PolicifyAI

Published February 2026 · 7 min read

Regulations

Whistleblowing Policies: EU Directive and UK Requirements

The EU Whistleblower Protection Directive requires internal reporting channels for companies with 50+ employees.

Why Whistleblowing Policies Are Now a Legal Obligation

The EU Whistleblower Protection Directive came into force in December 2021, requiring member states to mandate internal reporting channels. In the UK, the Public Interest Disclosure Act 1998 (PIDA) provides statutory protection for qualifying disclosures.

EU Directive: Scope and Thresholds

  • Companies with 50 or more employees must establish internal reporting channels
  • Companies with fewer than 50 employees may be subject to national implementing legislation
  • All public bodies, regardless of size, must have internal channels

The subject matter covers breaches of EU law across financial services, product safety, environmental law, public health, data protection, anti-money laundering, and competition law.

UK Framework: The Public Interest Disclosure Act

PIDA protects workers who make "qualifying disclosures" — disclosures the worker reasonably believes show wrongdoing in defined categories. Unlike the EU Directive, PIDA has no company-size threshold — protections apply regardless of employer size.

Internal Reporting Channels

  • Acknowledgement of receipt within 7 days
  • Diligent follow-up and feedback within 3 months
  • Channel must allow for reporting in writing, orally, or both
  • Confidentiality of the reporter's identity must be maintained

Confidentiality and Retaliation Protections

Both frameworks prohibit retaliation. Under PIDA, any dismissal as a result of a protected disclosure is automatically unfair — no qualifying period of employment applies. Under the EU Directive, the burden of proof shifts to the employer to demonstrate that detrimental treatment was not connected to the disclosure.

Practical Implementation

Your policy should cover: types of conduct that can be reported, available reporting channels, investigation process and timelines, confidentiality commitments, anti-retaliation provisions, and the designated person responsible for managing reports. Publish the policy, train managers, and test the channel annually.
