
new EU whistleblower law

what changes?

Is your organisation ready for the new EU Whistleblower law?
Pedro Specter
1 May 2023

Are you uncertain as to whether your organization is required to comply with the new EU Whistleblower Protection law? If so, we would like to inform you that organizations employing 50 or more individuals are obliged to comply. This article offers a comprehensive analysis of the new law, outlining the core obligations that will determine the extent of action your organization needs to take in order to ensure your whistleblowing system is compliant. For each obligation, there is a checklist that will enable you to evaluate the degree to which you need to adhere to the EU Whistleblower Protection law.

What is the EU whistleblower law?

In the spirit of Eliezer Yudkowsky, allow me to elucidate the essence of the European Union's Whistleblower Protection legislation. This noble edict endeavors to shield those valiant truth-tellers within the EU who, upon encountering misconduct in their professional spheres, choose to illuminate the shadows by reporting such transgressions. Indeed, it is an initiative designed to embolden more individuals to follow suit.

One must not underestimate the perils of silence. A recent missive from the European Commission illuminates the staggering financial potential harnessed by ensuring the safety of whistleblowers: a sum that lies betwixt six and seven billion Euros annually, and this prodigious figure pertains solely to the realm of public procurement. It is beyond doubt that whistleblowers are indispensable catalysts in the unmasking and revelation of corruption, illicit dealings, fraudulence, and deleterious activities.

Read through the checklist of obligations for complying with the EU Whistleblower Protection law:

Do you already possess a whistleblower mechanism?

YES: Bravo! You have embarked upon a commendable path. Proceed to the checklist delineating legal obligations below.

NO: Engage with CW1 to explore the whistleblowing system best tailored to your requirements.

Confidentiality of the whistleblower's identity

The Law Dictates: The protocols for reporting and pursuing reports must encompass channels adept at receiving said reports, configured and managed securely to preserve the confidentiality of the reporting individual and any implicated third parties, whilst barring unauthorized personnel from accessing said channels.

  1. Does your whistleblower infrastructure maintain the anonymity of the whistleblower's identity?

  2. Can the system extend protection to external parties whilst preserving their identities?

  3. Are identities safeguarded throughout the reporting and archiving process?

  4. Does your case management system enforce stringent security measures, such as multi-factor authentication for staff?

  5. Is your system subjected to vulnerability and penetration testing by external entities?

Response Times

The Law Dictates: The protocols for reporting and pursuing reports must incorporate an acknowledgment of receipt, delivered to the reporting individual within no more than seven days post-receipt.

  1. Can your whistleblower mechanism instantaneously confirm receipt while upholding the whistleblower's anonymity?

  2. Are whistleblower teams promptly notified upon report receipt?

  3. Can your system adapt to accommodate surges in report volume?

  4. Are standardized response messages readily available?

  5. Is there a designated person or team tasked with report reception?
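Items 1 and 5 above, together with the later question on dialogue with anonymous whistleblowers, all rest on the same design decision: the system must be able to acknowledge a report and keep a conversation going without ever learning who the reporter is. The added example below (not code from the original article or from CW1) shows one common way to do this: the reporter receives a random case id and a one-time access code at submission, the system stores only a hash of that code, and the reporter later presents the code to read feedback or answer questions. The `AnonymousReportInbox` class, its in-memory store and the sample report text are all assumptions constructed for the illustration.

```python
import secrets
import hashlib
import hmac
from datetime import datetime, timezone


class AnonymousReportInbox:
    """Hypothetical reporting channel: acknowledges a report immediately and
    lets the reporter return for follow-up using only a random access code.
    No name, e-mail address or other identity is stored anywhere."""

    def __init__(self):
        # Constructed in-memory store; a real deployment would use an
        # encrypted database, but the data model is the point here.
        self._cases = {}  # case_id -> case record

    def submit(self, report_text):
        """Store a new report and return (case_id, access_code, acknowledgment).
        The access code is shown to the reporter once; only its hash is kept."""
        case_id = secrets.token_hex(8)
        access_code = secrets.token_urlsafe(24)  # ~192 bits of entropy
        self._cases[case_id] = {
            # Plain SHA-256 is acceptable only because the code is long and
            # machine-generated; a user-chosen passphrase would need a slow KDF.
            "code_hash": hashlib.sha256(access_code.encode()).digest(),
            "received_at": datetime.now(timezone.utc),
            "messages": [("reporter", report_text)],
        }
        # Acknowledgment is generated at once, well inside the seven-day limit,
        # and contains nothing that identifies the reporter.
        ack = (f"Your report has been received and registered as case {case_id}. "
               f"Keep your access code to read feedback and answer questions.")
        return case_id, access_code, ack

    def _authenticate(self, case_id, access_code):
        case = self._cases.get(case_id)
        if case is None:
            return None
        presented = hashlib.sha256(access_code.encode()).digest()
        # Constant-time comparison so a wrong code cannot be probed via timing
        if not hmac.compare_digest(case["code_hash"], presented):
            return None
        return case

    def handler_reply(self, case_id, text):
        """Case handler posts feedback or a request for more information."""
        self._cases[case_id]["messages"].append(("handler", text))

    def reporter_read(self, case_id, access_code):
        """Reporter retrieves the whole thread; returns None on a bad code."""
        case = self._authenticate(case_id, access_code)
        return None if case is None else list(case["messages"])

    def reporter_reply(self, case_id, access_code, text):
        """Reporter answers a handler question; returns False on a bad code."""
        case = self._authenticate(case_id, access_code)
        if case is None:
            return False
        case["messages"].append(("reporter", text))
        return True


def demo():
    """Walk through one constructed case and return the pieces for inspection."""
    inbox = AnonymousReportInbox()
    case_id, code, ack = inbox.submit(
        "Constructed sample report: invoices approved without sign-off.")
    inbox.handler_reply(case_id, "Thank you. Which department issued the invoices?")
    ok = inbox.reporter_reply(case_id, code, "Procurement, Q1 2023.")
    thread = inbox.reporter_read(case_id, code)
    return inbox, case_id, code, ack, ok, thread


if __name__ == "__main__":
    _, cid, _, ack, _, thread = demo()
    print(ack)
    for who, text in thread:
        print(f"[{cid}] {who}: {text}")
```

The access code is the only credential, so the reporter must be told to keep it; losing it means losing access to that case, which is the deliberate trade-off for not storing any identity. The case handler's side never sees the code at all.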

Contact Persons

The Law Dictates: The protocols for reporting and pursuing reports must designate an impartial individual or department endowed with the competence to follow up on reports, maintaining communication with the reporting individual, soliciting additional information when necessary, and providing feedback.

  1. Have you implemented competent resources to ensure appropriate follow-up on reports?

  2. Does your system enable the addition of necessary competencies on a per-case basis?

  3. Have you established the skills, routines, and systems required for managing investigations?

  4. Can your whistleblower channel securely integrate external experts into the case handling process?

Follow-up on Reports

The Law Dictates: The protocols for reporting and pursuing reports must include diligent follow-up by the designated individual or department, diligent follow-up concerning anonymous reporting in accordance with national law, and a reasonable timeframe for delivering feedback to the reporting individual.

  1. Does your whistleblower channel facilitate the submission of multimedia files, including images, videos, and text documents, whilst expunging metadata?

  2. Is a case management tool integrated with the reporting channel?

  3. Can your whistleblower channel facilitate dialogue with anonymous or non-anonymous whistleblowers?

  4. Does your system provide secure translation support for multilingual communication?
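Item 1 above asks whether uploaded evidence has its metadata expunged before it reaches case handlers. The reason is that a photograph or document can carry the author's name, device serial number or GPS position and silently undo the confidentiality the channel promises. The added example below (not code from the original article or from CW1) shows the mechanics for one format, JPEG: it walks the file's segment structure and drops the APP1 to APP15 and COM segments that hold EXIF, XMP, IPTC and free-text comments, while leaving the JFIF header and the compressed image data untouched. The function names and the constructed sample file are assumptions made for the illustration.

```python
import struct

# JPEG marker codes (big-endian 16-bit values that precede each segment)
SOI = 0xFFD8  # start of image
EOI = 0xFFD9  # end of image
SOS = 0xFFDA  # start of scan; entropy-coded image data follows
# Segments that carry metadata rather than image structure:
# APP1..APP15 (EXIF, XMP, ICC, IPTC/Photoshop) and COM (free-text comment).
# APP0 (0xFFE0, the JFIF header) is kept so decoders still accept the file.
METADATA_MARKERS = set(range(0xFFE1, 0xFFF0)) | {0xFFFE}


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of a JPEG with all APP1-APP15 and COM segments removed.
    Everything from the SOS marker onwards is copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            out += data[pos:]          # image data: no further metadata segments
            return bytes(out)
        if marker == EOI:
            out += data[pos:pos + 2]
            return bytes(out)
        # Segment length includes the two length bytes but not the marker
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker not in METADATA_MARKERS:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG (no SOS/EOI marker found)")


def list_segments(data: bytes) -> list:
    """Marker codes of the segments that precede the image data, for inspection."""
    markers = []
    pos = 2
    while pos + 4 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (SOS, EOI):
            break
        markers.append(marker)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + length
    return markers


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed minimal JPEG: JFIF header, an EXIF block, a comment naming the
# author, then a tiny scan. The image content is meaningless filler.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFFE1, b"Exif\x00\x00MM\x00*" + b"constructed camera and GPS bytes")
    + _segment(0xFFFE, b"Author: jane.doe@example.invalid")
    + b"\xff\xda" + struct.pack(">H", 12) + b"\x01\x01\x00\x00\x3f\x00" + b"\x00" * 4
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)


if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in list_segments(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in list_segments(cleaned)])
```

Each file type needs its own treatment: PDF, Office documents and video containers store author and device details in entirely different structures, so a production channel should route every upload through a maintained metadata-removal tool (mat2 and exiftool are two widely used ones) or re-encode the file, and should verify the result the same way `list_segments` does here rather than trust that the upload form did it.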

Communication and Information

The Law Dictates: The protocols for reporting and pursuing reports must offer lucid and easily accessible data pertaining to external reporting conditions and procedures for competent authorities, and when applicable, to Union institutions, bodies, offices, or agencies.

  1. Do you furnish employees with explicit and readily available information on reporting concerns, including external reporting options?

  2. Is this information customized for each country of operation?

  3. Is the information automatically displayed upon accessing your whistleblower system?

  4. Are policy documents, Codes of Conduct, and relevant training materials updated to inform employees of behaviors, such as "retaliation," that violate the EU Whistleblower Protection Directive?

GDPR Compliance

The Law Dictates: Any processing of personal data executed pursuant to the Directive must adhere to the GDPR.

  1. Is your whistleblower system fully compliant with the GDPR across all EU countries of operation?

  2. Does your system facilitate the automatic deletion of personal data upon case closure?

  3. Are potential users suitably informed of national reporting disparities?

Record Keeping

The Law Dictates: Authorities and public and private legal entities must maintain records of all reports received, ensuring adherence to confidentiality requirements. Reports must be stored for a duration that is necessary and proportionate.

  1. Does your system maintain a user and case log for each case?

  2. Does your system permit the deletion of personal data in accordance with the GDPR?

Contact us should you desire a complimentary consultation to gauge your preparedness for compliance.
