EU Whistle-blowing regulations: the right questions to ask in and outside Europe

Written by Frank Staelens on Friday December 17, 2021


  • Organisations must ask themselves: ‘How do we organise compliance in a way that limits reputational risks and avoids rights abuses?’
  • Non-EU multinationals will need to set up parallel whistle-blowing functions in Europe.

Today marks the deadline for all EU member states to have transposed the EU Whistleblower Protection Directive[1] into national law. It is a deadline most member states, however, have not been able to meet; these now intend to transpose the Directive within the next 3 to 9 months. Any EU fines because of these delays will affect only the member states themselves, not any underlying organisations.

During the transposition process, member states have the liberty to extend the initial scope of the EU Directive. The European Commission even recommended that member states extend the protection scope for whistle-blowers from EU law breaches to national law breaches. The fact that many states have already decided to do so is of course a positive evolution (though the notion of 27 different interpretations is somewhat worrying). Besides the reporting scope, there are some marked differences between member states’ implementations, including:

  • the compliance deadline
  • the organisations subject to the rules
  • intra-group organisation
  • whistle-blower feedback deadlines and methods, and
  • fines for non-compliance.

Deconstructing the decentralised approach

Organisations have two options ahead of them: operating under a centralised policy or a national policy. Those organisations which seek to limit the reporting rights to the ones applicable in the member state where the whistle-blower is based will need to work with national policies.

Although the decentralised, national policy approach seems the obvious choice, there are several substantial arguments against it.

The administrative burden

First, it will significantly increase the administrative burden, including the need to keep multiple local policies up to date and to develop training that informs local stakeholders of their rights. All local stakeholders should also be informed of their equal reporting, information and protection rights. These stakeholders include not only internal ones such as employees, temporary personnel, directors and shareholders, but also external ones: applicants, former employees, contractors and suppliers.

The external reporting risk

Applying different reporting rights and protections in different member states will also increase stakeholder uncertainty. Such ambiguity is best avoided, as it will push whistle-blowers towards using their right to report directly to the competent authorities instead of reporting within the organisation.

Forum shopping

Different reporting rights and protections can, furthermore, encourage whistle-blowers to forum shop. One type of forum shopping is to send in multiple reports on the same issue to multiple destinations, combining either anonymous with named reports, group with local reports or internal with external reports.

A second form is the re-qualification of national law breaches of public interest as EU law breaches. If, for instance, the reporting of the criminal act of misappropriation of company assets is not protected in a specific member state, whistle-blowers may then choose to report it as an AML breach if the criminal proceeds were transferred, as a GDPR breach if there was a data leak, or as an EU tax law breach if the fraud resulted in incorrect tax reporting.

A third way is to report to the competent authority in the country of a sister subsidiary that offers better protection. The fourth and final means of forum shopping could be to report to an involved business partner such as a customer, because your customers will need to facilitate whistle-blowing by your employees on matters related to their organisation. Each example demonstrates the adverse consequences of limiting reporting rights.

The centralised approach

The other option is working with a centralised policy on a group level. A centralised approach implies working with the greatest common denominator of national reporting rights. It is even worth extending the reporting rights independently from the different national regimes to all serious concerns reporting, provided that the reporting is performed in good faith. This should help create a real speak-up culture and avoid negative consequences like the temptation towards external reporting and/or forum shopping, both of which increase the risk of reputation damage.

Even if a group chooses to work with a centralised policy, it will still not be able to share resources with EU subsidiaries that have more than 249 employees. All these subsidiaries require local whistle-blowing functions. Local whistle-blowing managers will not be able to inform the group unless the whistle-blower has approved this in advance. If these approvals are not obtained – and the local entity is unable to organise the whistle-blowing management in accordance with the case governance principles of competence, diligence and impartiality – then outsourcing will be the only remaining option.

Independent of the whistle-blower’s choice of group or local-level reporting, an organisation remains solely responsible for setting up proper procedures that guarantee ID protection and protection from any retaliation against the whistle-blower. So, in the case of local reporting, the group could on the one hand be uninformed because the whistle-blower is not willing to involve them and on the other remain responsible for making sure that the case receives proper local handling by a competent impartial person in such a way that local management is not tempted to intervene or retaliate.

The requirement to organise local whistle-blowing functions relates to both case handling/investigations and reporting systems. The European objective is for whistle-blowers to have a free choice between group and local reporting. All subsidiaries with more than 49 employees require internal reporting systems, which for subsidiaries with more than 249 employees will need to be run separately from the group reporting system. This does not mean that these subsidiaries cannot use the same gateway software, but there will be a need for Chinese walls to guarantee the free choice of the whistle-blower between group and local reporting.

The local whistle-blowing function should be implemented in accordance with the case governance principles of ‘competence, diligence and impartiality’. 

Impartiality is the most difficult to organise, because it presumes that there is no interference from the business. The function that can easily justify its full independence from the business, and at the same time is not conflicted, is the compliance function. Other risk functions could be assigned provided that their impartiality in whistle-blowing case handling is guaranteed. Management reporting, meanwhile, is best organised through an ethics committee; such a committee is also the most appropriately placed to take care of communication and escalation management.

Diligence will require both consistent and timely follow-up on cases. A risk-scoring methodology will be needed to ensure a consistent approach and support a defensible position. To ensure timely follow-up, organisations will also need to organise themselves around the regulatory feedback deadlines (notification within seven days, status reporting within three months, etc.).

The principle of competence presumes that the case recipient has experience with the handling of the reported matters and the handling of whistle-blowers in general. Regulators have already stated that if organisations are unable to organise the whistle-blowing case handling in accordance with the governance principles, then outsourcing is an option available to them.