Whistleblowing Directive: what it is and how to comply in your company
If you run an SME and have heard about the Whistleblowing Directive without being entirely clear on what it requires you to do, you are not alone. Behind that piece of jargon lies a European regulation that is already mandatory in Spain for thousands of companies, with penalties that can reach one million euros. In this guide we explain, in plain language, what it is, who it affects and how to set up a reporting channel that complies with the law without losing your mind.
What is the Whistleblowing Directive?
The Whistleblowing Directive is the colloquial name for Directiva (UE) 2019/1937 (EU Directive 2019/1937), on the protection of persons who report breaches of Union law. Its aim is simple: to give any worker a safe means of reporting crimes and irregularities within their company without fear of retaliation.
In Spain, this directive was transposed through Ley 2/2023, de 20 de febrero, which regulates the protection of persons who report regulatory breaches and the fight against corruption. It is this Spanish law, in force since March 2023, that actually sets out the obligations your company must meet.
When do you have to comply with the Whistleblowing Directive?
The deadlines have already passed. Ley 2/2023 established two cut-off dates for having an internal reporting system (the reporting channel) in place:
- 13 June 2023 for companies with 250 or more employees and public sector entities.
- 1 December 2023 for companies with between 50 and 249 employees.
In other words: if your company has 50 employees or more and has still not set up the channel, it is already past the deadline. The Autoridad Independiente de Protección del Informante (AAI) (Independent Authority for the Protection of Whistleblowers) is the body responsible for overseeing compliance and processing sanctioning proceedings.
Requirements of the Whistleblowing Directive
For your reporting channel to be valid, it is not enough to set up an email inbox. The law requires a series of specific safeguards:
- Anonymity and confidentiality. The system must allow anonymous reports and protect, in all cases, the identity of the whistleblower and of the persons concerned.
- Broad scope. It covers serious or very serious criminal and administrative breaches: safety, public procurement, money laundering, data protection, the environment and other irregular situations.
- Universal application. It applies to both private companies and public entities once the relevant size threshold is reached.
- Impartial staff. A system manager must be appointed to handle and investigate reports with objectivity and independence.
- Set deadlines. You must acknowledge receipt within 7 days and conclude the investigation within a maximum of 3 months (extendable to 6 in complex cases).
- Recording and traceability. All reports must be recorded securely and with the safeguards required by the RGPD (Spanish GDPR).
Who does the Whistleblowing Law protect?
The protection goes well beyond permanent staff. Ley 2/2023 protects anyone who reports in a work or professional context, including:
- Employees, interns and trainees.
- Subcontracted workers, freelancers and suppliers.
- Shareholders, partners and investors.
- Members of the administrative, management or supervisory body.
- People in the whistleblower’s circle (relatives, colleagues) who may suffer retaliation.
The key point is that the law prohibits any kind of retaliation: dismissals, changes of position, penalties, denied promotions or reputational harm arising from having reported in good faith.
When does its protection apply?
Protection is not limited to the moment of the report or to the current employment relationship. It extends to:
- Situations before and after the employment relationship.
- Candidates in recruitment processes who become aware of irregularities during negotiations.
- Legal advisers, collaborators and people who assist the whistleblower.
- Unpaid collaborators, such as volunteers and trainees.
The reporting channel to comply with the Whistleblowing Directive
Complying with the Whistleblowing Directive does not have to be a never-ending project. The simplest way is to rely on reporting channel software that already builds in all the legal safeguards as standard: anonymity, encryption, deadline management, traceability and data protection in line with the RGPD.
With LapsoWork’s reporting channel your company has a secure, accessible inbox, a management workflow for each report with automated deadlines, and all the documentation needed to demonstrate compliance to the AAI. And because it is part of an all-in-one HR platform, you can combine it with the rest of the modules —from time tracking software to document management— without piling up standalone tools.
If your company is already past the deadline, the priority is to set it up as soon as possible: proving that you have a compliant channel decisively reduces the risk of sanctions. And if you are still unsure whether your headcount obliges you, it is better to err on the side of caution and have it in place.