What is whistleblowing?

Whistleblowing is the act of reporting illegal, unethical, or unsafe conduct within an organization to someone in a position to act on it. The person who makes the report is called a whistleblower. Reports can be made internally to a compliance team or manager, externally to a regulator or authority, or anonymously through a dedicated reporting channel.

What makes something whistleblowing, rather than a personal complaint or grievance, is that the conduct reported threatens others, the organization, or the public interest, not just the individual raising the concern.

Why whistleblowing matters for organizations

Most serious misconduct is known before it escalates. Research consistently shows that employees are often the first to see warning signs: fraud being committed, safety procedures bypassed, harassment going unaddressed. The question is whether they feel safe enough to say something.

Organizations that make it easy, safe, and normal to speak up catch problems when they are still manageable. Organizations that do not tend to find out about them in regulatory investigations, tribunal proceedings, or on the front page of a newspaper.

Beyond risk management, whistleblowing programs are now a legal requirement across the EU. The EU Whistleblowing Directive has made a functioning internal reporting channel a baseline compliance obligation for every organization with 50 or more employees operating in an EU member state.

What qualifies as whistleblowing?

Under the EU Whistleblowing Directive, a report qualifies as whistleblowing when a person discloses information about a breach of EU law that they acquired in a work-related context, and they had reasonable grounds to believe the information was true at the time of reporting. The key threshold is good faith, not accuracy. A whistleblower who reports genuinely but turns out to be wrong retains full legal protection.

The directive's own material scope is defined by the areas of EU law listed in its annex: public procurement, financial services and anti-money-laundering rules, product and transport safety, environmental protection, public health and food safety, consumer protection, privacy and data protection and network security, the financial interests of the EU, and internal market rules such as competition and state aid. Conduct such as fraud, bribery, harassment and discrimination is typically brought into scope by national transposition laws or by the organization's own policy rather than by the directive's annex, which is why programs in practice accept a much wider range of concerns.

National implementations often extend this scope further. Organizations operating in Germany, the Netherlands, and other member states should verify the full range of reportable conduct under local law, which frequently goes beyond the EU baseline. Read more about the 5 conditions of whistleblowing that determine when legal protection applies.

Who does the law protect?

Whistleblower protection is broader than most organizations realize. Under the EU Whistleblowing Directive, it covers anyone with a work-related connection to the organization, not just permanent employees.

Protected individuals include employees on any contract type, self-employed persons and contractors, shareholders and board members, volunteers and unpaid trainees, job applicants, former employees, and suppliers and their staff. Protection also extends to people who assist the whistleblower, colleagues or family members who may face retaliation by association, and legal entities connected to the reporter.

The standard for protection is reasonable belief in good faith, not the outcome of an investigation. An organization that retaliates against a reporter whose concern turns out to be unfounded is still liable.

Three types of whistleblowing reports

Whistleblowing takes different forms, and understanding the distinction helps organizations build programs that route concerns to the right place through the right channel.

Internal reporting means raising a concern through a channel within the organization: a compliance team, ethics function, or dedicated reporting system. This is what the EU Whistleblowing Directive mandates for all in-scope organizations. The directive leaves it to each member state to decide whether organizations must accept anonymous reports, but most national laws and most programs do, and the reporter is protected if they are later identified. Effective programs make anonymous submission the default option, not a workaround, because reporters who fear identification often do not report at all.

External reporting means going directly to a competent authority: a regulator, an anti-corruption body, or an EU institution such as OLAF or ESMA. Reporters are fully protected whether they report internally or externally. Organizations cannot require employees to exhaust internal channels first.

Public disclosure means going to the media or making information publicly available. This is protected as a last resort under the directive, where internal and external channels have failed to act, or where there is an immediate risk to the public interest.

What the EU Whistleblowing Directive requires

The EU Whistleblowing Directive (Directive 2019/1937) is the legal foundation for whistleblower protection across all 27 EU member states. It was adopted in 2019, with a transposition deadline of 17 December 2021 (member states could defer the obligation for private employers with 50 to 249 employees until 17 December 2023). It applies to private sector organizations with 50 or more employees, to public sector bodies regardless of size (member states may exempt small municipalities), and, irrespective of headcount, to entities covered by the EU financial services and anti-money-laundering rules listed in its annex.

Every in-scope organization must meet five core obligations.

1. Secure internal reporting channels

At least one confidential channel must exist through which employees and other in-scope persons can raise concerns in writing, verbally, or both, and the channel must be designed and operated so that the identity of the reporter is protected. Access must be restricted to the designated impartial person or function handling reports. Channels that cannot enforce that restriction, such as a generic or shared mailbox readable by mail administrators, or an ad hoc referral to an HR manager, are hard to defend as compliant.

2. Acknowledgment within 7 days

Every report received must be acknowledged within seven days of receipt. This is a legal obligation, not a target. For organizations handling volume, automated acknowledgment workflows with deadline tracking are the most reliable way to ensure consistent compliance.

3. Feedback within 3 months

Reporters must receive meaningful feedback on the handling of their report within three months of the acknowledgment, or, if no acknowledgment was sent, within three months of the end of the seven-day acknowledgment window. This requires active case management, not just an intake system. Reports left without documented progress create legal exposure and erode the trust that makes people report in the first place.

4. Confidentiality and data protection

Reporter identity and all information that could enable identification must be kept strictly confidential throughout the process. All personal data processed in connection with a report must comply with GDPR, including retention periods, access controls, and data minimization.

5. No retaliation, with reversed burden of proof

Retaliation in any form is prohibited: dismissal, demotion, salary reduction, harassment, negative references, blacklisting. The burden of proof is reversed. If a reporter suffers adverse treatment after making a report, the organization must prove the treatment was unrelated to the report.

How to build a whistleblowing policy that works

A whistleblowing policy is the document that explains to employees what the reporting channel is, how it works, what conduct can be reported, what protections apply, and what the organization commits to in terms of confidentiality and non-retaliation. The directive requires that this information is communicated clearly and made accessible to everyone in scope.

A policy alone is not enough. The policies that actually drive reporting share several characteristics: they are written for the person reporting, not the organization's legal defense; they explain the process in plain language without requiring employees to understand regulatory terminology; they are communicated actively and repeatedly, not just signed off during onboarding and filed away; they are backed by visible leadership commitment and consistent consequences for retaliation.

Read more about building a whistleblowing policy that meets the directive's requirements.

Speak-up culture: beyond the legal minimum

A reporting channel and a compliant policy create the legal framework. A speak-up culture is what makes people actually use it.

Organizations with effective speak-up cultures share common traits. Leadership demonstrates openly that concerns are taken seriously. Managers are trained to handle disclosures correctly and understand the consequences of retaliatory behavior. The reporting system is easy to access, available in multiple languages, and clearly anonymous where that matters.

The fastest predictor of whether a program is working is the reporter check-back rate. On SpeakUp, 49% of anonymous reporters return to follow up on their concern. The industry average is under 30%. Reporters who check back are reporters who trust the system.

Read more about how to build a speak-up culture that goes beyond the legal minimum.

National implementations: what changes by country

The directive sets a floor, not a ceiling. Member states may and often do go further. For organizations operating across multiple jurisdictions, the baseline EU requirements are the starting point, not the finish line. Track current EU implementation status across all member states at the EU Whistleblowing Monitor.

Germany: Hinweisgeberschutzgesetz (HinSchG)

In force from 2 July 2023. Applies to organizations with 50 or more employees (for those with 50 to 249 employees, from 17 December 2023). Extends the reportable scope to include breaches of German criminal law and certain administrative offences. Permits anonymous reporting, although it does not oblige organizations to process anonymous reports. Applies reversed burden of proof for retaliation claims. Fines of up to €50,000 for retaliation and up to €20,000 for failure to establish a reporting channel.

Netherlands: Wet bescherming klokkenluiders

In force from 18 February 2023 (for organizations with 50 to 249 employees, from 17 December 2023). Applies to organizations with 50 or more employees. Extends protection to cover reports about breaches of Dutch law alongside EU law. Introduces explicit burden of proof reversal. The Huis voor Klokkenluiders remains the designated external competent authority and can investigate and issue findings against organizations found to have acted improperly.

United Kingdom: Public Interest Disclosure Act (PIDA)

The UK retained its whistleblowing framework after Brexit through PIDA, which has been in force since 1998. Unlike the EU directive, PIDA is embedded in employment law rather than standalone legislation. Protection applies to workers (including contractors and agency workers) who make a qualifying disclosure about specific categories of wrongdoing. Retaliation claims are brought through employment tribunals rather than a dedicated authority. Organizations with operations in both the UK and EU must meet both frameworks, as they differ in scope, timelines, and enforcement routes.

US companies operating in the EU

The United States has no single equivalent to the EU Whistleblowing Directive. US whistleblower law is sector-specific: Sarbanes-Oxley covers financial fraud at public companies, Dodd-Frank covers SEC violations, and separate regimes govern healthcare, environmental, and federal contractor contexts. However, US-headquartered companies with employees in EU member states are subject to the directive for those operations regardless of where the parent company is incorporated. A company based in New York with 60 employees in Germany must comply with the HinSchG. This is a common compliance gap for US multinationals expanding into Europe.

What to look for in whistleblowing software

A reporting channel must be secure enough for reporters to trust it, capable enough for compliance teams to operate it, and robust enough to demonstrate compliance to regulators and auditors.

When evaluating whistleblowing software, the capabilities that matter most are: multi-channel intake (web, phone, app, voice); end-to-end confidentiality with no logging of IP addresses or device identifiers; anonymous two-way communication, typically via a random case access code held only by the reporter, so investigators can follow up without breaking anonymity; structured case management with 7-day acknowledgment workflows and 3-month follow-up tracking; role-based access controls and full audit trails; GDPR compliance with defined retention periods; and independent security assurance such as ISO 27001 certification and an ISAE 3000 Type II report.

The most common failure point in whistleblowing programs is not intake. It is case management. Reports come in and stall because there is no structured process for triaging, investigating, documenting, and closing them within the required timelines. The tool you choose needs to handle the full workflow, not just the front end.
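The two properties that decide whether a channel is trustworthy are the ones the five obligations above and the capability list here keep returning to: the reporter can come back anonymously, and every case is driven to its 7-day and 3-month deadlines. The following sketch, added here as an illustration and not code from SpeakUp or any product, shows the core of both. It assumes an in-memory store, a constructed sample report, and that "three months" is computed in calendar months from the acknowledgment (or from the end of the seven-day window if none was sent); the reporter holds a random access key whose hash alone is stored, and the audit trail records roles and actions but no IP addresses or device identifiers.

```python
from __future__ import annotations

import calendar
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACK_WINDOW = timedelta(days=7)  # directive: acknowledge receipt within seven days


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic (31 Jan + 1 month -> last day of Feb)."""
    m = dt.month - 1 + months
    year, month = dt.year + m // 12, m % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class Case:
    case_id: str
    key_hash: bytes                     # hash of the reporter's access key; the key itself is never stored
    received_at: datetime
    acknowledged_at: datetime | None = None
    feedback_at: datetime | None = None
    thread: list[tuple[str, str]] = field(default_factory=list)            # (role, text), role is "reporter" or "handler"
    audit: list[tuple[datetime, str, str]] = field(default_factory=list)   # (when, actor_role, action): no IP or device ids

    def ack_deadline(self) -> datetime:
        return self.received_at + ACK_WINDOW

    def feedback_deadline(self) -> datetime:
        # Three months from acknowledgment, or from the end of the seven-day
        # window when no acknowledgment was sent (assumed reading of the rule).
        start = self.acknowledged_at or self.ack_deadline()
        return add_months(start, 3)


class ReportingChannel:
    """Hypothetical intake and case store; handler methods would sit behind RBAC in a real system."""

    def __init__(self) -> None:
        self._cases: dict[str, Case] = {}

    @staticmethod
    def _hash(access_key: str) -> bytes:
        # The key is a 256-bit random secret, so an unsalted hash cannot be reversed from a leaked store.
        return hashlib.sha256(access_key.encode()).digest()

    def submit(self, text: str, now: datetime) -> tuple[str, str]:
        """Anonymous intake: returns (case_id, access_key); the key is shown to the reporter once."""
        case_id = secrets.token_hex(8)
        access_key = secrets.token_urlsafe(32)
        case = Case(case_id, self._hash(access_key), now)
        case.thread.append(("reporter", text))
        case.audit.append((now, "reporter", "submitted"))
        self._cases[case_id] = case
        return case_id, access_key

    def _open(self, case_id: str, access_key: str) -> Case:
        case = self._cases.get(case_id)
        # Constant-time compare; an unknown id is compared against a dummy so timing does not reveal it.
        expected = case.key_hash if case else b"\x00" * 32
        if not hmac.compare_digest(self._hash(access_key), expected) or case is None:
            raise PermissionError("unknown case or wrong access key")
        return case

    def reporter_checkback(self, case_id: str, access_key: str, now: datetime) -> list[str]:
        """Two-way follow-up: the reporter proves possession of the key, not an identity."""
        case = self._open(case_id, access_key)
        case.audit.append((now, "reporter", "checked_back"))
        return [text for role, text in case.thread if role == "handler"]

    def reporter_reply(self, case_id: str, access_key: str, text: str, now: datetime) -> None:
        case = self._open(case_id, access_key)
        case.thread.append(("reporter", text))
        case.audit.append((now, "reporter", "replied"))

    def handler_acknowledge(self, case_id: str, now: datetime) -> None:
        case = self._cases[case_id]
        case.acknowledged_at = now
        case.thread.append(("handler", "We have received your report and opened a case."))
        case.audit.append((now, "handler", "acknowledged"))

    def handler_feedback(self, case_id: str, text: str, now: datetime) -> None:
        case = self._cases[case_id]
        case.feedback_at = now
        case.thread.append(("handler", text))
        case.audit.append((now, "handler", "feedback_given"))

    def overdue(self, now: datetime) -> list[tuple[str, str]]:
        """Cases past a statutory deadline, for the compliance team's dashboard."""
        late = []
        for c in self._cases.values():
            if c.acknowledged_at is None and now > c.ack_deadline():
                late.append((c.case_id, "acknowledgment"))
            if c.feedback_at is None and now > c.feedback_deadline():
                late.append((c.case_id, "feedback"))
        return late
```

The point of storing only a hash of the access key is that a compromise of the case database does not let an attacker impersonate reporters on check-back, and the point of the `overdue` query is that the 7-day and 3-month obligations are enforced by the system's clock rather than by someone remembering to look.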

For a detailed comparison of leading platforms, read the top whistleblowing software tools. To see how SpeakUp handles the full reporting and investigation workflow, visit the whistleblowing software solution page.

See how SpeakUp makes doing right, easy.

Talk to one of our compliance experts about your program. No pitch. Just a conversation about what you need and whether SpeakUp is the right fit.

Discover SpeakUp Report
Book a demo

Frequently asked questions

Is whistleblowing software mandatory?

In the EU, organizations with 50 or more employees are legally required to have a secure, confidential internal reporting channel. The directive does not mandate specific software, but a generic mailbox or an informal process will struggle to demonstrate the confidentiality, restricted access, and deadline tracking the directive requires. Dedicated whistleblowing software is the standard way to meet the obligation in practice.

In the US there is no single equivalent requirement: whistleblower obligations are sector-specific, covering areas such as financial fraud under Sarbanes-Oxley, securities violations under Dodd-Frank, and healthcare and environmental contexts under separate federal statutes. However, US-headquartered companies with employees in EU member states are fully subject to the EU Whistleblowing Directive for those operations, regardless of where the parent company is incorporated.

Do US companies operating in the EU need to comply with the EU Whistleblowing Directive?

Yes. The directive applies to any organization with 50 or more employees operating in an EU member state, irrespective of where the parent company is based or incorporated. A US company with operations in Germany, the Netherlands, France, or any other EU country must meet the directive's requirements, including establishing a secure internal reporting channel, acknowledging reports within seven days, and providing feedback within three months. National implementations such as Germany's HinSchG and the Dutch Wet bescherming klokkenluiders may impose additional obligations and penalties on top of the EU baseline.

What is the difference between whistleblowing and making a complaint?

A complaint is typically a personal grievance about how an individual has been treated. Whistleblowing involves reporting conduct that harms or threatens others, the organization, or the public interest. The distinction matters legally: whistleblower protection laws apply to the latter. In practice, many organizations route both through the same reporting channel and triage accordingly.

Does a whistleblower have to be an employee?

No. Under the EU Whistleblowing Directive, protection extends to contractors, suppliers, volunteers, trainees, job applicants, board members, and former employees. Anyone with a work-related connection to the organization who reports in good faith is covered.

What happens if a whistleblowing report turns out to be unfounded?

Whistleblowers are protected as long as they had reasonable grounds to believe the information was true at the time of reporting. An investigation that finds no wrongdoing does not remove that protection. The standard is good faith, not accuracy.

What is the difference between internal and external whistleblowing?

Internal whistleblowing means reporting through channels within the organization: a manager, HR, compliance team, or ethics hotline. External whistleblowing means going directly to a competent authority such as a regulator or anti-corruption body. Under the EU Whistleblowing Directive, reporters retain full legal protection whether they report internally or externally. Organizations cannot require employees to use internal channels first.

Can whistleblowers go to regulators without reporting internally first?

Yes. The directive explicitly protects reporters who choose to use external channels before, instead of, or alongside internal ones. Organizations cannot require employees to exhaust internal reporting before contacting a regulator.