How the EU's New Whistleblowing Directive Could Impact Professionals in Compliance, Risk, and Audit



When it comes to raising alarms about misconduct at companies, whistleblowers in Europe have been left to themselves for many years. A stigma attached to whistleblowing hints at Europe's dark history of fascism and World War II. Yet the EU Whistleblower Directive marks a new era in the discussion of this subject.

The attitude toward whistleblowing has evolved significantly over the last decade. Several European Union member states have initiated whistleblower protection directives, and countries have begun enacting their own national laws to inspire corporate whistleblowers.

What Is The EU Whistleblower Directive?

EU lawmakers passed a regulation on whistleblower protection in December 2019 to guarantee an EU-wide policy for whistleblower protection. EU member countries must align their national laws to the directive within a two-year implementation period, which ends in December 2021.

This directive is aimed at ensuring that whistleblowers are protected across the public and private sectors. In order to comply with the directive, countries must amend existing legislation or adopt new draft legislation.

Among the requirements of the directive is that any company with more than 50 employees must set up an internal reporting and investigation system. This will enable employees and those working for the company to report misconduct and prevent retaliation against whistleblowers.

The reported incidents must be investigated impartially and diligently, and companies must allocate enough resources to the investigation.

How Useful Is an Internal Whistleblowing System?

Whistleblowing systems have enormous value for organisations of all sizes and can be used both internally and externally to alert the organisation's leaders to suspected misconduct. While the EU whistleblower directive does set up clear obligations for companies to use internal reporting channels, they are meant to be an opportunity, not a burden.

Members of the EU are required to encourage whistleblowers to utilise internal channels first before they pursue external channels, as long as those internal channels are capable of effectively addressing the violation and there is no fear of retaliation.

The company benefits from this approach since it can sort out its problems in private. Although the directive does not require whistleblowers to report using certain channels, it confirms that whistleblowers have the freedom to choose according to their individual circumstances. Hence, perceptions about the accuracy and effectiveness of internal reporting procedures and channels are crucial in practice.

Challenges for Professionals in Compliance, Risk, and Audit

There are certain fundamental requirements for whistleblower protection in all EU countries:

  • Employees and third parties should be able to submit suspicions of misconduct.
  • Policies and procedures need to ensure that whistleblowers will not be retaliated against.

It is thus a challenging task for professionals in audit, risk, and compliance to conform with the new whistleblower directive and ensure that a sound whistleblowing system is in place.

Although whistleblower protection requirements may vary quite a bit among different nations, they often have a few things in common. When a company has to comply with several whistleblower protection laws simultaneously across Europe, it will have to ask itself several questions as it tries to discern precisely what obligations it has.

Impact: Compliance Professionals

The bigger challenge here is clear to compliance officers. First, they need to evaluate all whistleblower protection laws in the EU that may be applicable to their organisation. Next, they need to formulate policies, procedures, and training that fully meet whistleblower protection laws while respecting privacy rights. 

In Articles 16.1-16.2 of the new EU directive, confidentiality is stressed as a necessary precondition to complying with the EU's privacy policies. When an organisation implements compliance policies, whistleblowing reinforces them.

Effective whistleblowing systems greatly improve the efficiency of handling each case. Compliance professionals should be able to follow built-in processes that ensure sensitivity, consistency, and accuracy in the handling of cases.

In addition, the system is fully compliant with any applicable laws, such as those covering data protection and privacy; this provides professionals with confidence that they are carrying out the task appropriately.

Impact: Risk & Audit Professionals 

It is not often that senior managers are alerted to regular risk-taking; they can see it only when they work every day with risk-takers. Although such risks are not documented in the risk register or revealed in a business impact analysis, they exist.

A well-developed whistleblowing process is key to uncovering such ‘invisible’ risk-taking. By establishing an effective internal whistleblower program, organisations can gain insight into hidden risks and the associated hidden consequences; they also make employees feel valued, empowered, and listened to.

The internal audit department's role is to improve controls, making it ideally suited to assist the board by informing it of the effectiveness of whistleblowing processes. In addition to promoting best practices and testing systems, internal audits can also offer advice on needed changes.

The internal audit department is responsible for coordinating the response to whistleblower disclosures at the company. In addition, whistleblowing services have proven to be one of the more cost-effective methods of identifying wrongdoing and inadequacies within the controlled environment.

Article 9.1 of the EU directive recommends that developing secure and confidential internal reporting channels be a priority for public and private sector organisations. Written and/or oral reports can be made either by telephone, video conferencing, or other communication tools. It is also possible for the whistleblower to meet in person to report.

After a report is received, the whistleblower must receive an acknowledgment within seven days, and within three months should be provided with feedback on the follow-up. Audit professionals should encourage and promote incorporated reporting channels for accepting reports from employees. They may not accept reports from third parties, like self-employed individuals, shareholders, or volunteer groups.

Regulations regarding the follow-up of anonymous reports are set by the Member States.


Among the most pressing problems in our societies, whistleblowing has emerged as the dominant way of enacting accountability. Despite the benefits of whistleblowing to the public, the people behind these disclosures are often treated unfairly and subjected to harassment and retaliation.

Throughout the EU, the Whistleblower Directive is the first law that provides whistleblower protection. The document covers 12 policy fields, including both the public and private sectors, and adopts a broad definition of who qualifies as a whistleblower. In addition, organisations that fail to establish proper whistleblowing systems and whistleblower reporting channels should be punished.


For more information on the EU Whistleblower Directive, check out the infographic below.





