Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law
Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law requires legal entities with 50 or more workers and public sector bodies to establish secure, confidential internal reporting channels with prescribed procedures (7-day acknowledgement, impartial follow-up, 3-month feedback). It also requires Member States to designate competent authorities operating external reporting channels; sets the conditions for protected public disclosure; mandates confidentiality of the reporting person's identity, GDPR-compliant data processing and record-keeping; prohibits retaliation and provides protective measures including reversal of the burden of proof, support measures and remedies; and requires effective, proportionate and dissuasive penalties.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
Whistleblowing: Confidentiality, Data Protection and Record-Keeping
| Code | Title |
|---|---|
| WB-Art.16 | Duty of confidentiality |
| WB-Art.17 | Processing of personal data |
| WB-Art.18 | Record keeping of the reports |
Whistleblowing: External Reporting Channels
| Code | Title |
|---|---|
| WB-Art.10 | Reporting through external reporting channels |
| WB-Art.11 | Obligation to establish external reporting channels and to follow up on reports |
| WB-Art.12 | Design of external reporting channels |
| WB-Art.13 | Information regarding the receipt of reports and their follow-up |
| WB-Art.14 | Review of the procedures by competent authorities |
Whistleblowing: Internal Reporting Channels
| Code | Title |
|---|---|
| WB-Art.7 | Reporting through internal reporting channels |
| WB-Art.8 | Obligation to establish internal reporting channels |
| WB-Art.9 | Procedures for internal reporting and follow-up |
Whistleblowing: Penalties and Remedies
| Code | Title |
|---|---|
| WB-Art.23 | Penalties |
| WB-Art.24 | No waiver of rights and remedies |
| WB-Art.25 | More favourable treatment and non-regression clause |
Whistleblowing: Protection Measures
| Code | Title |
|---|---|
| WB-Art.19 | Prohibition of retaliation |
| WB-Art.20 | Measures of support |
| WB-Art.21 | Measures for protection against retaliation |
| WB-Art.22 | Measures for the protection of persons concerned |
Whistleblowing: Public Disclosures
| Code | Title |
|---|---|
| WB-Art.15 | Public disclosures |
Whistleblowing: Scope and Conditions for Protection
| Code | Title |
|---|---|
| WB-Art.4 | Personal scope |
| WB-Art.5 | Definitions |
| WB-Art.6 | Conditions for protection of reporting persons |
Frequently Asked Questions
What is Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law?
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law is a compliance framework from the European Union with 7 domains and 22 controls. The Directive, dated 23 October 2019, requires legal entities with 50 or more workers and public sector bodies to establish secure, confidential internal reporting channels with prescribed procedures (7-day acknowledgement, impartial follow-up, 3-month feedback). It also requires Member States to designate competent authorities operating external reporting channels; sets the conditions for protected public disclosure; mandates confidentiality of the reporting person's identity, GDPR-compliant data processing and record-keeping; prohibits retaliation and provides protective measures including reversal of the burden of proof, support measures and remedies; and requires effective, proportionate and dissuasive penalties. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law have?
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law has 22 controls organised across 7 domains. The largest domains are Whistleblowing: External Reporting Channels (5 controls), Whistleblowing: Protection Measures (4 controls), Whistleblowing: Confidentiality, Data Protection and Record-Keeping (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law map to?
Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law maps to 3 other compliance frameworks. The top mapping partners are ISO 37002:2021 - Whistleblowing Management Systems (14% coverage), ISO 37301:2021 (5% coverage), GDPR (5% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law compliance?
Start your Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.