Published

The EU Whistleblower Protection Directive – How Are Member States Handling the Transposition?

With less than six months now to go until the 17th December 2021 deadline for EU member states to transpose the Whistleblower Protection Directive (2019/1937), progress is still very mixed. 

Just one of the 27 member states – Denmark – has completed the transposition of the Directive, with the new Whistleblower Protection Act passed on 24th June 2021.  Of the remaining 26 member states, 21 of them have begun the process of transposition. Still, they are at various stages of the legislative process, from presentations of draft laws, readings of proposed bills to conducting public consultations.  The final five member states – Austria, Cyprus, Hungary, Luxembourg and Malta – do not appear to have begun work to transpose the Directive into national law.

Obstacles to Transposition

A number of factors have contributed to the slow pace of transposition, both across all member states and in certain individual cases.

The Pandemic

Covid-19 has obviously had a big impact – most countries have deferred legislative efforts in many areas in order to focus on the pandemic response.  Perhaps ironically though, the response itself – particularly how large-scale procurement was conducted outside of normal channels – has drawn additional scrutiny and highlighted the need to protect whistleblowers reporting potential corruption issues, even in times of public crisis.

Bureaucracy Is a Slow Process

Some countries either already have or may soon experience problems in passing legislation during current legislative periods.  This creates a risk that long-winded legal processes may not be completed in time and will have to start again, effectively from scratch, eliminating any possibility of transpositions being completed before the December deadline.

A prominent example of this can be seen in Czechia (Czech Republic), where parliamentary elections are due in early October.  Although a draft Bill to enact transposition was passed by majority on 12th May 2021, a simultaneous proposal from the opposition Pirate Party to accelerate deadlines for negotiation and speed up the legislative process was rejected, leaving completion of the transposition in doubt.

To Expand or Not To Expand

Perhaps the biggest obstacle to transposition, however, has been the debate around whether member states should expand the scope of new laws to go beyond the minimum requirements laid out in the Directive.  The EU has repeatedly encouraged member states to implement standards above and beyond the minimum requirements, particularly with regard to protecting those who report breaches of national law, not just EU law.


Note: The EU has no authority to legislate on national law.  It was restricted to drafting a Directive that would only cover the protection of whistleblowers in the area of EU regulations, with provisions and recommendations included that would enable member states to expand the scope of transposition beyond the “minimum requirements” designed to create an initial common standard.

This obstacle has largely manifested itself in conflicts of interest between the parties involved.  For example, in Germany, business- and justice-orientated groups have been unable to agree on the scope of the transposition, with the former resisting attempts to expand the scope of legislation beyond the minimum requirements.  Indeed, the draft law presented to the German parliament in December 2020 was subsequently rejected in April 2021, the central argument for which was the supposed burden it would place on companies.

What Might "Expanding the Scope" Look Like?

Many questions remain over the final scope of national transpositions.  Whether or not countries will take a “verbatim” approach, applying only the minimum requirements laid out in the Directive, or whether they will, as recommended, take the opportunity to expand the scope and create a more robust framework, remains to be seen.                                                                      

Probably the most important choice for member states to make is whether transpositions of the Directive should cover breaches of national law, as well as EU law.  This is a very significant distinction, as failure to expand the scope in this way risks creating an unbalanced system, where better protection is afforded to those reporting minor breaches of EU law than to those who report serious breaches of national law.

Some countries though are looking to make the most of this opportunity and expand the scope of protection even further.  Romania, for example, has proposed that their transposition should cover “any breach of a legal obligation as well as to actions and omissions that contradict the object or purpose of the law, including non-compliance with ethical and professional rules”.

The issue of anonymous reporting has also been widely debated.  Although the Directive makes clear that anonymous whistleblowers should be afforded the same level of protection as anyone else, it does not include any obligation for organizations to actually respond to and investigate reports from anonymous sources. 


Note: Historically, the argument that reports from anonymous sources are too difficult to investigate and substantiate may have had merit.  Now though, technological advances alone, such as the ability to provide two-way encrypted communications, mean that following up on anonymous reports and obtaining further information from the whistleblower, without compromising their anonymity, is easily achievable.

Other significant areas that are being debated by various member states include:

  • Measures to protect whistleblowers reporting in the areas of national security and defense (e.g. Estonia)
  • Provisions for financial and psychological support for whistleblowers (e.g. France)
  • The introduction of personal liability for those persons who retaliate against whistleblowers (e.g. Bulgaria)
  • Expanding the definition of who can be a whistleblower (e.g. Portugal)

What Have the Danes Done?

Now that Denmark has just become the first member state to enact the Directive in national law, the rest of the EU will no doubt have their eyes on the standards and potential precedent being set when completing their own transpositions.

The legislation strikes a bit of a balance between interested parties, expanding the scope in some areas while implementing only the minimum requirements in others.  As a result, the new Danish Whistleblower Protection Act:

  • Covers reporting on breaches of not just EU law, but also national law and infringements of a serious nature (including bribery, corruption, sexual harassment)
  • Provides protection for whistleblowers who choose to report publicly in certain circumstances (for example, if there is an imminent threat)
  • Does not include protection for reports related to issues of national security, matters covered by legal privilege, or health information covered by the Health Act
  • Does not include any requirements for organizations to respond to or investigate reports from anonymous whistleblowers

What Happens Now?

It’s quite likely that over the next few months, we’ll see quite a flurry of activity from member states as they push to complete transposition before the deadline.  Whether or not all countries will manage to achieve this remains to be seen.

Even if not transposed, however, the minimum requirements of the Directive will still apply in each member state from 17th December.  The EU has not given any indication that this deadline will be extended, so organizations should act accordingly and take the opportunity to establish processes that incorporate global best practices, ensuring they are prepared for whatever happens.

Learn More About the Directive


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.


ESG Ownership: Compliance, Convergence and Opportunity

Watch Out for Hoax Reports to Your Hotline

Whether filed via email or through an online reporting and case management system, fictitious reports can pose a heightened IT security threat. Here are four recommended steps to take if you receive a suspected hoax report through your case management system.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Shadow Policies: Increasing Legal Exposure & Liability

Shadow policies, like shadow IT, are a growing concern for organizations, especially as they come out of lockdown. Here's what you can do to combat this emerging compliance threat.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Subscribe Now!