A whistleblower system is an internal reporting channel and process that enables individuals to report wrongdoing in an organization in accordance with the EU Whistleblower Directive (2019/1937).
A guide to whistleblowing systems according to the EU Whistleblower Directive. How to create a secure reporting channel, internal process and correct follow-up.

Whistleblowing requirements under EU directives
The EU Whistleblower Directive (2019/1937) requires organizations to establish internal reporting channels and procedures for handling reports of work-related misconduct. The rules apply to organizations with at least 50 employees, public sector organizations and certain regulated sectors.
The directive essentially requires organizations to have:
- a secure internal reporting channel
- a designated function that receives and follows up on reports
- procedures for follow-up and feedback
- protection of the whistleblower’s identity and confidentiality
It is important to understand that the Directive does not require organizations to implement a specific digital whistleblowing system. The law requires a functioning and secure reporting channel, but the technology used may vary. Reports should be able to be submitted in writing, orally by telephone or through a physical meeting if the reporter requests it.
This means that many organizations can meet the requirements of the directive without investing in large and complex systems.
Small organizations don’t need expensive whistleblower systems
When organizations start working with whistleblowing, a common perception is that they have to purchase a comprehensive whistleblowing system. However, many commercial solutions are designed for very large organizations and can be both costly and difficult to implement.
The EU regulations focus instead on security, confidentiality and correct handling of reports. For many organizations, a simpler solution can work, combining:
- a secure digital reporting channel
- encrypted communication during follow-up
- clear internal procedures for handling reports
Such a model may be fully sufficient to meet the requirements of the EU Whistleblower Directive, as long as the channel protects the reporter’s identity and only authorized persons have access to the information.
How to create a simple whistleblower solution in practice
A practical and cost-effective solution can be built with three components:
- a secure reporting channel
- secure communication during follow-up
- a clear internal organization and process
1. Reporting via secure web forms
A common method for creating a digital whistleblower channel is to use secure web forms from ANON::form.
The service is designed to collect sensitive information over the web with high security. Data is encrypted in the reporter’s browser before being sent to the organization. The information is then delivered via encrypted email to the designated recipient.
With such a solution, the organization can:
- publish a whistleblower page on their website
- receive reports anonymously or with contact details
- receive reports directly in a secure email environment
The reporting channel must be designed so that the identity of the whistleblower and the content of the report are only accessible to authorized persons. This is a key requirement of the EU Whistleblower Directive.
Secure forms can therefore function as part of a solution that meets the requirements of the directive, as long as the organization also has a proper internal process for handling reports.
2. Secure communication during follow-up
Once a report has been received, the organization needs to be able to communicate securely with the whistleblower if the person has provided contact information.
An easy way to do this is to use the encrypted email service Proton Mail. The service uses end-to-end encryption and so-called zero-access encryption, which means that only the sender and recipient can read the contents of messages.
An important feature is that Proton can also send encrypted messages to recipients who do not use Proton. In such cases, the recipient receives an email with a secure link to a protected message window where the content can be read after entering a password. The recipient can also reply directly in this protected interface.
This allows the organization to maintain secure communication even when the recipient is using a regular email service.
3. Internal organization and process
The technical reporting channel is only one part of a functioning whistleblower system. The organization must also have a clear internal structure for how reports are received and handled.
Appoint a responsible function
The directive requires the organization to designate a person or function responsible for receiving reports and following up on them. This could be, for example:
- HR
- legal
- compliance
- a special whistleblower team
In many organizations, a small team of two to three people is sufficient.
Create a workflow
A simple workflow for whistleblower cases might include the following steps:
- receipt of report
- registration and initial assessment
- confirmation to the whistleblower within 7 days
- any internal or external investigation
- decision on measures
- feedback to the whistleblower within a maximum of three months from confirmation
- documentation and closing
These deadlines follow the directive’s requirements for feedback and follow-up.
Introduce a whistleblower policy
The organization should also have a clear whistleblower policy that describes:
- what can be reported
- how the reporting works
- who handles the reports
- how confidentiality and anonymity are protected
- how follow-up and feedback take place
Such a policy serves both as internal instructions and as information for people who want to report misconduct.
In addition, ANON::form’s LITE subscription automatically generates a basic policy, which can help organizations quickly establish the documentation required for a functioning whistleblower system.
What do authorities review for compliance?
When regulators review organizations’ whistleblowing systems, they typically focus on a few key factors:
- is there an internal reporting channel?
- are the whistleblower’s identity and confidentiality protected?
- is there a designated function that handles reports?
- are the deadlines for confirmation and feedback met?
- are there procedures in place to prevent retaliation?
It is therefore primarily the organization’s processes and protection mechanisms that are reviewed, not the technical platform used.
Summary: a simple and cost-effective whistleblower solution
The EU Whistleblower Directive requires that organizations offer a secure channel for reporting misconduct and that reports are handled according to clear and confidential processes.
For many organizations, a simple model may be sufficient:
- secure web forms from ANON::form as a reporting channel
- encrypted communication via Proton Mail
- a small internal whistleblower team
- a clear whistleblower policy and work process
With the right procedures, this model can be a practical and cost-effective whistleblower solution according to the EU Whistleblower Directive.
For organizations responsible for procuring or implementing whistleblower systems, ANON::form can therefore be a simple way to establish a secure whistleblower channel without implementing a large and complex system.