizations must establish internal reporting channels?

Public and private organizations with 50 or more employees. The Decree clarifies that the threshold of whether an organization has 50 or more employees is to be assessed by calculating the monthly average number of employees across the organization’s previous two financial years. The procedures for calculating these thresholds are set out in Article L. 130-1 of the Social Security Code.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

The Law encourages organizations with fewer than 50 employees to establish internal reporting channels, by stating that individuals may report to their direct or indirect supervisor, employer, or other point of contact designated by the organization, even if the organization is not required to establish internal reporting channels.

4. Is the scope of reportable concerns the same as in the Directive?

The scope of reportable concerns is broader than the Directive. In addition to allowing reports about violations of EU law, the Law also allows whistleblowers to report about: (i) actual and attempted violations of international law applicable in France; (ii) crimes or offenses under national law; and (iii) threats or harm to the public interest.

5. Does the implementing law permit anonymous reporting?

Yes.

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

  • How organizations should set up internal reporting channels?
  • Timelines for report management vis-à-vis the whistleblower?
  • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
  • Whistleblower rights and protections?
  • Any other key issues?

Whistleblowers can choose to report directly to an external authority (including a Competent Authority as defined below), without first using internal reporting channels.

The Decree clarifies that organizations (including private organizations) must consult with the relevant “social dialogue bodies” before establishing their internal reporting procedures. In practice, for private organizations, this will involve consulting with employees’ representatives or works councils.

If the whistleblower requests a videoconference or an in-person meeting, the meeting should take place no later than 20 working days following the request.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Défenseur des droits (“Defender of Rights”) is the key Competent Authority, although others have also been appointed for specific sectors (see a full list in the Annex to the Decree) under law n° 2017-55 “LOI portant statut général des autorités administratives indépendantes et des autorités publiques indépendantes”.

If the Defender of Rights receives reports under the remit of another Competent Authority, it is required to direct such reports to the appropriate Competent Authority.

8. Does the Competent Authority have specific investigative and enforcement powers?

Under the Law, the Defender of Rights is expressly tasked with supporting whistleblowers. The Defender of Rights has the power to issue an official opinion to “certify” whistleblowers (this would involve verifying that the whistleblower’s report was valid and that the individual should be protected as a whistleblower). This certification may be used if a whistleblower suffered retaliation for making a report and then later commences legal proceedings against the individual or organization who retaliated against them.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties against organizations that fail to set up an internal reporting channel.

The Law increases the fine that may be levied against an individual who retaliates against a whistleblower to EUR 60,000 and against an organization to EUR 300,000, in addition to any supplemental measures to publicize the decision condemning any retaliation. In addition, any person who obstructs a whistleblower’s report may be sanctioned with up to one year’s imprisonment.

The Law also permits imposing: (i) a fine of up to EUR 30,000 against an individual or EUR 150,000 against an organization; or (ii) a sanction of two years’ imprisonment against any person who discloses the confidential aspects of a whistleblower’s report (including the identity of the whistleblower and any implicated individuals).

  1. Has the implementing law been adopted?

    Yes, Ireland has implemented the Directive in its national legislation by adopting the Protected Disclosures (Amendment) Act 2022 on July 21, 2022, to amend its existing whistleblowing law, the Protected Disclosures Act 2014 (together, the “Act”); the Act will not go into effect until January 1st, 2023 (by virtue of a commencement order, dated October 12, 2022).

  2. Under the implementing law, which organizations must establish internal reporting channels? 

    Organizations with 50 or more employees and public bodies must establish internal reporting channels. Private organizations with 250 or more employees are expected to comply with the Act as of the date that it goes into effect (i.e., January 1, 2023). Private organizations with between 50 and 249 employees have until December 17, 2023 to establish their internal reporting channels.

  3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels? 

    Yes, the Minister for Public Expenditure and Reform has the power to order organizations with fewer than 50 employees to establish internal reporting channels, taking into consideration the activities of the employers concerned and the potential levels of risk for areas of public interest such as the environment and public health.

  4. Is the scope of reportable concerns the same as in the Directive? 

    No, the scope of the implementing law is broader. Reports can include, for example, concerns about a person failing to comply with a legal obligation or employment contract obligation, concerns about a miscarriage of justice occurring or likely to occur, or concerns that a criminal offence or violation of law has occurred or is likely to occur.

  5. Does the implementing law permit anonymous reporting? 

    Yes. Under the Act, organizations are given the discretion (but not the obligation) to decide if it is appropriate to accept and follow up on anonymous reports.

  6. Does the implementing law impose any other significant deviations from the Directive, relating to:
    • How organizations should set up internal reporting channels?
    • Timelines for report management vis-à-vis the whistleblower?
    • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
    • Whistleblower rights and protections?
    • Any other key issues?

    Upon receiving a report, organizations must carry out an initial assessment, including seeking further information from the reporting person if required, to assess whether there is enough evidence that a relevant wrongdoing may have occurred. If there is no prima facie evidence that a relevant wrongdoing may have occurred, the report should be closed and the whistleblower notified in writing.

    The Act allows the whistleblower to request further feedback at intervals of three months until the report is closed. This is in addition to the requirement under the Directive for organizations to provide feedback to the whistleblower within three months from when the report was received.

  7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

    The Office of the Protected Disclosures Commissioner (OPDC).

  8. Does the Competent Authority have specific investigative and enforcement powers?

    Yes, but only where the Competent Authority receives a report via its own reporting channel. In that case, the Competent Authority may request and examine any record, book, or document, and order on-site inspections. The Competent Authority can also request a warrant if an authorised officer is prevented from entering any premises as part of investigations into a report.

  9. What are the sanctions for non-compliance with the Directive and the implementing law?

    The Act provides the following penalties against individuals and organizations:

    • Fine of up to EUR 250,000 and/or imprisonment for a term not exceeding 2 years: for any individual or organization who (a) hinders or attempts to hinder a whistleblower, (b) penalises or threatens penalisation against a whistleblower, facilitator, third party connected with the whistleblower or a legal entity for whom the whistleblower works, (c) brings vexatious proceedings (i.e., proceedings that are without merit or have little chance of success), or (d) fails to maintain and operate internal reporting channels and procedures.
    • Fine of up to EUR 75,000 and/or imprisonment for a term not exceeding 2 years: for any individual or organization who violates the duty of confidentiality regarding the identity of reporting persons.
    • Fine of up to EUR 50,000 and/or imprisonment for a term not exceeding 2 years: for any individual or organization who (a) withholds, destroys, conceals or refuses to provide any information or record, book, document or other thing required by the Competent Authority, (b) fails or refuses to comply with any requirement imposed by the Competent Authority, or (c) otherwise obstructs or hinders the Competent Authority in the performance of its functions.

1. Has the implementing law been adopted?

Yes, Latvia adopted its implementing law (Trauksmes celšanas likumu) (the “Law”) on January 20, 2022, and it will take effect on the day the Law is published in the Official Gazette (not yet published). This Law replaces the previous national whistleblowing law. All eligible organizations must comply with the Law by the date of publication in the Official Gazette. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.

2. Under the implementing law, which organizations must establish internal reporting channels?

  • Private legal entities with 50 or more employees;
  • Private legal entities operating in the financial and capital markets sectors and in the field of prevention of money laundering and financing of terrorism and proliferation, irrespective of the number of employees (even with fewer than 50 employees);
  • Public entities of any size; and
  • Legal entities governed by EU law, which are designated by Latvia’s Cabinet of Ministers Regulations (note that no entities have been designated under these Regulations as yet).

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

Yes, see the response to Q2 above.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope of the Law is broader. A whistleblower may also report issues in respect of any violation that is prejudicial to the public interest, including topics such as negligence and abuse of official positions, corruption and violations of regulations on financing political parties, embezzlement of public funds or property, tax evasion, construction and occupational safety hazards, threats to public order, and human rights violations.

5. Does the implementing law permit anonymous reporting?

No, the Law requires that whistleblower reports contain sufficient information about the whistleblower in order to verify their identity, including the whistleblower’s full name and personal identification number, as well as their contact information (e.g., address or telephone number).

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

  • How organizations should set up internal reporting channels?
  • Timelines for report management vis-à-vis the whistleblower?
  • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
  • Whistleblower rights and protections?
  • Any other key issues?

Organizations must:

  • First assess whether or not the report should be deemed a whistleblower’s report (and therefore benefit from corresponding protections under the Law) and inform the whistleblower within three days of the decision. There is no further regulatory guidance on how organizations should make this assessment or what they should factor in.
  • Pseudonymize the whistleblower’s personal data from the start of the investigation so that the whistleblower’s identity is only known to certain authorized individuals within the organization. No additional regulatory guidance is provided as to how organizations should carry out the pseudonymization.
  • Inform the whistleblower of the status of the investigation within two months from receipt of the report (regardless of whether or not the investigation has closed).
  • Once the investigation has closed, inform the whistleblower of the results of the investigation and action taken upon completion. The Law does not explicitly state how much detail should be provided to the whistleblower about the results.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

Latvia has designated:

  • Various Competent Authorities, depending on the subject matter of the report. View full list of all Competent Authorities.
  • The State Chancellery as a centralized contact point for whistleblowers. Within seven days from the receipt of a report, the Chancellery must identify the relevant Competent Authority and forward the report.

8. Does the Competent Authority have specific investigative and enforcement powers?

No.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide penalties against organizations that fail to set up an internal reporting channel. Organizations face administrative fines for:

  • Acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., instigating retaliation), up to EUR 14,000; and
  • Obstructing whistleblowing reports, including preventing the submission or consideration of whistleblowing reports, up to EUR 7,000.

Individuals may also be fined for (i) knowingly providing false information using a whistleblowing channel or via the media, (ii) acting in a way that imposes adverse effects on the whistleblower, the whistleblower’s relatives, or someone connected to the whistleblower or the investigator (e.g., causing emotional distress), or (iii) obstructing whistleblowing reports in any way.

1. Has the implementing law been adopted?

Yes, the Law on the Protection of Whistleblowers No. XIII-804 (Pranešėjų apsaugos įstatymo Nr. XIII-804 pakeitimo įstatymo projektas) (the “Law”). It amends Lithuania’s existing whistleblowing law (Law 2018-18760), and will enter into effect on 15 February 2022. All eligible organizations must comply by this date. There is no staggered deadline for compliance that depends on the organization’s size, as there is under the Directive.

2. Under the implementing law, which organizations must establish internal reporting channels?

Organizations with 50 or more workers.

3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

No.

4. Is the scope of reportable concerns the same as in the Directive?

No, the scope is broader. Reports can include, for example, concerns related to a threat to public safety or health, the life or health of a person, or the environment; obstructing or unduly influencing law enforcement investigations or the administration of justice; financing of illegal activities; illegal or non-transparent use of public funds or property; illegally acquired property; concealment of the consequences of a committed breach and obstruction to determining the extent of the consequences; and other breaches of law.

5. Does the implementing law permit anonymous reporting?

No. Whistleblowers are required to state their (i) full name and (ii) personal identification number or date of birth. The requirement to provide a personal identification number is specific to Lithuania, and used for legal processes (including the submission of whistleblowing reports).

6. Does the implementing law impose any other significant deviations from the Directive, relating to:

  • How organizations should set up internal reporting channels?
  • Timelines for report management vis-à-vis the whistleblower?
  • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
  • Whistleblower rights and protections?
  • Any other key issues?

Organizations must:

  • Acknowledge receipt of the report within two working days. This is quicker than the Directive, which requires receipt within seven days.
  • Inform the whistleblower of the progress of the investigation (the investigative steps envisaged or carried out by the organization and the organization’s justification for doing this) within 10 working days from the acknowledgment of receipt of the report, including if an investigation is still ongoing.
  • Inform the whistleblower of the results of the investigation upon completion; this is not a requirement under the Directive. The Law does not explicitly state how much detail should be provided to the whistleblower about the results, and further regulatory guidance will help in this matter.
  • Keep a record of the investigation for at least five years from the last decision made by the organization in relation to the investigation.

Whistleblowers may bypass an organization’s internal reporting channel under certain circumstances, including, but not limited to, when the infringement is of substantial importance for the public interest or when the whistleblower cannot use the internal channel because they do not have an employment, service, or other legal relationship with the organization.

Organizations may provide remuneration to whistleblowers who have provided valuable information. The remuneration is not limited to a specific amount.

7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

The Public Prosecutor’s Office.

8. Does the Competent Authority have specific investigative and enforcement powers?

The Competent Authority can investigate reports using its full prosecutorial powers, including the ability to initiate and carry out prosecution of the offending party or parties.

9. What are the sanctions for non-compliance with the Directive and the implementing law?

The Law does not provide for any sanctions against organizations. Only individuals who violate the Law may be found liable, in accordance with the Code of Administrative Offences of the Republic of Lithuania. Where an organization does not comply with the Law, sanctions are likely to be applied to the CEO (or an equivalent person who has been formally designated to be in charge of the organization).

  1. Has the implementing law been adopted?

    Yes, Malta adopted its implementing law by amending the Protection of the Whistleblower Act (the “Act”). The amendments were adopted on December 18, 2021 and entered into force on December 24, 2021.

  2. Under the implementing law, which organizations must establish internal reporting channels?

    The following organizations are required to establish internal reporting channels:

    • Any private-sector organization with 50 or more workers;
    • Any voluntary organization that annually raises more than €500,000 from public collections and other donations; and
    • Each ministry of the government of Malta.
  3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?

    Yes, the Act also applies to certain voluntary organizations (see above).

  4. Is the scope of reportable concerns the same as in the Directive?

    No, the scope is broader. For example, reports can cover when:

    • An individual fails to comply (or is likely to fail to comply) with any legal obligation to which they are subject;
    • The health or safety of any individual is (or is likely to be) endangered;
    • The environment is (or is likely to be) damaged; or
    • A corrupt practice has occurred (or is likely to have occurred).

    The full list of reportable concerns (described in the Act as “improper practices”) is included in Article 2(1) of the Act.

  5. Does the implementing law permit anonymous reporting?

    Yes, but anonymous reports are not treated as “protected disclosures” under the Act. This means that the requirements for organizations to acknowledge receipt of the report and provide feedback do not apply to anonymous reports.

    However, if after reporting to the public, the identity of the whistleblower is made public and they subsequently suffer retaliation, their disclosure will still be protected provided that:

    • The whistleblower has reasonable grounds to believe the report is true and that it falls within the scope of the Act; and
    • The whistleblower has the right to report to the public under the Act.
  6. Does the implementing law impose any other significant deviations from the Directive, relating to:
    • How organizations should set up internal reporting channels?
    • Timelines for report management vis-à-vis the whistleblower?
    • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
    • Whistleblower rights and protections?
    • Any other key issues?

    The Act provides additional possibilities for whistleblowers to report externally without first using internal reporting channels, in addition to those set out in the Directive. For example, a whistleblower may report directly to a Competent Authority (as defined in Q7 below) where the head of the organization is (or may be) involved in the issue, or where reporting directly to a Competent Authority is justified by the urgency of the matter.

  7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?

    Malta has nominated various Competent Authorities, depending on the subject matter/context of the report (for a full list, see the table in the First Schedule of the Act).

  8. Does the Competent Authority have specific investigative and enforcement powers?

    No.

  9. What are the sanctions for non-compliance with the Directive and the implementing law?

    The Act does not provide penalties against organizations, e.g., in case an organization does not set up an internal reporting channel or otherwise does not comply with the Act. It is possible that penalties for organizations will be added to the Act in the future by means of an additional amendment. It is currently unclear whether the Maltese government intends to make such an amendment, and further regulatory guidance is needed on this matter.

    The Act does, however, provide criminal sanctions against individuals who take certain actions (such as using or threatening to use violence) with the purpose of preventing a whistleblower from making a report under the Act.

    Furthermore, if a whistleblower believes that they have been retaliated against for making a report under the Act, they are also entitled to file an application to the civil court to request an injunction or an order (including an order to pay damages) against an individual. The Act specifies that whistleblowers who have suffered retaliation for making a report are entitled to compensation, but it does not explain if or when organizations (rather than specific individuals) will be liable to pay such compensation.

  1. Has the implementing law been adopted?
    Yes, the General regime for the protection of persons who report violations (Regime geral de proteção de denunciantes de infrações) (the “Act”), which is now in force.
  2. Under the implementing law, which organizations must establish internal reporting channels?
    Organizations located in Portugal employing 50 or more workers.
  3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
    No.
  4. Is the scope of reportable concerns the same as in the Directive?
    No, the scope is broader. Reports can cover, for example, violent crimes, as set out in Crimes under Law no. 5/2002 of 11 January, such as trafficking of narcotics and weapons, terrorism, corruption, embezzlement, money laundering, smuggling, vehicle theft, solicitation, and forgery.
  5. Does the implementing law permit anonymous reporting?
    Yes.
  6. Does the implementing law impose any other significant deviations from the Directive, relating to:
    • How organizations should set up internal reporting channels?
    • Timelines for report management vis-à-vis the whistleblower?
    • The content of the required communications (such as privacy notices, report receipts and investigation updates)?
    • Whistleblower rights and protections?
    • Any other key issues?

    Organizations must keep a record of the reports received for at least five years or while legal proceedings relating to the concern are pending (whichever is longer).

    Whistleblowers may bypass an organization’s internal reporting channel when they want to report about crimes or administrative offenses that are punishable by a fine greater than EUR 50,000 (a threshold that we understand is a regular feature in other Portuguese laws). While whistleblowers are not expected to know which offenses or violations could qualify under this exception, they will nevertheless enjoy this protection, should they wish to circumvent the internal process and instead report directly to the external channels.
  7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
    Portugal has nominated various Competent Authorities, depending on the subject-matter/context of the report (for a full list, see Article 12 of the Act, in Portuguese only).

    Where no Competent Authority has been assigned to deal with the report or where a report implicates a Competent Authority, such report must be addressed to the National Anti-Corruption Mechanism (Mecanismo Nacional Anticorrupção), an independent administrative entity.
  8. Does the Competent Authority have specific investigative and enforcement powers?
    Yes. The National Anti-Corruption Mechanism is responsible for prosecuting violations of the Act and imposing the relevant administrative fines, except where sector-specific legislation designates another enforcement authority (e.g., the Securities Market Commission under national financial services regulations).
  9. What are the sanctions for non-compliance with the Directive and the implementing law?
    Varying administrative fines, depending on the seriousness of the violation.
  • Very serious offenses: obstructing the reporting or follow-up on a report, engaging in retaliatory acts, failing to comply with the duty of confidentiality, and communicating or publicly disclosing false information.
    • Fines range from EUR 10,000 - 250,000 for organizations.
  • Serious offenses: among others, failing to have an internal reporting channel, not managing reports in an independent and impartial manner, and refusing a face-to-face meeting with the whistleblower.
    • Fines range from EUR 1,000 - 125,000 for organizations.

    Individuals may also be fined for serious and very serious offenses (such as communicating or publicly disclosing false information), in keeping with a separate penalty structure.
  1. Has the implementing law been adopted?
    Yes, the Law on the protection of persons who report misconduct (Lag om skydd för personer som rapporterar om missförhållanden) (the “Act”).
  2. Under the implementing law, which organizations must establish internal reporting channels?
    Organizations that at the beginning of the calendar year had 50 or more workers.
  3. Does the implementing law in any way deviate from the Directive in terms of which organizations must establish internal reporting channels?
    No.
  4. Is the scope of reportable concerns the same as in the Directive?
    No, the scope appears to be broader. Individuals may, for example, also report violations of laws or other regulations covered in Chapter 8 of the Instrument of Government.
  5. Does the implementing law permit anonymous reporting?
    The Act’s legislative history/preparatory works allow for anonymous reporting.
  6. Does the implementing law impose any other significant deviations from the Directive relating to:
    • How organizations should set up internal reporting channels;
    • Timelines for report management vis-à-vis the whistleblower;
    • The content of the required communications (such as privacy notices, report receipts, and investigation updates);
    • Whistleblower rights and protections; or
    • Any other key issues?

    Both oral and written reporting must be made available to the whistleblowers, while the Directive gives organizations a choice in this regard.
  7. Which national authority has been designated as the competent authority for receiving and investigating whistleblowing concerns and complaints (“Competent Authority”)?
    Sweden has nominated a total of 30 competent authorities to handle whistleblowing reports (see the regulation in Swedish only). However, the Swedish Work Environment Authority has been appointed as the authority with overall oversight.
  8. Does the Competent Authority have specific investigative and enforcement powers?
    • Power to issue injunctions to force organizations to comply with their legal obligations.
    • Power to accompany an injunction with a recurrent pecuniary penalty.
  9. What are the sanctions for non-compliance with the Directive and the implementing law?
    • See response to previous question; the Act does not mention any further sanctions.
    • Organizations violating the prohibition against retaliation will have to pay compensation for the losses incurred (Employment Protection Act (1982:80) referenced).