Who must have a whistleblowing policy under EU law?

Under EU Directive 2019/1937, legal entities in the private sector with 50 or more workers must establish internal reporting channels, with most public-sector bodies obligated regardless of size. Certain financial and AML-regulated firms must comply even below 50 workers.

What are the key acknowledgement and feedback timelines?

The Directive requires acknowledging receipt of a report within seven days and providing feedback to the reporting person within a reasonable timeframe not exceeding three months from acknowledgement.

What protections must a policy provide?

A compliant policy must guarantee confidentiality of the reporter's identity, prohibit all forms of retaliation such as dismissal or demotion, allow anonymous reporting where national law permits, and inform reporters of external reporting routes to competent authorities.

How does UK PIDA differ from the EU Directive?

The UK Public Interest Disclosure Act 1998 protects workers who make qualifying disclosures but, unlike the EU Directive, does not mandate that employers set up internal channels or meet fixed acknowledgement timelines. Many UK employers adopt Directive-style policies as best practice.

Is anything I enter sent anywhere?

No. The policy is assembled entirely in your browser from the details you enter. Nothing is transmitted or stored, and the generated text never leaves your device unless you copy it.

Whistleblowing Policy Builder

The EU Whistleblower Directive (2019/1937) requires organisations with 50 or more workers to operate secure internal reporting channels and protect whistleblowers from retaliation; the UK’s Public Interest Disclosure Act (PIDA) protects qualifying disclosures. This free builder turns a few answers into a structured, editable whistleblowing policy that reflects the Directive’s core requirements. It is built for HR and legal teams who need a solid first draft to adapt.

How it works

The builder applies the legal trigger first: private-sector entities with 50+ workers must have internal channels, while many public bodies and AML/financial-services firms are obligated regardless of size. It then assembles the policy from mandatory building blocks the Directive specifies:

Reporting channels — written and/or oral, plus the option of an in-person meeting, run by an impartial designated person or team.
Acknowledgement and feedback — confirm receipt within 7 days and give feedback within 3 months.
Confidentiality — protect the reporter’s identity and any third party named.
Anti-retaliation — prohibit dismissal, demotion, harassment and other detriment, with remedies.
External routes — inform reporters of their right to report to competent authorities and, ultimately, to make public disclosures.
Record-keeping — retain reports in line with confidentiality and data-protection (GDPR) duties.

The output is plain text you can copy and refine with counsel — it is a starting template, not legal advice.

Notes and example

A 120-employee SaaS company generates a policy with the full internal-channel, 7-day acknowledgement and 3-month feedback obligations, plus GDPR-aligned record-keeping. A 20-person firm sits below the EU threshold, so the builder notes the channels are voluntary best practice — unless it is in a regulated sector that lowers the trigger.

Always have the generated draft reviewed by a qualified lawyer for your jurisdiction and sector before adoption. Everything is assembled locally.