Skip to main content

Glossary Jurisdictional posture

Whistleblower Directive

Also: EU Directive 2019/1937, Directive on the protection of persons who report breaches of Union law

Origin: Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019.

The 2019 EU directive establishing minimum standards for the protection of persons who report breaches of Union law — codified as Directive (EU) 2019/1937. It mandates internal and external reporting channels, prohibits retaliation, and provides remedies for whistleblowers who suffer it. Implementing legislation in the member states has been uneven; Switzerland and Iceland are not bound by the directive but maintain analogous protections.

Reviewed

Directive (EU) 2019/1937 — the “Whistleblower Directive” — is the EU directive establishing minimum standards for the protection of persons who report breaches of Union law. It was adopted in October 2019 with a transposition deadline of 17 December 2021 for the bulk of its provisions and an extended deadline for private-sector entities of fewer than 250 employees. The directive supplies an enforceable minimum across the union; member-state implementations may go further, and several have.

The substantive surface of the directive covers three elements. It mandates internal reporting channels in private and public entities of specified size, with prescribed minimum standards on accessibility, confidentiality, and follow-up. It establishes external reporting channels operated by member-state competent authorities, with parallel minimum standards. And it prohibits retaliation — dismissal, demotion, transfer, withdrawal of benefits, blacklisting, harassment — against persons who report through either channel, and supplies a reverse burden of proof in retaliation claims (the employer must demonstrate that adverse action was not retaliatory).

The directive’s material scope is breaches of Union law in specified sectors — public procurement, financial services, product safety, transport safety, environment, food safety, public health, consumer protection, data protection, network and information systems security, financial interests of the Union, and breaches affecting the internal market. The scope is broader than the popular framing as “corporate whistleblowing”; the directive also covers breaches of EU human-rights law and breaches affecting the functioning of the internal market.

Iceland is not bound by the directive (the EEA Agreement does not extend to all of the directive’s scope, and Iceland has not opted to import it through national legislation, though analogous protections exist in IMMI-derived statute and the public-sector employment code). Switzerland is also not bound; the Swiss Code of Obligations contains a whistleblower-protection surface that is significantly thinner than the directive’s, and Swiss legislative proposals to bring the regime to parity have not been adopted.

For an offshore-hosting operator the directive matters when the operator hosts content produced through whistleblower disclosures — a SecureDrop instance, an investigative archive, a leak-aggregator. The directive’s protections run to the discloser, not to the publisher; the operator’s role is to ensure that hosting the disclosure does not by itself frustrate the protections the discloser has under their home jurisdiction.