Whistleblowing and the EU AI Act

11 Aug, 2025

This page aims to provide an overview of the EU Whistleblowing Directive (2019) and how it relates to the EU AI Act, as well as provide useful resources for potential whistleblowers.

This resource was put together by Santeri Koivula, an EU Fellow at the Future of Life Institute, and Karl Koch, founder of the AI Whistleblower Initiative. 

Summary

  • The EU Whistleblowing Directive (2019) protects whistleblowers who report violations of EU law by requiring clear reporting channels and protecting whistleblowers from retaliation.
  • Protections apply to a wide range of people in a professional context, including employees, contractors, suppliers, job applicants, and former workers.
  • Reports can be made internally within an organisation, externally to national authorities, or publicly in certain situations where urgent public interest or risk of retaliation exists.
  • From 2nd August 2026, whistleblowing protections explicitly cover violations of the EU AI Act, though some AI-related issues may already fall under existing protections.
  • Various institutions and organisations offer free legal, psychological, and technical support to whistleblowers. Reaching out early can help ensure the best possible protection.

Whistleblowing plays an important role in identifying violations of law in companies that would otherwise remain hidden. This is especially true in the case of artificial intelligence, where the rapid development of technology makes it difficult for regulation to keep up. Consequently, policymakers often operate with limited information. Whistleblowing can help fill this information gap, as insiders in companies are uniquely positioned to detect issues that are not readily observable externally. In a recent study, whistleblower protections were listed as one of the most effective interventions for mitigating AI risks. The effectiveness of whistleblowing has been documented in other industries. In the United States, the Securities and Exchange Commission’s Whistleblower Program has enabled the recovery of over US$6.3 billion in monetary sanctions since its launch in 2010.

To protect whistleblowers from adverse consequences connected to their speaking up, in 2019 the European Union adopted the Whistleblowing Directive, which mandates Member States to implement strong laws prohibiting retaliation against whistleblowers. It requires companies to establish internal reporting channels and Member States to set up external reporting channels through designated public authorities. The Directive also allows whistleblowers in certain cases to report directly to the media or the public. This option, though, has been transposed differently in each Member State, often with restrictions that make it an option of last resort.

This post provides an overview of the Whistleblowing Directive and how its provisions relate to the EU AI Act. It also offers practical advice to potential whistleblowers, such as appropriate reporting channels.

From 2nd August 2026 onward, the EU Whistleblowing Directive will explicitly cover reporting violations of the EU AI Act. This means that if you’re in any professional relationship with a company covered by the EU AI Act, and your relationship is governed by EU law, you are protected when reporting violations. For instance, an employee at a general-purpose AI (GPAI) provider could safely report that a GPAI model with systemic risk has inadequate cybersecurity protection, violating Article 55 of the Act. 

However, as the Whistleblowing Directive does not currently cover violations specific to the AI Act, there remains uncertainty regarding the exact scope of reportable AI-related issues today. Further, there are some issues that will remain unclear after violations of the AI Act are covered. Namely, it is unclear whether risks arising solely from internal deployment would qualify for protection.

Nevertheless, even before 2nd August 2026, whistleblowers may already benefit from protections if reporting AI-related concerns under other categories like product safety, consumer protection, or data protection that are already within the Directive’s scope.

The EU Whistleblowing Directive was adopted to establish comprehensive whistleblower protections across the EU Member States. Initially approved in 2019, it required all Member States to transpose its provisions into national law by December 2021. As of July 2025, all Member States have adopted the law on paper. However, the European Commission has not yet reviewed and confirmed that these national laws fully comply with the Directive’s standards. Until this confirmation, legal uncertainty remains regarding the extent to which the Directive’s protections are enforceable in some Member States.

Indeed, implementation issues remain. A 2024 report by the European Commission states that the transposition in several Member States needs to be improved in areas such as the material scope and the measures of protection against retaliation. Given this legal uncertainty, those considering a report may benefit from seeking guidance, as the provisions of the Directive are not satisfied in every Member State. Several organisations listed at the end of this post offer support and legal advice.

The Whistleblowing Directive establishes clear reporting channels and protections for reporting misconduct. It applies to a wide range of areas such as public procurement, financial services, environmental protection, and from August 2026, violations related to the EU AI Act, although there may be a lag in implementation in different Member States. The Directive protects whistleblowers across various types of professional relationships, including employees, part-time workers, contractors, and suppliers.

The Directive rests on a straightforward principle: protection from retaliation is afforded to Covered Persons who report on violations of EU law through appropriate channels. Below, we expand on these protections in detail.

The Directive prohibits any action triggered by a report that causes unjustified detriment to the whistleblower. This includes dismissal, suspension, demotion, withholding of promotion, transfer of duties, change of workplace location, reduction in wages, disciplinary measures, coercion, intimidation, harassment, discrimination, and damage to reputation.

Crucially, the burden of proof shifts to the employer to demonstrate that any adverse action was not related to the whistleblowing. If retaliation is found, remedies include reinstatement and full back pay, with some countries offering additional damages.

Protection applies to anyone who gained information in a professional context. This includes at least the following:

  • Employees in both public and private sectors,
  • Self-employed persons,
  • Shareholders and persons belonging to administrative or management bodies,
  • Volunteers and trainees,
  • Job applicants,
  • Subcontractors and suppliers, and
  • Individuals who report breaches after their work relationship has ended.

Protection also extends to facilitators who assist the whistleblower in the reporting process, and third persons connected with the whistleblower such as colleagues and relatives who might face retaliation. However, only natural persons qualify as facilitators, meaning support organisations themselves are not covered.

The professional relationship must be governed by EU law. This means that if you are based in the EU but under a non-EU contract, you are still covered when reporting EU law violations. Similarly, if you are based outside the EU but under an EU employment contract, you are also covered. Citizenship is not relevant to protection status.

From August 2026, any suspected violation of the EU AI Act will be covered under the Whistleblowing Directive. Currently, the Directive covers violations in areas such as public procurement, financial services, prevention of money laundering and terrorist financing, product safety, transport safety, environmental protection, nuclear safety, food and feed safety, public health, consumer protection, privacy and data protection, and security of network and information systems. Consequently, some activities related to AI may already fall within its scope, particularly concerning product safety, consumer protection, privacy and personal data, and information security.

Importantly, whistleblower protections do not depend on whether the resulting investigation confirms an actual violation of a law. Rather, whistleblowers are protected if they had reasonable cause to believe the information was true at the time of reporting and constituted a violation covered under the Directive. The “spirit of the law” is also covered, meaning attempts to circumvent the letter of the law are also reportable violations.

Certain exceptions apply to what can be reported under the Directive. National security matters are excluded, particularly reports of breaches involving defense or security procurement covered by Article 346 TFEU, which is subject to strict interpretation under EU case law. Trade secrets may be disclosed only if necessary to expose a violation and if doing so serves the public interest. Additionally, the Directive does not override confidentiality protections, such as confidential communications between a lawyer and their client. 

Under the Whistleblowing Directive, individuals can choose freely between internal reporting channels within their organisation, external reporting channels managed by public authorities, or both in parallel. There is no requirement to wait for an internal process to conclude before turning to external reporting. Under certain circumstances, whistleblowers may also directly disclose their information publicly.

Internal reporting channels are established directly by companies and are mandatory for organisations with 50 or more employees. These channels must designate impartial persons or departments to handle reports, acknowledge reports within seven days, provide diligent follow-up, and give feedback to the whistleblower within three months. The confidentiality of both the reporter and the reported person must be maintained.

External reporting is directed to competent authorities designated by Member States. These authorities must diligently follow up on reports and maintain confidentiality, though not all allow for anonymous reporting. Authorities must respond within three months, and failure to do so can enable the whistleblower to go public with the information. In some extraordinary cases, the time frame may be six months due to the nature and complexity of the subject of the report.

Public disclosure refers to sharing information outside of the official internal or external reporting channels, for example by directly informing the media or making information publicly available. Whistleblowers who disclose information publicly are protected under the Whistleblowing Directive only under specific conditions. Protection applies if the whistleblower has already reported internally or externally, but the violation remains unaddressed, meaning internal channels or authorities have not responded appropriately within three months, have inadequately investigated, or have failed to take sufficient action. Whistleblowers may also disclose publicly without prior internal or external reporting if they reasonably believe there is imminent danger to the public interest, such as a risk of irreversible damage or physical harm, or if there are reasonable grounds to suspect retaliation when reporting externally, or collusion between authorities and those responsible for the violation. Under these circumstances, those who choose to disclose information to the public will in principle retain full legal protections under the Directive. However, going public with the information is often seen as a last resort, and this option has been implemented differently in each Member State.

For AI Act violations specifically, enforcement responsibilities are divided between EU-level bodies and national authorities. As Member States are yet to integrate the EU AI Act into their implementations of the Whistleblower Directive, we do not yet have certainty on how exactly reporting channels surrounding suspected AI Act violations will be structured. While direct reporting to EU authorities is likely possible, the strongest protections will likely come from reporting through national authorities who can then refer cases to European bodies as needed. In the future, this direct channel to EU authorities may be strengthened; a statement by the Chairs and Vice-Chairs of the EU Code of Practice recommends that a dedicated reporting channel for the EU AI Office is established.

Practical recommendations for whistleblowers

When considering reporting, proper preparation can help protect both you and the integrity of your disclosure. Below, we outline several considerations (for more, you can refer to e.g. “A Tech Workers Guide To Whistleblowing, Ireland Edition” by The Signals Network):

Documenting evidence

When gathering evidence of potential violations, consider your digital safety:

  • Your employer may monitor work emails and devices. Use personal devices and communication channels when researching your options.
  • If you need to preserve evidence from work systems, taking photos with a personal device (with Wi-Fi turned off) is generally safer than screenshots on work equipment, which might be detected.
  • Be careful not to remove or delete files inappropriately, as this could potentially undermine your protection or expose you to other legal issues.

Secure communication

  • Use encrypted communication tools like Signal or ProtonMail (with a non-work email address and phone number) when discussing your concerns with legal advisors or support organisations.
  • Plan for the possibility that your access to work systems could be abruptly terminated if your reporting becomes known to your employer.
  • Use secure intake forms if provided by whistleblower support organisations.

Before you report

  • Create a clear chronological timeline of events, and document dates of the suspected wrongdoing and any attempts you’ve made to address the issue internally.
  • Focus on factual information rather than opinions or interpretations. Be specific about what rules or regulations you believe are being violated.
  • Seek legal advice early, before making any disclosure. This helps ensure your actions remain protected under whistleblower laws.
  • Recognise the personal toll that coming forward can exact on you and your family. Many support organisations offer additional services, including psychosocial and career support to help.
  • Consider carefully which reporting channel is most appropriate for your specific situation.

Support infrastructure

Whistleblowers can greatly benefit from knowing where to report concerns and where to seek assistance. Below we highlight key institutions and organisations across some EU Member States, as well as international efforts.

International

  • The AI Whistleblower Initiative (AIWI) helps connect AI insiders to specialised support organisations and offers specialised support for insiders at frontier AI companies by supplementing existing whistleblower support organisations with AI expertise.
    They also offer “Third Opinion” – a “pre-whistleblowing” service allowing insiders to anonymously submit questions around their concern, without disclosing confidential information. AIWI then custom-assembles expert panels together with the insider to clarify if there might be a cause for concern through an anonymous Q&A. 
  • Psst provides a secure digital “Safe” where individuals can privately share concerning non-public information and seek legal, media, or other support. Users can deposit encrypted information, request pro bono legal advice, or choose to be contacted only if similar concerns emerge from others. Psst serves as a lower-stakes alternative to formal whistleblowing. It engages individuals earlier in the process, before they make mistakes that cannot be undone, helping evaluate information and guide next steps while allowing them to remain anonymous if preferred.
  • Whistleblowing International Network connects multiple civil society organisations that protect whistleblowers. They offer a range of resources on whistleblowing law and practice, along with other services.
  • SUSA (Speak-Up Self-Assessment) is a tool to help employees to understand whether the whistleblowing policy in their company complies with the EU Whistleblowing Directive.

Belgium

  • The Federal Ombudsman serves as an authority for receiving whistleblower reports. They guarantee strict confidentiality and never disclose the whistleblower’s identity. Reports can be submitted through their online reporting form, by email, or by scheduling an appointment with their Centre for Integrity.
  • Whistleblowers are entitled to comprehensive support from the Federal Institute for Human Rights (FIRM/IFDH), an independent public institution that provides psychological, social, technical and media support, legal assistance in proceedings, and financial assistance for legal costs.

France

  • The Défenseur des droits (The Defender of Rights) is an independent authority that provides comprehensive support for whistleblowers. Their services include studying complaints, mediating disputes, and conducting investigations, among others. If a complaint falls outside their five areas of mission, they redirect it to the appropriate authorities.
  • Maison des Lanceurs d’Alerte is a coalition of 30 civil society organisations that focuses specifically on supporting whistleblowers. They provide comprehensive assistance including legal, psychological, technical, financial, media and social support tailored to individual needs.

Germany

  • Whistleblower Netzwerk E.V (WBN) is the largest whistleblower support organisation in Germany. This non-profit provides legal advice and psychological support to whistleblowers, with particular expertise in corporate misconduct cases. They collaborate with other organisations like Whistleblowing International Network (WIN) and can help connect whistleblowers with international actors if needed.
  • The Bundesamt für Justiz (Federal Office of Justice) hosts the Federal External Reporting Office for whistleblowers. They can forward information to responsible authorities. The office accepts online reports through their secure portal and provides detailed information about the reporting process on their website. Before making a report, whistleblowers can also receive advice about protection against reprisals.

Ireland

  • The Office of the Protected Disclosures Commissioner (OPDC) serves as an external reporting channel for whistleblowers. Reports can be submitted to the OPDC using their downloadable form, by email, or by phone. Before making a report, whistleblowers can use the OPDC’s pre-engagement procedure to understand if their disclosure qualifies for protection. Whistleblowers also have the option to report to “prescribed persons” – designated public service bodies and regulators who can receive disclosures directly related to their area of responsibility. However, a prescribed person has not yet been designated for AI.
  • Transparency International Ireland is the only Irish NGO specialising in whistleblower support. They operate the Speak Up Helpline, providing free confidential information and advice to whistleblowers. They have established the Transparency Legal Advice Centre (TLAC), Ireland’s only independent law centre offering free legal advice to whistleblowers.