Protection of persons who report breaches of EU law

Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law establishes rules and procedures to protect ‘whistleblowers’, individuals who report information they acquired in a work-related context on breaches of EU law in key policy areas. Breaches include both unlawful acts or omissions and abusive practices.


The directive covers reports on:

  • breaches of rules in the following areas (listed in detail in Part I of the annex)
  • public procurement
  • financial services, products and markets; prevention of money laundering and terrorist financing
  • product safety and compliance
  • transport safety in the railway, road, maritime and inland waters sectors
  • protection of the environment, ranging from waste management to chemicals
  • radiation protection and nuclear safety
  • food and feed safety, animal health and welfare
  • public health, including patients’ rights and tobacco controls
  • consumer protection
  • protection of privacy and personal data, security and information systems;
  • breaches affecting the EU’s financial interests;
  • breaches relating to the internal market, including breaches of EU competition and State aid rules, and breaches of national corporate tax rules.

The directive complements specific EU legislation which already includes rules on whistleblowing (notably on financial services, money laundering, terrorist financing, transport safety and environmental protection).

The directive does not:

  • affect the responsibility of EU governments to protect their national security;
  • affect EU or national law on protection of classified information, legal and medical professional privilege, secrecy of judicial proceedings or criminal procedural rule;
  • override national rules on rights of employees to consult their representatives or trade unions.

The legislation covers a wide range of people working in the private and public sectors, including those who report after their work-based relationship has ended:

  • employees, self-employed people, shareholders, persons belonging to the administrative, management and supervisory bodies of businesses, volunteers, trainees and job applicants;
  • persons who help whistleblowers in a confidential manner, persons connected to a whistleblower who might suffer retaliation at work, and legal entities linked to the whistleblower.

Individuals are protected if they go public with their concerns provided they:

  • first reported (internally and) externally but no action was taken;
  • reasonably believe that there is an imminent or clear danger to the public interest, a risk of retaliation or little likelihood of their concern being properly addressed.

Reporting arrangements include:

  • internal channels: all private companies with 50 or more employees and, in principle, all public entities must set up effective reporting channels, ensuring confidentiality; public entities with less than 50 employees and municipalities with fewer than 10,000 inhabitants may be exempted;
  • external channels: appropriate national authorities must establish reporting channels enabling confidential reporting;
  • follow-up procedures and deadlines for handling reports received through internal and external channels. These include

  1. a duty not to reveal the whistleblower’s identity, except in strictly limited circumstances
  2. compliance with EU data protection legislation
  3. records of every oral or written report received.

Legal protection

To qualify for legal protection, an individual must:

  • have reasonable grounds to believe that the information they report is covered by the legislation and true at the time of reporting;
  • report the breach to the competent authorities use the internal or external channels provided. Whistleblowers are encouraged to report internally (within the organisation) first, where the breach can be addressed effectively internally and where they consider that there is no risk of retaliation. However, they can choose whether to report first internally or to directly report externally to the competent authorities.


  • are protected against all forms of retaliation, such as dismissal, demotion, intimidation and blacklisting;
  • have access to appropriate support measures, notably independent information and advice and legal aid in accordance with EU rules on legal aid in criminal and cross-border civil proceedings;
  • have access to appropriate remedial measures, such as interim relief and immunity from liability for breaching non-disclosure clauses in their contracts.

EU countries must:

  • ensure appropriate internal and external reporting channels are in place;
  • take the necessary measures to prevent any retaliation against a whistleblower;
  • respect the right to an effective remedy, a fair trial, presumption of innocence and rights of defence of persons concerned by the allegations in the reports;
  • provide effective, proportionate and dissuasive penalties for breaches of certain rules of the directive, for instance for persons who hinder reporting or who retaliate against whistleblowers;
  • transpose the directive and notify to the European Commission the transposition measures by 17 December 2021; with a possible exemption for transposing the provisions on the obligation of private companies with between 50 and 249 employees to set up their internal reporting channels until 17 December 2023;
  • provide the Commission with annual data on numbers of reports received and investigations opened and their outcome, and the financial consequences.

The Commission submits to the European Parliament and the Council:

  • a first public and easily accessible report on the incorporation of the directive in EU countries’ national law by 17 December 2023; and
  • a second on the implementation of the directive and on possible amendments needed, by 17 December 2025.


It has applied since 16 December 2019 and It has to become law in the EU countries by 17 December 2021. (source:

The Directive is available here



George Kazoleas, Lawyer

Top Stories

Obligation of a creditor to check a consumer’s creditworthiness - Credit agreement void and creditor’s entitlement to payment of the agreed interest forfeited

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Graduate Programme 2024 for EU Nationals in European Central Bank

The rules of UEFA on ‘homegrown players’ could be contrary to EU law (ECJ)

ECtHR Judgement against Greece: Disclosure of the identities and medical data of prostitutes diagnosed with HIV was a breach of their right to private life

Cybercrime: the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage (ECJ)

Woman forced to travel abroad to have an abortion following legislative amendments in Poland breached the ECHR (ECtHR)