EU Whistleblower Directive Penalties: What Companies Risk

Lantern Team

The EU Whistleblower Directive (2019/1937) became enforceable in December 2021 for companies with 250+ employees, and July 2022 for companies with 50-249 employees.

If you haven't implemented a compliant reporting channel yet, you're operating outside the law—and the penalties vary significantly by country.

This guide breaks down what each EU member state penalizes, how enforcement works, and what happens if you're non-compliant.

How the Directive Works

The EU Whistleblower Directive sets minimum standards that all member states must implement. Each country then passes its own national legislation with specific penalties and enforcement mechanisms.

What the Directive requires:

  • Secure, confidential reporting channels for companies with 50+ employees
  • 7-day acknowledgment of reports
  • 3-month follow-up on investigation outcomes
  • Protection from retaliation
  • Clear internal procedures

What it doesn't specify:

  • Exact penalties (left to member states)
  • Enforcement agencies (each country designates its own)
  • Implementation details (countries can add requirements)

This means penalties differ across the EU—sometimes dramatically.

Penalties by Country

Germany

National Law: Hinweisgeberschutzgesetz (HinSchG), effective July 2, 2023

Penalties for companies:

  • Failure to establish a reporting channel: Up to €50,000
  • Retaliation against whistleblowers: Up to €50,000 (for legal entities)
  • Obstruction of whistleblowing: Up to €50,000
  • Breaches of confidentiality: Up to €20,000

Penalties for individuals:

  • Retaliation: Up to €20,000 (for individuals) or imprisonment up to 1 year
  • Obstruction: Up to €20,000 or imprisonment

Enforcement: Federal Office of Justice (Bundesamt für Justiz)

Notable: Germany has one of the strictest implementations. Penalties apply even if the violation was unintentional.


France

National Law: Loi Waserman (Law No. 2022-401), effective September 1, 2022

Penalties:

  • Obstruction of reporting system: Up to €1 million (yes, one million euros)
  • Retaliation: Up to €45,000 and 3 years imprisonment (for individuals)
  • Breach of confidentiality: Up to €45,000 and 3 years imprisonment
  • Failure to protect whistleblowers: Administrative sanctions (amount varies)

Additional requirement: Companies with 250+ employees must have a phone hotline (not just a web form). This is specific to France.

Enforcement: Défenseur des droits (Defender of Rights), labor inspectorates

Notable: France treats retaliation as a criminal offense, not just an administrative penalty. This is one of the harshest implementations in the EU.


Ireland

National Law: Protected Disclosures (Amendment) Act 2022, effective January 1, 2023

Penalties:

  • Failure to establish internal reporting channels: Summary conviction: Up to €5,000 and/or 12 months imprisonment. On indictment: Unlimited fine and/or up to 2 years imprisonment.
  • Retaliation (penalization): Civil remedy—compensation awarded to whistleblower (unlimited)
  • Breach of confidentiality: On indictment: Unlimited fine and/or up to 2 years imprisonment

Enforcement: Workplace Relations Commission (WRC), courts

Notable: Ireland focuses on civil remedies for retaliation (compensating the whistleblower) rather than fines to the company. But criminal penalties apply for obstruction.


Italy

National Law: Legislative Decree No. 24/2023, effective July 15, 2023

Penalties:

  • Retaliation: €10,000 to €50,000
  • Breach of confidentiality: €10,000 to €50,000
  • Failure to establish reporting channels: €10,000 to €50,000
  • Obstruction of reports: €10,000 to €50,000

Enforcement: National Anti-Corruption Authority (ANAC)

Notable: Italy uses a sliding scale based on company size and severity. Penalties can increase for repeat violations.


Spain

National Law: Law 2/2023, effective February 13, 2023

Penalties:

  • Minor infractions (delays in processing reports): €1,000 to €40,000
  • Serious infractions (failure to protect confidentiality): €40,001 to €300,000
  • Very serious infractions (retaliation, obstruction): €300,001 to €1 million

Enforcement: Labor and Social Security Inspectorate, Ombudsman

Notable: Spain has a three-tier system based on severity. Retaliation is classified as "very serious" and can result in million-euro fines.


Netherlands

National Law: Wet bescherming klokkenluiders (Wbk), effective February 18, 2023

Penalties:

  • Retaliation: Compensation to whistleblower (no set limit)
  • Breach of confidentiality: Criminal liability (up to 2 years imprisonment or fine of category 4: €21,750)
  • Failure to establish internal channel: Administrative sanctions (amount not specified, but enforced)

Enforcement: Huis voor Klokkenluiders (House for Whistleblowers), courts

Notable: The Netherlands emphasizes compensation for whistleblowers rather than direct fines to companies. But retaliation can be prosecuted criminally.


Belgium

National Law: Law of 28 November 2022, effective February 15, 2023

Penalties:

  • Retaliation: €250 to €20,000 (per violation)
  • Failure to establish reporting channel: €250 to €20,000
  • Breach of confidentiality: €250 to €20,000

Enforcement: Labor courts, Ombudsman

Notable: Belgium's penalties are relatively low compared to France or Germany, but retaliation can result in reinstatement + damages.


Sweden

National Law: Whistleblower Protection Act (Lag om skydd för personer som rapporterar om missförhållanden), effective July 17, 2021 (early adopter)

Penalties:

  • Retaliation: Compensation to whistleblower (typically 3-12 months' salary)
  • Failure to establish reporting channel: Sanctions not specified (enforcement relies on labor law)

Enforcement: Swedish Work Environment Authority, labor courts

Notable: Sweden was one of the first EU countries to implement the Directive. Enforcement focuses on civil remedies (compensating whistleblowers) rather than fines.


Denmark

National Law: Lov om beskyttelse af whistleblowere, effective December 17, 2021 (early adopter)

Penalties:

  • Retaliation: Compensation to whistleblower (amount varies based on circumstances)
  • Failure to comply: Administrative sanctions (unspecified amounts)

Enforcement: Danish Business Authority, courts

Notable: Denmark emphasizes proactive compliance over punitive fines. Enforcement is relatively light compared to France or Germany.


Other EU Countries

Most other EU member states have implemented the Directive with penalties ranging from:

  • €5,000 to €50,000 for administrative violations (failure to establish channels)
  • €20,000 to €1 million for serious violations (retaliation, obstruction)
  • Criminal liability (imprisonment) for individuals in cases of retaliation or breach of confidentiality

Key countries still finalizing implementation:

  • Poland, Hungary, Czech Republic, Slovakia, Romania (legislation passed, but enforcement mechanisms still being established)

What Triggers Enforcement?

Penalties aren't issued automatically. Enforcement typically happens when:

1. Whistleblower Complains Externally

If an employee tries to report internally but your channel doesn't exist or doesn't work, they may escalate to:

  • National whistleblower authorities (Ombudsman, labor inspectorate)
  • Regulators (data protection authorities, financial regulators)
  • Media or public disclosure

When external authorities investigate, they'll check whether you have a compliant internal channel. If you don't, penalties may apply.

2. Retaliation Claims

If a whistleblower alleges retaliation (termination, demotion, harassment) and proves it in court or through a labor authority, penalties can include:

  • Reinstatement of the whistleblower
  • Back pay and damages
  • Fines to the company
  • Criminal charges for managers (in France, Netherlands, Ireland)

3. Regulatory Audits

Some member states conduct proactive compliance checks:

  • Germany's Federal Office of Justice can request proof of compliance
  • France's labor inspectorate can audit reporting channels
  • Italy's ANAC conducts random checks on public sector organizations

If you can't demonstrate compliance, penalties may apply.

4. Data Protection Authority (DPA) Review

If your reporting system violates GDPR (e.g., you collect unnecessary personal data, fail to encrypt reports, or don't have a data processing agreement with your vendor), the DPA can fine you:

  • GDPR fines: Up to €20 million or 4% of global turnover

This is separate from Whistleblower Directive penalties but often overlaps.


What Happens If You're Non-Compliant?

Scenario 1: No Reporting Channel

You have 100 employees but no whistleblower reporting system.

Likely outcome:

  • If no one reports externally, you may not be penalized (but you're still violating the law)
  • If an employee tries to report and escalates to authorities, you'll face penalties for failure to establish a channel (€5,000-€50,000 depending on country)

Worst case: Retaliation occurs, the whistleblower sues, and you're liable for both the failure to provide a channel + retaliation damages.


Scenario 2: Non-Compliant Channel

You have an email-based reporting system, but it doesn't meet Directive requirements (not anonymous, no acknowledgment tracking, no audit logs).

Likely outcome:

  • If a whistleblower escalates, authorities will review your system and find it non-compliant
  • Penalties depend on the gap (e.g., missing acknowledgment = administrative fine; breach of confidentiality = higher fine + criminal liability)

Worst case: A breach of confidentiality (whistleblower's identity leaked) leads to €20,000-€50,000 fine + civil damages + criminal charges for individuals.


Scenario 3: Retaliation

An employee reports harassment through your channel. The accused manager finds out (breach of confidentiality) and terminates the whistleblower.

Likely outcome:

  • Whistleblower files claim with labor authority
  • Investigation finds evidence of retaliation
  • Company must reinstate whistleblower + pay back pay + damages (potentially 12-24 months' salary)
  • Company fined €20,000-€1 million (depending on country)
  • Manager may face criminal charges (France, Ireland, Netherlands)

Worst case: Public disclosure (media), reputational damage, loss of contracts, additional regulatory scrutiny.


How to Avoid Penalties

The best way to avoid penalties is proactive compliance:

1. Implement a Compliant Reporting Channel

Ensure your system meets Directive requirements:

  • Secure, confidential (ideally anonymous)
  • Tracks 7-day acknowledgment and 3-month follow-up deadlines
  • Audit logs (for regulatory review)
  • Accessible to employees, contractors, vendors

2. Train Your Team

Managers, HR, and case managers need to understand:

  • How to handle reports without compromising confidentiality
  • What constitutes retaliation (and how to avoid it)
  • When to escalate to legal or external authorities

3. Document Everything

If you're audited, you'll need to prove compliance:

  • Acknowledgment sent within 7 days (timestamp)
  • Follow-up provided within 3 months (documentation)
  • Audit trail of all actions taken (who accessed the report, when, why)

4. Act on Reports

Penalties often stem from inaction, not just lack of a channel. If you receive a report but don't investigate or take corrective action, you're still non-compliant.


Conclusion

EU Whistleblower Directive penalties range from €5,000 to €1 million, depending on the country and severity of the violation. Criminal liability (imprisonment) applies in some countries for retaliation or breach of confidentiality.

But the real cost of non-compliance isn't just fines—it's:

  • Reputational damage (public disclosure of misconduct)
  • Legal liability (civil suits, criminal charges)
  • Loss of trust (employees stop reporting, problems fester)

The Directive is mandatory. The penalties are real. The grace period is over.

If you haven't implemented a compliant reporting channel yet, you're taking a gamble—and the odds aren't in your favor.


Need to get compliant fast? Lantern deploys in 15 minutes and meets all EU Whistleblower Directive requirements out of the box. Avoid the fines. Get compliant today.