1. Who: From the end of 2021, EU companies and public bodies with 250 or more employees must implement an internal reporting system. From 2023, this will change to include companies and public bodies with 50 or more employees.
The scheme must be made available to all employees (see key point 3).
2. What: The Directive covers disclosure of breaches of EU law in the following areas, among others: public procurement; financial services; product safety and compliance; transport safety; protection of the environment; protection against radiation and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data; network and information system security; as well as state aid and competition law compliance to the extent that a matter is not mandatorily regulated by sector-specific EU legislation.
3. Why: The purpose of the Directive is to provide greater protection across EU countries for those seeking to expose breaches of EU law.
Whistleblowers who report breaches of EU law will be protected from dismissal, suspension, demotion and other forms of discrimination. This protection extends to employees, former employees, subcontractors, shareholders, suppliers and other third parties.
4. How: It is up to each individual member state to define how the reporting channels will be established, provided that protections to ensure confidentiality and anonymity are incorporated.
5. Sanctions: The Directive obliges member states to impose effective and proportionate sanctions on companies and public bodies that do not adhere to the reporting system, including failing to maintain the confidentiality of whistleblowers and hindering attempts to report breaches.
6. When: The Directive must be implemented by EU member states no later than 17 December 2021.
7. The Directive requires that every company or public body with 50 or more employees set up reporting channels and procedures. Employers with 50-249 employees (be it group companies or individual companies) have the option to share resources.
8. The European Commission’s view is that the Directive has enough flexibility to be compliant with whistleblowing legislation in other jurisdictions, such as the U.S. FCPA and the UK Bribery Act, although that is difficult to see. In turn, as regards compliance with the Directive, the Commission’s position is that each subsidiary must have its own separate procedure. Whistleblowers then have the choice to report breaches at either the local or group level. That choice, however, cannot be turned into an obligation to report to the parent company, and the whistleblower must give their approval to a local report being shared with or handled and investigated by the parent company. Moreover, potentially keeping the parent company out of an investigation may prevent it from mitigating the breach, if any.