What is the Whistleblower Protection Act and how can it be implemented in companies?
With this article, we would like to bring you up to date on Whistleblower Protection Act (HinSchG) as an implementation of the rules applicable since 17 December 2021 EU Directive bring. We will clear away uncertainties and reservations about whistleblower systems and provide you, as a company, with clear Recommendations for action.
As the law was passed on 12.05.2023 and came into effect on 02.07.2023 Companies with 250 or more employees has come into force, companies should act immediately.
Since 17 December 2023, Businesses with 50-249 employees to act.
The directive forces you to be happy by mandating an early warning system for your business and a protective shield for your employees.
Current information on the implementation deadline of the Whistleblower Protection Act
On 9 May, the mediation committee of the Bundestag and Bundesrat agreed on amendments to the Whistleblower Protection Act. The Bundestag passed the law on 11 May 2023, and the Bundesrat approved the amendments on 12 May 2023. On 2 June 2023, the Act was published in the Federal Law Gazette. The most important changes are summarised further down in the post. Implementation deadline for companies of different sizes With an implementation deadline of one month, companies are faced with at least 250 employees since the 02.07.23 obliged to provide a whistleblower or. Whistleblowing system to have set up. Private employers with 50 to 249 employees are since the 17 December 2023 obliged to establish an internal reporting office.The German Act on Corporate Due Diligence Obligations for the Prevention of Human Rights Violations in Supply Chains (HinsG) sets out the following requirements for German companies: * **Due diligence obligations:** Companies must establish and implement adequate and effective systems of governance and risk management to identify, prevent, mitigate, and account for human rights violations and certain environmental violations within their own operations and by their direct suppliers. * **Scope:** The law applies to German companies with 3,000 or more employees (from 2023 onwards) and will extend to companies with 1,000 or more employees (from 2024 onwards). Indirect suppliers are also covered. * **Key elements of the due diligence process:** * **Risk analysis:** Companies must conduct a risk analysis to identify potential human rights and environmental risks. * **Preventive measures:** They must take appropriate preventive measures to avoid or minimise identified risks. * **Remedial action:** If a violation occurs, companies must take appropriate remedial measures. * **Complaint mechanism:** A complaints procedure must be established to allow affected parties to report human rights or environmental risks or violations. * **Reporting:** Companies must publish an annual report on their due diligence efforts. * **Liability:** Companies can be held liable for violations of due diligence obligations. * **Enforcement:** The Federal Office for Economic Affairs and Export Control (BAFA) is responsible for supervising compliance and can impose fines for non-compliance.
- Companies with 50 to 249 employees: These companies also have to provide their employees with a reporting channel, although the deadline for this was 17.12.2023.
- Public sector organisations, or municipalities and cities those with over 10,000 inhabitants are also affected by the law.
- The reporting systems must both written or oral as well as a personal Notification from incidents.
- Within 7 days beantwortet werden?. confirmed to be.
- At the latest 3 months after reporting whistleblowers must have measures taken to be informed.
- The application areas of the Whistleblower Protection Act relate to EU law and national law.
- The whistleblowing system must GDPR-compliant being and the Identity of the whistleblower protect. The offer of a anonymised submission from reports has so far been recommended, but for 2025 Mandatory. This means that internal reporting offices must make appropriate provisions for receiving and processing anonymous reports.
- When laws are broken, companies must Fines of up to €50,000 Calculate.
The most important questions about the Whistleblower Protection Act
With our online check, you can find out in under 5 minutes if your current system meets legal requirements and is state-of-the-art.
Answer specific „Yes/No questions“ and then, if desired, receive an evaluation with individual recommendations.
German Whistleblower Protection Act: What is whistleblower protection?
One of the biggest Challenges When implementing the Whistleblower Protection Act in companies, there's a negative connotation that often accompanies the topic of „whistleblowing.“ In Germany, the term is frequently associated with the betrayal of secrets, leading to a very one-sided interpretation. This overlooks the fact that it's not inherently bad when secrets are revealed, especially when they involve violations of the law. Furthermore, Difference in the designation between Whistleblowing, donating valuable Notes, and A leak, In sharing sensitive data with the general public, it plays an important role: With leaking, misconduct or illegal activities in an organisation are usually made public via the press. Whistleblower or Whistleblower whereas information only directs to responsible authorities further, usually without appearing in public.
Durch das Aufdecken von Gesetzesverstößen in Unternehmen werden unternehmensinterne Hinweisgeber zu einem wichtigen Bestandteil des Corporate Governance Systems. Sie tragen dazu bei, dass Unternehmen im Einklang mit Gesetzen und Vorschriften handeln. Early warning system. This allows reported problems to be addressed and resolved promptly, rather than ending up as a scandal in the headlines one day without warning.
employees must at the Observation of legal infringements decide whether they this To report or not. Depending on the power dynamics and company culture, such a report has previously resulted in personal disadvantages, exclusion, or termination. This has meant that the personal risks for a whistleblower have become an often insurmountable hurdle.
To prevent exactly this hesitation, the EU has decided to, Whistleblower The German Whistleblower Protection Act aims to better protect individuals in the future. Someone who uncovers wrongdoing within a company, must not fear disadvantage or even have to worry about their job or their future.
Failure to comply with the implementation deadline for the Whistleblower Protection Act could result in fines.
Employers with 250 or more employees had to implement the provisions of the Whistleblower Protection Act as early as 2 July 2023. For companies with between 50 and 249 employees, the deadline was Implementation deadline of 17.12.2023. they then must Internal reporting channels and concepts to Protection of whistleblowers and operated. Failure to do so may result in fines of up to €50,000 for companies.
Since 2025 The Federal Office of Justice (BfJ) is responsible nationwide for the prosecution of administrative offences related to the Whistleblower Protection Act. It plays a central role in sanctioning violations, for example, if companies have not set up a system, obstruct reporting, or breach confidentiality obligations.
Typical penalty offenses according to the Whistleblower Protection Act
- No whistleblower system or reporting channel available
- Hindering or intimidating employees when they make a report
- Breach of statutory confidentiality of identity
- Victimisation of a whistleblower for reporting
Anonymous tips are gaining relevance
Even though the Whistleblower Protection Act (HinSchG) does not mandate anonymous reporting channels, they are increasingly gaining importance. International standards such as ISO 37301 (Compliance) and ISO 37001 (Anti-Corruption) effectively require them – particularly for companies striving for certification or wishing to further develop their compliance structures.
A ruling by the Regional Court of Nuremberg-Fürth (2025) further strengthens the importance of anonymous tips: it confirmed that even completely anonymous reports – if they are concrete and comprehensible – can justify prosecutorial investigations and searches. In this case, an invoicing fraud was uncovered through anonymously submitted documents and photographs.
In the international business environment, anonymous reporting channels are now considered a crucial criterion for an effective and credible compliance system.
Central corporate reporting offices are not sufficient
Whistleblowers can freely choose whether to report to internal reporting offices within the company – such as an ombudsperson – or to external bodies like the Federal Office of Justice. In certain cases, BaFin or the German Federal Cartel Office are also responsible. However, companies are obliged to create incentives for the internal reporting channel. The prerequisite is that employees are transparently informed about the internal procedure and have confidence in its effectiveness.
At the same time, the EU Commission made it clear in 2025 that central group reporting offices alone are not sufficient. Every legally independent group entity must provide its own functioning internal reporting system. If employees are effectively denied access to a practical internal reporting channel, this violates the requirements of the EU Whistleblower Directive.
Burden of proof reversed only on active appeal
A ruling by the Lower Saxony Regional Labour Court from 2025 makes it clear that whistleblowers must actively invoke the statutory prohibition of discrimination and provide evidence that they submitted a report via the designated reporting channel for the reversal of the burden of proof to apply. For companies, this means they must take particular care to document whether and when such a report is made – and how it was responded to.
Whistleblower protection only when using the reporting channel
Following a ruling by the Hamm Labour Court in 2024, an employee is only protected by the HinSchG if they use their organisation’s internal reporting channel or an external reporting channel. In the specific case, an employee had expressed complaints or given indications within the scope of performance reviews, also before the HinSchG came into effect.
Incentives for internal whistleblowing
Whisleblowers should in principle have a choice between external and internal reporting. This also means that employers should create incentives for whistleblowers to contact the respective internal reporting office of the employer first before submitting a report to an external reporting office of the federal state or the state government.
Previous developments on the Whistleblower Protection Act
Below you will find the current status of implementation in all 16 federal states as well as Berlin as a city-state – including the respective state laws and further links.
Conclusion
What is the EU basis for the German Whistleblower Protection Act?
The EU Whistleblower Protection DirectiveEU Directive 2019/1937) requires that all Companies with more than 50 employees set up a whistleblowing system. This also applies to authorities and public institutions, as well as to Council with 10,000 inhabitants. For companies with between 50 and 249 employees, an extended implementation deadline applied until 17 December 2023. The EU Directive, the Whistleblower Protection Act, and the associated requirements for companies are intended to provide better protection for whistleblowers when they report breaches of law within the company. For this purpose, a Internal whistleblowing system also Reporting channel concerns. This can be accessible not only to its own employees but also to those of sales partners, customers, and service providers.
Implementation of the HinSchG Whistleblowing Directive
As this is a policy and not a regulation (as with GDPR), all EU Member States must also implement a national whistleblower protection act to introduce a law that ensures whistleblower protection. The legal requirements of the EU directive represent the „minimum“.
Many European countries were faster than the German federal government in implementing the EU directive. Some governments also see stricter sanctions as Germany. In Poland, managing directors face up to 3 years in prison for non-compliance with legislation. Other countries such as the Czech Republic already require companies with more than 25 employees to implement a whistleblowing system.
In Germany However, companies must not only observe the HinSchG when dealing with whistleblowers: The Supply Chain Due Diligence Act (LkSG) further stipulates that, since 01 January 2023, companies with 3,000 or more employees must ensure that all employees along the supply chain enable the submission of tips. Since 1 January 2024, this also applies to companies with over 1,000 employees.
The new Whistleblower Protection Act mandates whistleblower systems
A Whistleblower Protection Act defines all individuals as potential whistleblowers who come into contact with your company in the course of their work. This means it affects not only your employees but also customers or suppliers (you can read more about this in our article „Ein Whistleblower ist eine Person, die illegale oder unethische Aktivitäten in einer Organisation aufdeckt.“). Therefore, the company is obliged to provide clear and understandable information on reporting channels and the processing of reports (for example, on the company website).".
In addition to the possibility of reporting in writing and orally, the company must also offer personal contact if the whistleblower wishes. Naturally, it must also process the data in connection with the report in a GDPR-compliant manner. In companies, reports of compliance violations are usually made by so-called Ombudspersons A mediator is appointed to resolve conflicts, mediate independently between, for example, employees and managers, and ensure fair procedures within organisations. This includes handling whistleblowing.
Important: The statutory duty of confidentiality under the HinSchG applies in relation to the organisation. With regard to state authorities – such as government agencies, courts, or the public prosecutor's office – reporting channels must disclose information upon request. Only if an ombudsman is a lawyer bound by professional secrecy does the duty of confidentiality also apply in relation to state authorities. For companies, this can be a decisive criterion when selecting a whistleblowing system supported by a lawyer.
The Whistleblowing Directive and the German Whistleblower Protection Act not explicitly obliged to enable anonymous reporting. You phrase it as Required provision and thereby create a grey area, particularly for companies.
However, the recommendation is clear: Only anonymity provides sufficient Safety and Trust, to reduce the inhibition to report critical observations. The majority of companies that have already implemented whistleblowing systems have opted for reporting channels that include the option of anonymous reporting.
Further requirements for companies and authorities due to the EU Whistleblowing Directive
However, the directive does not just prescribe the implementation of whistleblowing systems. It also requires, Procedure for handling notifications To set up within your company. By stipulating specific deadlines within which your company must respond to notices, the directive also requires the management of follow-up actions:
- Within 7 days Must your company confirm to the whistleblower that the report has been received.
- You must also inform the whistleblower of any subsequent actions taken and that no later than three months.
Important for these additional requirements is the selection and Nomination of an impartial person, who is responsible for receiving reports and communicating with the whistleblower. Depending on the size of the company, this can be the management or a compliance officer, or alternatively, an external representative for your company. However, you must ensure that the responsible person is not exposed to any conflict of interest.
This applies to Burden of proof reversalIn case of doubt, the employer is obliged to prove that a dismissal is not related to the employee’s whistleblowing. This requires complete documentation of the entire process surrounding the disclosure – both for the company and for the whistleblower.
Whistleblower protection is corporate protection
The legal requirements of the new Whistleblower Protection Act are raising many questions for companies in practice. You can find out more about the current status of the Whistleblower Protection Act, statutory requirements for whistleblower software, and practical implementation in this excerpt from our webinar on 25.05.23. The full recording can be here request.
You are currently viewing placeholder content from YouTube. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
Further informationHinSchG: Call for the implementation of internal and external reporting channels
The EU directive obliges companies to implement internal and external reporting channels. What is the Difference between the channels?
Internal channels
„In this case, “internal„ means “within the company", i.e. within the legal entity, although this internal reporting channel can also be provided via an external service provider (such as a software provider and/or a lawyer).
INTERNAL REPORTING CHANNEL
Pro
- faster flow of information
- Possibility to counteract and solve problems directly internally
- The recipient knows the company and can classify the content of the notification more quickly.
Contra
- high demands on security, data protection and processes
- Hesitations on the part of whistleblowers: more communication needed to build trust
Outsourcing internal reporting channels
The internal reporting channel from a third party to be entrusted with its introduction or its support, is not only explicitly as a solution that complies with the law not only listed in the policy, but can also be a practical compromise: Potential whistleblowers often fear that they will not remain truly anonymous in internal reporting systems or complain about a lack of transparency regarding the processing and responsibility of reports. „Can't someone curious from our IT find out that I was the one who submitted the report?“ is a frequently asked question in this scenario.
Managing internal reporting channels in-house
An internal reporting channel that is independent of the company’s IT infrastructure can Resolve reservations. Companies can also manage and process the notifications Lawyers or compliance advisers left to others. Some companies even go so far as not to entrust the task to their „trusted lawyer“, with whom the company has been working for years. Instead, they actively select a „new“ lawyer for this task. This can provide employees with additional reassurance, as it reduces the likelihood of a conflict of interest.
External channels
The Directive also requires external reporting channels to be made available to whistleblowers in addition to an internal reporting channel within the organisation. The external reporting channel is to be operated in each EU Member State by a designated public authority. Naturally, all the requirements of the Whistleblower Protection Act also apply to external reporting channels. An external report then triggers a official investigation aus.
EXTERNAL REPORTING CHANNEL
Pro
- completely independent of the company
- Standardised checking of notifications
Contra
- The company only becomes aware of the internal malpractice when the situation escalates or an internal investigation is launched: an incalculable risk for the company
- a slower flow of information
It is important that companies highlight both channels – internal and external – and that staff are aware of the free choice have, which channel select them to report your observations.
There is therefore a strong incentive for companies to ensure that their internal reporting channel is intuitive and accessible at all times, and to build trust in this channel amongst their staff. This can prevent an official investigation – and thus the involvement of third parties – and allow the problem to be dealt with and resolved internally.
Whistleblower protection in corporations
For Corporations, which consist of a parent company and one or more subsidiaries, the Whistleblower Protection Act provides for special provisions: In principle, the following applies to subsidiaries the same rules as is the case for independent companies, meaning that their staff must have access to a whistleblowing scheme once the workforce reaches 50 or more employees. What is particularly noteworthy, however, is that Subsidiaries up to 249 employees do not need to set up their own internal reporting office or their own whistleblowing system – they may the system of their parent company use.
Subsidiaries From 250 and more employees must own whistleblowing system set up. You may continue to entrust the operation of an internal reporting office to the parent company – however, the subsidiary itself remains responsible for ensuring that the requirements of confidentiality are met.
The added value of a whistleblowing system for businesses
Many entrepreneurs have reservations about anonymous whistleblower systems, however, whistleblowing channels offer companies some advantages that cannot be ignored.
- Studies on effectiveness in early detection: a measure of trust
Current studies from 2025 show that effective whistleblowing systems receive an average of 0.4 to 1.0 reports per 100 employees. Companies that do not receive any reports over a prolonged period should see this as a warning sign – it indicates a lack of trust or insufficient awareness of the system. Therefore, companies are well advised to regularly review their communication, training, and technical frameworks. - Improving company culture By implementing a whistleblowing system, the company signals openness and transparency. Employees feel encouraged to raise concerns. This contributes to a positive working environment. When a company provides trusted channels, it shows employees that management takes their concerns seriously and is prepared to respond appropriately.
- Strengthening trust in the organisation: Legal protection for whistleblowers helps employees to have confidence in the company’s integrity. This can have a positive impact on staff retention, motivation, willingness to innovate and the company’s reputation.
- Improving compliance: A whistleblowing scheme helps companies to comply with legal requirements and uphold ethical standards. By involving external parties in accordance with the new Supply Chain Act, the risk of non-compliance is also reduced throughout the entire supply chain.
- Studies on effectiveness in early detection: a measure of trust
Current EU criticism and international comparisons (2025)
The EU criticises Germany for the lack of public support funds and legal advisory services for whistleblowers. Other EU countries offer active support, while Germany refers to private providers.
Critique of the EU: Lack of state support in Germany
While other EU member states provide public support funds and free legal advice for whistleblowers, Germany will still largely rely on private providers in 2025. The EU strongly criticises this situation – particularly with regard to the protection and advice of whistleblowers, who often find themselves in a precarious position.
How can the Whistleblower Protection Act be successfully implemented?
Do you have any questions? Contact You are welcome to a personal conversation with one of our experts.
Our next free webinar for you:
We regularly offer exciting webinars on the subject of whistleblowing.
Customers, partners, and experts engage in dialogue with us and you here, sharing insights and expertise on whistleblowing related to supply chains, ESG & sustainability, employment law, data protection, and more.
Register for our next webinar now!
Further information sources on the HinSchG
- Federal Ministry of Justice and Federal Office of Justice: Legal Text of the HinSchG
- Federal Law Gazette for the HinSchG: BGBl. 2023 I No. 140 of 2 June 2023
- German Federal Government's contribution on the entry into force of the Whistleblower Protection Act on 2 July 2023
- Bundestag proceedings on the HinSchG in the DIP (Documentation and Information System for Parliamentary Materials)
- Information from the Federal Office of Justice of 2 June 2023 on the establishment of external reporting offices
- Thematic page of the Federal Ministry of Labour and Social Affairs on the Supply Chain Due Diligence Obligations Act (LkSG)
- BMAS Corporate Social Responsibility Initiative
- Whistleblower protection as a topic of Transparency International Deutschland e.V.
- Website of the non-profit Whistleblower Network e.V.
- Directive (EU) 2019/1937
- Federal Ministry of Justice — The Whistleblower Protection Act
- Press Release of the German Bundestag
- Press release from the BMJ
(The male form used refers to all persons, regardless of gender.)
