The Whistleblowing Directive: An Overview


On 23 October 2019, and in a bid to set minimum standards for the protection EU Member States must provide whistleblowers, the European Parliament and the European Council adopted the Whistleblower Protection Directive. As the deadline for Member State implementation looms, Dr Emma Grech, partner at City Legal, delivers an overview of the salient features of the Directive which entities falling within its scope are urged to take into consideration at the earliest.

Published on 13th October 2021

Whistleblowing Regulation: a Universal Objective

The ‘whistleblowing’ phenomenon has recently taken global centre stage, as Frances Haugen openly claimed that Facebook – her former employer – knew how its platforms were being misused to spread hate, violence and misinformation among users. Now, the world watches and waits as Facebook decides whether to take legal action against its ex-employee: the whistleblower.

Indeed, whilst the Haugen case is one to be dealt with in terms of US law – accordingly falling beyond the scope of this article – it brings to the fore the universal objective shared by whistleblowing regulation: the protection of the whistleblower, typically a current or former employee, from retaliation by another person, typically the whistleblower’s current or former employer.

The EU’s Conception of the Whistleblower

Whistleblowing rules and regulations are currently fragmented across the 27-Member State bloc. On 23 October 2019, in the culmination of its efforts to curtail this lack of uniformity, the EU adopted the Whistleblower Protection Directive (the “Directive”).[1]

The Directive does not define ‘whistleblowing’. Instead, it refers to protecting individuals – “reporting persons” – reporting breaches of EU law in various areas, such as public procurement, financial services, products and markets, prevention of money laundering, product safety, environmental protection, public health, consumer protection and data protection.

The Directive presents a wide scope of protection, covering current, former and prospective employees, shareholders, management, as well as self-employed persons, unpaid trainees and volunteers, amongst other categories of persons. Notably, persons facilitating the reporting person in making any report are also afforded protection.

Conditions for Protection

In terms of the Directive, a “reporting person”, that is a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities,[2] will only qualify for whistleblower protection if:

  • they had reasonable grounds to believe that the information on the breach reported was true and that such information fell within the Directive’s scope; and
  • the breach was reported either internally (within the employer’s organisation), externally (to a competent authority) or through a public disclosure (by placing information in the public domain).[3]

Further to this, a person making a public disclosure of information will be protected under the Directive if:

  • a report is first made internally or externally, but no appropriate action is taken by the relevant entity; or
  • they reasonably believe that: (a) the breach poses an imminent or manifest danger to the public interest; or (b) if they reported externally, there would be a risk of retaliation or it would be unlikely that the breach would be effectively addressed.

How is the Whistleblower Protected?

Internal and External Reporting Measures[4]

All entities falling within the scope of the Directive are required to implement written whistleblowing procedures and policies that will accordingly inform and guide the whistleblower and related parties about the reporting routes and escalation measures available, as well as the protections afforded.

The whistleblower must have access to organised internal and external reporting channels. The Directive sets out certain requirements which entities falling within its scope, whether private or public, must adhere to when constructing these reporting channels. All channels for receiving reports must be designed and operated in a secure manner that ensures the confidentiality of the identity of the reporting person and any third party mentioned in the report. Entities must designate one or more persons as being responsible for, inter alia, receiving, investigating and following up on reports, as well as maintaining contact with the reporting person.[5] Reporting channels in both the private and public sectors must establish a reasonable timeframe for the provision of feedback to the whistleblower. Generally, this timeframe may not exceed three months from the acknowledgment of receipt of the relevant whistleblower report by the entity concerned.


Member States must ensure that, without the explicit consent of the whistleblower, the identity of the whistleblower is not disclosed to anyone beyond the authorised persons competent to receive or follow up on reports. The Directive, however, provides an exception to this rule, stating that the identity of the whistleblower may be disclosed where this is a necessary and proportionate obligation imposed by law in the context of investigations by national authorities or judicial proceedings. In such cases, and unless doing so would jeopardise the relevant investigations or judicial proceedings, reporting persons should be informed before their identity is disclosed.[6]


A person qualifying for protection under the Directive will be protected against retaliation, including threats of or attempts at retaliation. The Directive provides an inclusive description of “retaliation”, putting forward a list of examples, such as suspension, dismissal, demotion, withholding of training, negative performance assessments, harassment, discrimination, and reputational harm.[7]

Other Protections

The Directive is also dotted with other protections in favour of the whistleblower, including:

  • Burden of Proof: in court proceedings, the burden of proof is on the entity concerned to show that it has not retaliated against the whistleblower. Thus, where there is an allegation of retaliation, it is for the entity that has taken the retaliatory measures to prove that these were based on justified grounds;
  • Penalties: Member States are bound to impose effective, proportionate and dissuasive penalties for persons who, inter alia, hinder reporting or retaliate against whistleblowers; and
  • Opportunity for Effective Remedy: effective remedies must be available, including the possibility of the whistleblower obtaining interim relief or compensation for damage suffered.


Except for the requirement that entities in the private sector having 50-249 employees establish mandatory internal reporting channels – which Member States shall have until 17 December 2023 to bring into force[8] – the Directive must be transposed into Member State law by 17 December 2021 (the “Transposition Date”).[9]

Public sector organisations and private sector entities having 250 or more employees must comply with the Directive from the Transposition Date. However, and further to the exception for transposition as mentioned in the paragraph directly above, entities having 50-249 employees are required to begin complying with the Directive by 17 December 2023.

It is interesting to note that the Directive provides for minimum standards that must be adopted at national level, such that Member States may opt to implement more stringent ‘gold-plated’ provisions should they wish. Whether this will result in a patchwork of different rules and regulations across the EU remains to be seen.


Malta does not as yet appear to have taken concrete steps towards the adoption of the Directive. The country currently has its own Protection of the Whistleblower Act (Chapter 527 of the Laws of Malta), which does provide a degree of protection to whistleblowers in a manner that is similar to – albeit less extensive than – that of the Directive.

Legislative updates in this regard are expected imminently in view of the Directive and its Transposition Date.

Way Forward

Companies and government entities alike should have by now begun considering the impact(s) which the Directive is going to have on their operation, by, for example: ensuring they obtain a clear understanding of the obligations being imposed by the Directive; ensuring that their operation, including their data security standards, is compliant with the General Data Protection Regulation;[10] planning for, or, where possible, readily implementing, secure internal and external reporting channels; and publishing internal whistleblower policies and procedures that will assist them in achieving compliance when the time comes.

Whilst the new Directive is certain to result in a compliance burden on in-scope organisations, it is important to bear in mind that, by planning ahead and effectively adopting the requirements imposed, private and public sector employers will be better placed to receive information about any potential wrongdoings or concerns at an early stage – thus significantly reducing the possibility of financial and reputational damage – whilst fostering a healthy environment for their employees.




DISCLAIMER: The information contained in this document does not constitute legal advice or advice of any nature whatsoever. Although we have carried out research to ensure, as far as is possible, the accuracy and completeness of the information contained in this article, we assume no responsibility for errors or other inconsistencies herein.



[1] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

[2] Article 5(7) of the Directive.

[3] Article 6(1) of the Directive.

[4] For an overview of the requirements the Directive imposes vis-à-vis internal and external reporting channels, please refer to Articles 8-12.

[5] This function may be outsourced.

[6] Article 16(3) of the Directive.

[7] Article 19 of the Directive.

[8] Article 26(2) of the Directive.

[9] Article 26(1) of the Directive.

[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.