Regulations · Regulation explained
EU Whistleblower Directive
Breach reporting is part of the AML control fabric: the people most likely to see wrongdoing first are your own staff, and the directive obliges you to give them a safe, confidential route that actually responds.
The requirements, article by article
An internal channel
Entities in scope must establish internal reporting channels allowing written and oral reports, available to workers and, optionally, wider categories.
In Sceau — The whistleblowing channel runs confidential intake with case management.
Acknowledge in 7 days, respond in 3 months
Receipt must be acknowledged within seven days, and feedback on follow-up given within three months.
In Sceau — Deadline automation tracks both clocks per report with escalation.
Protect confidentiality
The reporter's identity must not be disclosed without explicit consent, except where required in proceedings.
In Sceau — Access to reporter identity is role-restricted and every access is ledgered.
No retaliation
Any form of retaliation — dismissal, demotion, intimidation — is prohibited, with the burden of proof reversed in the reporter's favour.
In Sceau — Case records preserve the timeline evidence that retaliation claims turn on.
This page is a plain-language orientation, not legal advice. Article numbering follows the instrument as published in the Official Journal; where implementing technical standards are still in draft, we say so. The legal text always prevails.
All regulations
See it running against your own files
A 30-minute demo walks your real obligations through the platform — classification, screening, evidence, filing.
Book a demo