Regulation of Whistleblowing in Europe – A Comparative Perspective

Within the EU – Supranational Rules

The EU Whistleblowing Directive

The EU Whistleblowing Directive (2019/1937), officially named the "Directive on the protection of persons reporting on breaches of Union law," aims to improve the enforcement of EU law by establishing common standards across EU member states to protect whistleblowers. This Directive is a minimum directive, meaning that member states can implement regulations that offer better protection for whistleblowers than what the Directive stipulates.

Member states were given a two-year deadline after the adoption of the Directive to implement it, which means until the end of 2021. Some countries have missed this implementation deadline, but as of now, most EU countries have established national legislation in line with the Directive's requirements. This means there is a common set of minimum requirements across Europe that protect whistleblowers. Norway is not directly bound by the Directive, but the question of whether the Directive should be included in the EEA Agreement is currently under consideration, which may lead to changes in Norwegian whistleblowing legislation.

Sectoral Limitations

The Directive sets a minimum level of protection within specific areas, including public procurement, financial services, anti-money laundering, product safety, transport safety, environmental protection, nuclear safety, food safety, animal welfare, public health, consumer protection, and data protection.

Whistleblowing about breaches of regulations concerning HSE (Health, Safety, and Environment) and labor rights, however, is not included in this list and is therefore not regulated by the Directive. This differs from Norwegian law, see the Working Environment Act Chapter 2. According to the EU Directive, a new assessment should be made about whether the scope should include HSE and labor law regulations after four years following its adoption.

Who is Protected by the Directive?

The Directive sets out two main conditions for whistleblowers to be protected under the Directive. Firstly, the whistleblower must have "reasonable grounds to believe" that the facts reported are correct and fall within the scope of the Directive. Secondly, the whistleblower must have followed the prescribed procedure for whistleblowing as required by the Directive: the matter must first have been reported internally, or possibly to public authorities, before it can be publicly disclosed to the media.

Directive Requirements for Internal and External Reporting Channels

The Directive requires member states to establish internal reporting channels and procedures for the reception, registration, and follow-up of internal reports. This requirement initially covers all private enterprises with 50 or more employees, as well as all public sector organizations. However, municipalities with fewer than 10,000 inhabitants and municipal enterprises with fewer than 50 employees may be exempt from these requirements.

The Directive also includes an obligation for member states to establish external channels that whistleblowers can contact to have their reports registered and processed. This means that authorities must designate competent bodies to receive and follow up on reports and provide them with sufficient resources. Additionally, the Directive requires that states report the designated authorities to the Commission.

How are Whistleblowers and Other Affected Parties Protected?

The Directive mandates that member states must prohibit retaliation against whistleblowers. Retaliation includes any form of negative reactions as a result of the whistleblowing, such as harassment, dismissal, or similar actions. Furthermore, member states must ensure that whistleblowers have easy access to information and free advice about procedures and legal remedies concerning protection against retaliation.

Member states must also ensure effective, proportionate, and dissuasive sanctions for violations of the Directive. The type of sanctions used is up to each member state and can be criminal, civil, or administrative.

The Directive also entails that member states must ensure certain rights for the parties implicated in the reports. This includes, in particular, a duty of confidentiality regarding their identity.


  • Ministry of Justice and Public Security's position paper, last updated on 18.09.2023, Regjeringen
  • "Expert Guide on Whistleblowing Laws in the EU – A glance at the implementation of the EU Whistleblowing Directive in the EU Member States," EQS Group, July 2023 (facts last updated July 2023)

Contact us