Whistleblowing in groups - can the parent company handle all cases?
Whistleblowing in groups - can the parent company handle all cases? It is one of the most common questions in international groups: can the parent company handle all whistleblowing reports for the whole group? The answer is: Yes - but not without conditions. The starting point is EU Directive (EU) 2019/1937. 1. The obligation applies per legal entity The Directive states that legal entities in the private sector with 50 or more employees shall establish internal channels and procedures for reporting (Article 8). This applies per legal entity. This means that: A subsidiary with 60 employees is subject to the obligation. A parent company with 10 employees is not covered simply because of the overall size of the group. The Directive does not speak of ”groups” as a single legal obligation bearer. The obligation is linked to each individual legal person. 2. May the group centralize the function? Yes, it can. The Directive does not prohibit the reporting function from being organized jointly within a group. In practice, this may mean that: a parent company receives reports for subsidiaries; a common group platform is used; a central compliance or legal function handles cases. But this does not change the basic responsibilities. Each legal entity must be able to ensure that: Reporting is possible. Confidentiality requirements are met. Feedback is provided in a timely manner. Follow-up is carried out correctly. Centralization must not undermine these requirements. 3. Confidentiality and independence The Directive clearly requires Confidentiality of the identity of the reporting person. Restricted access to data. Protection against retaliation. In the case of group solutions, specific questions arise: Who has access to the information? Can local management have access to sensitive matters? How are matters concerning the parent company's management handled? A central function can strengthen independence - but only if the structure is well thought out. 4. Small subsidiaries in large groups A common situation is: the group has thousands of employees. A subsidiary has 20 employees. If the subsidiary has less than 50 employees, it is normally not subject to the obligation to set up its own internal channel under the Directive. However, if the group chooses to offer a common function, these companies may also be covered in practice. This is allowed - and often wise - but it is a voluntary organizational choice rather than a direct legal requirement at EU level. 5. Who bears responsibility in case of failure? This is a crucial question. Even if reception is centralized, each legal entity must be able to demonstrate that: The requirements of the Directive are met. Monitoring is done correctly. Protection against retaliation is ensured locally. A group structure does not change the legal responsibility at entity level. Conclusion Can the parent company handle all whistleblowing reports? Yes - it is possible to centralize the function within a group. But: the obligation to have a function applies per legal entity. Centralization must not reduce confidentiality, feedback and follow-up requirements. Responsibilities cannot be fully ”moved up” to the group level. A group solution therefore requires a clear structure, clear mandates and documented responsibilities.
How should a whistleblowing channel be structured?
How should a whistleblowing channel be structured? Setting up a whistleblowing channel is now a natural part of modern corporate governance. But many organizations stop at technology. A properly structured whistleblowing function is not just about receiving reports - it's about how they are handled when they become uncomfortable. The starting point is the EU Directive (EU) 2019/1937, but the Directive mainly regulates the minimum requirements. It is in the implementation that the risks arise. Here is what is actually required - and where the most common weaknesses lie. 1. A secure and confidential reporting channel Reporting should be possible: In writing Orally On request by face-to-face meeting The system should ensure confidentiality and restricted access. But this is where many mistakes are made. A technical platform without a clear owner and process creates a false sense of security. The question is not only whether the report can be submitted - but what happens afterwards. 2. Independent receiving function There should be a clearly designated function that: Receives reports Acknowledges receipt Assesses whether the matter falls within the scope Initiates investigation In smaller and medium-sized companies, this often ends up with: HR CFO CEO This is where the practical challenge arises. What happens when the report concerns: Management? The board of directors? The finance function? An internal function can quickly find itself in a conflict of interest - even if no one is acting improperly. Independence is not a formal issue. It is a matter of trust. 3. Acknowledgement within 7 days The reporting person should receive confirmation of receipt. This is easy to fulfill in theory. In practice it is missed when: Responsibility is unclear Cases fall between chairs No one has operational responsibility Structure is required - not just willingness. 4. Objective and professional investigation A report should be assessed objectively and proportionately. It requires: Legal understanding Documentation discipline Knowledge of evidence evaluation Ability to handle sensitive interviews This is where the greatest risk lies. A flawed internal investigation can: Exacerbate the situation Create new legal problems Undermine confidence in the function 5. Feedback within three months Feedback is a legal requirement - but also crucial for legitimacy. An organization that cannot demonstrate: that cases are taken seriously that they are handled consistently that decisions are made in a structured way risks the function being perceived as tokenistic. 6. protection against retaliation It is not enough to have a policy stating that retaliation is prohibited. The organization must be able to: Identify subtle retaliation Assess correlation Document decisions Ensure objectivity This is particularly sensitive when the reporting concerns persons in positions of authority. 7. Documentation and traceability Every step of the process should be accounted for: When the report was received Who handled it What assessments were made What actions were taken Lack of documentation is one of the most common weaknesses in audits. Why internal management is often not enough An internal function can work well in some organizations. But in practice, three problems often arise: 1. Conflicts of interest When the report concerns management, there is a lack of true independence. 2. Lack of expertise Investigating complex breaches requires legal and procedural experience. 3. Trust issues Employees and suppliers are reluctant to report if they do not perceive the function as neutral. An external, legally anchored function can therefore: Create real independence Ensure professional investigation Increase willingness to report internally instead of externally It is not about distrusting your own organization. It is about building a structure that will last even when the pressure increases. Conclusion A properly structured whistleblowing function requires: Safe channel Independent recipients Structured investigation process Clear feedback Documented traceability Technology is one component. But it is the governance and legal craftsmanship that determine whether the function works in practice.
What counts as whistleblowing?
What counts as a whistleblowing? The concept of whistleblowing is harmonized at EU level - but not fully uniform in practice. It is based on the EU Directive 2019/1937, but Member States have had the possibility to go beyond the minimum requirements. For businesses operating in several countries, it is crucial to understand the difference between: EU minimum level National extensions The practical risk picture Here is the structure. Level 1 - EU common minimum level The Directive protects the reporting of information on: Breaches of Union law in specified areas When reporting is done in a work-related context The areas covered include, among others: Public procurement Financial services and market abuse Money laundering and terrorist financing Product safety Transport and nuclear safety Environmental protection Public health Consumer protection Data protection Protection of the Union's financial interests Competition and state aid rules The protection also applies to: Attempts to conceal breaches Conduct that defeats the purpose of EU rules It is not necessary to prove the breach. It is sufficient that the person had reasonable grounds to believe that the information was correct. This is the common EU core. Level 2 - National variations The directive is a minimum directive. Member States have been given the possibility to extend the protection. Here differences arise. 🇸🇪 Sweden Sweden has introduced a broader protection than the Directive by also covering: Misconduct that there is a public interest in bringing to light. This means that serious national wrongdoings can also be covered, even if they do not concern EU law. 🇫🇷 France France already had a system (Sapin II) with broader protection before the Directive. In practice, the implementation means that the protection extends to more types of serious wrongdoing than just those that explicitly concern EU law. 🇮🇹 Italy Italy links whistleblower protection to its established compliance model (e.g. the 231 framework). This means that reporting of certain national crimes and corporate irregularities can be covered even outside the narrow EU areas covered by the Directive. 🇩🇪 Germany Germany has essentially followed the structure of the Directive, but has also opened up the possibility of covering national breaches of rules under domestic law. Summary of level 2 In practice, there are three models in Europe: Strict EU model - Protection only for EU territories. Extended national model - Protection also for serious national misconduct. Hybrid model - EU core + certain national offenses. This means that the definition of ”whistleblowing” is not completely identical in all Member States. Level 3 - What does this mean for your business? For companies operating in several countries, an important question arises: should you build your whistleblowing function on the minimum level - or on the broadest model? The practical reality is that: your whistleblowing function as well as your policy must comply with the minimum protection of national law. However, employees do not carry out an EU legal analysis before reporting. Suppliers do not care about the technical scope of the Directive. Stakeholders expect that serious wrongdoings can be reported. Conclusion At EU level, whistleblowing is linked to breaches in specific areas of law. However, in several Member States, protection has been extended to broader categories of serious wrongdoing. For international companies, it is therefore wise to: Understand the common EU core Identify national variations Build a function that can withstand the widest application It creates legal robustness - and trust.
Can an employee go directly to the media?
Can an employee go directly to the media? Yes - in some situations. But not always. The EU Whistleblowing Directive, EU Directive (EU) 2019/1937, provides protection for people who report breaches of EU law. The protection covers not only internal and external reporting - but also disclosure, which in practice can mean going to the media. The question is under what conditions. Three levels of reporting The directive is based on a three-stage structure: Internal reporting - within the organization External reporting - to the competent authority Public disclosure - for example to the media Protection is strongest for internal and external reporting. Public disclosure is possible - but only under certain conditions. When is it allowed to go directly to the media? An employee may be covered by disclosure protection if one of the following applies: the person has first reported internally and/or externally without appropriate action being taken within a reasonable time. there are reasonable grounds to believe that the breach involves an imminent or manifest danger to the public interest There is a risk of retaliation or destruction of evidence if reporting is done through internal or external channels. The decisive factor is that the person had reasonable grounds to believe that the information was correct and that the conditions for disclosure were met. The motive behind the disclosure is in principle irrelevant. What matters is whether the criteria are met. How does this relate to the duty of loyalty? An employment relationship is based on a fundamental duty of loyalty. At its core, the duty of loyalty means that the employee must: protect the employer's interests not harm the business not spread damaging information without a factual basis Going directly to the media can in many situations be perceived as a breach of this duty of loyalty. But the Whistleblowing Directive means that the duty of loyalty is not absolute. When the specified criteria are met, the protection of reporting breaches of public interest outweighs the employer's interest in internal control over information. This does not mean that the duty of loyalty disappears. It means that it has to be balanced against the right to raise the alarm about serious breaches. What happens if the criteria are not met? If an employee goes directly to the media without the conditions set out in the Directive being met, he or she may be left without the specific protection provided by the Directive. In such a situation, the general duty of loyalty in the employment relationship comes into play again. It is therefore not the case that an employee is always protected simply because information is provided to the media. The protection is conditional. Summary Can an employee go directly to the media? Yes - but only if: there are reasonable grounds to believe that the information is accurate, and the conditions for disclosure under the Directive are met. The Whistleblowing Directive creates a possibility to break the silence when the public interest requires it. But it is not a general right to override the duty of loyalty in the employment contract.
Which companies must have a whistleblowing channel in 2026?
Which companies must have whistleblowing channels in 2026? No, they won't. Not all companies in the EU are required to have an internal whistleblowing channel. But many more than you think are covered by the requirement. Here is what will apply in 2026. The basic rule in the EU According to EU Directive 2019/1937, private companies with 50 or more employees must have internal channels and procedures for reporting. This is the general rule in all Member States. It is therefore the number of employees per legal entity that matters - not the overall size of the group. Do companies with less than 50 employees have to have a channel? As a general rule: no. However, the Directive allows Member States to impose requirements even for companies with fewer than 50 employees, following a risk assessment - especially if the activity poses risks to the environment or public health. This means that some countries have chosen to go beyond the minimum level. Are there countries with exemptions below 50? Yes - but this usually applies to specific sectors, not all companies. Example: Italy - companies subject to specific compliance requirements (e.g. under the so-called 231 legislation) must have reporting channels regardless of their size. Germany - companies in certain financial sectors are covered regardless of the number of employees. Austria - some regulated activities, especially in finance, are covered even below 50. However, most Member States have stuck to the 50 threshold as a general threshold. What is the situation in Sweden? In Sweden, the main rule is: 50 or more employees → internal whistleblowing channel required. Less than 50 employees → no general legal requirement. There is currently no general requirement in Sweden for smaller companies to set up internal channels solely on the basis of risk assessment. So - will everyone have to have a whistleblowing channel in 2026? No, they don't. But: All companies with 50+ employees must. Companies in some regulated sectors may have to, even if they are smaller. Rules differ slightly between Member States. Our advice Whether your company is subject to a formal requirement or not, our recommendation is clear: Have an internal whistleblowing channel. It: builds trust with staff signals transparency to suppliers strengthens relationships with investors reduces the risk of cases going directly to the authorities or the media A whistleblowing function is not just a legal issue. It is a matter of trust and corporate governance.
Why employees choose silence
Why do employees choose silence? Most organizations today have a whistleblowing system in place. Policies are in place. Channels are available. Yet the number of reports is low. This is not because there is no wrongdoing - but because employees don't trust the system that is supposed to catch them. Accessibility is not the same as trust Employees do not ask themselves whether the reporting channel is formally compliant. They ask themselves if it is safe. Who will read the report? What happens next? Will this affect me afterwards? If there are no clear answers to these questions, silence becomes the rational choice. Anonymity is perceived as fragile Anonymity is crucial - but often misunderstood. From the employee's perspective, anonymity is rarely absolute. Writing style, context, timing and internal knowledge can be perceived as identifying. Even small doubts can be enough for a report to never be submitted. If anonymity is perceived as theoretical rather than practical, trust is lost. Internal handling creates perceived conflicts of interest When reports are handled internally - often by HR or compliance - employees may question independence, regardless of good intentions. The concern is not about competence. It is about perceived loyalty. When independence is unclear, trust is eroded. Past cases outweigh policies Employees judge reporting systems on experience - not documentation. If past reports have not led to action, or if whistleblowers have been quietly marginalized, silence becomes a learned behavior. A single mishandled case can undermine years of policy work. Fear is rational Not reporting is often described as cultural or emotional. In practice, it is a risk assessment. When the personal risk is concrete and the organization's follow-up uncertain, it is logical to refrain. Why legal involvement matters Independent legal involvement changes the dynamic. Lawyers are subject to confidentiality, procedural discipline and professional independence. It creates a credible counterweight to internal interests - and a stronger signal of trust than technology alone can provide. Silence is not success Low levels of reporting are often interpreted as a sign of a healthy culture. In fact, silence is ambiguous. Without trust, organizations lose early warning signals and face problems only when the damage is already done. Trust must be engineered An effective whistleblowing system is not defined by platforms or policies. It is defined by whether employees actually believe that the system protects them when it really matters.