Whistleblowing EU

Open-source whistleblowing software

Are you looking for a secure, ethical reporting platform that complies with the EU Whistleblowing Directive?

Try GlobaLeaks, the free and open-source software designed to:

Learn more in the official documentation.

Documentation Demo

The EU Whistleblowing Directive

The EU Directive on the protection of persons who report breaches of Union law requires organisations to set up secure, confidential reporting channels and to safeguard reporting persons from retaliation.

Each EU Member State has transposed Directive (EU) 2019/1937 into its own national law, with specific obligations on reporting channels, retaliation protection, and supervisory authorities. Select your country above to find the local rules that apply to your organisation.

Legal obligations and compliance

Reference Obligation How GlobaLeaks satisfies it
Art. 8 Legal entities with 50+ workers (and most public bodies) must establish internal channels and procedures for reporting and follow-up. A dedicated internal reporting channel the organisation runs under its own control, self-hosted and free and open source.
Art. 9(1)(a) Channels designed, established and operated securely, protecting the confidentiality of the reporting person and third parties and barring unauthorised access. Encryption of reports and attachments, reporter identity protected throughout, and need-to-know access control. Full anonymity is possible thanks to the integration of Tor technology.
Art. 9(2) Channels must allow reporting in writing and/or orally - by telephone or voice messaging and, on request, an in-person meeting. Written reports with attachments, voice-message reporting, and the option to request a direct meeting.
Art. 9(1)(b) Acknowledge receipt of the report to the reporting person within 7 days. A receipt of acknowledgement is issued immediately on submission.
Art. 9(1)(c)-(d) Designate an impartial person or service to keep in contact with the reporter, seek clarifications and diligently follow up. An asynchronous two-way channel lets the case handler dialogue with the reporter while preserving anonymity.
Art. 9(1)(f) Provide feedback within a reasonable timeframe not exceeding 3 months from the acknowledgement. Structured case management with deadlines, timers, reminders and a dashboard tracking the 3-month window.
Art. 16 Duty of confidentiality: the reporter's identity may not be disclosed beyond authorised staff without consent. Granular need-to-know access keeps the reporter's identity restricted to authorised handlers.
Art. 17 Processing of personal data must comply with the GDPR (Regulation (EU) 2016/679). Self-hosting, no third-party components, no IP logging, metadata minimisation.
Art. 18 Keep records of every report received, retained no longer than necessary and proportionate. Privacy preserving audit log with configurable retention and deletion policies.