What is a non-retaliation policy and why does it matter?

Fear of retaliation is the single biggest reason employees stay silent. This guide covers what a non-retaliation policy must include, how the EU Whistleblowing Directive defines retaliation, and how to build the broader conditions that make speak-up culture real.

Travis Hatridge
March 18, 2026

There is a gap that sits at the heart of most speak-up programs. Organizations invest in reporting channels, train managers on how to handle concerns, and write whistleblowing policies that check every compliance box. Then someone raises a concern and, six months later, finds themselves passed over for promotion. Or quietly moved to a different team. Or managed out.

Nobody called it retaliation. It rarely is, officially. But the message gets through, and it travels fast.

A non-retaliation policy is the document that makes the difference between a speak-up culture that works and one that exists only on paper. This guide covers what it needs to say, why the language matters, what the law requires, and how to build the broader conditions that allow it to function.

Sources referenced include the EU Whistleblowing Directive (2019/1937), Transparency International’s Business Principles for Countering Bribery, the ACFE Report to the Nations 2022, and ISO 37002:2021 (Whistleblowing management systems).

Why retaliation is the single biggest threat to a speak-up culture

The ACFE’s 2022 Report to the Nations found that organizations with anonymous reporting hotlines detected fraud twice as quickly and suffered lower median losses than those without them. The data is unambiguous: reporting mechanisms save organizations money and surface problems earlier.

But they only work if people use them. And people only use them if they believe they are safe to do so.

The European Commission’s own impact assessment for the Whistleblowing Directive found that fear of retaliation was the primary reason individuals chose not to report concerns. Not uncertainty about the process. Not lack of access to channels. Fear.

ISO 37002:2021, the international standard for whistleblowing management systems, is explicit: protecting individuals from retaliation is not a secondary consideration; it is a foundational requirement for any effective reporting system. Without it, the system does not function.

What is a non-retaliation policy?

A non-retaliation policy is a formal commitment from an organization that individuals who raise concerns in good faith, whether through internal channels, to a regulator, or to other legitimate bodies, will not face adverse consequences as a result.

It is related to, but distinct from, a whistleblowing policy. A whistleblowing policy describes the reporting process. A non-retaliation policy describes the protection afforded to people who use it. Both are necessary; neither alone is sufficient.

What counts as retaliation?

This is where many policies, and many managers, get into trouble. Retaliation is not always obvious. It is rarely a dismissal letter that says “you are being let go because you reported a concern.” Most retaliation is subtler, cumulative, and plausibly deniable.

The EU Whistleblowing Directive provides one of the most comprehensive definitions in any legal framework. It defines retaliation to include suspension, lay-off, dismissal, or equivalent measures; demotion or withholding of promotion; transfer, change of location, or reduction in wages; change in working hours or negative performance assessments; coercion, intimidation, harassment, or ostracism; blacklisting that may impair future employment; premature termination of contracts for goods or services; damage to reputation, including on social media; and mental harm, including psychological pressure.

This breadth matters. A policy that only protects against formal dismissal leaves significant room for the subtler forms that are far more common in practice.

Who is protected?

The instinct to limit protection to direct employees is increasingly out of step with legal requirements and good practice. The EU Directive extends protection to employees including part-time and fixed-term workers, self-employed individuals and freelancers, shareholders and board members, volunteers and unpaid trainees, job applicants who encounter concerns during recruitment, facilitators who assist a reporter, and third parties connected to the reporter who may face secondary retaliation.

For organizations operating outside the EU, many of these extensions reflect best practice even where they are not yet legal requirements. ISO 37002:2021 recommends a similarly broad scope of protection.

What a non-retaliation policy must include

A policy that says “we do not retaliate against people who raise concerns” and nothing else is not a policy; it is a statement. Effective non-retaliation policies are operational documents. They tell people what is covered, who is covered, how complaints are handled, and what the consequences are for those who retaliate.

A clear definition of retaliation

Use the EU Directive’s framework if you operate in or sell into EU markets; it is already the legal standard for a significant part of your workforce. For organizations outside the EU, adapt it to your jurisdiction while erring on the side of breadth. The definition should explicitly include indirect and subtle forms: exclusion from meetings, reduction in responsibilities, change in tone from management, negative references.

The scope of protection

Define clearly who is protected. If you want a speak-up culture that extends beyond direct employees to contractors, partners, and suppliers, say so explicitly. A policy that overpromises and underdelivers is worse than a narrower but reliable one.

The standard of good faith

Protection applies to individuals who raise concerns in good faith, meaning they genuinely believe the information to be true at the time of reporting, even if it later turns out to be inaccurate or the concern is not upheld. This is an important clarification. Employees sometimes hesitate to report because they are not certain their concern is correct. Good faith protection removes that barrier.

The policy should also be clear that protection does not extend to knowingly false reports made in bad faith, which is an entirely different situation from a well-intentioned report that does not result in a finding.

Reporting retaliation

The policy must tell people what to do if they believe they are experiencing retaliation. The reporting mechanism should be independent of line management (which is often the source of the retaliation) and should include a confidential or anonymous option. Under ISO 37002:2021, organisations are required to ensure that those who report retaliation are themselves protected from further retaliation for having done so.

Investigation process

Retaliation complaints must be investigated promptly, by someone with appropriate independence and authority. The policy should describe who receives the complaint, who conducts the investigation, the typical timeline, and what outcomes are possible. Where the alleged retaliator is a senior manager, independent oversight (from the board, an audit committee, or an external party) is appropriate.

Consequences for retaliation

A non-retaliation policy without consequences is not credible. The policy must state plainly that retaliation, in any form, is a serious disciplinary matter that may result in dismissal, and that managers who tolerate or facilitate retaliation by others are equally accountable.

This matters beyond its deterrent effect. Employees are watching how the organization responds when the policy is tested, and the response to the first visible retaliation case will define the policy’s credibility for years.

Legal rights

The policy should acknowledge that, depending on jurisdiction, individuals have legal rights beyond those provided by the policy itself. In the EU, individuals covered by the Whistleblowing Directive can seek remedies directly through national courts and regulators. Being transparent about this is a signal of good faith, not a liability.

The limits of policy: what a document cannot do

A well-written non-retaliation policy is necessary. It is not sufficient.

Retaliation most often occurs at the level of line management, in day-to-day decisions that are individually explainable and collectively devastating. No policy document reaches into that space. What does reach in is culture: the lived experience of whether speaking up is genuinely safe, reinforced by how management behaves and what happens to people who raise concerns.

Management training

Managers need to understand what retaliation looks like in practice, including the subtle forms. They need to understand their obligations when someone on their team raises a concern, including the obligation not to discuss the report with others, not to change the person’s working conditions, and to escalate any concerns about how the reporter is being treated. This cannot be conveyed in a policy document alone. It requires training, repeated over time, with real scenarios.

Visible leadership commitment

Transparency International’s Business Principles for Countering Bribery are clear: tone from the top is not a platitude. It is one of the most reliable predictors of whether ethical commitments are embedded or performative. When leaders speak openly about the importance of raising concerns and are seen to take action when concerns arise, the policy becomes credible. When leaders are silent or dismissive, no policy compensates.

Anonymous and confidential reporting channels

The most consistent finding in research on speak-up programs is that reporters need options. Some individuals are comfortable raising concerns directly with their manager. Others are not, because the concern involves their manager, or because they have seen what happened to others who reported, or because they are not yet sure their concern is significant enough to put their name to.

Confidential and anonymous reporting channels are not a concession to distrust; they are an acknowledgement of how people actually behave under conditions of uncertainty and risk. The EU Whistleblowing Directive requires organizations of 50 or more employees to establish such channels, and to allow anonymous reporting where member states implement that provision.

SpeakUp’s platform is built around this insight: secure, multi-channel reporting with two-way anonymous dialogue, so that even reporters who do not wish to identify themselves can engage with the investigation process. See how it works.

Follow-up and feedback

ISO 37002:2021 requires organizations to acknowledge receipt of a report within seven days and to provide feedback on the outcome within a reasonable period. When reporters receive no acknowledgement and no indication that their concern was taken seriously, they assume it was not. That assumption spreads. Closed-loop reporting, where reporters are kept informed of the status of their concern, within the limits of confidentiality, is one of the strongest signals an organization can send that the system works.

The legal landscape for non-retaliation

Legal requirements vary significantly by jurisdiction, sector, and organisation size. The following is an overview, not legal advice. Your legal or compliance function should assess the specific requirements applicable to your organization.

EU Whistleblowing Directive (2019/1937)

The Directive requires member states to ensure that individuals who report breaches of EU law are protected from retaliation. It applies to organizations with 50 or more employees and all public sector bodies. Key provisions: a prohibition on retaliation in any form, including indirect and threatened retaliation; a reversal of the burden of proof in retaliation proceedings, so that the organization must demonstrate the detriment was not retaliatory; requirements for internal reporting channels allowing anonymous reporting where member states have implemented this provision; and interim relief for individuals facing retaliation pending resolution of proceedings.

UK Public Interest Disclosure Act 1998

The PIDA protects workers who make qualifying disclosures (concerning criminal offenses, health and safety risks, environmental damage, miscarriages of justice, or the concealment of such matters) from dismissal and detriment. The PIDA is narrower in scope than the EU Directive: it covers fewer categories of concern, applies only to workers rather than the broader categories covered by the Directive, and does not include a reversal of the burden of proof. Post-Brexit, UK law in this area has not been updated to align with the Directive.

US federal whistleblower protections

The US has a patchwork of sector-specific protections: the Sarbanes-Oxley Act covers employees of public companies reporting securities fraud; the Dodd-Frank Act provides financial incentives and protections for individuals reporting to the SEC; the False Claims Act covers individuals reporting fraud against the federal government. Protections and remedies vary significantly by statute.

FAQ: non-retaliation policy

What is the difference between a non-retaliation policy and a whistleblowing policy?

A whistleblowing policy describes how to raise concerns, the channels available, the types of concerns covered, and the investigation process. A non-retaliation policy describes the protections afforded to people who use those channels. Both are needed. A whistleblowing policy without a non-retaliation policy is incomplete; a non-retaliation policy with no reporting process to anchor it is theoretical.

Does a non-retaliation policy need to cover contractors and freelancers?

Under the EU Whistleblowing Directive, yes: protection extends to self-employed individuals, freelancers, volunteers, and others beyond direct employees. For organizations outside the EU, extending protection beyond employees is strongly recommended as a matter of good practice, particularly where those individuals have access to information about potential wrongdoing.

What should happen if a manager is accused of retaliation?

The investigation must be conducted independently of that manager. Depending on seniority, this may require involvement from HR, Legal, the compliance function, or (for very senior individuals) the board or an external party. The individual making the complaint should be protected from further contact with the manager during the investigation period.

Can an organization be held liable for retaliation even if it was unintentional?

In most jurisdictions, yes. The EU Directive places the burden of proof on the organization once a reporter demonstrates they made a report and suffered a subsequent detriment. Intention is relevant to individual accountability but is not a complete defence for the organisation. This makes proactive management of post-report working conditions essential.

How do we know if our non-retaliation protections are actually working?

Reporting rates are one indicator, but they need context. A sudden drop in reports may indicate that trust has eroded. Track: the number of concerns raised over time, the proportion resulting in formal findings, the rate of retaliation complaints, and the employment trajectories of individuals who have raised concerns. Exit interview data can also surface patterns that internal metrics miss.

Create a speak-up culture where reporting feels safe

A non-retaliation policy is only as effective as the infrastructure that supports it. SpeakUp provides organizations with an anonymous, secure reporting platform that makes it easy for employees to raise concerns, and for compliance teams to manage, investigate, and close cases with a full audit trail.

See how SpeakUp works or book a demo to find out how we can help your organization build a speak-up culture that employees actually trust.
