New Directive on Whistleblower Protection

Philipp Rosenauer Partner Legal, PwC Switzerland 07 May 2019

The European Parliament and EU Council have recently agreed to a game-changing piece of legislation that will help protect persons reporting incidents (“whistleblowers”) across Europe. It is the first time that the EU will have a dedicated legislation in this area.


“Whistleblowers” are individuals who come across information about wrongdoings or about illegal or unethical activities or omissions that may harm the public interest (e.g. fraud, corruption, etc.) and report such acts to their employers, the competent authorities or the press. Recent scandals, such as Luxleaks, Panama Papers or Cambridge Analytica, have revealed wrongdoings within companies or organisations that have harmed public interests across the EU. In many cases, these incidents have become known thanks to individuals speaking up when they encountered wrongdoings in the context of their work. The level of whistleblower protection, however, varies greatly among the EU Member States, and these differences can lead to legal uncertainty and the risk of unequal treatment.

Material scope

The approved Directive on the Protection of persons reporting on breaches of the Union Law establishes a common minimum standard for whistleblower protection. The breaches falling in the scope of the Directive lie mainly within areas such as public procurement, financial services including the prevention of money laundering and terrorist financing, product and transport safety, public health, and consumer and data protection. The EU Member States are free to add to these areas and establish a broader national regime to cover further areas.

Currently, the protection offered to whistleblowers across the EU is fragmented. Some EU Member States have comprehensive legislation in place, but most offer only sectoral protection. Elements of whistleblower protection have already been introduced in specific EU instruments in areas such as financial services, transport safety and environmental protection. Where distinct rules are established in sector-specific EU acts (e.g. the UCITS and PRIIPs Regulations), this Directive does not apply.

Personal scope

The Directive applies to reporting individuals working in the private or public sector who have acquired information on breaches in a work-related context. That means that it covers employees (including civil servants), shareholders and persons belonging to the administrative management, but also self-employed people, freelancers, consultants, contractors, suppliers, volunteers, unpaid trainees and job applicants.

To avoid penalising people who act in good faith, whistleblowers also qualify for protection if they had reasonable grounds to believe that the information reported was true at the time of reporting or if they had serious suspicions that they had observed an illegal activity.

New ruleset established for whistleblower protection


The Directive establishes obligations to set up new or enhanced internal reporting channels to ensure that whistleblowers are safeguarded and that the information disclosed is kept confidential. Legal entities in the private sector with more than 50 employees and legal entities in the public sector are obliged to establish internal channels and procedures for reporting and following up on reports.

Small and micro companies are exempted from this obligation, with the exception of companies operating in the field of financial services or that are vulnerable to anti-money laundering/counter terrorist financing given the high risks arising from their business activities.

Internal reporting channels

Such internal reporting channels have to be designed and operated in a manner that provides protection and ensures that the identity of the reporting person and any third party mentioned in the report remains confidential. Further requirements include the designation of an independent person or department responsible for receiving and following up reports and to provide transparent information about the procedures and the conditions under which reports may be made externally to the competent authorities.

The reporting channels may be run internally by a person or department designated for that purpose or outsourced to an independent third party (e.g. law firm, trusted advisor).

External reporting channels

In general, reporting persons should pass on information relating to breaches through external channels and procedures only after having used internal channels or, under certain conditions, by reporting directly to the competent authorities.

EU Member States are required to designate the authorities competent to receive and give feedback or follow-up on reports and to provide them with adequate resources.

Public disclosure

If no appropriate measure are taken after an incident is reported through internal or external channels, or if the whistleblower believes that there is an imminent danger to the public interest or a risk of retaliation, the reporting person will still be protected if he/she discloses the information to the public (e.g. through web platforms, the press, and social media).

Whistleblower protection

The Directive establishes a series of safeguards to protect the whistleblower from being suspended, demoted, intimidated or experiencing any form of retaliation. The safeguards also apply to persons assisting the whistleblower, such as facilitators, relatives or colleagues. If whistleblowers do experience retaliation, the new law provides for a set of measures to protect them, including free legal advice, remedial measures to deal with retaliation (e.g. interim relief to halt ongoing retaliation or to prevent dismissal, reversal of the burden of proof) or protection in judicial proceedings.

What’s next

The Directive now needs to be approved by EU Ministers. It is expected that there will be no major changes to the draft. Once approved and published, the EU Member States will then have two years to comply and put in place national rules that are in line with the Directive.

Companies with more than 50 employees will have to implement appropriate measures to comply with the forthcoming requirements. Those measures will include the implementation of an incident reporting system within the organisation to meet the internal channel reporting requirements, as well as adopting policies and guidelines establishing the appropriate internal organisation and the applicable processes.

Your PwC Experts will provide you with more detailed information in the near future.



Susanne Hofmann

Data Protection Officer, Zurich, PwC Switzerland and Liechtenstein

+41 58 792 17 12


Philipp Rosenauer

Partner Legal, Zurich, PwC Switzerland

+41 58 792 18 56


Contact us

Stefan Haag

Stefan Haag

Director, Corporate Reporting Services, PwC Switzerland

Tel: +41 58 792 71 29

Bruno Gmür

Bruno Gmür

Technical Partner Financial Services Banking, PwC Switzerland

Tel: +41 58 792 7317