28.04.2021 | KPMG Law Insights

Whistleblower system and case management – The EU Whistleblower Protection Directive and its implementation in national law: What is in store for companies?

The EU Whistleblower Protection Directive and its implementation in national law: What lies ahead for companies?

The EU Directive: The Directive is in the context of a paradigm shift in law enforcement policy – in Europe and also in Germany. The aim of the Directive is – as described in its Art. 1 – “to improve the enforcement of Union law and policies in specific areas by setting common minimum standards ensuring a high level of protection for persons reporting infringements of Union law”. These requirements are intended to preventively transfer the enforcement of European law from the state to the legal entities as a matter of their own. By specifically mandating that reporting channels and case management be implemented and maintained

Status of the legislative procedure: the directive was adopted in the so-called triolog procedure and entered into force on 16.12.2019 with an implementation period of two years.

  • Implementation status in the EU: 19 out of 27 EU member states have already started implementation. In some cases, we are already further along than in Germany, especially in the area of in the Nordic countries.
  • Draft bill: In Germany, the Ministry of Justice and the Ministry of Labor are working on the draft bill. However, due to the complexity and uncharted territory of whistleblower protection, a draft released to the public is not yet available. The goal is to meet the implementation timeline by the end of 2021 (Dec. 17, 2021). Due to the many challenges of implementation, it is not yet possible to give an exact date for an official draft bill. The BMAS and the BMJV are in consultation with the federal government on this. For some time now, however, the “Draft Law for Better Protection of Whistleblowers and for the Implementation of the Directive on the Protection of Persons Reporting Violations of Union Law” (Whistleblower Protection Act) has been circulating. Subject to possible amendments, the present draft shows where the journey may lead for German companies.

Core requirements: Of the core requirements of the EU Whistleblowing Directive and its planned implementation in German law, a few points can be singled out:

  • All companies, so-called employers, regardless of their legal form or sector, and also public administration, courts and municipalities, so-called departments, will in future be obliged to set up a whistleblower system. That already from 50 employees. Legislation in Germany extends it further for certain companies within the scope of the WPHG, BörsG, KWG, and VAG. In the public sector, for example, state law should regulate municipalities.
  • The scope of the Directive covers whistleblowers in the private and public sectors. For the public sector, this means all employees who receive information in a professional context: Civil servants, public employees. This applies accordingly in the private sector. Important: It is a broad scope – employees of a business partner of the company must also be able to report.
  • With regard to the reports covered, it was to be expected that not only violations of EU law but also violations of national law would fall within the scope of the Whistleblower Protection Act. This requirement, which is not uncontroversial in the political arena, means that the reporting channels must be open to all violations that are subject to penalties or fines and must not only cover EU law violations.
  • There is an EU requirement for dealing with anonymous tips Germany is not required to open reporting channels for anonymous tips. It is only explicitly clarified that external reporting offices do not have to follow up on anonymous tips. This statement is not found for internal hotlines. In any case, the anonymous whistleblower is protected if his identity comes to light.
  • With regard to the handling of reported cases, there are precise EU requirements with feedback and documentation obligations, which are implemented accordingly at national level.
  • Finally, obligations are imposed to protect the whistleblower, the fulfillment of which must be proven in case of doubt. The reversal of the burden of proof to the detriment of the so-called employers and service providers is provided for accordingly in the draft bill.
  • However, there is no whistleblower protection in principle if the whistleblower reports particularly protected information. There is also no protection if the whistleblower goes directly to the public, so-called disclosure. He is only protected if he has previously unsuccessfully submitted an external report to an External Reporting Office to be set up by the state (Federal Data Protection Commissioner, the BaFin and, if applicable, state authorities). Finally, there is no whistleblower protection if the whistleblower intentionally or grossly negligently reports inaccurate information. Then he is even obliged to compensate for the damage incurred.


Implementation period and market impact: The deadline for transposing the EU directive into national law is December 2021. For companies with up to 249 employees, however, the requirements are not expected to take effect this year, but rather in 2023. It would be good to clarify whether headcount is calculated by headcount or by Full Time Equivalents. In any case, the new legal situation will have an impact on very many companies in the short and medium term.

  • According to our estimates, there are probably 50,000 companies in the EU with more than 250 employees; in Germany alone, there are probably 17,000 companies. Here, the obligations take effect from the end of this year. If only half of them have to make adjustments, e.g. introduce a digital system, that’s more than 25,000 companies across the EU in the short and medium term.
  • For smaller companies, the obligation comes later. According to our estimates, around 250,000 companies in the EU have more than 50 employees (for Germany, the figure is probably around 65,000). If only a quarter of them intend to implement a sustainable implementation, e.g., to introduce a digital system, that’s more than 15,000 companies in the long term.
  • In our view, the requirements of the future Whistleblower Protection Act will also have a formative effect worldwide The DOJ requires whistleblower systems as a hallmark of a compliance management system via the FCPA also extraterritorially. The EU and German legislators provide precise guidelines for the design of the whistleblower system. If a company introduces a group-wide system internationally, it should not be possible to apply lower compliance requirements within the company in countries outside the EU than for the European companies.


Employers and departments are well advised to use the time until the mandatory regulations come into force to adapt existing whistleblower systems to the future requirements or to introduce adequate whistleblower systems. Among the various whistleblowing channels, we believe that an IT-based solution will prevail in Europe. When setting up and operating whistleblower systems, there are other legal requirements to be observed in addition to the above. In particular, data protection, which is essentially about the handling of personal data: Here there is an orientation guide from the state data protection authorities. In addition, the implementation and regular operation of the system must take into account company co-determination, company law and, where applicable, local regulations.

With EQS Group, KPMG Law has a strong alliance partner at its side – one of the five most relevant IT solution providers in the European market, with global reach. We thus believe that we are well equipped to support employers and departments with a holistic compliance solution, the globally available KPMG Integrity Service, during implementation and regular operation.

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…


Dr. Bernd Federmann

Stuttgart Site Manager
Head of Compliance & Corporate Criminal Law

Theodor-Heuss-Straße 5
70174 Stuttgart

tel: 0711 781923418

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.