Home
Expertise
PublicationsAbout usContact
EN
Home
Expertise
PublicationsAbout usContact
Reich-Rohrwig
Back
8.6.2026
Wirtschaftsrecht

The EU Whistleblowing Directive

The EU Whistleblowing Directive and its implementation in Austria through the Whistleblower Protection Act (HSchG)

1. EU Whistleblowing Directive

With Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law (the "Whistleblowing Directive"), the European Union has for the first time established uniform minimum standards for the protection of whistleblowers. The aim of the Directive is to protect individuals who, in a work-related context, become aware of and report breaches of law, from detrimental treatment and retaliation, and to ensure the effective enforcement of Union law.

Whistleblowers are individuals with specialized knowledge who report specific legal violations, grievances, or other organizational deficiencies in public administration or private companies, with the aim of promoting their clarification or preventing them from occurring in the first place.

Material scope of the EU Whistleblowing Directive:

The Whistleblowing Directive covers reports of breaches of Union law in a wide range of areas. These include, in particular:

  1. Public procurement;
  1. Financial services, products, and markets, as well as the prevention of money laundering and terrorist financing;
  1. Product safety and compliance;
  1. Transport safety;
  1. Environmental protection;
  1. Radiation protection and nuclear safety;
  1. Food and feed safety, animal health and welfare;
  1. Public health;
  1. Consumer protection;
  1. Protection of privacy and personal data, and the security of network and information systems.

The directive explicitly provides that Member States may extend the material scope. This gives national legislators the opportunity to include additional areas within the scope of protection.

Personal scope:  

The personal scope of the directive is broad. Protection is afforded to all persons employed in the private or public sector who have obtained or acquired information on breaches in the course of their professional activities. In particular, the protection covers:

  1. Current and former employees;
  1. Self-employed persons;
  1. Shareholders;
  1. Members of management, administrative, and supervisory bodies;
  1. Volunteers and interns;
  1. Suppliers and contractors;
  1. Job applicants.

A direct contractual relationship between the whistleblower and the organization concerned is not required. What is crucial, rather, is that the information was obtained in a professional context.

A prerequisite for protection is that the whistleblower had reasonable grounds to believe, at the time of reporting, that the information reported was true. The directive thus protects honest whistleblowers and not individuals who knowingly disseminate false information.

Protection measures for whistleblowers:

A key objective of the directive is to protect whistleblowers from retaliation. Therefore, all retaliatory measures taken in response to a report are expressly prohibited.

Retaliatory measures include, but are not limited to:

  1. Termination;
  1. Suspension;
  1. Demotion;
  1. Denial of promotion;
  1. Salary reductions;
  1. Bullying or discrimination.

Furthermore, the directive obliges member states to provide support measures for whistleblowers and to introduce effective sanctions against individuals who obstruct reporting, intimidate whistleblowers, or engage in retaliation.

Internal and external reporting channels:

A core element of the directive is the obligation to establish secure and confidential reporting channels, which include both internal and external channels.  

Internal reporting channels are established within companies or organizations and are intended to give whistleblowers the opportunity to report legal violations internally first. External bodies can include, in particular, ombudsman offices or government authorities, as well as the press or the internet.

In principle, an internal report should be made first. However, direct reporting to an external body is permissible if, for example, no internal reporting system exists or the whistleblower fears retaliation.

The responsible bodies are obliged to examine incoming reports and to inform the whistleblower about the follow-up measures taken within specified deadlines.

Obligation to establish internal reporting channels:

The EU Whistleblowing Directive obliges companies and public entities to establish internal reporting channels. Companies with more than 250 employees, as well as municipalities with more than 10,000 inhabitants, had to implement corresponding systems by December 17, 2021. For companies with 50 to 249 employees, an extended implementation deadline applied until December 17, 2023.

Special provisions apply to corporate groups: Group companies with 50 to 249 employees can use shared reporting channels under certain conditions. However, this option does not exist for companies with more than 249 employees; they must establish their own internal reporting channels.

2. Implementation of the Directive in Austria: The Whistleblower Protection Act (HSchG)

The Whistleblowing Directive had to be implemented by December 17, 2021. In Austria, the Whistleblowing Directive was implemented with the Federal Act on Procedures and Protection for Reporting Violations of Law in Certain Legal Areas (Whistleblower Protection Act - HSchG). The Act came into force on February 25, 2023.

Extended material scope of the HSchG:

The Austrian legislator has made use of the possibility to extend the scope beyond the minimum requirements of Union law. The HSchG therefore covers not only violations of Union law but also violations of national law in the areas mentioned in the Directive. Furthermore, corruption offenses according to §§ 302 to 309 of the Criminal Code (StGB) were specifically included in the scope.

However, violations of labor law provisions are not included.

Personal Scope of the HSchG:  

The HSchG protects individuals who have obtained information about legal violations due to a current or former professional connection to a private or public sector entity, in particular

  1. employees,
  1. applicants,
  1. interns,
  1. civil servants,
  1. self-employed individuals,
  1. independent contractors, as well as
  1. quasi-employees.

A prerequisite is that the information was obtained in a professional context and constitutes insider knowledge that is usually not accessible to outsiders.

Furthermore, the HSchG also protects certain individuals connected to the whistleblower, such as works council members, employee representatives, colleagues, or close relatives, provided they could be affected by indirect retaliatory measures.

Protection begins as soon as the report is submitted, provided the whistleblower could reasonably assume at the time of reporting that their information is accurate and falls within the scope of the law.

Confidentiality Protection:  

Protecting the identity of all involved parties is of particular importance. The identity of whistleblowers and their personal data must generally not be disclosed. Disclosure is only permissible within the scope of administrative or judicial proceedings and requires a careful balancing of interests between the seriousness of the allegations and the whistleblower's need for protection.

Establishment of internal reporting channels under the HSchG:

Legal entities under private and public law, as well as registered partnerships with at least 50 employees, are obliged to establish internal reporting channels.

The following deadlines applied for implementation in Austria:

  1. Companies and public sector legal entities with at least 250 employees had to establish a corresponding reporting system within a six-month transition period, by August 25, 2023, at the latest.
  1. Companies and legal entities with 50 to 249 employees have been subject to this obligation since December 17, 2023.

Associations and non-profit organizations are also covered by this obligation, provided they meet the legal requirements.

However, the HSchG does not provide for immediate sanctions for the mere failure to establish an internal reporting system.

For reporting channels to effectively fulfill their duties, they must, in particular, have

  1. sufficient financial and human resources;
  1. appropriate measures to ensure confidentiality;
  1. impartiality and independence from instructions;
  1. Compliance with general data protection regulations

have.

In addition to written reports, oral communication channels must also be offered. At the whistleblower's request, a personal meeting must be made possible within 14 days.

Furthermore, the following procedural deadlines apply:

  1. Acknowledgement of receipt within seven days,
  1. Feedback on follow-up measures within three months.

If no measures are taken, this must be comprehensibly justified to the whistleblower. Reports outside the scope of the HSchG or tips without sufficient evidence of their validity do not have to be pursued further.

External reporting offices under the HSchG – the Federal Bureau of Anti-Corruption (BAK):

The central external reporting office in Austria is the Federal Bureau of Anti-Corruption (BAK).  

Depending on the legal area concerned, other authorities may also be responsible, such as

  1. the Financial Market Authority;
  1. the Bar Associations;
  1. the Chambers of Notaries; or
  1. the Federal Competition Authority.

Reports to competent bodies of the European Union also fall within the scope of protection of the HSchG.

Documentation and Information Obligations:

According to § 9 HSchG, all incoming reports and follow-up discussions must be documented. Whistleblowers must be given the opportunity to review the documentation, correct it if necessary, and confirm its accuracy.

Additionally, employers are obliged to provide their employees with clear and easily accessible information about the existing reporting channels and the corresponding procedures.

Protection against Retaliation:

The HSchG declares measures taken in response to a legitimate report to be legally invalid.

These include, in particular:

  1. Suspension, termination, or similar measures;
  1. Non-renewal or premature termination of a fixed-term employment contract;
  1. Demotion or denial of promotion;
  1. Reassignment of duties, change of workplace, reduction in remuneration, change in working hours;
  1. Negative performance review or issuance of a poor employment reference;
  1. Disciplinary action, reprimand, or other sanction, including financial sanctions.

Affected whistleblowers can claim damages and demand the restoration of the lawful state. If this is not possible, there is a right to appropriate compensation.

Administrative Penalties:

To enforce legal requirements, the HSchG stipulates administrative penalties of up to EUR 20,000. For repeat offenses, fines of up to EUR 40,000 may be imposed.

Offenses include, in particular:

  1. Retaliation;
  1. Obstructing reports;
  1. Intimidating or pressuring whistleblowers; and
  1. Breaches of confidentiality.

Liability for knowingly false reports by whistleblowers:

Whistleblowers themselves can also face administrative penalties if they knowingly make false reports. The penalty here is also up to EUR 20,000, and for repeat offenses, up to EUR 40,000.

Furthermore, a knowingly false report that includes an accusation of a criminal act to be prosecuted ex officio or a violation of official or professional duties, if made with the intent to expose another person to the risk of official prosecution, may be criminally punishable as defamation (§ 297 StGB). The penalty in this case is generally imprisonment for up to one year or a fine of up to 720 daily rates; however, if the falsely attributed act is punishable by imprisonment exceeding one year, the penalty for defamation imprisonment from six months to five years.  

The Criminal Code, however, also includes the ground for exemption from punishment based on active repentance (§ 297 Abs 2 StGB).