Skip to content

How To Meet The EU Whistleblowing Directive's Requirements For Company Groups

Post Picture

When the European Union proposed its EU Whistleblowing Directive, requiring legal entities to provide whistleblowing reporting channels for employees, it caused some concern for those groups with multiple subsidiaries within the bloc. Many raised issues with the European Commission regarding how the EU Whistleblowing Directive implementation would affect centralised whistleblowing functions that already existed.  

In response to some of the queries, the commission reiterated that the directive purposefully requires each entity with 50 or more employees to run its own reporting system. However, entities employing between 50 and 249 staff members may share their reporting and investigation channels. This is, in its words, for the purpose of “ensuring their proximity to the whistleblower”. It must be noted that the European Commission does not encourage operating compliance programmes solely through a company’s headquarters. There are some cases when this is possible, but the directive’s requirements have to be considered carefully first.  

This article explores how company groups are required to run their whistleblowing programmes within the EU, whether their subsidiaries are based within the same member state or across multiple countries. In addition, it sets out the rules for multinational companies based outside of the European Union but with entities within the bloc.  

1. Reporting requirements at the subsidiary level vs group level 

The European Commission, in a letter sent in June 2021, states: 

 “The provision in Article 8(3) leaves no room for interpretation: each legal entity with 50 or more workers is required to set up channels and procedures for internal reporting, even where such legal entities belong to a group of companies. Any different interpretation would be contra legem.” 

Medium-sized entities, those with between 50 and 249 employees, can share reporting channels and investigation procedures whether they share a common owner or not. However, each individual entity will remain responsible for maintaining the confidentiality of the reporting person, providing feedback to them and addressing the misconduct that they reported.  

For larger legal entities, there is no such provision. The law states clearly that they must run their own internal channels, regardless of their ownership structure.  

1.1 Where central whistleblowing functions work

However, that is not to say that company groups cannot run a central whistleblowing programme in tandem with the individual entity channels. This allows whistleblowers the option of choosing between reporting locally or taking the complaint higher up the chain. The advantage of this would be, for example, if the reporting person did not believe their complaint could be dealt with effectively at a local level.  

1 (2)-1

Such an arrangement would also be helpful in cases where the local independent investigation team believes it does not have the resources to deal effectively with the report or when the report reveals structural issues that affect multiple entities within the group. In these cases, the team would have to inform the whistleblower of their intentions to escalate and ask for their consent. When this happens, the reporting person has the right to withdraw their internal report and instead make an external report to a competent authority.  

1.2 Rationale for keeping reporting at entity level 

The European Commission explains that the rationale for ensuring entity-level reporting is due to the aim of the directive to make it as easy as possible for a whistleblower to make their report. Being able to do so within the entity in which they work makes the process easier and more efficient because there will be specific information on how to report and where they will receive feedback. They may also feel more comfortable reporting to their own entity rather than talking to headquarters, where they might have few, if any, contacts.  

2. Multinational group reporting 

There are multiple reasons why entities in different EU member states must each run their own internal reporting channels. They include:  



Different scope 

Up to a certain limit, each member state can transpose the directive in its own way. The directive itself applies only to breaches of EU law. However, some countries have extended the scope to include breaches of national law, too, meaning that the whistleblowing procedure in one country could differ from that in another. As a result, a company with entities in two separate countries may have to comply with different requirements and offer different systems in each.  

Varying rights 

Some countries require companies to set up face-to-face meetings with whistleblowers if requested. Others do not.  

Differences in provisions 

The directive states that legal entities have a week at most to acknowledge receipt of reports and three months to respond. However, member states can make these terms more favourable to the whistleblower when they transpose the law into national legislation, if they wish.  

Contrasting feedback requirements 

Member states can make their own legislation regarding how entities follow up and respond after their investigations. 

3. The specifics of multinational whistleblowing 

3 (2)

There are methods for company groups and multinationals to help rationalise the process of creating whistleblowing programmes across different entities. They include:  

  • The EU Whistleblowing Directive states that “reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party”. This means that you can use an external source to manage the receipt and acknowledgement of reports across multiple entities. However, these external parties cannot investigate, follow up or address breaches uncovered in reports. 
  • Medium-sized entities, those with between 50 and 249 employees, can share resources for both the receipt and the investigation of reports. If your entities fall within this scope, then a shared whistleblowing function is acceptable.  
  • Medium-sized entities can allow headquarters (or another entity in the group) to take on its investigations, as long as they communicate this with the whistleblower. In this case, the organisation has to inform the employee that they can refuse and have the report actioned at the subsidiary level instead if they wish.  
  • In the event that a report uncovers issues that affect more than one subsidiary or structural problems within the business, it might be that the subsidiary does not have the resources to deal adequately with the investigation. In these cases, it is possible to carry out the investigation at the group level with the permission of the whistleblower.  

4. Problems with resource sharing between subsidiaries 

Although it is possible for a medium-sized subsidiary to take advantage of a parent company’s superior resources when investigating reports, it is important to remember that the whistleblower has the right to decline that opportunity.  

In order to escalate the case to HQ, the subsidiary must inform the reporting person of the move and seek their consent. If they do not give their consent, there is a chance that they could withdraw their report and make it externally instead.  

 The issue with this is that, when a whistleblower reports to an external party, it takes the narrative out of the company’s hands. This means that the news can go public before the company has had time to act, causing reputational damage.  

Another issue with the whistleblower declining consent for the complaint to be investigated at the group level is that the group head of compliance does not have visibility on the workings of the report, which can hinder them in their work. The company must also gain consent to investigate the report at a higher level, even in the event of the report highlighting an infringement that takes place in more than one entity.  

This means that companies must be proactive about promoting the benefits for the whistleblower of having their report heard at the group level rather than simply at the subsidiary level.  

5. Requirements for group whistleblowing channels 

The requirements for whistleblowing channels within the group are the following: 

  • They must be easily accessible to reporting persons. 
  • Each legal entity should display information on the uses of the channel and the ability to make an external disclosure on its website and inside its premises. 
  • There should be an independent party within the subsidiary where the report was made to follow up and maintain communication with the whistleblower. 
  • Depending on the transposition of the law in that country, the whistleblower has a right to request a face-to-face meeting with a representative of the subsidiary through which they made the report.  

Whistleblower software helps meet all of the above requirements, as it is fully compliant with the EU whistleblowing directive. The platform provides an easily accessible reporting system to all employees, wherever they are based. They can log in remotely from any device and do not have to travel to a certain office to make a declaration in person. 

6. Impact on multinational employers outside the EU

The approach that multinational employers based outside of the EU need to take to whistleblowing programmes depends on the types of entities they run and the countries in which they operate.  

Each EU member state has created its own “version” of the EU Whistleblowing Directive when transposing it into national law. This means that the whistleblowing channels within those territories will require different inputs.  

It would be possible for a multinational with multiple medium-sized subsidiaries within a single country to create a shared process. However, if it ran single subsidiaries in multiple countries, each would have to have its own reporting process to ensure compliance.   

7. FAQs

7.1 Should group entities provide whistleblowing channels to contractors?

The directive does not just apply to employees but also to freelancers, interviewees, former employees, volunteers, contractors and many other people connected with the organisation. Therefore, the organisation’s whistleblowing channels should be available to all such parties. 

7.2 Should parent companies accept reports from subsidiary employees?

Parent companies can accept reports from employees of their subsidiaries. However, they must make it clear that this is a group-level reporting channel and seek their consent.  

7.3 Can investigation be centralised for the group?

Where the group consists of medium-sized entities, you can centralise investigation. This is reliant on subsidiary reporting channels also remaining easily accessible, informing the whistleblower that you are centralising investigation. You must allow the whistleblower to request the investigation takes place at subsidiary level instead. If they exercise this option, you should honour their wishes and restrict the details to the subsidiary’s investigation team.  

7.4 What information from a report at the subsidiary level can be shared at the group level?

Only when the reporting person gives permission can any information be shared from a subsidiary-level report at the group level. The whistleblower must allow access to sufficient information for the group-level investigator to be able to carry out the investigation. 

8. Conclusion

Although groups might wish to share information on whistleblowing reports and investigations, the directive has been set up purposefully to make it as easy as possible for whistleblowers to make reports, gain feedback and request face-to-face meetings. This whistleblower protection policy means decentralising the process as much as possible in the eyes of the European Commission.  

The EU Whistleblowing directive’s implementation is such that it dictates each subsidiary has its own internal reporting channels, although the sharing of resources is acceptable in some circumstances. If you need an effective whistleblowing reporting system that provides confidentiality, GDPR compliance and a dashboard that keeps your investigation team on track with deadlines, IntegrityLog can help. Request a demo today.  

9. References and further reading

Share this post

Article Summary

Subscribe to our newsletter

Stay up to date with the latest news and products


Sign up for our newsletter

Stay up to date with the latest news and products

You have successfully subscribed!

This is your official confirmation. Thank you for joining ComplyLog Newsletter. While you wait for the next issue of ComplyLog, check out the latest articles and references.

Related articles

Post Picture

All About The EU Whistleblowing Directive (Summary + Key Points)

Directive (EU) 2019/1937 of the European Parliament, commonly known as the ‘EU whistleblowing directive’ requires member states to create laws to...
Read More
Post Picture

Status Update: Transposition of the New EU Whistleblowing Directive

The new EU Whistleblowing Directive is due to be transposed into national law by member states before the end of the year, protecting people who...
Read More
Post Picture

MiFID II Directive Summary For Compliance Professionals

The European Securities and Markets Authority (ESMA) is committed to investor protection. It ensures companies that sell financial products, and...
Read More
Post Picture

How To Choose An Internal Whistleblowing System

Whistleblowers are integral to stamping out corruption and other wrongdoing within businesses and public bodies. With a typical company losing 5% of...
Read More
All articles