Whistleblower Protection Act: Why many companies are still hesitating

Whistleblower Protection Under the EU Whistleblowing Directive: More Than Just a Mailbox

The EU Whistleblowing Directive (Directive 2019/1937) sets a binding framework across the European Union for the protection of persons who report breaches of EU law in a professional context. It applies to a wide range of sectors — from financial services and product safety to environmental protection and public procurement — and creates clear obligations for both private and public organisations.

And yet, in practice, we see that only a few organisations genuinely address the topic. Because this is not just about "some mailbox" — it is about a robust process: a reporting channel, defined roles, deadlines, documentation, communication and training.

Often underestimated: The obligation already applies from 50 employees

Under the Directive, private sector legal entities with 50 or more workers are required to establish internal reporting channels. In practice, this creates a familiar pattern:

• Large organisations often already have "something" in place — a compliance hotline or ombudsperson.
• Mid-sized organisations meeting the threshold frequently still take the position: "We'll deal with it later" — even though the obligation has long applied.

A genuine whistleblower system is more than just a postbox

A functioning whistleblower system consists not just of a channel, but of a channel + procedure + protection mechanisms. Among other things, the Directive provides for:

• Reporting channels: written and verbal — including the option of an in-person meeting upon request

• Confidentiality: mandatory, and often the central sticking point in implementation

• Deadlines: acknowledgement of receipt within 7 days; feedback within 3 months

• Prohibition of retaliation: protection from reprisals is the core of the system

• Outsourcing: organisations may task a third party (e.g. an ombudsperson or external service provider) with receiving and following up on reports

The option to outsource is frequently chosen in practice to ensure confidentiality, neutrality and operational capacity.

Practical takeaway: A whistleblowing system is always a system of trust. If workers — or business partners in a professional context — do not genuinely believe that confidentiality is maintained, they will either not report at all or turn to external channels instead.

Why implementation often fails in practice

Experience shows it rarely comes down to a lack of goodwill. Instead, three very human factors tend to get in the way:

• Misjudging the scope:"We just need a tool." Reality: A tool without a process is like a fire extinguisher without a fire protection plan.
• Fear of incoming reports:"What if things start coming in?" (Note: If there is no trustworthy internal channel, the issues do not disappear — they simply surface elsewhere, often less controllably.)
• Unclear responsibilities between Compliance, HR, Legal, Data Protection and IT.

Why doing nothing is usually the more expensive decision

The Directive requires Member States to provide for effective, proportionate and dissuasive penalties for breaches — including failure to establish reporting channels or violations of the confidentiality obligation. Non-compliance is therefore not a cost-free option.

But the real cost block is often not the formal penalty. Equally relevant — and frequently more expensive — are:

• Reputational risks (public accusations, social media, press coverage)
• Employment law conflicts arising from alleged retaliation — which can escalate both organisationally and emotionally
• External reporting instead of internal clarification, when internal trust is absent
• Investigation costs when a case "boils over" in an unstructured way
• Confidentiality also professionalises the investigation itself: protecting the reporter's identity is key to ensuring that procedures are fair and secure for all involved.

Proactive instead of reactive: how Eticor approaches whistleblower protection

We have decided not to wait until we reach the mandatory threshold. Why? Because we regard whistleblower protection as a core ethical issue — a matter of responsibility towards our employees and towards everyone who works with us in a professional context, including partners and suppliers along our value chain.

We have proactively implemented a system in line with the Directive's standards:

• A clear internal commitment — whistleblower protection as part of lived responsibility
• A reporting channel with a focus on process integrity and confidentiality
• Coming soon: Training to build understanding, confidence and correct use of the system

Mini checklist: How well positioned are you?

• Do we have 50 or more workers? → Then the obligation applies.

• Do we have a channel that genuinely ensures confidentiality?

• Can we meet the 3-month feedback deadline in terms of process?

• Are roles, substitutions and documentation clearly regulated?

• Is reprisal prevention (HR/management) actively trained?

• Have we made the make-or-buy decision — operate internally or engage a third party?

Conclusion

The EU Whistleblowing Directive is not a topic for later. For organisations with 50 or more workers, it creates concrete obligations now. Anyone who sees whistleblower protection merely as a technical channel is missing the point: the decisive factors are robust processes, genuine confidentiality and clearly defined responsibilities. Organisations that act early not only reduce legal and operational risks — they also build trust and a culture of accountability in their own environment.