What is it?
The Directive was designed to provide enhanced protection for whistleblowers, including by setting up internal reporting channels.
Member States must implement the Directive into their national law. The deadline for doing so was 17 December 2021. One month on, and only four Member States have finalised their national law implementing the Directive, with the remaining 23 Member States either having drafted their national law or taken no significant action.
Who is affected?
The categories of individuals given protection by the Directive is broad and covers (among others) employees, workers, job applicants and consultants working in the private and public sector. The protection will be triggered when individuals report suspected breaches of certain EU laws in a work-related context, such as in relation to financial services, money laundering, the environment, personal data and information security. Member States can choose to expand the scope of protection, e.g. so that reported breaches of local laws also trigger protection.
Generally, the Directive applies to businesses with over 50 employees, though businesses with between 50 and 249 employees have an additional two years (to 17 December 2023) to comply. Different rules may apply for financial services companies or those vulnerable to money laundering or terrorist financing.
What does it mean in practice?
The minimum requirements of the Directive that Member States must implement into their national laws, include obligations on relevant organisations to, among other things:
- introduce internal reporting channels and specific procedures for reporting concerns internally and externally
- take necessary measures to prohibit all forms of retaliation against whistleblowers
- keep records of reports securely and subject to appliable data protection legislation
- implement effective and proportionate penalties for retaliation, obstructing reports, compromising a whistleblower’s confidentiality, or otherwise breaching the Directive
Specific rules apply to internal reporting channels, including ensuring reports can be made in writing or orally, maintaining the confidentiality of whistleblowers and providing acknowledgement and feedback within certain timeframes.
What happens now?
While businesses cannot be 100% prepared until Members States have implemented their national laws, it would be sensible to assume that all countries will – at some point – adopt at least the minimum standards of the Directive.
At this stage, we recommend that businesses with EU operations:
- review the minimum standards of the Directive
- assess its existing whistleblowing reporting lines, procedures and policies in place
- track the implementation status of the Directive across Member States
- consider where updates may be needed to existing whistleblowing practices for compliance with the Directive/a certain country’s national laws
- consider how to communicate any changes to the workforce
For global businesses, a key challenge will be whether – and to what extent – a uniform approach to whistleblowing protection and practices can be introduced or maintained.
Please get in touch with your MDR ONE team contact if you have any questions on the Directive, or your business needs legal support in this area.