Implementation deadline for the EU's Whistleblowing Directive

17 December was the deadline for Member States of the EU to introduce domestic legislation to implement the requirements of the EU's Whistleblowing Directive. The Directive requires a majority of companies in the EU to implement whistleblowing procedures in line with the Directive's at times prescriptive requirements. In this article we assess the impact these requirements are likely to have on companies with offices in one or more EU Member States.

The Directive entered into force almost exactly two years ago, with a two-year window for Member States to introduce or update national legislation implementing the minimum requirements of the Directive. That implementation deadline has now come to pass, and in this brief article we look at the impact the Directive may have on companies with operations in one or more EU Member States.

Obligations imposed on EU Member States

The  preamble to the EU Whistleblowing Directive notes that whistleblower protection currently provided in the EU is fragmented across Member States and uneven across policy areas. The purpose of the Directive is therefore to establish uniform minimum protection to ensure that whistleblowers wishing to report breaches of EU law are adequately protected.

The Directive is limited to reporting of wrongdoing related to specific areas of EU law, such as tax fraud, money laundering or offences related to public procurement, product and transport safety, environmental protection, public health and consumer and data protection. However, the Directive also encourages national legislators to extend the protection provided by the Directive to further areas not in scope of the Directive. This will in all likelihood mean a patchwork of new / amended rules throughout the EU/EEA, which in turn may require companies with offices in different Member States to tailor their global whistleblowing procedures to ensure account is taken of specific local law requirements, as relevant. This could be done by including country-specific appendices in a group-wide procedure or by preparing separate procedures for legal entities in the various jurisdictions. 

The Directive imposes a number of obligations on EU Member States, including (but not limited to) requirements to establish independent and autonomous external reporting channels, designate (and adequately resource) authorities competent to receive and follow up on reports and ensure that reporting persons have access to appropriate support measures.  It also requires Member States to provide for "effective, proportionate and dissuasive penalties" applicable to individuals and companies that, for instance, hinder reporting, retaliate against reporting persons or fail to maintain the confidentiality of the identity of the reporting person.

Relevance for companies

The EU Whistleblowing Directive, like most EU directives, does not have direct effect, and is therefore not legally binding on companies and individuals, absent domestic implementing legislation. At present, only a limited number of EU Member States have introduced such legislation or are expected to do so in the near future. Having said that, all Member States are legally required to implement the requirements of the Directive into national law, so companies would do well to start preparations to ensure their operations comply with the Directive (and relevant implementing legislation) sooner rather than later.

Many companies that already have whistleblowing procedures in place may think that the EU Whistleblowing Directive is just another lowest common denominator and therefore will not impact them. In certain instances, however, the Directive is highly prescriptive, including in its requirements relating to reporting methods, rights of persons concerned and the categories of persons that should be granted protection as whistleblowers. In each of these cases, the Directive goes beyond what is currently required by Norwegian law.

Details of key changes

Most fundamentally, the Directive currently requires all companies in the private sector with 250 or more workers (and all companies in the public sector, irrespective of size) to have in place internal whistleblowing procedures, as described in some detail in Article 9 of the Directive. From 17 December 2023, this requirement will be extended to all companies in the private sector with 50 or more workers. Individual Member States are also free to extend the requirement to private companies with fewer than 50 workers.  

The following is a list of the key changes introduced by the Directive, compared with the current position under the Norwegian Working Environment Act:

  • The Directive expands the category of persons that may be given status as whistleblowers, such as job applicants and former employees (provided they have acquired the relevant information in a work-related context).
  • Employers are subject to enhanced requirements in respect of their receipt and follow-up of reported concerns, including but not limited to time limits to confirm receipt of a report and conclude any subsequent investigation, and requirements to permit both written and oral reporting (e.g. by phone or in person). In case of the latter, the reporter must also be given the opportunity to approve and sign any written summary or meeting minutes recording the contents of the oral report.
  • There are further strict requirements on employers to maintain the confidentiality of the identity of the reporter, only subject to certain limited exceptions, e.g. where disclosure is required by law or in the context of judicial proceedings, or to safeguard the rights of the person(s) concerned. As noted above, Member States are required to introduce penalties (civil, criminal or administrative) for employers (and others) in breach of this duty of confidentiality.
  • Companies must ensure their procedures provide information about how individuals might report externally to competent authorities. Such information should be clear and easily accessible, including, to the extent possible, to persons other than workers who come into contact with the company through their work-related activities, such as service-providers, distributors, suppliers and business partners.
  • In addition to the whistleblower, a number of other persons with connections to the reporting person are also granted protection from retaliation, where such persons could suffer retaliation in a work-related context. These include so-called facilitators (being any person who assists a reporting person in the reporting process in a work-related context), third parties connected to the reporting person, such as colleagues or relatives, and legal entities that are owned by or otherwise connected to the reporting person.
  • Persons concerned have specific procedural rights, including the right to be heard and the right to access their file, although the Directive's preamble suggests that this right can be limited (e.g. by withholding or redacting relevant information) if there is a concern that granting access could adversely impact an ongoing investigation.

Conclusion

The Norwegian government is currently in the process of assessing whether the Directive should be regarded as having EEA relevance, such that it will also need to be transposed into Norwegian law. The general expectation is that the Directive will indeed be deemed to have EEA relevance, and that subsequent amendments will also be required to the existing Norwegian whistleblowing framework. 

In the meantime, companies with operations in the EU would do well to review their existing whistleblowing procedures in light of the key changes introduced by the Directive, while clearly also ensuring they take account of any specific local requirements in countries where they have offices (e.g. some countries have specific requirements regarding the handling of reports relating to bullying and harassment, which differ from requirements for handling reports relating to other types of concerns). As there is also some uncertainty around whether the Directive permits corporate groups to have a group-wide whistleblowing system, companies should also monitor how the different Member States decide to implement the requirement in Article 8(6) that legal entities in the private sector with 250 or more employees cannot have a shared whistleblowing scheme.

The fact that the Directive establishes a set of minimum standards for protection of whistleblowers across the EU, and that it, at times, is highly prescriptive in doing so, also has implications for the process of assessing and investigating a reported concern. In combination with the highly prescriptive requirements of the EU's GDPR – and local law variations, as outlined above – the whistleblowing landscape is becoming increasingly difficult to navigate for companies with offices in multiple jurisdictions. As a result, a company's global whistleblowing procedures may need to contain multiple appendices which take account of and/or give deference to specific local requirements, in addition to entity-specific procedures at subsidiary level.

Read our latest articles on Compliance and Crisis Management