Sceau

Regulations · Regulation explained

EU Whistleblower Directive

Breach reporting is part of the AML control fabric: the people most likely to see wrongdoing first are your own staff, and the directive obliges you to give them a safe, confidential route that actually responds.

InstrumentDirective (EU) 2019/1937
Applies fromTransposed; internal channels mandatory for entities with 50+ employees
Who is coveredLegal entities with 50 or more workers, all financial-sector entities regardless of size, and public bodies

The requirements, article by article

Art. 8

An internal channel

Entities in scope must establish internal reporting channels allowing written and oral reports, available to workers and, optionally, wider categories.

In Sceau — The whistleblowing channel runs confidential intake with case management.

Art. 9

Acknowledge in 7 days, respond in 3 months

Receipt must be acknowledged within seven days, and feedback on follow-up given within three months.

In Sceau — Deadline automation tracks both clocks per report with escalation.

Art. 16

Protect confidentiality

The reporter's identity must not be disclosed without explicit consent, except where required in proceedings.

In Sceau — Access to reporter identity is role-restricted and every access is ledgered.

Art. 19

No retaliation

Any form of retaliation — dismissal, demotion, intimidation — is prohibited, with the burden of proof reversed in the reporter's favour.

In Sceau — Case records preserve the timeline evidence that retaliation claims turn on.

§
A honest note

This page is a plain-language orientation, not legal advice. Article numbering follows the instrument as published in the Official Journal; where implementing technical standards are still in draft, we say so. The legal text always prevails.

See it running against your own files

A 30-minute demo walks your real obligations through the platform — classification, screening, evidence, filing.

Book a demo