Whistleblowing Act Compliance

Whistleblowing Act Compliance: Protecting Whistleblowers and Building an Ethical Culture

Whistleblowing Act Compliance is a comprehensive service for implementing internal reporting systems on violations in accordance with EU Directive 2019/1937 and Czech Act 171/2023 Coll.

COREDO specializes in developing, implementing, and supporting internal whistleblower protection procedures. We create solutions that not only comply with the law but also foster an environment where ethical reporting is welcomed and protected.


Legal Framework: EU Directive 2019/1937 and Czech Legislation

EU Directive 2019/1937 (the Whistleblower Protection Directive) is the key regulatory instrument. It was adopted on 23 October 2019 and published in the Official Journal of the EU on 26 November 2019. It requires Member States to ensure that private and public legal entities establish internal channels for reporting breaches of EU law in the areas it lists (public procurement, financial services and AML, product and transport safety, environmental protection, consumer and data protection, among others); Member States may extend the scope to breaches of national law. The transposition deadline was 17 December 2021 (17 December 2023 for private entities with 50 to 249 workers). Several Member States, including the Czech Republic, transposed the Directive late.

Czech Act No. 171/2023 Coll. on the protection of whistleblowers, in force since 1 August 2023, implements the Directive in national law. It applies to employers with 50 or more employees and, regardless of size, to most public bodies and to obliged persons under the Czech AML Act. The Act requires:

  • A mandatory internal reporting system with a designated "relevant person" who receives and assesses reports;
  • Acceptance of reports in writing and orally, and at the whistleblower's request in person within a reasonable time (no later than 14 days after the request);
  • Confidentiality of the whistleblower's identity; the Act does not oblige the employer to accept anonymous reports, but the employer may choose to;
  • Protection from retaliation (dismissal, demotion, pay cuts, discrimination, harassment) for the whistleblower and for persons close to them;
  • Written acknowledgment of receipt within 7 days and assessment of the report within 30 days, extendable by 30 days at most twice in complex cases;
  • Record-keeping of every report for 5 years from receipt, with access restricted to the relevant person.

Organizations with 50 or more employees in the EU, as well as entities covered by EU financial-services and AML law (regardless of size), must bring their procedures into compliance with the legislation.

Who Must Comply?

Whistleblowing Act Compliance requirements apply to:

  • Private-sector organizations with 50 or more employees established in an EU Member State;
  • Public-sector bodies, subject to the narrow exemptions Member States may set for small municipalities;
  • Financial institutions and other entities covered by EU financial-services law, regardless of size: banks, investment firms, payment and e-money institutions, and crypto-asset service providers (CASPs);
  • Obliged persons under AML/CFT rules, regardless of size;
  • Organizations that adopt a channel voluntarily to build a culture of ethical management and transparency.

Consequences of Non-Compliance

Failure to comply with Whistleblowing Act requirements carries serious risks:

Fines:

set by each Member State's transposing act; the Directive itself only requires penalties to be effective, proportionate and dissuasive. Amounts cited across the EU typically range from EUR 10,000 to EUR 50,000 and more depending on the violation; Czech Act 171/2023 Coll. provides a fine of up to CZK 1,000,000 for failing to establish an internal reporting system;

Licence consequences:

for regulated institutions (banks, payment service providers, crypto companies), missing whistleblowing arrangements are a governance deficiency that supervisors can weigh in licensing decisions and supervisory measures, up to licence withdrawal;

Reputational damage:

loss of trust among clients, partners, and employees;

Regulatory sanctions:

activity bans, licence restrictions;

Litigation:

whistleblowers may sue their employer for retaliation and claim compensation.

Implementation Process: Whistleblowing Act Compliance

COREDO offers a comprehensive solution in four stages:

Stage 1: Audit and Assessment (1–2 weeks)

At the first stage, COREDO specialists conduct a detailed review of the current internal reporting system:

  • Audit of existing processes and documentation;
  • Analysis of compliance with EU Directive 2019/1937 and Act 171/2023 requirements;
  • Identification of gaps and risks in the current procedure;
  • Recommendations for priority improvements.

Stage 2: Policy Development (2–3 weeks)

Based on the audit results, documents and procedures are developed:

  • Internal Reporting Channel Policy;
  • Designation of responsible persons for receiving and processing reports;
  • Procedures for investigating violations;
  • Measures to protect whistleblowers from retaliation;
  • Document and reporting templates.

Stage 3: Implementation and Training (1–2 weeks)

Rollout across the organization:

  • Communication of policy across the organization;
  • Setup of reporting channels that accept both written and oral reports (email, telephone line, web form, in-person meeting on request);
  • Training of responsible persons and managers;
  • Creation of procedures for responding to reports;
  • Documentation of all stages.

Stage 4: Ongoing Support

After implementation:

  • Monitoring of system effectiveness;
  • Tracking of legislative changes;
  • Policy updates when requirements change;
  • Consultation on receipt of violation reports;
  • Periodic compliance audits.

COREDO Advantages

Proven experience:

dozens of satisfied clients already use COREDO services to set up whistleblower protection systems;

Legislative monitoring:

we continuously track changes in directives and national laws, offering optimal solutions;

Integrated approach:

our team combines legal, AML, and compliance expertise under one roof;

Custom solutions:

each organization is unique; we tailor solutions to your structure and sector;

Experience since 2016:

COREDO works with regulated companies and financial institutions across all 27 EU Member States.

Jurisdictions

Whistleblower protection system requirements apply in the following jurisdictions:

  • European Union (27 Member States): every Member State must have transposing legislation under Directive 2019/1937; thresholds, deadlines and penalties differ between the national acts
  • Czech Republic: Act No. 171/2023 Coll., with the specific obligations described above
  • Norway, Iceland, Liechtenstein: the Directive is marked as EEA-relevant and becomes binding in these states once incorporated into the EEA Agreement; Norway already regulates whistleblowing in chapter 2 A of its Working Environment Act
  • United Kingdom: its own framework, the Public Interest Disclosure Act 1998 (inserted into the Employment Rights Act 1996), protects workers from detriment and dismissal rather than mandating internal channels; FCA- and PRA-regulated firms must additionally maintain whistleblowing arrangements under the regulators' rules (SYSC 18)

Comparison Table

Requirement                 | EU Directive 2019/1937                                            | Czech Act 171/2023 Coll.                                     | UK PIDA 1998
Minimum employees           | 50+ for private entities; none for financial-services and AML-covered entities | 50+; none for AML-obliged persons and most public bodies | None (protects all workers)
Internal channel mandatory  | Yes                                                               | Yes                                                          | No (only FCA/PRA-regulated firms, under SYSC 18)
Anonymous reporting required| Member-State option (Art. 6(2)); confidentiality of identity is always required | No; the employer may choose to accept anonymous reports | No
Protection from retaliation | Yes, with reversed burden of proof                                | Yes                                                          | Yes (detriment and unfair-dismissal claims before an employment tribunal)
Fines for non-compliance    | Set by national law                                               | Up to CZK 1,000,000 for failing to establish a system        | None for lacking a channel; tribunal compensation for whistleblowing dismissal is uncapped

Whistleblowing Regulations Beyond the EU: Canada, Singapore, Switzerland, and Dubai/UAE

Whistleblower protection requirements extend far beyond the European Union. COREDO supports organizations operating in key non-EU jurisdictions with comprehensive whistleblowing compliance solutions tailored to each region’s legal framework.

Canada

Whistleblowing is regulated at both federal and provincial levels, and there is no single private-sector whistleblowing statute. The Public Servants Disclosure Protection Act (PSDA) protects federal public servants; the Ontario Securities Commission (OSC) runs a whistleblower program for securities violations that can pay awards; and section 425.1 of the Criminal Code makes it an offence for an employer to retaliate against an employee who reports an offence. FINTRAC administers the AML/ATF reporting regime (suspicious transaction reports), which is a separate obligation from whistleblowing. Companies are expected to operate internal reporting channels alongside their AML/CFT procedures.

Singapore

Singapore has no standalone whistleblower statute; protection comes from sector rules. The Monetary Authority of Singapore (MAS) expects financial institutions, under its guidance on conduct and culture, to maintain confidential reporting channels. Market misconduct is reported to MAS under the Securities and Futures Act (SFA), the Corrupt Practices Investigation Bureau (CPIB) handles corruption reports with informer identity protected under the Prevention of Corruption Act, and the Personal Data Protection Act (PDPA) governs processing of whistleblower data. Listed companies are expected to have a whistleblowing policy under the Code of Corporate Governance. Formal investigation procedures are required.

Switzerland

There is no comprehensive whistleblowing law; a draft federal act was rejected by Parliament in March 2020, so protection rests on sectoral rules and FINMA practice. Reports about supervised institutions can be made through FINMA's whistleblowing channel. Article 321a of the Code of Obligations (the employee's duty of loyalty) limits what an employee may disclose outside the company, so internal reporting first is the safer route. Companies implement internal channels aligned with regulatory expectations.

Dubai and United Arab Emirates (DFSA)

The Dubai Financial Services Authority (DFSA) has required authorised firms in the DIFC to maintain whistleblowing arrangements and to protect reporters from retaliation since its whistleblowing regime took effect in 2022. Abu Dhabi's ADGM is a separate legal regime with its own Whistleblower Protection Regulations 2024. Outside the financial free zones, protection under UAE federal law is fragmented across sectoral statutes. Companies must implement reporting systems that also satisfy AML/CFT obligations.

Case Studies

Case 01: Czech Bank with 200+ Employees Achieved Full Compliance in 3 Weeks.

A Czech bank with over 200 employees needed to implement an EU Whistleblower Directive-compliant internal reporting system. COREDO drafted the internal reporting channel policy, configured a secure anonymous reporting platform, trained responsible staff, and defined investigation procedures. The system went live within 3 weeks, bringing the bank into full compliance with Czech Act 171/2023 Coll. without any regulatory fines.

Case 02: Lithuanian Fintech Completed Whistleblowing Setup Before PSP Licensing.

A Lithuanian fintech registering as a payment service provider (PSP) was required to implement a whistleblowing system prior to receiving its licence. COREDO deployed the internal reporting channel, trained the compliance team, and ensured full alignment with EU Directive 2019/1937 and Lithuanian transposition requirements. The system was fully operational within 2 weeks, allowing the fintech to proceed with its licensing process on schedule.

Case 03: Insurance Group Deployed Multi-Language Platform Across 5 Subsidiaries.

A German-headquartered insurance group needed a unified whistleblowing channel compliant with both the EU Directive and local transposition laws across subsidiaries in Germany, Czech Republic, Poland, Lithuania, and Estonia. COREDO deployed a multi-language platform with jurisdiction-specific reporting workflows and GDPR-compliant data handling. The system went live in 4 weeks, covering 800+ employees across all entities.

Frequently Asked Questions

Can an employee be dismissed or penalised for making a whistleblower report?

Under EU Directive 2019/1937 and Czech Act 171/2023 Coll., dismissing, demoting, or otherwise retaliating against an employee who reports with reasonable grounds to believe the information is true is explicitly prohibited. If retaliation occurs, the whistleblower may seek judicial remedy, including reinstatement and compensation for damages. The burden of proof is reversed: once the whistleblower shows that they reported and suffered a detriment, the employer must demonstrate that the adverse action was taken on duly justified grounds unrelated to the report.

Does a company with fewer than 50 employees need a whistleblower protection system?

The Directive's 50-employee threshold applies to private entities in general. It does not apply to entities covered by the EU financial-services and AML acts listed in the Directive's annex (banks, investment firms, payment and e-money institutions, CASPs, and other AML-obliged persons), which must have an internal channel regardless of headcount; the Czech Act applies the same rule to AML-obliged persons. Check the requirements for your specific sector.

What is the difference between internal and external reporting channels?

An internal reporting channel allows employees to raise concerns directly within the organization, typically through a designated compliance officer, a secure web form, or a telephone line. An external channel means reporting to a competent national authority (in the Czech Republic the Ministry of Justice's external reporting system, or a sectoral supervisor such as ČNB for financial-market breaches). EU Directive 2019/1937 encourages whistleblowers to use internal channels first where the breach can be addressed effectively there and there is no risk of retaliation, but it does not make this a precondition: a whistleblower may report externally directly and keeps protection either way.

Who must process whistleblower reports?

The EU Directive requires the designation of an impartial person or department to receive and follow up on reports. This can be an internal function, such as a compliance officer or an HR specialist, or the channel can be outsourced to a third party such as a law firm or a specialised provider; the legal entity remains responsible for confidentiality and follow-up. The competent authority is not the designated person: it operates the external channel. The procedure must clearly define who handles reports, escalation paths, and response timeframes (acknowledgment within 7 days, feedback within 3 months under the Directive; assessment within 30 days, extendable twice, under the Czech Act).

How often should whistleblower protection policy be updated?

Neither the Directive nor the Czech Act sets a fixed review interval; we recommend reviewing the policy at least once a year and whenever the legislation or your organizational structure changes. COREDO continuously monitors changes in directives and national laws and recommends updating policies promptly rather than reactively.

Can reports be submitted anonymously?

Reports may be anonymous where the organization accepts them, but anonymity is not mandated EU-wide. Article 6(2) of Directive 2019/1937 leaves it to each Member State to decide whether legal entities must accept and follow up on anonymous reports, and Czech Act 171/2023 Coll. does not oblige employers to do so (many accept them voluntarily). What is mandatory everywhere is confidentiality: the whistleblower's identity may not be disclosed without their explicit consent to anyone beyond the staff authorised to handle reports, except where required by law in the context of an investigation. A whistleblower who reported anonymously and is later identified is protected in the same way as a named reporter.

What does "reasonable belief" of a violation mean?

"Reasonable belief" means that the whistleblower had reasonable grounds to believe, at the time of reporting, that the information was true and fell within the scope of the law. The report does not need to turn out to be accurate; the test is whether a person in the whistleblower's position could reasonably have believed it. Motive is irrelevant: protection is lost only where the whistleblower knowingly reported false information.

Our Experts

Pavel Kos
Head of COREDO's legal team, with the company since June 2017, specializing in corporate law, regulatory compliance, and protection of organizational rights. Pavel develops whistleblower protection policies and adapts them to the requirements of EU Directive 2019/1937 and national legislation. He supports the implementation of reporting systems and provides consultation on anonymous reporting procedures. Education: University of Finance and Administration, Prague.

Grigorii Lutcenko
Strategy lead for building compliance systems and risk management at COREDO. Grigorii integrates whistleblower protection with AML/CFT programs and develops procedures for investigating violations. He establishes reporting channels and ensures protection of whistleblowers from retaliation in compliance with the law. Education: Metropolitan University Prague.

Contact COREDO

Setting up an internal reporting channel to protect whistleblowers is an investment in your organization’s culture of honesty and sustainable development.

Phone: +420 228 886 867 | Email: info@coredo.eu | K Cervenemu dvoru 3269/25a, Prague, 130 00, Czech Republic


COREDO – EU Legal & Compliance Services. Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.