The gap between theory and practice: why whistleblower protection systems continue to fail in Europe
The transposition of the European Whistleblower Protection Directive has created a regulatory framework, but the data reveals that most organisations still lack the institutional maturity to make that framework work.
When, in 2019, the European Parliament adopted Directive 2019/1937 on the protection of persons reporting on breaches of Union law, it did so in the belief that the central problem was not a lack of political will, but a lack of effective safeguards. Five years on, the data show that this assessment remains valid, although the problem has shifted: it is no longer a regulatory issue, but one of institutional governance.
The “Competence Assessment Report: assessment of organisational capacity regarding whistleblower protection’ from the VoiceGuard project, coordinated by FIBGAR and co-funded through the European Commission’s CERV programme, and based on 150 questionnaires administered in Bulgaria, the Czech Republic, Spain, Greece, Luxembourg and Romania, offers the most detailed insight to date into what is happening within the organisations responsible for implementing these systems. The results are revealing and, in many respects, worrying.
Formal compliance, operational failure
The first striking finding is that 86% of the organisations surveyed – almost 9 out of 10 – meet the Directive’s requirement to publish information about their internal whistleblowing system on a public website. But when one examines what happens beyond that minimum threshold, the picture deteriorates rapidly.
When it comes to using more advanced methods to transparently communicate the role of the internal whistleblowing system, the figures drop significantly: only 17.3% of organisations include references to the internal whistleblowing system in employment contract templates. Barely 15.3% offer active secure reporting services. And almost 60% of employees work in environments where training on reporting procedures is insufficient. In practice, this means that the reporting system exists on paper, but is virtually invisible in the day-to-day working lives of those who should be using it.
This gap is no minor detail. It is, precisely, the crux of the governance problem that the Directive sought to resolve: that people with knowledge of irregularities should have not only the theoretical right to report, but the practical conditions to do so safely and effectively.
Insecure channels and the problem of anonymity
The issue of anonymous reports illustrates this tension well. The Directive allows Member States to decide whether or not to accept anonymous reports, but explicitly states that anonymous whistleblowers who are subsequently identified must be protected against retaliation. However, 26% of the organisations surveyed outright reject anonymous reports, and a further 19% (28 organisations) make their investigation conditional on the reports containing sufficient supporting information. It is crucial to note that, of these 28 organisations requiring sufficient information, only 9 allow for two-way communication. This creates what the report terms a ‘procedural trap’: the organisation demands more evidence to proceed, but fails to provide the secure channel that would allow the whistleblower to provide it. The result is that organisations inadvertently dismiss valid concerns before they can be understood or verified.
The problem with feedback: when silence is the first form of retaliation
One of the report’s most significant findings concerns the quality of the response received by whistleblowers. 74% of organisations treat the legal deadlines — seven days to acknowledge receipt of a report, three months to respond — as a maximum limit rather than a minimum. In other words, they strictly comply with the minimums and go no further.
This matters because, as the report itself points out, the process of feeling heard is very significant for the whistleblower. A prolonged silence — even if formally in line with the Directive — is frequently perceived as indifference or as the first stage of retaliation. Trust in the system is not built on rules alone; it is built on the experience that the rules work.
The remaining 10% openly admit to having no established process for acknowledging receipt or providing feedback, which constitutes a direct breach of the Directive and, in terms of institutional integrity, a serious red flag.
Protection against retaliation: better equipped to deal with harm than to prevent it
The issue of protection against retaliation is where the gap between the regulatory framework and reality becomes most evident. 43.3% of organisations offer no active support whatsoever to the whistleblower. Among those organisations that do offer some form of mechanism, there is a clear preference for passive and reactive tools over active prevention. The result is a system geared towards managing the damage, not preventing it.
Only 12% of the organisations surveyed offer psychological and legal support, meaning that in most cases the whistleblower faces the consequences of having raised the alarm alone.
Resources, professionalisation and the size paradox
Behind these operational shortcomings lies a structural problem of resource allocation: for almost half of those surveyed, handling reports is seen as a minor administrative task rather than a professional role, leaving staff with fewer than 10 hours a week to handle reports, maintain security and carry out investigations.
What is particularly significant is that this pattern does not improve with the size of the organisation. Medium, large and very large organisations show staffing levels almost identical to those of small ones. This indicates that the problem is not one of scale, but of prioritisation: whistleblowing management is treated as a marginal administrative task, not as a specialised professional function.
An agenda for regulatory effectiveness
Data from the VoiceGuard project points to a clear agenda for decision-makers in the fields of public integrity and anti-corruption. Regulatory transposition was necessary, but not sufficient. The challenge now is to move from a framework of formal compliance to one of real effectiveness.
This requires, first and foremost, investment in continuous training: the report’s own data shows that those who receive annual training have levels of legal competence almost four times higher than those who do not. Secondly, it requires ensuring secure digital infrastructures that enable anonymous two-way communication as the norm, not the exception. And thirdly, it demands oversight and accountability: inspection mechanisms must go beyond verifying whether a whistleblowing channel exists to assess whether that channel actually works.
Whistleblower protection is not a technical-legal issue. It is a governance issue that affects the quality of democracy and the state’s ability to detect and correct its own dysfunctions. The available data indicate that Europe has built the regulatory framework. It now needs to build the culture that makes it workable.
Carmen Coleto Martínez, Project Manager at FIBGAR
