
Whistleblowing: who is required and what to know

Find out who is required to implement whistleblowing systems and how to protect the whistleblower’s identity.


Table of contents

  • Whistleblowing: what it is and what it’s for
  • Whistleblowing obligation: who is required
  • Internal reporting channels and case management
  • External reporting and competent authorities
  • Who can report: employees, self-employed and collaborators
  • Confidentiality and protection of whistleblowers
  • When the obligation came into effect
  • Whistleblowing in the public and private sectors
  • Technology and secure reporting systems
  • Penalties and liability

What exactly is whistleblowing, and why has it become such a crucial topic for companies and public administrations?

Since December 17, 2023, when the EU Directive 2019/1937 came into effect in Italy, the reporting of misconduct has become a legal obligation for many public and private entities. But who is required to comply with whistleblowing, how does the reporting process work, and how is the confidentiality of the whistleblower’s identity protected?

In this article, we explain in practical terms the whistleblowing obligation, its scope of application, the categories of entities involved, the reporting process, and the rights and protections guaranteed to employees and self-employed workers.

Whistleblowing: what it is and what it’s for

The word whistleblowing comes from the English phrase to blow the whistle and refers to the act of exposing unlawful or improper behavior that a person has become aware of within a work relationship.

It is, in essence, a system of internal or external reporting that allows individuals to communicate violations of European or national laws, corruption, fraud, abuse of power, or other irregular conduct, while protecting them from retaliation or discrimination.

The purpose is twofold:

  • To prevent and address misconduct;
  • To promote a transparent and responsible workplace, where data protection and confidentiality are fully respected.

Whistleblowing obligation: who is required

Italian Legislative Decree no. 24/2023, implementing EU Directive 2019/1937, clearly defines who is required to comply with whistleblowing obligations.

Entities required to establish internal reporting channels include:

  • All public administrations, independent authorities, public economic bodies, and state-owned enterprises;
  • Private companies with at least 50 employees;
  • Smaller private companies operating in regulated sectors such as finance, environment, or transport safety;
  • Any company implementing a 231 compliance model, regardless of size.

In short, all these organizations must guarantee a secure and confidential channel for handling whistleblowing reports.

Internal reporting channels and case management

A cornerstone of the regulation concerns the management of reports.
Each obligated organization must establish internal reporting channels that ensure:

  • Confidentiality of the whistleblower’s identity and the individuals mentioned;
  • Full compliance with data protection regulations (GDPR);
  • The possibility to submit reports in writing, orally, or through secure IT systems.

Reports may concern not only confirmed violations but also reasonable suspicions, provided they are based on accurate and consistent information.

The reporting process must be handled impartially by trained and independent personnel.
Many organizations today use dedicated whistleblowing platforms that allow anonymous communication while maintaining traceability and legal compliance.

External reporting and competent authorities

In addition to internal channels, the regulation allows external reporting.
In Italy, the National Anti-Corruption Authority (ANAC) is responsible for receiving such reports when:

  • The internal channel is ineffective or compromised;
  • The whistleblower fears retaliation;
  • The violation poses an imminent or serious risk to the public interest.

The choice between internal and external reporting depends on the severity of the issue, the trust in the organization, and the level of confidentiality assured.

Who can report: employees, self-employed and collaborators

One of the main innovations introduced by the EU Directive 2019/1937 is the expansion of its scope of application.
Not only employees, but also several other categories can be whistleblowers:

  • Employees and self-employed workers;
  • Suppliers, consultants, and external collaborators;
  • Volunteers and interns, even unpaid;
  • Former employees and job applicants who have become aware of violations during their employment or recruitment process.

This means that whistleblowing is no longer limited to traditional employment but extends to anyone in a position to observe misconduct within an organization.

Confidentiality and protection of whistleblowers

The confidentiality of the whistleblower’s identity is a core principle of the law.
Article 12 of Legislative Decree 24/2023 states that the identity of the whistleblower cannot be disclosed without explicit consent, except in very limited cases such as criminal proceedings.

All parties involved in the reporting process, including data processors, are bound by strict confidentiality obligations.
The protection of personal data is guaranteed at every stage, from the receipt to the storage of the report.

Organizations must also ensure that no retaliation, such as dismissal, demotion, or discriminatory treatment, occurs against whistleblowers acting in good faith.

When the obligation came into effect

The whistleblowing obligation came into force on December 17, 2023, as set by the EU Directive 2019/1937.
In Italy, the decree has been effective since July 15, 2023, with a transition period until December for private companies with fewer than 250 employees.

From that date, all obligated entities must implement clear procedures, appoint a whistleblowing officer or external manager, and train their personnel on how to handle reports securely and confidentially.

Whistleblowing in the public and private sectors

In both the public and private sectors, whistleblowing is a fundamental tool for organizational transparency.

  • In the public sector, it helps prevent corruption, abuse of power, and conflicts of interest.
  • In the private sector, it enables early detection of fraud, unethical behavior, and compliance breaches.

In both cases, proper management of reports protects not only the whistleblower but also the organization’s reputation.

Technology and secure reporting systems

Modern whistleblowing platforms integrate cyber security and data protection standards to ensure the safety of the reporting process.
Through encrypted channels and authentication protocols, they guarantee:

  • The confidentiality of the communication;
  • The separation between identifying data and the report’s content;
  • A verifiable trace of each procedural step.

Some systems allow two-way anonymous communication between whistleblower and manager, without revealing identities.

In this way, the reporting process becomes transparent, auditable, and compliant with EU privacy standards.
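The three properties listed above can be shown in a small sketch. This is an added example, not code from any whistleblowing platform or from this article's author; the `ReportStore` class, its method names, and the in-memory dictionaries standing in for separately access-controlled stores are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


class ReportStore:
    """Hypothetical store: identity and content are kept apart, linked only
    by a random case token, and every step lands in a hash-chained log."""

    def __init__(self):
        self.identities = {}  # case_id -> identity (restricted store)
        self.reports = {}     # case_id -> report text (case handlers)
        self.receipts = {}    # case_id -> SHA-256 of the reporter's receipt code
        self.audit = []       # append-only entries, each bound to the previous one

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, case_id, action):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"seq": len(self.audit), "case": case_id, "action": action, "prev": prev}
        self.audit.append({**body, "hash": self._digest(body)})

    def submit(self, text, identity=None):
        case_id = secrets.token_hex(8)        # opaque, carries no personal data
        receipt = secrets.token_urlsafe(16)   # lets the reporter return anonymously
        self.reports[case_id] = text
        if identity is not None:
            self.identities[case_id] = identity
        self.receipts[case_id] = hashlib.sha256(receipt.encode()).hexdigest()
        self._log(case_id, "received")
        return case_id, receipt

    def handler_view(self, case_id):
        # Handlers read the content store only; identity is never joined in.
        self._log(case_id, "viewed_by_handler")
        return {"case": case_id, "text": self.reports[case_id]}

    def check_receipt(self, case_id, receipt):
        digest = hashlib.sha256(receipt.encode()).hexdigest()
        return hmac.compare_digest(digest, self.receipts.get(case_id, ""))

    def verify_audit(self):
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: entry[k] for k in ("seq", "case", "action", "prev")}
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != self._digest(body):
                return False
            prev = entry["hash"]
        return True
```

A hash chain only detects edits if the latest hash is also recorded somewhere the log's writer cannot alter. In a real deployment the identity store would additionally be encrypted and held under separate access control.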

Penalties and liability

Failure to comply with whistleblowing obligations may lead to heavy penalties.
The ANAC may impose:

  • Fines from €10,000 to €50,000 for retaliation or obstruction of a report;
  • Fines from €5,000 to €30,000 for failure to establish reporting channels;
  • Additional sanctions for breaches of confidentiality or data protection.

For this reason, organizations must adapt their internal procedures and invest in secure reporting mechanisms.

Conclusions

Whistleblowing is not merely a compliance requirement; it’s a culture of integrity that strengthens trust between organizations and their people.

Since the entry into force of the EU Directive 2019/1937, every entity, public or private, must handle reports responsibly, ensuring confidentiality, data protection, and freedom from retaliation.

Implementing an effective whistleblowing system means not only avoiding fines but fostering a workplace rooted in ethics, transparency, and accountability.


Questions and answers

  1. What is whistleblowing?
    It’s a system allowing individuals to report unlawful or unethical acts within their workplace safely and confidentially.
  2. Who is required to comply with whistleblowing regulations?
    All public entities and private companies with at least 50 employees, or those in specific regulated sectors.
  3. What happens if a company fails to comply?
    It may face administrative fines ranging from €5,000 to €50,000.
  4. Can whistleblowing reports be anonymous?
    Yes, if the reporting channel supports anonymity and complies with data protection rules.
  5. Who can submit a whistleblowing report?
    Employees, freelancers, consultants, suppliers, volunteers, and even former workers.
  6. How is confidentiality guaranteed?
    Through encryption, secure channels, and strict legal obligations of secrecy for those managing the reports.
  7. When did the whistleblowing obligation come into force?
    On December 17, 2023, as established by EU Directive 2019/1937.
  8. What is the difference between internal and external reporting?
    Internal reports go through the company’s channels; external reports are sent to ANAC or other authorities.
  9. Why is whistleblowing important in the private sector?
    It helps detect fraud, ensure compliance, and protect the company’s reputation.
  10. Where can I find official guidance?
    On the ANAC website and in the European Commission’s documentation on Directive 2019/1937.