Whistleblowing Directive: an update

Latest Update: 20th May 2022

The latest news on the German Whistleblower Protection Act: Your guide for the implementation in your company

Current progress on the Whistleblower Protection Act

October 2022: On the 19th October, the draft law was discussed in a public hearing in the Legal Affairs Committee. In theory, all experts at the hearing were in favour of the draft law. However, the draft still had room for improvement and still did not sufficiently protect whistleblowers in the case of observations that were not illegal but nevertheless involved unethical behaviour. The insufficient protection of wrongly accused persons was also frequently criticised. The AfD parliamentary group in particular expressed much criticism of the draft law.

September 2022: The Bundestag and Bundesrat discuss the Whistleblower Protection Act.

July 2022: The Federal Government publishes a detailed draft bill.

April 2022: Dr Marco Buschmann (FDP) submits the new draft bill for the German Whistleblower Protection Act to the ministries for voting. The professional public has time until 11.5.22 to comment on the draft bill.

February 2022: The EU initiates infringement proceedings because the transposition deadline has been exceeded.

December 2021: The EU’s transposition deadline for implementing a national whistleblower protection law expires.

November 2021: The implementation of the EU Directive at national level is included in the coalition agreement.

Early 2021: A draft law is presented by the SPD-led Ministry of Justice. Due to objections to the draft, especially from the CDU/CSU, the law is rejected.


The German parliamentary elections are over, the new coalition has taken over the work of the government, and we are eagerly watching the developments surrounding the Whistleblowing Directive and the German Whistleblower Protection Act. With this article, we would like to update you on the Whistleblower Protection Act as an implementation of the EU Directive, which has been in force since 17 December 2021. We are eliminating the uncertainties and reservations about whistleblower systems and providing you, as an entrepreneur, with clear recommendations for action.

And the conclusion: it is worthwhile to act immediately. The Directive pushes you towards something that benefits you, by prescribing an early warning system for your company and a protective shield for your employees.

The Whistleblower Protection Act for the protection of whistleblowers

The EU Whistleblower Protection Directive (EU Directive 2019/1937) requires all companies with more than 50 employees to set up a whistleblowing system. This also applies to public authorities and public institutions, companies with a turnover of more than 10 million euros and municipalities with a population of 10,000 or more. For companies between 50 and 249 employees, an extended implementation period until December 2023 is intended. The Whistleblowing Directive and the associated requirements for companies are designed to protect whistleblowers better when they report violations of the law within the company. This is to be ensured by an internal whistleblowing system as a reporting channel, which is to be accessible not only to the company’s own employees, but also to those of distribution partners, customers and service providers.

Whistleblower Protection Act: The implementation of the Whistleblowing Directive

Since it is a directive and not a regulation (as the GDPR is), all EU member states must additionally adopt their own national law that ensures whistleblower protection based on the directive. In this context, the legal requirements of the EU Directive represent the “minimum”. The German government could interpret the requirements in the German Whistleblower Protection Act more strictly, but could not soften them or apply them more loosely. There were already talks on the draft for the German Whistleblower Protection Act in the first half of 2021. However, as reported in the SZ, these failed because of the Union (CDU).

Denmark was the first EU member to adopt the national law “Lov om beskyttelse af whistleblowere” on 24th June 2021. Sweden followed with “Lag (2021:890) om skydd för personer som rapporterar om missförhållanden” on 29th September 2021. Legislation is in progress in most of the remaining EU countries.

The governments of some countries are discussing a stricter interpretation. The Czech Republic, for example, has a draft law that would require companies with 25 or more employees to comply with the law. 

The example of Poland shows that things can suddenly move very quickly: The current draft law foresees 3 years imprisonment for the managing director if the company does not implement a whistleblowing system. The obligation to have such a system implemented is supposed to be effective immediately 14 days after the law is approved. In the draft bill, Poland has thus clearly exceeded the requirements of the EU Whistleblowing Directive. The majority situation in Poland speaks in favour of adopting the present draft. 


What does the German Whistleblower Protection Act include? 


The national whistleblower protection act is eagerly awaited, which will hopefully clarify questions regarding details and give companies certainty in its implementation. In the draft, German Justice Minister Christine Lambrecht (SPD) proposed to protect not only whistleblowers who report violations of EU law, but also those who report violations of German law.  

“Otherwise, anyone who reports a violation of European data protection regulations would be protected, but not someone who points out bribe payments, tax evasion or violations of German environmental protection or occupational health and safety regulations.” 
[Quote: Christine Lambrecht, source: https://www.sueddeutsche.de/wirtschaft/whistleblower-lambrecht-unternehmen-1.5278761]


The CDU/CSU accused her of creating hurdles for companies and imposing even more bureaucracy. The parties currently in coalition negotiations, however, have taken a clear position: SPD, FDP and the Green Party demand extensive protection for whistleblowers and see this as an opportunity to prevent scandals and reduce damage. You can read more about this in our article on the impact of the Bundestag elections on whistleblower protection.

With the publication of the coalition agreement between the SPD, the Green Party and the FDP, it is officially certain that Germany will receive an independent whistleblowing law. Specifically, the coalition agreement says (p. 111, 3737-3742):

“We are implementing the EU Whistleblower Directive in a legally secure and practicable way. Whistleblowers must be protected from legal disadvantages not only when reporting breaches of EU law, but also significant breaches of regulations or other significant misconduct, the uncovering of which is in particular public interest. We want to improve the enforceability of claims for reprisals against the injurer and are looking into counselling and financial support schemes for this purpose.”

This makes it clear: the coming law will uniformly cover both violations of German law and the disclosure of significant wrongdoing. Even though the federal government has not yet passed the law, the Directive has applied since 17 December 2021.

Thus, the EU Whistleblowing Directive especially moves private sector companies into a dangerous grey area between national law and EU law.

Whistleblower Protection Act: What is whistleblower protection in general?

One of the biggest challenges in the context of implementing the Whistleblowing Directive in companies is the negative connotation that often resonates with the topic of “whistleblowing”. The term is associated with betrayal of secrets and is thus interpreted in a very one-sided way. What is not recognised is that it is not generally bad if secrets are revealed – especially if they involve violations of the law. By uncovering violations of the law in companies, internal whistleblowers are an early warning system. This enables reported problems to be solved instead of one day ending up in the headlines as a scandal without prior notice.  


When observing violations of the law, employees have to decide whether to report them or not. Depending on power relations and corporate culture, such a report resulted in personal disadvantages, exclusion or dismissal. Consequently, the personal risks of a whistleblower often became an insurmountable hurdle. 

To prevent precisely this hesitation, the EU has decided to protect whistleblowers better in future. Someone who uncovers a wrongdoing in the company must not fear discrimination or even have to fear for his or her job or future. 


A Whistleblower Protection Act requires whistleblower systems

The Whistleblowing Directive defines all persons as potential whistleblowers who are in contact with your company in the course of their work activities, i.e. not only your employees but also customers or suppliers (read more in our article “What is a whistleblower?”). Therefore, the company is obliged to provide easy and understandable information about the reporting possibilities and the processing of reports (for example on the company website). 

In addition to the possibility to report in writing and verbally, the company must also enable a personal exchange at the whistleblower’s request. Of course, the company must also process the data in connection with the report in accordance with the GDPR. 

The Whistleblowing Directive and the draft for the German Whistleblower Protection Act do not oblige companies to enable anonymous reporting. This is left to the companies or the authorities themselves. However, the recommendation is clear: only anonymity creates security and trust, which reduces the inhibition to report in itself. The majority of companies that have already implemented whistleblowing systems have decided to use reporting channels that include anonymous reporting. 


Further requirements for companies and authorities imposed by the EU Whistleblowing Directive

However, the Directive does not only require the implementation of whistleblowing systems. It also requires you to establish whistleblowing procedures in your company. By setting specific deadlines during which your company must respond to whistleblowing, the Directive also requires you to manage follow-up actions:  

Important for these additional requirements is the selection and appointment of an impartial person who is responsible for the reports and the communication with the whistleblower. Depending on the size of the company, this role can be taken on by the management or a compliance officer or, alternatively, by an external person acting for your company, such as a lawyer. However, you must ensure that the responsible person is not exposed to any conflict of interest.

The reversal of the burden of proof applies here: In case of doubt, the employer is obliged to prove that a dismissal has nothing to do with the whistleblowing on the part of the employee. This requires complete documentation of the entire process surrounding the whistleblowing – both for the company and for the whistleblower. 

Whistleblower Protection Act: Call for implementation of internal and external reporting channels 

The EU Directive obliges companies to implement internal and external reporting channels. What is the difference between the channels?

Internal channels

“Internal” in this case means “internal to the company”, i.e. within the legal entity, but this internal reporting channel can also be mapped via an external service provider (such as a software provider and / or a lawyer).



Commissioning a third party to implement or manage the internal reporting channel is not only explicitly listed as a legally compliant solution in the Directive, but can also be a workable compromise in practice: potential whistleblowers often fear that they will not actually remain anonymous in internal reporting systems, or criticise the lack of transparency regarding the processing of and responsibility for the reports. “Can’t someone curious from our IT find out that I was the one who filed the report?” is a frequently asked question in this scenario.

An internal reporting channel that is independent of the company’s IT infrastructure can resolve these reservations. Companies can also leave the supervision and processing of the reports to lawyers or compliance advisors. Some companies even go so far as not to commission the “lawyer of trust” with whom the company has been working for years. They actively select a “new” lawyer for this task. This can create additional security for employees, as it reduces the likelihood of a conflict of interest. 

External channels

The Directive also calls for external channels to be available to the whistleblower in addition to an internal company reporting channel. Each EU member state is to provide the external reporting channel through a regulatory body established for this purpose. Of course, all requirements of the Whistleblower Protection Act also apply to external reporting channels. An external report then triggers an official investigation.



The important thing is that companies should point out both channels – internal and external – and employees have the freedom to choose which channel they use to report their observations.

The incentive for companies to make the internal reporting channel intuitive and accessible at all times and to create trust among employees in this channel is therefore great. In this way, an official investigation, i.e. the involvement of third parties, can be prevented and the problem can be dealt with and solved internally.

Which reporting systems meet the requirements of a Whistleblower Protection Act?

The simple, widespread “good old grievance box” fails simply because it cannot provide the two-way communication needed to confirm receipt of the report to the whistleblower. You can read about other reporting channels in our blog article “The whistleblowing system”.

In practice, however, digital whistleblowing systems have proven their worth:

Start looking for the right whistleblowing system for your company today and make sure when choosing your whistleblowing software that there is no “one size fits all”.

Consequences of violations against the Whistleblower Protection Act

The EU explicitly provides for sanctions for those companies that do not set up a whistleblower system. How high these fines will be depends on the national Whistleblower Protection Act. This also applies to companies that do not comply with other whistleblower protection requirements, such as not keeping the identity of the whistleblower confidential or even taking reprisals against the whistleblower.

And even if the Whistleblower Protection Act, as the German implementation of the Directive, is still pending, courts would, if it came to that, decide on the basis of the EU Directive, according to the current assessment of lawyers.

Irrespective of this, non-compliance with the requirements of the EU Whistleblower Directive has a high price: If the company…

… the whistleblower may go public with his information without penalty. He is nevertheless protected under the EU Whistleblowing Directive in these above-mentioned constellations.

Next steps for the implementation of the Whistleblower Protection Act 

Entrepreneurs are well advised to start reducing their personal liability now. Because that is what the Whistleblowing Directive actually sets in motion here: an early warning system for your company. A protective shield for your employees. Choose the external service provider you trust to set up this reporting channel in your company and ensure that your employees actually use it.

How can you achieve this? Find out about the next steps and recommendations for action in our guide “Your guide to comply with the EU Whistleblowing Directive in your company”.

Do you have any questions? Feel free to contact one of our experts for a personal consultation. 
