
Which Companies Must Have a Whistleblowing Channel Under EU Law

Published on 31 May 2026

TL;DR

  • Private companies with 50 or more employees must establish an internal reporting channel.
  • Public-sector entities are covered regardless of size.
  • Deadlines: 17 December 2021 for 250+ staff, 17 December 2023 for 50–249 staff.
  • Non-compliance exposes organisations to penalties, litigation and reputational damage.

What the EU Whistleblowing Directive requires

Directive (EU) 2019/1937, commonly known as the EU Whistleblowing Directive, obliges a wide range of organisations across the European Union to put in place secure internal reporting channels. The goal is to give employees and other stakeholders a safe route to report breaches of EU law without fear of retaliation. National laws transpose the Directive, so the precise wording varies by Member State, but the core thresholds and duties are harmonised across the EU.

Which companies are in scope

The obligation to set up an internal reporting channel applies to:

How the employee threshold is counted

The 50-employee figure generally refers to the number of workers within a single legal entity. Group structures should assess each entity carefully, as obligations can apply at subsidiary level. National transposition laws set out exactly how part-time and seasonal staff are counted, so it is worth confirming the local rule. Organisations that fluctuate around the threshold should monitor their headcount over time rather than relying on a single snapshot, since crossing 50 employees triggers the obligation.

Key compliance deadlines

The Directive set a phased timeline based on organisation size:

  1. 17 December 2021 — deadline for organisations with 250 or more employees, as well as public-sector bodies, to have a compliant channel in place.
  2. 17 December 2023 — deadline for organisations with between 50 and 249 employees.

Both deadlines have now passed, meaning every in-scope organisation should already operate a functioning channel. Companies approaching the 50-employee mark should prepare in advance so the obligation does not catch them unprepared.

What an in-scope organisation must guarantee

Having a channel is only the starting point. The Directive also requires organisations to acknowledge receipt of a report within seven days, provide feedback within three months, protect the confidentiality of the reporter, shield reporters from retaliation, and keep proper records of every report. Where national law allows, organisations must also be able to handle anonymous reports.

Risks and penalties for non-compliance

Failing to establish a compliant channel is not a low-stakes matter. Depending on the Member State, sanctions can include administrative fines, liability for retaliation against reporters, and orders to remedy the breach. Beyond formal penalties, organisations face significant reputational and legal exposure if misconduct surfaces through external channels — or the press — because no safe internal route existed.

Purpose-built platforms such as TrueSpeak help organisations meet these obligations with secure, deadline-aware reporting workflows. Whatever solution you choose, the message is clear: if your organisation meets the threshold, a compliant whistleblowing channel is a legal requirement, not an optional extra.

Frequently Asked Questions

Do companies with fewer than 50 employees need a whistleblowing channel?

As a general rule, no — the core obligation under the EU Whistleblowing Directive applies to private companies with 50 or more employees. However, organisations in certain regulated sectors, such as financial services, may be required to have a channel regardless of size.

When did the obligation to have an internal reporting channel take effect?

Organisations with 250 or more employees and public-sector bodies had to comply by 17 December 2021, while those with 50 to 249 employees had until 17 December 2023. Both deadlines have now passed.

What happens if a company does not set up a whistleblowing channel?

Non-compliance can lead to administrative fines, liability for retaliation against reporters and remediation orders, with the exact penalties depending on national transposition law. Organisations also risk serious reputational and legal damage.
