When in 2019 the European Parliament approved Directive 2019/1937 concerning the protection of individuals who report breaches of Union law, it did so with the conviction that the central problem was not the absence of political will, but the lack of real guarantees. Five years later, the data show that this diagnosis remains valid, although the issue has shifted from the regulatory realm to institutional governance.
The Competence Evaluation Report: assessment of organizational capacity in whistleblower protection from the VoiceGuard project, coordinated by FIBGAR and co-financed through the European Commission’s CERV program and based on 150 questionnaires administered in Bulgaria, the Czech Republic, Spain, Greece, Luxembourg and Romania, offers the most detailed snapshot to date of what happens inside the organizations that must implement these systems. The results are revealing and, in many respects, worrying.
Formal compliance, operational failure
The first striking data point is that 86% of the surveyed organizations, almost nine out of ten, meet the Directive’s requirement to publish information about their internal whistleblowing system on a public website. However, when looking beyond that minimal threshold, the outlook deteriorates quickly.
“The whistleblowing system exists in the documents, but is virtually invisible in the everyday work life of those who should use it”
When employing more advanced methods to transparently communicate the function of the internal whistleblowing system, the figures drop significantly: only 17.3% of organizations include references to the internal whistleblowing system in employment contract templates. Just 15.3% offer active secure advisory services. And almost 60% of employees work in environments where training on whistleblowing procedures is insufficient. In practice, this means the whistleblowing system exists in the documents, but is virtually invisible in the day-to-day work life of those who should use it.
This gap is not a minor detail. It is, precisely, the core governance problem that the Directive aimed to resolve: that people with knowledge of irregularities have not only the theoretical right to alert, but the material conditions to do so safely and effectively.
Unsafe channels and the anonymity problem
The issue of anonymous alerts is a clear reflection of this tension. The Directive allows Member States to decide whether they accept anonymous alerts, but it explicitly states that anonymous whistleblowers who are subsequently identified must be protected against retaliation. However, 26% of the surveyed organizations directly reject anonymous alerts, and another 19% (twenty-eight organizations) condition their investigation on whether there is sufficiently justificatory information.
Furthermore, it is important to note that, among these twenty-eight organizations that require sufficient information, only nine allow two-way communication. This creates what the report calls a “procedural trap”: the organization demands more evidence to proceed but does not provide the secure channel that would allow the whistleblower to supply it. The result is that organizations inadvertently discard valid concerns before they can be understood or verified.
Silence is the first retaliation
One of the most significant findings of the report concerns the quality of the response whistleblowers receive. Seventy-four percent of organizations treat legal deadlines — seven days to acknowledge receipt of an alert, three months to respond — as a maximum limit rather than a minimum. In other words, they strictly meet the minimums and do not go beyond.
“Trust in the system is not built solely on rules; it is built on the experience that the rules work”
This is meaningful because the process of feeling heard is very significant for the whistleblower. Prolonged silence — even if formally in line with the Directive — is frequently perceived as indifference or as the first stage of retaliation. Trust in the system is not built solely on rules; it is built on the experience that the rules work.
Ten percent openly admit not having any established process to acknowledge receipt or provide feedback, which constitutes a direct violation of the Directive and, in terms of institutional integrity, a serious red flag.
The aspect of protection against retaliation is where the gap between the regulatory framework and reality becomes most evident. 43.3% of organizations do not offer any active support to the whistleblower. Among those that do provide some mechanism, there is a clear preference for passive and reactive tools over proactive prevention. The result is a system oriented toward managing harm, not preventing it.
Only 12% of surveyed organizations offer psychological and legal support, meaning that in most cases the whistleblower faces the consequences of having alerted alone.
Behind these operational deficits lies a structural problem of resource allocation: for almost half of those surveyed, whistleblower management is considered a minor administrative task rather than a professional function, leaving staff with fewer than ten hours per week to manage alerts, maintain security, and carry out investigations.
What is particularly significant is that this pattern does not improve with organization size. Medium, large, and very large organizations show staffing levels almost identical to small ones. This indicates that the problem responds to a question of prioritization, not scale: whistleblower management is treated as a marginal administrative task, rather than as a specialized professional function.
A reform agenda for regulatory effectiveness
The data from the VoiceGuard project point to a clear agenda for those making decisions in public integrity and anti-corruption. Transposing the normative framework was necessary, but not sufficient. The challenge now is to move from a framework of formal compliance to one of real efficacy.
That requires, first, investment in continuous training: the report’s own data show that those who receive annual training have legal-competence levels nearly four times higher than those who do not. Second, it requires ensuring secure digital infrastructures that enable bidirectional anonymous communication as the standard, not as an exception. And third, it demands supervision and accountability: inspection mechanisms must go beyond verifying that a whistleblowing channel exists to assessing whether that channel actually works.
“Europe has built the normative architecture. Now it needs to build the culture that makes it habitable”
Whistleblower protection is not a technical-legal issue. It is a governance problem that affects the quality of democracy and the state’s ability to detect and correct its own dysfunctions. Available data indicate that Europe has built the normative architecture. Now it needs to build the culture that makes it habitable.
Read the full report here.
