Parliament adopts law on Whistleblower Protection


In Brief

On 17 May 2023, the Luxembourg law transposing Directive (EU) 2019/1937 was published in Memorial A.

The new law (the “Law”) requires entities in the financial, private and public sector to implement internal reporting channels. Since the Law goes far beyond existing requirements, many entities in scope will have to update their systems or implement a new one.


Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law was adopted on 23 October 2019 and should have been transposed by all Member States by 17 December 2021. It focuses on the protection of whistleblowers against retaliation and should thus encourage the identification and rectification of wrongdoings.

Luxembourg presented a draft law in January 2022 which we covered in a previous flashnews article

Now, Luxembourg is one of the last EU countries to adopt a law. Similar to other countries, the Law goes beyond the initial scope of the Directive.

Which entities are in scope?

Article 6 provides that entities in the private and public sector are required to establish internal reporting channels. Private-sector entities with less than 50 employees are exempt. 

Financial-sector entities and firms vulnerable to money laundering are required to comply with the Law regardless of the number of employees. 

The entities within the scope of the Law are numerous and this is especially true of those operating in the financial sector, where current regulatory requirements have been less detailed and less stringent.

Failing to implement internal reporting channels can lead to a fine of up to €250,000. 

What can be reported?

Information obtained in a professional context about acts or omissions which are illegal or defeat the purpose of provisions under national or European law can be reported. Consequently, this involves all kinds of offences and is not limited to financial crime. People making false reports can receive a fine of up to €50,000.

Who can make a report?

Reports can be made not only by current employees, but also by former and prospective workers, volunteers and trainees, the self-employed, shareholders and contractors, subcontractors and suppliers. The Law also applies to civil servants. Therefore, setting up an internal mailbox will not be enough, since the audience extends beyond internal staff.

How are reports managed?

The Law details various requirements for the design of the internal channels, in particular with regard to guaranteeing the confidentiality of the whistleblower’s identity. Article 7 lists specific procedures for managing reports and follow-ups, a timeframe for feedback and the appointment of an impartial person or department for communication with the reporting person.

How are whistleblowers protected?

Reporting persons using the internal channels will be protected against any form of retaliation from their employer as detailed in Article 27, including dismissals, withholding of promotions or training. Persons who retaliate against whistleblowers can receive a fine of up to €25,000. 

What’s next

All entities in scope will have to either review their existing approach and systems or implement a new one. The new legal requirements are going very far and will often require significant amendments to existing approaches.

In both cases, various stakeholders will have to be involved in order to define the governance structure and the different roles and responsibilities linked to the internal channels, e.g. the department in charge, the reporting lines and special procedures to handle cases concerning senior management or board members. 

The drafting, review and approval of policies and procedures will require time and potentially legal support as well as the involvement from the Data Protection Officer (DPO) and the staff delegation, where applicable.

It is recommended to support the implementation with a dedicated communication and training campaign to explain the use of the system and highlight the protection of whistleblowers.  

Finally, entities should consider whether the internal channels can be managed using a software tool. This is not mandatory but can help with case management and to comply with documentation and reporting requirements. 

How we can help

Our teams combine experts in handling whistleblowing cases and organising investigations as well as regulatory experts in order to:

  • help you review your existing policies and procedures or help you design them;

  • support you in designing your training courses – for all employees regarding the use of the internal channels, but also for the dedicated staff handling the reports;

  • advise you on setting up an internal solution for your reporting channels or on choosing an external provider that fits your needs; 

  • assist in assessing whether an incoming alert is substantiated, meaning if it needs further investigation. In that case, we can accompany you during the entire investigation life-cycle. 

  • support you in the operation and alert handling of your whistleblowing system as a managed service with dedicated experts.

Together with our JBR partner EQS group, a leading provider of whistleblowing software solutions, we can support you in the tool implementation and offer Managed Services for the running of your whistleblowing system and the first screening of incoming alerts in close alignment with you. 

Contact us

Michael Weis

Advisory Partner, Forensics & Anti-Financial Crime Leader, PwC Luxembourg

Tel: +352 49 48 48 4153