What is the impact of the EU whistleblowing legislation?

Whistleblowing became a subject of concern when major consequences produced by Swiss Leaks and Lux Leaks made the case for a change in the European framework. In both cases, the whistleblowers worked for private companies prior to leaking information. If their situation was to repeat now, would they be protected?

Launch of whistleblowing directive
In our last article on the topic, we emphasized the need for stronger protection for whistleblowers. In October 2019, the directive 2019/1937 on the protection of persons who report breaches of Union law was adopted. Member States had until 17 December 2021 to transpose it into national law.

The mission of the directive is to pursue the objectives of the former provisional agreement and to solidify the EU framework with a directly applicable, in depth, and broad legislation on this issue. In this article, we will explore if this legislation provides a sufficient protection for whistleblowers and the entities impacted by the leak of confidential information.

What is the scope of the whistleblowing directive?

Material Scope

The following EU matters are included in the scope of application: public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, product safety and compliance, transport safety, protection of the environment, radiation protection and nuclear safety, food and feed safety, animal health and welfare, public health and consumer protection, protection of privacy and personal data, security of network and information systems, and corporate tax. Nonetheless, State Members are free to expand the scope of protected matters as they see fit.

By derogation, this directive doesn’t apply to reports of breaches involving defence, security or national rules, and the rights of workers to consult their representatives or trade unions. The exclusion of defence is understandable. Defence rules have always been, by public international law principles, considered as part of a state’s sovereignty. Based on those principles, the EU chose to stay out of those matters by excluding defence out of the Union’s scope of competence (Treaty on the Functioning of the European Union).

Personal Scope

The directive is applicable to all reporting persons working in the private or public sector who acquired information in a current or past work-related context. The protection also applies to facilitators , third persons or legal entities owned or connected (in a work-related context) to a reporting person. Facilitators are persons who assist reporting persons in the reporting process in a work-related context, and whose assistance should be confidential.

Reporting requirements

Whistleblowers will qualify for protection if, at the moment of the reporting, they had reasonable grounds to believe that the information reported was true and if they reported through an internal channel, external channel, or made a public disclosure. An internal channel implies disclosing information to a source within the organization while an external whistleblowing implies disclosing information outside the organization.

The public disclosure of information will be protected if the information may place public interest in danger or if the internal and external reporting were both ineffective.

Based on the report of the Whistleblowing International Network, 14 Members States have not started or only made minimal progress towards the implementation of the directive.

Map of EU whistleblowing directive

What are the legal repercussions of a leak of information?

As previous cases made it clear, being a whistleblower is not an easy task. The term whistleblowing comes from sports where referees blow their whistle to stop an illegal or foul play.

After leaking information, whistleblowers are often met with public criticism, or even worse with retaliation such as threats or public prosecution. To take a famous example, Julian Assange, is currently detained in prison in the United Kingdom for blowing the whistle on thousands of classified documents of the US government and is currently facing extradition.
Whistleblower retaliation

The directive took some steps forward by forbidding any form of retaliation. Retaliation can among other things include suspension, discrimination, harm, early termination of the contract, and reduction in wages.

To fight against foreseeable legal actions, the directive mandates that all Members States provide legal assistance to whistleblowers protected under the scope, together with compensation and reparation. Comprehensive and independent information or advice, which are easily accessible to the public and free of charge, should also be provided.

How are entities impacted?

Private and public entities need to follow certain guidelines to be in line with the whistleblowing regulation. The mandatory changes differ based on the sector.


There is a common ground of rules that is applicable for both private and public entities. The establishment of an internal channel is one of them. In order to increase the transparency and the fairness of the internal procedure, entities should:

  • 1

    set up a channel for receiving the reports;

  • 2

    acknowledge receipt of the report within 7 days;

  • 3

    designate an impartial person or a competent department responsible for following-up on the reports;

  • 4

    set up a diligent follow-up;

  • 5

    define a reasonable timeframe to provide feedback, not exceeding three months from the acknowledgment of receipt;

  • 6

    provide accessible information on the external procedure;


All entities in the private sector with 50 or more workers shall establish an internal reporting channel. Under that threshold, there is no mandate for the creation of an internal channel. This threshold is not applicable to entities working in financial services, products and markets, and prevention of money laundering and terrorist financing. All legal entities in the public sector shall establish an internal reporting channel, including other entities they may own or control.

How would the Whistleblower Directive grant protection today?

If both the Lux and Swiss Leaks were to repeat now, would the whistleblowers fulfil the directive’s requirements? Let’s make a practical case out of the two examples.

First, both Swiss Leaks and Lux Leaks concerned tax evasion, which is a protected matter under the material scope. Second, concerning the personal scope, both whistleblowers were in a work-related context during their disclosure. Therefore, that condition is also fulfilled. The third condition requires the use of an internal or external channel before the disclosure or the direct use of a public disclosure when the information may constitute a danger to the public interest.

Hypothetically, if the whistleblowers had reasonable ground to believe that the information was a danger to public interest, that condition could have been fulfilled too.

Directive's conditions
Swiss Leaks
Lux Leaks
Information concerns one of the protected matters
Yes - tax evasion
Yes - tax evasion
Information collected in a professional context
The use of an internal channel, external channel, or public disclosure
Yes - public disclosure
Yes - public disclosure

Therefore, the whistleblowers would have fulfilled the three main requirements and eventually be granted the protection of the directive. Obviously, this is only hypothetical.

How are whistleblowers protected in Belgium?

As of today, no transposition was made by Belgium’s federal parliament. Belgium did make a provisional agreement (1380/001) on the topic in June of 2020. Compared to the European Directive 2019/1937, the scope of the agreement is broader in some aspects and more restricted in others.

Belgium and the whistleblowing directive
On the broader side, the agreement expands the protection to those participating in the disclosure process (writers, journalists, documentary filmmakers, directors or producers). The agreement stipulates that the information can be collected in or out of a professional setting. On the more restricted side, the agreement doesn’t mandate companies to create internal reporting channels which can create a safer place for employees.

The major point of the provisional agreement is the creation of a legal status for those recognized as whistleblowers by a court judgment. In practice, any person will be able to bring a case to the Court of Appeal to obtain recognition of the whistleblower’s legal status. Once the judgment granting the recognition of the legal status of the whistleblower is pronounced, the whistleblower and their family will benefit from protection. In our opinion, if it is implemented, it will be a strong element of safeguard.

The directive creates a safer space for whistleblowers to express their concerns on EU rights violations. It creates obligations for private and public entities to establish diligent reporting channels. The absence of transposition by some Members State creates a lack of efficiency. Members States need to take the lead and make the proper changes. Nonetheless, efficiency comes with time. Adopting the directive still is a major step in the right direction.
EU whistleblower directive steps to take
Add your comment

Related articles

What are AML regulations concerning the cryptocurrency sector? Learn about why we need regulations, who is concerned, an...

EU Wed 15 February 2023

Is Google bound to GDPR’s right to be forgotten? Learn about the ECJ’s decision of 2019 on the subject and how Goog...

Personal Data Wed 02 October 2019

What challenges does artificial intelligence pose to GDPR? Dive into the recent issues with ChatGPT, the dilemmas of EU ...

Compliance Tue 27 June 2023

What is DLU4? Learn about the Belgian legal framework for the fiscal regularisation of Belgian foreign accounts.

EU Mon 24 June 2019
Experts in risk management and regulatory compliance

Pideeco is a consultancy firm providing legal services, business solutions, operational assistance and educational material for professionals in the financial industry.

We are based in Brussels and we specialize in regulatory risk compliance services covering the Eurozone.

Pideeco combines professional Regulatory knowledge and technical expertise to safeguard your business’ reputational and operational risk. Our unique customer-centric approach helps us build strategical and legitimate cost-efficient remedies.

Working with us means reaching out to complementary people, allowing for original thinking and innovative vision.

Our Network Learn more about us