Quick view: EU Whistleblowing Directive implementation tracker

Austria

The Whistleblower Protection Act 2023 (German language only) entered into force on 25 February 2023. A review of the Act is scheduled for 2026.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of national law in the areas covered by the Directive and certain violations of Austrian criminal law such as bribery and fraud.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Whistleblowers must be able to make a report in writing, orally, or upon request in a face-to-face conversation. Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. Businesses that fall within the scope of Annex I.B and II of the Directive are required to set up a channel regardless of size.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response, including the outcome of the investigation and follow-up action or reasons for not taking follow-up action, must be provided within three months. If a whistleblower asks to make a report in a face-to-face conversation, the meeting must take place within 14 days.

Anonymous reporting

Anonymous reporting is permitted and anonymous whistleblowers whose identities have been exposed are entitled to protection.

Whistleblower protection

Whistleblowers and connected persons are protected from all forms of retaliation. If retaliatory action is suspected, the burden of proof falls on the whistleblower.

Penalties for non-compliance

Administrative offences under the Act include obstructing or attempting to obstruct a report, taking retaliatory action, violating the confidentiality requirements or knowingly reporting false information. These offences are punishable by fines of up to €20,000 (US$21,896), rising to €40,000 (US$43,792) for repeat offences.

Which competent authorities are responsible for investigating external reports?

The Federal Office for the Prevention of and Fight Against Corruption is the central authority and is responsible for regulating whistleblowing. The Money Laundering Reporting Office and the Federal Competition Authority operate external reporting channels for their respective areas.

Belgium

The Act of 28 November 2022 (French and Dutch languages only) on the protection of reporters of breaches of Union or national law established within a legal entity in the private sector entered into force on 15 February 2023.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of national law in financial services, products, markets, prevention of money laundering and terrorist financing, tax fraud and social fraud.  

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must consult employee representative bodies before establishing an internal reporting channel. The channel must be independent with no conflicts of interest. Businesses with 50 to 249 employees can set up joint reporting channels but are encouraged to set up individual channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. are required to set up a channel regardless of size.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months

Anonymous reporting

Businesses with 250 or more employees and external reporting channels must accept and investigate anonymous reports. Businesses with less than 250 employees can choose whether to allow anonymous reporting.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation if they had reasonable belief that the information was accurate and fell within the scope of the Act. If retaliatory action is suspected, the burden of proof falls on the employer.

Penalties for non-compliance

Failure to comply with internal reporting channel requirements is punishable by the level 4 fines from the Social Criminal Code of €300 to €3000 (US$327 to $3279) for legal entities, their employees or agents.

Retaliation against a whistleblower by a legal entity, their employees or any natural person is punishable by a prison sentence of six months to three years or a criminal fine of €600 to €6000 (US$657 to $6569). The Act also sets out remedies for whistleblowers who have been subject to retaliation: for current employees, 18 to 26 weeks’ salary; for non-employees, the damage they suffered as a result of the retaliation; and for employees in specified sectors including financial services, reinstatement.

Which competent authorities are responsible for investigating external reports?

The Federal Ombudsman is the central authority and operates an external reporting channel.

Bulgaria

The Whistleblowers Protection Act (Bulgarian language only) entered into force on 4 May 2023.

On 9 May 2025, the Law on Amendments and Supplements to the Law on the Protection of Persons Reporting or Publicly Disclosing Information on Violations 2025 (Bulgarian language only) took effect, building on the EU Whistleblowing Directive.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of other national legislation. This includes cross-border tax arrangements contrary to the purpose of corporate taxation law, general crimes which the whistleblower has become aware of in a work-related context, breaches of employment law and breaches of certain civil service rules. Breaches committed more than two years ago cannot be reported on.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint one or more people to receive reports and ensure there is no conflict of interest. Whistleblowers must be able to make a report in writing, orally, or upon request in a face-to-face conversation. Businesses must make information on whistleblowing procedures available to employees and should review their internal procedures every three years.

Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more workers and public sector organisations (excluding municipalities with fewer than 10,000 inhabitants or fewer than 50 workers) must set up internal reporting channels. Businesses that fall within the scope of Annex I.B and II of the Directive are required to set up a channel regardless of size.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

As of 9 May 2025, companies must maintain detailed records of whistleblowing reports, and all subsequent follow-up actions under the updated regulations (Bulgarian language only). 

There is no longer a time limit for reporting incidents. Under the previous regulations, reports concerning violations that took place over two years prior were considered out of scope.

Anonymous reporting

Anonymous reporting is not permitted: reports must include the whistleblower’s name and date of birth. However, if a report is made anonymously and the whistleblower’s identity is exposed, the whistleblower is entitled to protection.

Whistleblower protection

Whistleblowers and connected persons are protected from all forms of retaliation. 

The new regulations (Bulgarian language only) reinforce safeguards for whistleblowers, including those in non-traditional employment – such as freelancers, interns, and volunteers.

Public disclosure is encouraged and whistleblowers who disclose information publicly are granted the same protections. The Act also provides support measures for whistleblowers, including free legal assistance and cross-border mediation.

Croatia

The Act on the Protection of Persons Reporting Irregularities (Croatian language only) came into force on 23 April 2022.

Which breaches can be reported under the Act?

The Act extends to breaches of national law which endanger public interest.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint a person to manage the channel and establish an internal policy on whistleblowing. Businesses must consult a works council or union when choosing this person and when drafting internal policies. Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. Businesses that fall within the scope of Annex I.B and II of the Directive are required to set up a channel regardless of size.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. Businesses must take action and provide feedback on the report within 30 days and a full response must be provided within 90 days. Businesses must also report to the competent authority to notify them of the report and the investigation outcome within 30 days of the outcome decision.

Anonymous reporting

Anonymous whistleblowers are not recognized under the Act. However, whistleblowers who do report anonymously and whose identities have been exposed and suffered retaliation are entitled to protection.

Whistleblower protection

Whistleblowers, including those who disclose information publicly, and connected persons are protected from all forms of retaliation. To be eligible for protection, whistleblowers must have reasonable belief that the information was true at the time of reporting and fell under the scope of the Act.

Penalties for non-compliance

Legal entities that fail to comply with the Act can be fined €1,333 to €6,666 (US$1459 to $7298) and natural persons can be fined €133 to €1,333 (US$146 to $1459).

Which competent authorities are responsible for investigating external reports?

The Ombudswoman is the central authority and operates an external reporting channel. If an external report is made, the Ombudswoman will forward it to the relevant competent authority. The Ombudswoman also reports annually to the Croatian Parliament on the protection of whistleblowers and ensures the constitutional rights of whistleblowers are protected.

Cyprus

The Law on Protection of Persons Reporting Violations of Union and National Law (Greek language only) entered into force on 4 February 2022.  

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of other national legislation, including criminal offences such as corruption, and breaches that are likely to endanger the health and safety of any person.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint a person to manage the channel and must operate the channel in a secure manner that ensures confidentiality is protected. Businesses must make information on external reporting procedures available to employees.

Whistleblowers must be able to make a report in writing, orally, or upon request in a face-to-face conversation.

Businesses with 50 to 249 employees can set up joint reporting channels. Businesses with fewer than 50 employees that fall within the scope of Annex I.B and II of the Directive can also set up internal joint reporting channels provided they are distinct and autonomous from the related external reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels, but all businesses are encouraged to accept and investigate reports. Certain entities must set up a channel regardless of size, including public sector entities and entities which fall within the scope of certain EU legislation listed in the Annex of the Act.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous reporting is permitted.  

Whistleblower protection

Whistleblowers are protected from retaliation and businesses are required to establish an internal policy that includes measures to protect whistleblowers.

Penalties for non-compliance

Penalties may include administrative fines, legal action or other types of enforcement. Certain actions, including retaliation against a whistleblower, hindering proceedings, bringing vexatious litigation, breaching confidentiality, or knowingly reporting false information, are punishable by a prison sentence up to three years and/or a fine up to €30,000 (US$32,844). If an individual is acting on behalf of a legal entity, the legal entity will be considered liable.

Which competent authorities are responsible for investigating external reports?

No competent authorities are specified in the Act as responsible for investigating external reports. Instead, existing entities (Greek language only) that already receive complaints, or which are responsible for supervising and/or investigating breaches covered by the Act, are considered 'competent authorities' for whistleblowing purposes.

Czech Republic

The Whistleblower Protection Act (Czech language only) entered into force on 1 August 2023.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 15 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches relating to auditing services, transportation or road traffic safety, public auctions, protection of internal order and security, and protection of electronic communications.

Who can report breaches?

Same categories of person in the Directive, plus persons in military service and trust fund management.

How should businesses establish reporting channels?

Businesses must appoint a person or persons to manage the channel. Whistleblowers must be able to make a report in writing, orally, or upon request in a face-to-face conversation. Businesses with 249 or fewer employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses and other legal entities which have 50 or more employees on 1 January of each calendar year must set up internal reporting channels. Certain entities must set up a channel regardless of size, including public authorities involved in tax administration, civil aviation, maritime transport, or offshore oil and gas, in addition to regulated financial institutions.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within 30 days. The 30-day deadline can be extended twice, to a maximum of 90 days. If a whistleblower asks to make a report in a face-to-face conversation, the meeting must take place within 14 days.

Anonymous reporting

Anonymous reporting is not permitted: reports must include the whistleblower’s name and date of birth. However, if a report is made anonymously and the whistleblower’s identity is exposed, the whistleblower is entitled to protection.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation if they have correctly followed reporting procedures and have reasonable grounds to believe the information to be true. If retaliatory action is suspected, the burden of proof falls on the employer.

Penalties for non-compliance

Businesses that fail to comply with internal reporting channel requirements can be fined up to CZK 1 million (US$44,647).

Which competent authorities are responsible for investigating external reports?

The Ministry of Justice is the central authority.

Denmark

The Whistleblower Protection Act 2021 (Danish language only) entered into force on 17 December 2021.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of:

• serious offences and other serious matters (defined as those in the public interest and to be decided on a case-by-case basis); and
• criminal offences, misuse of financial resources, theft, fraud.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Internal reporting channels may be outsourced to an external service provider. Businesses can set up joint reporting channels, but the Ministry of Justice can revoke this right if it sees fit.

Which businesses must establish reporting channels?

Businesses with 50 or more employees and must set up internal reporting channels. Businesses under sector-specific obligations, including regulated financial institutions, are required to set up a channel regardless of size. The Ministry of Justice may conduct risk assessments and order businesses with 49 or fewer employees to set up an internal reporting channel.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous reporting is permitted. However, businesses are not required to follow up on anonymous reports.

Whistleblower protection

Whistleblowers who file reports ‘in good faith’ are protected from all forms of retaliation.

Penalties for non-compliance

Businesses that fail to comply with internal reporting channel requirements can face fines or criminal liability. Whistleblowers who have been subject to retaliatory action are entitled to remedies including up to one year’s salary and reinstatement.

Which competent authorities are responsible for investigating external reports?

The Danish Data Protection Agency is the central authority for external reporting; the Ministry of Justice and Ministry of Defence operate external reporting channels for matters concerning the intelligence services.

Finland

The Act on the Protection of Whistleblowers (Finnish language only) entered into force on 1 January 2023.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel. If businesses with 49 or fewer employees voluntarily set up an internal reporting channel, the channel must comply with the law by 17 December 2023.

Which breaches can be reported under the Act?

The Act extends to breaches of national law in the areas covered by the Directive, with limitations on defence and security procurement and public health. The Act also extends to any acts or omissions which are punishable under national law or may seriously endanger ‘general interest’ objectives of national legislation.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Internal reporting channels may be outsourced to an external service provider. The company or external service provider who manages the reporting channel must appoint one or multiple people to process reports independently. Certain entities can set up joint reporting channels, including wellbeing services authorities, municipal authorities and enterprises, certain religious organisations, specified agencies, and businesses with 50 to 249 employees.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. If businesses with 49 or fewer employees voluntarily set up an internal reporting channel, the channel must comply with the requirements under the Act.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous reporting is permitted, but businesses are not required to accept or follow up on anonymous reports.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation if they had reasonable grounds to believe the information to be true and reporting of the information was necessary to reveal a breach. If challenged in court, the burden of proof falls on the initiator of the case.

Penalties for non-compliance

Penalties include compensation and fines.

Which competent authorities are responsible for investigating external reports?

The Office of the Chancellor of Justice is responsible for managing competent authorities and acts as a centralised external reporting channel.

France

The Law on Improving Protection of Whistleblowers 2022 (French language only) entered into force on 1 September 2022.

Which breaches can be reported under the Act?

The Act extends to crimes or offences, breaches or attempts to conceal breaches of:

• French laws or regulations and European law;
• serious threat or harm to the public interest; and
• an international commitment approved and ratified by France as well as a unilateral act of an international organisation based on this commitment.

The Act amends previous French whistleblowing legislation and reports no longer need to concern a ‘serious and manifest’ breach.

Who can report breaches?

Any natural person can report breaches if the reporting is done ‘in good faith’ and without direct financial compensation.

How should businesses establish reporting channels?

Businesses must consult with staff representatives when setting up internal reporting channels. Businesses with less than 250 employees may share resources for internal reporting channels.

Which businesses must establish reporting channels?

Businesses with at least 50 or more employees, state administrations, and other organisations falling under the EU Directive must set up internal reporting channels.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous reporting is not recommended by French authorities. However, businesses can choose whether to allow anonymous reporting. If permitted, anonymous reports must be:

• treated with caution; and
• detail and establish the seriousness of the facts. 

Whistleblower protection

Whistleblowers are protected from all forms of retaliation.

Penalties for non-compliance

Individuals who retaliate against a whistleblower can be imprisoned for up to three years and fined €45,000 (US$48,950). Whistleblowers who have been subject to retaliatory action are entitled to remedies and labour courts may annul retaliatory action.

Those who obstruct submission of a report can be imprisoned for one year of fined €15,000 (US$16,422).

Which competent authorities are responsible for investigating external reports?

More than 30 national authorities have been designated under the 3 October 2022 law decree as competent authorities and must establish external reporting channels. Whistleblowers may refer to one of the listed authorities if the report concerns a subject matter within their jurisdiction. If a report is not within the scope of any of the competent authorities listed in the 3 October 2022 law, whistleblowers are urged to report to the Defender of Rights (Defenseur des Droits) or the judicial authority.

Germany

The Whistleblower Protection Act 2023 (German language only) entered into force on 2 July 2023.

German NGO Whistleblower-Netzwerk-e.V. (WBN) filed a complaint about the Act to the European Commission in September 2023, arguing that the Act falls short in 12 areas, including incomplete compensation and creating a deterrent effect to reporting.

On 10 March 2025, the Federal Ministry issued Regulation on the Jurisdiction of the Federal Office of Justice for Administrative Offences (German language only) to build on the EU Whistleblowing Directive. 

The new regulation took effect just days before German was fined by the European Court of Justice for failing to fully adopt the Directive.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of:

• German national law;
• a wide range of EU laws (listed in Article 1 (2)) (German language only) encompassing the prevention of money laundering, maritime safety, financial audit regulations for businesses of public interest;
• laws regulating the rights of stockholders in stock corporations; and
• taxation and corporate law.

Who can report breaches?

Employees, ‘leased employees’, and individuals who are connected to the business through professional activity can report through the internal reporting channel. Soldiers are also considered to be employees.

How should businesses establish reporting channels?

Internal reporting channels may be outsourced to an external service provider. Businesses or external service providers must appoint a person to manage the channel independently. Businesses must also provide employees with clear and accessible information on how to report externally on both a national and EU level. Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels, but internal channels are recommended for all businesses. Certain entities must set up a channel regardless of size, including specified financial institutions.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Internal reporting channels are required to process reports received anonymously. However, there is no obligation under the legislation to design a reporting channel in a way that enables the submission of anonymous reports.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation. If challenged, the burden of proof falls on the employer.

Penalties for non-compliance

Businesses that fail to comply with internal reporting channel requirements can be fined up to €20,000 (US$21,896).

Which competent authorities are responsible for investigating external reports?

The Federal Office of Justice (BfJ) is the central authority and operates an external reporting channel; the Federal Financial Supervisory Authority and Federal Cartel Office operate external reporting channels for their respective areas.

The BfJ can now eforce penalties against companies that fail to comply with whistleblower protection requirements, under the new regulations (German language only). Enforcement measures apply to failures such as inadequate follow-up or lack of reporting channels,

The new regulations (German language only) expand the power of the BfJ, allowing it to enforce penalties against companies that fails to comply with whistleblower protection requirements – such as ignoring follow-up obligations or failing to establish reporting channels. 

Greece

Law 4990/2022 on the protection of persons reporting violations of Union law (Greek language only) transposing the EU Directive entered into force on 11 November 2022.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel. All private sector legal entities are required to inform their respective Labour Inspectorate within 2 months of complying with this law.

Which breaches can be reported under the Act?

Same categories of breach as in the Directive.

Who can report breaches?

Same categories of person as in the Directive.  

How should businesses establish reporting channels?

Businesses must appoint a person (Report Receipt and Monitoring Officer) to manage the channel. The appointed officer will have a term lasting at least one calendar year unless terminated for good cause.

Internal reporting channels may be outsourced to an external service provider.

Whistleblowers must be able to submit a report in writing, orally, through an electronic platform accessible to people with disabilities or upon request in a face-to-face conversation.

Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels; the requirement to set up a channel applies for two calendar years after the business reaches 50 employees.

Entities in the following sectors must set up a channel regardless of size:

• financial services, products and markets;
• transport and environment; and
• entities operating on the basis of a decision to approve environmental conditions or whose activities may by nature pose a risk to the environment and public health.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

The Act does not address anonymous reporting.

Whistleblower protection

Whistleblowers and connected persons are protected from all forms of retaliation if the whistleblower has correctly followed reporting procedures and had reasonable grounds to believe the information to be true.

Penalties for non-compliance

Certain actions, including retaliation against a whistleblower, hindering proceedings, breaching confidentiality, or knowingly reporting false information, are punishable by a prison sentence of at least two years and fines. If an individual is acting on behalf of a legal entity, the entity can face an administrative fine of €10,000 to €500,000 (US$10,948 to $547,400).

Which competent authorities are responsible for investigating external reports?

The National Transparency Authority is the central authority and operates an external reporting channel.

Hungary

The 2023 law on complaints, reports in the public interest and the rules related to the reporting of abuses (Hungarian language only) entered into force on 25 July 2023.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to illegal or suspected illegal acts or omissions or other abuses.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Whistleblowers must be able to make a report in writing, orally, or upon request in a face-to-face conversation. At the start of the investigation, whistleblowers and other affected persons must be informed of their rights in relation to personal data and its processing. The persons involved in the report must also express their position regarding the report through a legal representative.

Businesses must appoint a “whistleblower protection lawyer” to manage the channel and ensure there is no conflict of interest.

Internal reporting channels may be outsourced to an external service provider. External service providers are also subject to the same impartiality and conflict of interest rules.

The operator of the internal reporting channel must make information on procedures available to employees.

Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels.

Certain entities must set up a channel regardless of size, including:

• financial institutions regulated for money laundering;
• offshore gas and oil licenses and operators;
• entities covered by civil aviation regulation; and
• operators of flagged floating installations.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. Businesses must take action and provide feedback on the report within 30 days; this deadline can be extended to a maximum of three months.

Anonymous reporting

Anonymous reporting is permitted. However, businesses are not required to follow up on anonymous reports.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation.

Penalties for non-compliance

Businesses that fail to comply with internal reporting channel requirements can face warnings and sanctions from labour authorities. If the businesses are regulated by AML and terrorist financing laws, they can face criminal liability and imprisonment for up to two years.

Those who obstruct submission of a report or retaliate against a whistleblower can face administrative liability and a fine of €800 (US$876).

Which competent authorities are responsible for investigating external reports?

The Hungarian Labour Inspectorate is the central authority and will monitor businesses’ compliance with the Act; 10 other national authorities have been nominated as competent authorities and must establish external reporting channels.

Italy

Legislative Decree No 24/2023 (Italian language only) implementing the EU directive entered into force on 30 March 2023.

Additional implementation deadlines

Businesses with 249 or fewer employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to administrative, financial, and criminal offences outside the scope of the Directive. It also extends to breaches of Legislative Decree No.231/2001, which outlines the corporate criminal liability of legal entities.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Private sector entities must consult trade union representatives listed in Legislative Decree 81/2015 (on various types of employment contracts) when setting up their internal reporting channels.

Businesses with 249 or fewer employees in the past year can set up internal reporting channels. This applies to independent businesses and entities which are under the same group but legally separate.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. If businesses with 49 or fewer employees voluntarily set up an internal reporting channel, the channel must comply with the requirements under the Decree. Certain entities must set up a channel regardless of size, including businesses within the scope of Annex I.B and II of the Directive and businesses covered by Legislative Decree No.231/2001.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous reporting is permitted.

Whistleblower protection

All employees are protected from retaliation.

Penalties for non-compliance

Businesses that fail to comply with internal reporting channel requirements can be fined €10,000 to €50,000 (US$10,948 to $54,740).

Those who retaliate against a whistleblower can be fined €10,000 to €50,000 (US$10,948 to $54,740).

Which competent authorities are responsible for investigating external reports?

The National Anti-Corruption Authority is the authority managing the external reporting channel.

Ireland

The Protected Disclosures (Amendment) Act 2022 entered into force on 1 January 2023.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to a wide range of breaches, including:

• criminal offences;
• failure to comply with a legal obligation (other than a worker's contract of employment);
• miscarriage of justice;
• endangerment of health and safety;
• damage to the environment;
• unlawful or improper use of public fund;
• oppressive, discriminatory or negligent behaviour by a public body;
• breaches of EU law; and
• concealing or destroying evidence of wrongdoing.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint a person to manage the channel, communicate with whistleblowers, and follow up on reports. The person must be independent and have sufficient authority and training to carry out the role. Businesses must make information on internal reporting procedures available to employees.

Internal reporting channels may be outsourced to an external service provider.

Businesses with less than 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. Certain entities must set up a channel regardless of size, including public sector organisations and businesses that fall within excluded areas under the Directive.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous reporting is permitted, but businesses are not required to accept or follow up on anonymous reports.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation.

Penalties for non-compliance

Failure to comply with internal reporting channel requirements is an offence and businesses can be liable for:

• a fine not exceeding €5000 (US$5,484) or imprisonment up to 12 months; or
• a fine not exceeding €250,000 (US$273,700) or imprisonment up to 2 years or both.

Which competent authorities are responsible for investigating external reports?

The newly created Office of the Protected Disclosures Commissioner is the central authority and operates an external reporting channel.

Latvia

The Whistleblowing Law (Latvian language only) entered into force on 4 February 2022.

Which breaches can be reported under the Act?

The Act extends to:

• inaction, negligence, abuse of official position or other illegal activity by officials;
• corruption and violations of the financing rules of political organisations;
• wasting financial resources or property of a public person;
• tax evasion;
• threat to public order;
• money laundering, prevention of terrorism and proliferation financing; and
• violations of competition law and commercial activity support regulations.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Internal reporting channels may be outsourced to an external service provider. Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. Certain entities must set up a channel regardless of size, including public entities, regulated financial institutions, and those that fall within the scope of special EU regulatory acts.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months. If the internal channel receives a report that is outside of its scope, it must transfer the report to the relevant authority to investigate within 7 days of receipt.

Latvian law requires internal reporting channels to assess and classify reports as “whistleblower reports”. The deadline to inform the reporter of the outcome of the application is two months from the date a report is designated as a “whistleblower’s report”.

Anonymous reporting

Anonymous reporting is permitted. However, businesses are not required to follow up on anonymous reports.

Whistleblower protection

Whistleblowers and connected persons are protected from retaliation.

Penalties for non-compliance

Individuals who obstruct or attempt to obstruct submission of a report can be fined three to 75 fine units (€15 to €375 or US$16 to $411), officials can be fined four to 75 fine units (€20 to €375 or US$22 to $375) and legal entities can be fined seven to 1400 fine units (€35 to €7000 or US$38 to $1533).

Individuals who retaliate against a whistleblower can be fined six to 140 fine units (€30 to €700 or US$33 to $766), officials can be fined eight to 149 fine units (€40 to €745 or US$48 to $816) and legal entities can be fined 14 to 2800 fine units (€70 to €14,000 or US$77 to $15327).

Which competent authorities are responsible for investigating external reports?

The State Chancellery is the central authority and operates an external reporting channel.

Lithuania

Amendments to the Law on the Protection of Whistleblowers of the Republic of Lithuania in February 2022 (Lithuanian language only) entered into force on 15 February 2022. A resolution that implements the Act and provides further details about which businesses need to set up reporting channels, entered into force on 1 January 2019.

Which breaches can be reported under the Act?

The Act provides a non-exhaustive list of breaches which can be reported, including:

• illegal interference with legal investigations or court process;
• illegally acquired assets; and
• concealing the consequences of a breach of law.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must ensure that the internal reporting channel adheres to confidentiality. Within the business, senior management is responsible for implementing an internal reporting channel and its functioning. Senior management must also make information on procedures available and accessible to all employees.

Businesses with 250 or more employees must set up separate reporting channels but the law does not expressly allow other entities to set up joint channels.

Which businesses must establish reporting channels?

Businesses (including foreign legal entities) with 50 or more employees must set up internal reporting channels.

Businesses that fall under regulations listed in Annex I.B and II of the Directive  are required to set up a channel regardless of size.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within two working days. A full response must be provided within 10 days following the acknowledgement of receipt. If the receiver considers the report to be outside the remit of the internal channel, they must forward the report to the competent authority within two working days and inform the whistleblower.  

Anonymous reporting

Businesses must accept and investigate anonymous reports.

Whistleblower protection

Whistleblowers and connected persons are protected from all forms of retaliation.

Penalties for non-compliance

Those who fail to comply with the will be held ‘liable’ but penalties are not specified.

Which competent authorities are responsible for investigating external reports?

The Prosecutor’s Office of the Republic of Lithuania is the central authority and operates an external reporting channel.

Luxembourg

The law of 16 May 2023 (French language only) entered into force on 16 May 2023. The law on the financial sector, insurance sector and the fight against money laundering and terrorist financing also provides requirements for whistleblowing procedures.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to violations, acts or omissions which are unlawful or go against the object or purpose of the provisions of directly applicable national or European law.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint a person to manage the channel or outsource management of the channel to an impartial external service provider. Businesses must make information on reporting procedures available to employees. Whistleblowers must be able to make a report in writing or orally in one of the three administrative languages (French, German, Luxembourg) or other languages permitted by the business in a telephone call, voicemail, or face-to-face conversation.

Businesses with 50 to 249 employees can share resources on reporting channels but are still obliged to maintain confidentiality and follow up on reports.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

The Act does not expressly permit or prohibit anonymous reporting. However, anonymous whistleblowers whose identities are exposed and who suffer retaliation as a result are entitled to protection.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation.

Penalties for non-compliance

All competent authorities may impose remedies or administrative fines from €1500 to €250,000 (US$1642 to $273,700). Fines can be doubled if the offence is repeated within 5 years.

Those who retaliate or ‘initiate abusive procedures’ against a whistleblower can be fined €1250 to €25,000 (US$1369 to $27,370).

Which competent authorities are responsible for investigating external reports?
The Minister Responsible for Justice is the central authority and operates an external reporting channel; 22 other national authorities have been nominated as competent authorities.

Malta

The Protection of the Whistleblower (Amendment) Act 2021 (Maltese and English language) entered into force on 24 December 2021.

Which breaches can be reported under the Act?

The Act extends to the following breaches national law:

• failure to comply with any legal obligation a person may be subject to;
• corrupt practices
• miscarriages of justice
• bribery; and
• failure to comply with laws on financial services, products and markets, prevention of money laundering and terrorist financing.

Who can report breaches?

Same categories of person as in the Directive, and also:

• individual persons undertaking work or service and under the immediate direction and control of another person;
• any person in employment in the public administration including members of a disciplined force;
• any person who is or was seconded to an employer; and
• volunteers under article 2(1) of the Voluntary Organisations Act even when such work or service is not regulated by a specific contract of service.

How should businesses establish reporting channels?

The internal reporting channel must handle reports impartially and confidentially. The persons responsible for the internal reporting must be operated securely and prevent access to reports by unauthorised staff members.

Entities with 50 to 249 employees can share resources for the receipt of reports and follow-up investigations.

Which businesses must establish reporting channels?

All entities with 50 or more employees must set up an internal reporting channel. Businesses with under 50 employees may be required to establish a channel following a risk assessment.   

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Businesses may accept and investigate anonymous reports, but they are not “protected disclosures” under the Act. Anonymous reporters are therefore not entitled to protection from retaliation.

Whistleblower protection

Whistleblowers are protected from retaliatory actions.

Penalties for non-compliance

N/A.

Which competent authorities are responsible for investigating external reports?

Seven national authorities have been nominated as competent authorities including Commissioner of Revenue, Financial Intelligence Analysis Unit, Malta Financial Services Authority, Commissioner of Voluntary Organisation, Permanent Commission Against Corruption and the Ombudsman.

For public sector employees, an external whistleblowing officer has been appointed within the Cabinet Office.

Other notable differences

The amendments transposing the EU Directive add public disclosure clauses to the Protection of the Whistleblower (Amendment) Act 2021. Public disclosure by whistleblowers is permitted providing the person has gone through the initial stages of reporting, there is a risk of retaliation if they report internally or there is an imminent or manifest danger to the public interest.

The Netherlands

The Dutch Whistleblower Protection Act (English language text) entered into force on 18 February 2023. Provisions relating to anonymous reporting and enforcement are not yet effective and it is uncertain when they will come into force.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to violations of public interest. This includes violations of statutory regulations and dangers to public health, safety of persons, the environment, or functioning of the public service or an enterprise.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Whistleblowers must be able to make a report in writing, orally, or upon request in a face-to-face conversation.

Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels.

Businesses that fall within the scope of Annex I.B and II of the Directive are required to set up a channel regardless of size.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Whistleblower protection

Whistleblowers and connected persons are protected from all forms of retaliation, including threats or attempts to retaliate. If challenged, the burden of proof falls on the employer. If a whistleblower suffers a detriment after making a report or public disclosure, it will be presumed that the detriment is the result of the report or public disclosure.

Which competent authorities are responsible for investigating external reports?

The Whistleblowers Authority  is the central authority and operates an external reporting channel. Other competentnational authorities responsible for investigating external reports include:

• the Netherlands Authority for Consumers and Markets;
• the Dutch Authority for the Financial Markets;
• the Data Protection Authority;
• De Nederlandsche Bank N.V.;
• the Authority;
• the Health and Youth Care Inspectorate;
• the Dutch Healthcare Authority;
• the Authority for Nuclear Safety and Radiation Protection; and
• other administrative authorities designated by a ministerial order.

Other notable differences

The recipient of a report can choose not to follow up on a report if the breach of law or public interest is insignificant, or if the authority is/has investigated the same abuse and the report brings no new facts to light.

A whistleblower can publicly disclose a suspected breach if they have reasonable grounds to believe the disclosure is necessary to reveal the breach, and the disclosure is done in accordance with the conditions of the Act.

Portugal

Law no.93/2021 (Portuguese language only) entered into force on 18 June 2022.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of national law, specifically organised crime and economic financial crimes listed in art.1(1) of Law no. 5/2002.

Who can report breaches?

Same categories of person as in the Directive, and also:

• workers in the private, social or public sector; and
• tax or supervisory bodies of legal entities including non-executive members.

How should businesses establish reporting channels?

The internal reporting channel must operate independently, confidentially and allow for secure submission and follow-up reports.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels. Businesses that operate in transport safety or financial services or fall under money laundering regulations are required to set up a channel regardless of size.

Businesses with 50 to 249 employees may share resources for receiving reports and follow-up investigations. Branches of businesses located in Portuguese national territory, with headquarters abroad are still under the obligation to set up internal reporting channels.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months. Whistleblowers have the right to request a result of the analysis carried out by the internal reporting channel within 15 days of the investigation concluding.

Anonymous reporting

Anonymous reporting is permitted both internally and externally.

Whistleblower protection

Whistleblowers are protected from all forms of retaliation. Carrying out retaliatory actions, failing to comply with the duty of confidentiality, preventing/attempting to hinder a report or investigation may result in administrative fines ranging from €1000 to €125,000 (US$1095 to $136,850) for legal persons and €500 to €12,500 (US$547 to $13,685) for natural persons.

Penalties for non-compliance

Businesses that fail to comply with internal reporting channel requirements can be fined €1000 to €125,000 (US$1095 to $136,850) for legal persons and €500 to €12,500 (US$547 to $12,685) for natural persons.

Which competent authorities are responsible for investigating external reports?

External reports falling within the scope of the authority’s work area should be made to authorities listed below:

• Public Prosecutor’s Office;
• criminal police bodies;
• Bank of Portugal;
• independent administrative authorities;
• public institutes;
• inspection bodies, similar entities and other central services of the direct administration of the State with administrative autonomy;
• local authorities; and
• public associations.

If an authority receives a report but it is not within its remit to investigate it, the authority must relay the report to a different competent authority and inform the whistleblower. The date of receipt will be considered as the date on which the competent authority receives the report.  

If the information in the report is not relevant to any of the competent authorities, a whistleblower may report to the National Anti-Corruption Mechanism. If the report is about the National Anti-Corruption Mechanism, then whistleblowers may resort to the Public Prosecutor’s Office.

The National Anti-Corruption Mechanism has the power to ensure businesses comply with the law and can sanction entities.

Romania

Law on Protection of Whistleblowers in Public Interest No.361/2022 (Romanian language only) entered into force on 22 December 2022.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of national and EU law in the areas covered by the Directive.

Who can report breaches?

Same categories of person as in the Directive.  

How should businesses establish reporting channels?

Businesses must appoint a person to manage the channel and ensure there is no conflict of interest. The person responsible for the internal channel is also obliged to inform the leaders of the authorities, public authorities and other legal entities under public law and private sector entities regarding the way to resolve the reports.

Businesses with 50 to 249 employees can share resources for internal reporting channels and investigations.

Which businesses must establish reporting channels?

All businesses and unincorporated structures with 50 or more employees must set up internal reporting channels.

Businesses which are governed under the list of laws in appendix no. 3 of the Act must set up internal reporting channels regardless of size.

Authorities, public institutions and other legal entities under public law must set up internal reporting channel regardless of size.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous reporting is permitted and anonymous whistleblowers are entitled to protection.

Whistleblower retaliation

Whistleblowers are protected from all forms of retaliation.

Penalties for non-compliance

Businesses that fail to correctly implement an internal reporting channel can be fined 4000 to 40,000 leu (US$881 to $8807). Businesses that fail to set up an internal reporting channel at all can be fined 3000 to 30,000 leu (US$660 to $6605).

Which competent authorities are responsible for investigating external reports?

The National Integrity Agency is the central authority and operates an external reporting channel. The Agency also reports to other authorities and public institutions for competent resolution.

Slovakia

Act No. 189/2023 Coll. (Slovak language only) entered into force on 1 July 2023 as an amendment to Slovakia’s pre-existing piece of whistleblower legislation, Act No. 25/2019 Coll.

Which breaches can be reported under the Act?

Whistleblowers who report ‘anti-social activities’, including unethical workplace practices, are given minimal protection. Full protection is afforded to whistleblowers who report ‘serious anti-social activities’, including specified crimes, all offences punishable by over two years imprisonment, and certain administrative offences.

Who can report breaches?

Same categories of person as in the Directive, in addition to public officers and soldiers.

How should businesses establish reporting channels?

Businesses must appoint a person or organisational unit in charge of the channel and establish an internal policy on whistleblowing. Internal reporting channels may be outsourced to an external service provider.

Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses that fall within the scope of Annex I.B and II of the Directive and public authorities with at least five employees are required to set up internal reporting channels.

Deadlines for responding to internal reports

An acknowledgement must be sent to the whistleblower within seven days of a whistleblower report being submitted and a full response must be provided to the whistleblower within 90 days. If there is suspicion that a crime has been committed, the employer must refer the case to the police or public prosecutor for assessment and inform the whistleblower. When the assessment is returned, the employer must inform the whistleblower of the results within 10 days.

Anonymous reporting

The Act does not expressly permit or prohibit anonymous reporting. However, anonymous whistleblowers whose identities are exposed and who suffer retaliation as a result are entitled to protection.

Whistleblower protection

Whistleblowers who file reports ‘in good faith’ and any connected persons are protected from all forms of retaliation, including threats or attempts to retaliate.

Employers must seek permission from the Whistleblower Protection Office before taking any action that could constitute retaliation.

Businesses that retaliate or attempt to retaliate against a whistleblower can be fined up to €100,000 (US$109,480) or €200,000 (US$218,960) for repeat offences.

Individuals who attempt to prevent a report, breach confidentiality obligations or attempt to retaliate against a whistleblower can be fined €6000 (US$6569) or up to €12000 (US$13,138) for repeat offences.

Penalties for non-compliance

Businesses that fail to comply with internal reporting channel requirements can be fined up to €50,000 (US$54,740). If the business has over 250 employees, the fine is €100,000 (US$109,480) or €200,000 (US$218,960) for repeat offences.

Which competent authorities are responsible for investigating external reports?

The Whistleblower Protection Office is the central authority and operates an external reporting channel.

Other notable differences

Whistleblowers can disclose information publicly if they have:

• made an internal or external report and not been notified of the outcome within the specified timeframe; or
• a well-founded fear that the activity is an imminent threat to the public interest; or
• a well-founded fear that the competent authority would fail to ensure impartial examination of the facts.

Slovenia

The Whistleblower Protection Act (Slovenian language only) entered into force on 22 February 2023.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of national law. Information on criminal proceedings and classified information are excluded where covered by other legislation.

Who can report breaches?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint a ‘trustee’ in charge of the channel, establish an internal policy on whistleblowing and provide information on how to use reporting channels. Whistleblowers must be able to make a report in writing or orally. Trustees are required to report annually to the Commission for the Prevention of Corruption on the number of reports received and investigations conducted.

Businesses with 50 to 249 employees, self-governing local communities and certain educational institutions can set up joint whistleblowing schemes.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels.

Businesses in certain fields are required to set up internal reporting channels regardless of size, including: healthcare; water, sewage, and waste management and processing; environmental remediation; and all other businesses falling within the scope of Annex I.B and II. Ministries, administrative units, government offices, public agencies, and other specified offices are also required to set up internal reporting channels.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months.

Anonymous reporting

Anonymous whistleblowers are entitled to the same protections as other reporters.

Whistleblower protection

Whistleblowers and connected persons are protected from all forms of retaliation, including threats or attempts to retaliate. The Act also provides support measures for whistleblowers subject to retaliation, including judicial protection, legal aid, unemployment benefits and psychological support.

Penalties for non-compliance

The Act distinguishes between systemic, minor, and serious offences.

Systemic and minor offences include failure to comply with internal reporting requirements. Individuals can be fined €1000 to €2000 (US$1095 to $2190), responsible persons can be fined €300 to €2000 (US$328 to $2190), legal entities can be fined €2000 to €4000, and medium or large businesses can be fined €3000 to €6000 (US$3284 to $6569).

Serious offences include retaliation, for which individuals can be fined €3000 to €15,000 (US$3284 to $16,422), responsible persons can be fined €500 to €2500 (US$547 to $2737), legal entities can be fined €5000 to €20,000 (US$5474 to $21,896) and medium or large businesses can be fined €10,000 to €60,000 (US$10,948 to $65,688).

Whistleblowers who knowingly report false information can be fined €400 to €1200 (US$438 to $1314).

Which competent authorities are responsible for investigating external reports?

The Commission for the Prevention of Corruption will be created to manage competent authorities and operate an external reporting channel; 23 other national authorities have been nominated as competent authorities.

Other notable differences

Whistleblowers who disclose information publicly are granted the same protections if they have used internal or external reporting channels and no appropriate action was taken within three months.

Spain

Law 2/2023 regulating the protection of people who report regulatory infractions and the fight against corruption (Spanish language only) entered into force on 13 March 2023.

Additional implementation deadlines

Businesses with 50 to 249 employees have until 17 December 2023 to set up an internal reporting channel.

Which breaches can be reported under the Act?

The Act extends to breaches of national law such as serious criminal or administrative offences including those resulting in a financial loss for Spanish authorities, and breaches of occupational health and safety regulation.

Who can report infringements?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint a person to manage the internal reporting channel. Whistleblowers must be able to make a report in writing, orally, or upon request in a face-to-face conversation. Internal reporting channels may be outsourced to an external service provider.

Businesses with 50 to 249 employees can set up joint reporting channels.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels.

Organisations that receive public funds, including political parties, trade unions, business organisations, and foundations that depend on these groups, are required to set up internal reporting channels regardless of size. Businesses that fall within the scope of Annex I.B and II of the Directive are also required to do so.

If businesses with 49 or fewer employees voluntarily set up an internal reporting channel, the channel must comply with the requirements under the Act.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days. A full response must be provided within three months, extendable to six months in complex cases.

Anonymous reporting

Anonymous reporting is permitted, but businesses are not required to follow up on anonymous reports.

Whistleblower protection

Whistleblowers who file reports ‘in good faith’ are protected from all forms of retaliation during the investigation and up to two years after the end of the investigation.

Penalties for non-compliance

Businesses that fail to correctly implement an internal reporting system can be fined €100,000 to €1 million (US$109,480 to US$1,094,800). Businesses that fail to implement an internal reporting system at all can be fined €600,000 to €1 million (US$656,880 to US$1,094,800). Other penalties include public warnings, prohibitions on subsidies or tax benefits for up to four months, and temporary suspension of authorisation to operate.

Which competent authorities are responsible for investigating external reports?

The Independent Authority for the Protection of Whistleblowers is the central authority and operates an external reporting channel.

Other notable differences

Whistleblowers who disclose information publicly are also protected.

Sweden

The Whistleblowing Act (Swedish language only) entered into force on 17 December 2021.

Additional implementation deadlines

Businesses with 50 to 249 employees must set up an internal reporting channel by 17 December 2023.

Which breaches can be reported under the Act?

The Act extends to any misconduct in work-related contexts if there is a public interest. Certain national security information, including information falling under the Protective Security Act, is excluded.

Who can report infringements?

Same categories of person as in the Directive.

How should businesses establish reporting channels?

Businesses must appoint a person or organisational unit in charge of the channel, establish an internal policy on whistleblowing, and provide employees with information on whistleblowing procedures.

Businesses with collective bargaining agreements may agree to deviate from rules on internal reporting channels, reporting and follow-up procedures as long as the agreement doesn’t breach any individual rights.

Businesses with 50 to 249 employees can set up joint whistleblowing schemes.

All businesses must ensure workers are protected when filing internal reports.

Which businesses must establish reporting channels?

Businesses with 50 or more employees must set up internal reporting channels.

Deadlines for responding to internal reports

An acknowledgement of receipt must be sent to the whistleblower within seven days of the report unless they have requested not to be contacted. A full response must be provided within three months of the receipt.

Anonymous reporting

Businesses are not required to accept anonymous reports.

Whistleblower protection

Whistleblowers and connected persons are protected from retaliation and are entitled to damages, including 16-32 months' salary for termination. If challenged, the burden of proof falls on the respondent.

Penalties for non-compliance

Penalties include injunctions and fines.

Which competent authorities are responsible for investigating external reports?

The Swedish Work Environment Authority has oversight over external reporting channels; 30 national authorities have been nominated as competent authorities.

Other notable differences

Protection is also granted to whistleblowers who disclose information publicly if they have:

• already reported their concerns through official channels and no action has been taken;
• reasonable grounds to believe the breach constitutes an imminent danger; or
• reasonable grounds to believe that reporting externally would result in retaliation or failure to address the breach.