The Whistleblowing Directive: Update on its implementation

In 2018, the European Commission explicitly stated: “Unlawful activities and abuse of law may occur in any organisation, whether private or public, big or small. They can take many forms, corruption, fraud, businesses’ malpractice or negligence. And if they are not addressed, it can result in serious harm to the public interest. People who work for an organisation or are in contact with it in their work-related activities, are often the first to know about such occurrences and are, therefore, in a privileged position to inform those who can address the problem. Whistleblowers, i.e. persons who report (within the organisation concerned or to an outside authority) or disclose (to the public) information on a wrongdoing obtained in a work-related context, help preventing damage and detecting threat or harm to the public interest that may otherwise remain hidden. However, at European and national level the protection of whistleblowers is uneven and fragmented. As a consequence, whistleblowers, are often discouraged from reporting their concerns for fear of retaliation.”

For these reasons, on the 23rd April 2018, the European Commission presented a package of initiatives, including a proposal for a Directive “on the protection of persons reporting on breaches of Union law” and a Communication, establishing a comprehensive legal framework for whistleblower protection for safeguarding the public interest at European level by setting up easily accessible reporting channels, underlining the obligation to maintain confidentiality and the prohibition of retaliation against whistleblowers, and establishing targeted measures of protection.

The Member States have a transposition deadline of the 17th of December 2021 (with the exception of the obligation to establish internal reporting channels within a further two-year extended deadline).

The fundamental intentions of the Directive are, inter alia to ensure a harmonized framework at national level, and to offer a satisfactory level of protection to persons reporting breaches of Union law, sheathing a number of critical areas including public procurement, financial services, consumer protection, public health, protection of the environment, animal welfare, the security of network and information systems, data privacy, money laundering, as well as breaches affecting the financial interests of the Union, the internal market (including competition and state aid), and corporate tax law.

Member States must ensure that the whistleblowing channels are established in a way that their national legislation mandates internal and external whistleblowing channels following some minimum standards:

a. Companies with over 50 employees must establish an internal whistleblowing channel and may also outsource those channels to third parties. In that case, the third parties need to guarantee confidentiality, data protection, secrecy and independence.

b. Member States are required to establish external reporting channels, by designating an authority competent to assume the tasks of receiving reports, giving feedback, and doing follow-up.

It is important to mention that both internal and external channels must ensure confidentiality of the processes and that the whistleblowers shall not face any kind retaliation.

Whistleblowers shall be granted protection under Art. 6(1) of the Directive where they had reasonable grounds to believe that the information reported about the potential breach was true at the time of reporting and such information is in the scope of the Directive (and the implementing act); and the whistleblower used the designated reporting channels.

Member States are required to provide at least the minimum requirements to protect whistleblowers, such as, for example, providing them with exhaustive information and advice on legal protection, the assistance of an authority and, granting certain rights in regard to legal procedures.


An executive summary circulated by Transparency International gives a glimpse of the transposition status of the Directive within the 27 Member States’ national legislations.

In particular, it is mentioned that “By mid-February 2021, two-thirds (18) of the 27 member states had not started or had made minimal progress in the transposition process, and it is uncertain whether any EU country will transpose the Directive by the December deadline. This lack of urgency from EU member states is concerning. The corruption and other health and public interest concerns exposed by the COVID-19 pandemic, and the huge amounts of relief funds at stake, should spur countries into action. Unfortunately, they seem to have done the opposite. It is understandable that governments are currently dedicating significant resources to dealing with COVID-19. However, thinking that implementing whistleblower protection legislation is not a high priority in that context would be a mistake. The purpose of whistleblower protection legislation is to enhance the enforcement of laws and policies, thus preventing loss or harm and preserving the rule of law. Critical times, such as those we are living through today, only accentuate that need.”

Transparency International has suggested some key elements for a robust implementation and practical usage of the Directive, which, mainly describes that the transposition process should be transparent and include all key stakeholders. This is the reason that adequate public consultation, research and sufficient thoughts are brought to the drafting process. This also means that member states should not just have a minimalistic (or verbatim) approach to the transposition, but they should seize the opportunity offered by the transposition process to go further than the minimum standards and adopt comprehensive national legislation that meets best practice and international standards. Only then will whistleblower protection laws across the EU meet the promise of the Directive and be fit for purpose, enhancing the enforcement of both EU and national law and policies by providing for high-level protection of every single whistleblower speaking up in the public interest.


According to the EU-UK Trade and Co-operation Agreement (“TCA”), the UK and EU have agreed not to weaken or reduce their labour and social protections below the levels in place at the end of the transition period (31 December 2020) and to continue to strive to increase their respective labour and social levels of protection. Where there are significant divergences, the EU can take appropriate rebalancing measures and if there is any significant divergence in a way that materially affects trade or investment, the EU could activate the rebalancing mechanism.

Nonetheless, the Directive remains relevant, particularly for financial services firms and organisations which operate across Europe, as it may come to be regarded as best practice. It will also need to be taken into account by companies which maintain a single global whistleblowing framework.


To date, Cyprus appears to provide some fragmentary protection in several fields, without however any established reporting channels. It appears therefore, not to have taken the steps necessary to meet the 17th of December 2021 deadline for fully transposing the Directive into the national law. 

However, this is possibly as a result of administrative backlog, rather than opposition to the contents of the Directive since the Commissioner for the Protection of Personal Data in Cyprus has been openly supportive of it. 

Available is a link below, from a Panel Discussion in which the Commissioner for the Protection of Personal Data in Cyprus participated and spoke about the ways in which Cyprus intends to protect whistle-blowers.$file/Panel%20discussion%20on%20Whistleblowing.pdf.

Failure to transpose EU Directives within the deadline may result in the European Commission commencing infringement proceedings.

For more information about the issues raised in this article please get in touch with Eleni Victoros.  Alternatively, you may reach out to your usual contact within Elias Neocleous & Co LLC.