Whistleblower Protection Act: Actual Development

Latest Update: 1st March 2023

The latest news on the German Whistleblower Protection Act: Your guide for the implementation in your company

Table of Content

With this article, we would like to bring you up to date on the Whistleblower Protection Act as an implementation of the EU Directive in force since 17 December 2021. We will clarify the uncertainties and reservations about whistleblower systems and provide you as an entrepreneur with clear recommendations for action.

And we gladly anticipate the outcome: Since the law was passed on the 16th of December 2022 and only the final approval from the Bundesrat is pending, companies should act immediately. The directive forces your hand by prescribing an early warning system for your company and a protective shield for your employees.

German Whistleblower Protection Act: What is whistleblower protection in general?

One of the biggest challenges in the context of implementing a whistleblower protection law in companies is the negative connotation that often resonates with the topic of “whistleblowing”. The term is associated with betrayal of secrets and is thus interpreted in a very one-sided way. What is not recognised is that it is not generally bad if secrets are revealed – especially if they involve violations of the law. By uncovering violations of the law in companies, internal whistleblowers become an early warning system. This makes it possible to solve reported problems instead of ending up as scandal in the headlines one day without warning.

When observing violations of the law, employees have to decide whether to report them or not. Depending on power relations and corporate culture, such a report resulted in personal disadvantages, exclusion or dismissal. As a result, the personal risks of a whistleblower became an often insurmountable hurdle.

To prevent precisely this hesitation, the EU has decided to protect whistleblowers better in future with a Whistleblowing Act. Someone who uncovers a malpractice in the company must not fear discrimination or even have to fear about their job or their future.

Rettungsring als Schutzsymbol

What are the next steps for the Whistleblower Protection Act?

The Federal Council still has to approve the Whistleblower Protection Act. After this the law must be signed by the Federal President and announced in the Federal Law Gazette.

From this announcement, the law comes into force and employers with 250 or more employees have three months to implement the requirements of the Whistleblower Protection Act. For companies with between 50 and 249 employees, the deadline for implementation is 17th December 2023. Internal reporting offices and concepts for the protection of whistleblowers must then be established and operated. If this is not done, companies face fines of up to €100,000.

Which amendments were made in response to the Legal Affairs Committee's proposal on the Whistleblower Protection Act?

The government’s draft passed the Legal Affairs Committee on 14.12.2022 with some proposed amendments. The plenum of the Bundestag then passed the draft with the amendments of the legal committee on 16.12.2022.

Until the end, it was disputed which reports fall under the protection of the Whistleblowing Act. The CDU/CSU fractions argued for a narrow scope of application, oriented towards the EU Directive, which only stipulated the inclusion of violations of EU law and national law based on EU law. The government draft went far beyond this and extended the scope to include information on criminal offences of all kinds and serious administrative offences. At the last minute, due to current events (“Reichsbürger raid”), reports were also included on statements made by civil servants that constitute a violation of the duty to be loyal to the constitution.

In general, whistleblowers should have the choice between external and internal reporting. Employers are to create incentives for whistleblowers to first contact the respective internal reporting office of the employer before submitting a report to an external reporting office of the Federation or the Land.

Another significant change made by the Legal Affairs Committee is that whistleblowers who experience prohibited reprisals can claim both material and non-material damages, i.e. a claim for compensation for pain and suffering has been added.

Current progress on the Whistleblower Protection Act

February 2023: The Bundesrat blocks the Whistleblower Protection Act. On February 10th, a decision was made in a session of the Bundesrat on the entry into force of the German Whistleblower Protection Act. Contrary to many expectations, the law was not approved. Especially the CDU and CSU parties were negative towards the law, saying it was too cost-intensive and involved too much bureaucracy. The Minister of Justice had originally announced that he would approve a law in the first half of 2023. The next session of the Bundesrat will take place in March. A final decision can therefore be expected in the next few months.

December 2022: The Whistleblower Protection Bill passes the Legal Committee of the German Bundestag after some amendments! According to a press release of the Bundestag, the Legal Affairs Committee adopted the motion for a resolution of the coalition parliamentary groups this morning. Thus, nothing more should be standing in the way from passing the draft of the Whistleblower Protection Bill.

November 2022: Although experts expected the law to be passed this year in Q4 2022, Justice Minister Dr Marco Buschmann expects the decision to be delayed until early 2023. He also announced that the law will come into force in the first half of 2023.

October 2022: On the 19th October, the draft law was discussed in a public hearing in the Legal Affairs Committee. In theory, all experts at the hearing were in favour of the draft law. However, the draft still had room for improvement and still did not sufficiently protect whistleblowers in the case of observations that were not illegal but nevertheless involved unethical behaviour. The insufficient protection of wrongly accused persons was also frequently criticised. The AfD parliamentary group in particular expressed much criticism of the draft law.

September 2022: The Bundestag and Bundesrat discuss the Whistleblower Protection Act.

July 2022: The Federal Government publishes a detailed draft bill.

April 2022: Dr Marco Buschmann (FDP) submits the new draft bill for the German Whistleblower Protection Act to the ministries for voting. The professional public has time until 11.5.22 to comment on the draft bill.

February 2022: The EU initiates infringement proceedings because the transposition deadline has been exceeded.

December 2021: The EU’s transposition deadline for implementing a national whistleblower protection law expires.

November 2021: The implementation of the EU Directive at national level is included in the coalition agreement.

Early 2021: A draft law is presented by the SPD-led Ministry of Justice. Due to objections to the draft, especially from the CDU/CSU, the law is rejected.


The Whistleblower Protection Act for the protection of whistleblowers

The EU Whistleblower Protection Directive (EU Directive 2019/1937) requires all companies with more than 50 employees to set up a whistleblowing system. This also applies to public authorities and public institutions, companies with a turnover of more than 10 million euros and municipalities with a population of 10,000 or more. For companies between 50 and 249 employees, an extended implementation period until December 2023 is intended. The Whistleblowing Directive and the associated requirements for companies are designed to protect whistleblowers better when they report violations of the law within the company. This is to be ensured by an internal whistleblowing system as a reporting channel, which is to be accessible not only to the company’s own employees, but also to those of distribution partners, customers and service providers.

Whistleblower Protection Act: The implementation of the Whistleblowing Directive


Since it is a directive and not a regulation (as it is with the GDPR), all EU member states must additionally adopt their own national law that ensures the whistleblower protection based on the directive. In this context, the legal requirements of the EU Directive represent the “minimum”. The German government could interpret the requirements in the German Whistleblower Protection Act more strictly, but not soften them and apply them more loosely. There were already talks on the draft for the German Whistleblower Protection Act in the first half of 2021. However, as reported in the SZ, these failed because of the Union (CDU).

Denmark was the first EU member to adopt the national law “Lov om beskyttelse af whistleblowere” on 24th June 2021. Sweden followed with “Lag (2021:890) om skydd för personer som rapporterar om missförhållanden” on 29th September 2021. Legislation is in progress in most of the remaining EU countries.

The governments of some countries are discussing a stricter interpretation. The Czech Republic, for example, has a draft law that would require companies with 25 or more employees to comply with the law. 

The example of Poland shows that things can suddenly move very quickly: The current draft law foresees 3 years imprisonment for the managing director if the company does not implement a whistleblowing system. The obligation to have such a system implemented is supposed to be effective immediately 14 days after the law is approved. In the draft bill, Poland has thus clearly exceeded the requirements of the EU Whistleblowing Directive. The majority situation in Poland speaks in favour of adopting the present draft. 

What does the German Whistleblower Protection Act include? 

Legal Tech Gerichte Urteile

In the draft, German Justice Minister Christine Lambrecht (SPD) proposed to protect not only whistleblowers who report violations of EU law, but also those who report violations of German law.  

“Otherwise, anyone who reports a violation of European data protection regulations would be protected, but not someone who points out bribe payments, tax evasion or violations of German environmental protection or occupational health and safety regulations.” 
[Quote Christine Lambrecht,
source: https://www.sueddeutsche.de/wirtschaft/whistleblower-lambrecht-unternehmen-1.5278761]   ]

The CDU/CSU accused her of creating hurdles for companies and imposing even more bureaucracy. The parties currently in coalition negotiations, however, have taken a clear position: SPD, FDP and the Green Party demand extensive protection for whistleblowers and see this as an opportunity to prevent scandals and reduce damage. You can read more about this in our article on the impact of the Bundestag elections on whistleblower protection.

With the publication of the coalition agreement between the SPD, the Green Party and the FDP, it is officially certain that Germany will receive an independent whistleblowing law. Specifically, the coalition agreement says (p. 111, 3737-3742):

“We are implementing the EU Whistleblower Directive in a legally secure and practicable way. Whistleblowers must be protected from legal disadvantages not only when reporting breaches of EU law, but also significant breaches of regulations or other significant misconduct, the uncovering of which is in particular public interest. We want to improve the enforceability of claims for reprisals against the injurer and are looking into counselling and financial support schemes for this purpose.”

This makes it clear: the coming law will uniformly cover both violations of German law and the disclosure of significant wrongdoing. As long as the federal government has not yet passed the law, the directive has nevertheless applied since 17 December 2021.

Thus, the EU Whistleblowing Directive especially moves private sector companies into a dangerous grey area between national law and EU law.

A Whistleblower Protection Act requires whistleblower systems

The Whistleblowing Directive defines all persons as potential whistleblowers who are in contact with your company in the course of their work activities, i.e. not only your employees but also customers or suppliers (read more in our article “What is a whistleblower?”). Therefore, the company is obliged to provide easy and understandable information about the reporting possibilities and the processing of reports (for example on the company website). 

In addition to the possibility to report in writing and verbally, the company must also enable a personal exchange at the whistleblower’s request. Of course, the company must also process the data in connection with the report in accordance with the GDPR. 

The draft for the German Whistleblower Protection Act oblige companies to enable anonymous reporting. However, the recommendation is clear: only anonymity creates security and trust, which reduces the inhibition to report in itself. The majority of companies that have already implemented whistleblowing systems have decided to use reporting channels that include anonymous reporting.

Further requirements for companies and authorities imposed by the EU Whistleblowing Directive

However, the Directive does not only require the implementation of whistleblowing systems. It also requires you to establish whistleblowing procedures in your company. By setting specific deadlines during which your company must respond to whistleblowing, the Directive also requires you to manage follow-up actions:  

Important for these additional requirements is the selection and appointment of an impartial person who is responsible for the reports and the communication with the whistleblower. Depending on the size of the company, this can alternatively be done for your company by an external responsible person, such as a lawyer, in addition to the management or a compliance officer. However, you must ensure that the responsible person is not exposed to any conflict of interest. 

The reversal of the burden of proof applies here: In case of doubt, the employer is obliged to prove that a dismissal has nothing to do with the whistleblowing on the part of the employee. This requires complete documentation of the entire process surrounding the whistleblowing – both for the company and for the whistleblower. 

Whistleblower protection is corporate protection

The legal requirements and the elaborations of the national laws raise many questions for companies in practice. Learn more about the current status of the Whistleblower Protection Act, legal requirements for whistleblower software and practical implementation in the recording of our webinar from 13th February 2023. (Abvailable only in German)


Mit dem Laden des Videos akzeptieren Sie die Datenschutzerklärung von YouTube.
Mehr erfahren

Video laden

Whistleblower Protection Act: Call for implementation of internal and external reporting channels 

The EU Directive obliges companies to implement internal and external reporting channels. What is the difference between the channels?

Internal channels

“Internal” in this case means “internal to the company”, i.e. within the legal entity, but this internal reporting channel can also be mapped via an external service provider (such as a software provider and / or a lawyer).



Commissioning a third party to implement or manage the internal reporting channel is not only explicitly listed as a legally compliant solution in the guideline, but can also be a practicable compromise in practice: Potential whistleblowers often fear that they will not actually remain anonymous in internal reporting systems or criticise the lack of transparency regarding the processing and responsibility of the reports. “Can’t someone curious from our IT find out that I was the one who filed the report?” is a frequently asked question in this scenario.

An internal reporting channel that is independent of the company’s IT infrastructure can resolve these reservations. Companies can also leave the supervision and processing of the reports to lawyers or compliance advisors. Some companies even go so far as not to commission the “lawyer of trust” with whom the company has been working for years. They actively select a “new” lawyer for this task. This can create additional security for employees, as it reduces the likelihood of a conflict of interest. 

External channels

The Directive also calls for external channels to be available to the whistleblower in addition to an internal company reporting channel. The instance of the external reporting channel is to be mapped by each EU member state by a regulatory body established for this purpose. Of course, all requirements of the Whistleblower Protection Act also apply to external reporting channels. An external report then triggers an official investigation.



The important thing is that companies should point out both channels – internal and external – and employees have the freedom to choose which channel they use to report their observations.

The incentive for companies to make the internal reporting channel intuitive and accessible at all times and to create trust among employees in this channel is therefore great. In this way, an official investigation, i.e. the involvement of third parties, can be prevented and the problem can be dealt with and solved internally.

Which reporting systems meet the requirements of a Whistleblower Protection Act?

The simple, widespread “good old grievance box” already fails because of the bilateral communication that is necessary to be able to confirm the whistleblower’s receipt of his report. You can read about other reporting channels in our blog article “The whistleblowing system”.

In practice, however, digital whistleblowing systems have proven their worth:

Start looking for the right whistleblowing system for your company today and make sure when choosing your whistleblowing software that there is no “one size fits all”.

Consequences of violations against the Whistleblower Protection Act

In the opinion of the EU, the EU explicitly provides for sanctions for those companies that do not set up a whistleblower system. How high these fines will be depends on the national Whistleblower Protection Act. This also applies to companies that do not comply with other whistleblower protection requirements, such as not keeping the identity of the whistleblower confidential or even taking reprisals against the whistleblower.

And even if the Whistleblower Protection Act, as the German implementation of the Directive, is still pending, courts would decide on the basis of the EU Directive in case of emergency, according to the current assessment of lawyers.

Irrespective of this, non-compliance with the requirements of the EU Whistleblower Directive has a high price: If the company…

… the whistleblower may go public with his information without penalty. He is nevertheless protected under the EU Whistleblowing Directive in these above-mentioned constellations.

Next steps for the implementation of the Whistleblower Protection Act 

Entrepreneurs are well advised to take care of the reduction of personal liability already now. Because that is what the Whistleblowing Directive actually sets in motion here: an early warning system for your company. A protective shield for your employees. Choose the external service provider you trust to set up this reporting channel in your company and ensure that your employees actually use it.  

How you can achieve this? Find out about the next steps and recommendations for action in our guide “Your guide to comply with the EU Whistleblowing Directive in your company”

Do you have any questions? Feel free to contact one of our experts for a personal consultation. 

Why wait any longer?

Compliant in 5 minutes

Our solution fits to your clients?

Join our partner program