EU Whistleblower Directive: Country-by-Country Implementation Guide

The EU Whistleblower Directive (2019/1937) set a common framework for whistleblower protection across the European Union, but its implementation varies significantly from country to country. Each member state was required to transpose the Directive into national law, and many have added requirements that go beyond the Directive's minimum standards. For organizations operating in multiple EU countries, understanding these differences is essential for achieving compliance everywhere, not just on paper.

Germany: The Hinweisgeberschutzgesetz (HinSchG)

Germany's transposition, the Whistleblower Protection Act (Hinweisgeberschutzgesetz or HinSchG), came into effect in July 2023 after significant parliamentary debate. The HinSchG applies to all organizations with 50 or more employees and covers breaches of both EU and German law, going beyond the Directive's scope which focused primarily on EU law.

Key German additions include the requirement that internal reporting channels must allow reports in both written and oral form, with the option for in-person meetings upon request. The HinSchG explicitly allows anonymous reporting and requires organizations to accept and process anonymous reports even though the Directive left this to member state discretion. Penalties for retaliation can include compensation claims with a reversed burden of proof, meaning the employer must prove that any adverse action was unrelated to the whistleblower's report.

Organizations in Germany must also designate a specific person or department as responsible for operating the internal reporting channel. This designated person must have the necessary expertise and independence to fulfill the role. External reporting channels are operated by the Federal Office of Justice (Bundesamt fur Justiz) and the Federal Financial Supervisory Authority (BaFin) for financial sector reports.

France: Sapin II and the Waserman Law

France was ahead of the curve on whistleblower protection, having enacted the Sapin II Law in 2016. The Waserman Law of March 2022 updated French legislation to align with the EU Directive while maintaining France's traditionally strong protections. The result is one of the most comprehensive whistleblower protection frameworks in Europe.

The French implementation is notable for its broad personal scope. Protection extends not only to employees but also to shareholders, subcontractors, job applicants, and any person who assists a whistleblower. The definition of reportable breaches is expansive, covering violations of law, threats to the general interest, and breaches of international commitments ratified by France.

A distinctive feature of the French system is that whistleblowers are no longer required to report internally first before going to external authorities. Under the Waserman Law, whistleblowers can choose whether to use internal channels, report directly to external authorities, or in cases of imminent danger or irreversible harm, go directly to the public. This contrasts with the graduated approach preferred by the Directive and adopted by several other member states.

Key Differences Across Member States

Several areas show significant variation in how member states have transposed the Directive. The scope of reportable breaches is one of the most important. While the Directive covers breaches of specific areas of EU law, many member states have extended this to cover breaches of national law as well. Germany, France, and Sweden have adopted this broader scope, while others like Ireland have stayed closer to the Directive's original scope.

The treatment of anonymous reports varies widely. The Directive encourages but does not require member states to accept anonymous reports. Germany and France now explicitly require organizations to accept and process anonymous reports. Italy requires the acceptance of anonymous reports when they are sufficiently detailed. Other member states remain silent on the issue, leaving organizations to decide for themselves.

Penalties also differ substantially. Germany's HinSchG provides for fines of up to EUR 50,000 for various compliance failures. France's penalties can include criminal sanctions. Italy's penalties under Legislative Decree 24/2023 can reach EUR 50,000 for both retaliation and failure to establish reporting channels. The Netherlands has focused penalties primarily on retaliation rather than procedural non-compliance.

Compliance Tips for Multi-Country Operations

For organizations operating in multiple EU member states, compliance requires a strategy that accounts for the highest common denominator of requirements. Accept anonymous reports, even in countries where it is not explicitly required, because it is required in key markets and represents best practice regardless. Implement reporting channels that support written, oral, and in-person reporting options to satisfy the most demanding national requirements.

Use a single platform that can adapt its workflows to jurisdiction-specific timelines and requirements. The core seven-day acknowledgment and three-month feedback timelines from the Directive are consistent across member states, but additional national requirements may apply. Ensure your platform can track and enforce all applicable deadlines automatically.

Train your compliance teams on the specific requirements of each country where you operate. A report received in Germany may need to be handled differently from one received in France, particularly regarding the graduated reporting approach and the designated responsible person requirements. Document your compliance measures for each jurisdiction, as regulators are increasingly asking for evidence that organizations have actively considered and addressed their national requirements, not just the Directive's minimum standards.

Finally, conduct regular gap analyses as member states continue to refine their national legislation. Several countries are still updating their transposition measures, and judicial interpretations are creating new compliance obligations in real time. A whistleblower management platform like lisnto.me that actively tracks regulatory changes and updates its compliance features accordingly can significantly reduce the burden on your legal and compliance teams.