EU Directive 2019/1937: 12-Row Engineering Checklist for Channels

EU Directive 2019/1937 obliges every private legal entity with 50 or more workers, and most public-sector entities, to operate an internal reporting channel that accepts written and oral reports, acknowledges receipt within 7 days, and gives feedback on action taken within 3 months (extendable to 6 in duly justified cases). The channel must protect the identity of the reporter and any third party named in the report, allow third-party operation under the same safeguards, support an in-person meeting on the reporter’s request, and avoid any form of retaliation as defined in Article 19. Translating those legal obligations into product requirements yields a 12-row engineering checklist that any reporting platform must satisfy before it can be considered compliant. As of April 2026, every clause below is still load-bearing under the directive’s text on EUR-Lex and the European Commission’s transposition page.

Key Takeaways

• Mandatory for private entities with 50+ workers and most public entities (Article 8).
• Channels must accept written and oral reports, plus an in-person meeting on request.
• Acknowledge in 7 days; deliver feedback in 3 months (6 in justified cases).
• Reporter identity is confidential under Article 16; access limited to authorised staff.
• Anonymous reporting is permitted, not mandated; once identified, full protections apply retroactively.

Who Is in Scope of EU Directive 2019/1937?

The directive’s scope is the first filter every product team and CISO must apply, because it controls whether the platform must be deployed at all and whether group-level sharing is allowed. Article 8 sets a worker count, Article 8.4 layers sectoral exceptions on top, and Article 8.9 carves out municipal latitude. The result is that a single corporate group can hold subsidiaries that fall on both sides of the obligation.

• Private legal entities with 50 or more workers must operate an internal reporting channel under Article 8.3; entities below 50 sit outside Article 8’s mandate, although member states may add stricter rules under Article 8.7.
• Private entities with 50 to 249 workers may share resources for receiving and investigating reports under Article 8.6, without prejudice to confidentiality, feedback, and follow-up obligations. The European Commission has confirmed this does not extend to a single central compliance team handling all reports for a corporate group; each subsidiary above 250 workers needs its own channel.
• Most public-sector entities are in scope regardless of size, with member-state discretion to exempt municipalities below 10,000 inhabitants or 50 workers under Article 8.9.
• Financial services entities and entities subject to specific Union acts (anti-money-laundering, transport safety, environmental protection) follow stricter sectoral rules even below the 50-worker threshold, per Article 8.4 and the directive’s Annex Parts I.B and II.
• The compliance deadline was staggered: companies with 250 or more workers had until 17 December 2021 to comply, and the threshold extended to 50 or more workers on 17 December 2023 across all member states.

Image: Diliff via Wikimedia Commons, CC-BY-SA 3.0

What Channels and Timers Must the Platform Support?

This is the spine of the checklist: Article 9 and Article 18 together define the input channels, the durable-record obligation, and the two timers a regulator will measure on audit. A compliant platform exposes each of these as a concrete configuration switch, not a hidden default. Get any one of them wrong and the entire channel is non-compliant, regardless of how good the rest of the product looks.

The 7-day acknowledgement is the easiest box to tick on paper and the easiest to miss in practice, because it counts from receipt of the report and not from the recipient’s first working day. A platform that auto-acknowledges receipt at submission with a unique case identifier solves this in one move. The 3-month feedback timer is harder, because “feedback on action taken” is a substantive obligation, not a ping. The platform must give the recipient a structured way to record what was done, and an extension to 6 months has to carry a written justification stored alongside the case.

Note also that the channel must be permanently visible. Article 9.1(g) requires clear and easily accessible information about the procedure and the alternative external route, which means the URL of the form has to be linked from a place every worker, supplier, and business partner can find without hunting. A button buried three clicks deep in an intranet does not satisfy “easily accessible”.

How Does the Directive Define Confidentiality and Access?

Article 16 is where many platforms over-collect and over-share data, and it is the single most common cause of regulatory criticism in the European Commission’s July 2024 transposition report. The duty of confidentiality covers both the reporter’s identity and any indirect identifiers (“information from which the identity of the reporting person may be directly or indirectly deduced”), which forces the platform to think about metadata and not just the report body.

• Identity of the reporter and of any third party mentioned in the report must not be disclosed without the reporter’s explicit consent, except where required by Union or national law in the context of investigations or judicial proceedings (Article 16.1 and 16.2).
• Access to the report is limited to the authorised staff competent to receive or follow up reports under Article 9.1(a); everyone else, including general management, must be kept out by access controls and not by an honour system.
• Article 8.5 lets organisations entrust the channel to a third party (a vendor or external lawyer), but the third party is bound by the same safeguards under Article 9.1 and must not become a backdoor into the case file.
• The platform must support a designated person or department model so the recipient role is auditable, per Article 9.1(c). A shared inbox owned by “compliance@” is not enough if any member can read any case.
• Cross-case visibility (one recipient seeing another recipient’s case) must be off by default and become a permission, not the other way around. Article 16 read with Article 17 means manifestly irrelevant personal data has to be deleted, which is hard to do when every recipient sees every report.
• The duty of confidentiality also covers persons concerned (the subject of the report) under Article 22; the platform should not leak the accused person’s identity beyond the investigation team either.

Image: Nuno Nogueira via Wikimedia Commons, CC-BY-SA 2.5

What About Anonymous Reports and the Anonymous-Then-Identified Rule?

This is the most-asked operational question and the source of many compliance accidents. The directive does not mandate anonymous acceptance, but it does extend the directive’s full retaliation protections retroactively if an anonymous reporter is later identified. That asymmetry shapes how the platform must store the link between an anonymous receipt and any later identification.

• Article 6.2 leaves to member states the decision whether legal entities and competent authorities must accept and follow up anonymous reports.
• Article 6.3 says that a reporter who initially submitted anonymously and is later identified still benefits from the directive’s retaliation protections, provided they meet the directive’s conditions.
• Operationally, that means the platform must keep the link between the anonymous receipt and any later-identified reporter so the protection chain is documented end to end. A case ID that survives identification, plus an audit trail of who linked the identity to the case, is the minimum.
• Several member states (Germany since the HinSchG entered into force in 2023, and France under Sapin II) explicitly extend anonymous reporting; the platform should expose this as a per-tenant switch, because the same product is sold across all 27 member states.
• Article 9.1(e) requires diligent follow-up of anonymous reports where national law provides for it; the platform should be able to assign a recipient and run the same timers on an anonymous case as on an identified one.

Article 19 Retaliation: What the Platform Should Help With

Retaliation is the regulator’s measure of whether the channel actually worked. Software cannot prevent a manager from cutting a reporter’s hours or moving them to a corner office; what it can do is detect, document, and route the resulting follow-up report so the audit committee sees it. Article 19 lists 15 forms of prohibited retaliation, which is the operational list the platform should help the recipient triage against.

• Article 19 covers suspension, lay-off, dismissal, demotion, withholding promotion, transfer, reduction in wages, change in working hours, withholding training, negative performance assessments, harassment, discrimination, blacklisting, early termination of temporary contracts, and even psychiatric or medical referrals as forms of prohibited retaliation.
• The platform should let the reporter file a follow-up retaliation report tied to the original case, so the chain of cause and effect is preserved without forcing them to start over.
• The platform should record any change in the reporter’s employment status (where the organisation chooses to integrate HR data) as audit-trail context; manual annotation is fine when integration is not possible.
• A retaliation flag on the case dashboard helps recipients escalate to the audit committee or compliance lead without sending an email that itself becomes a confidentiality risk.
• The reverse-burden-of-proof rule under Article 21.5 (the employer must prove the adverse action was unrelated to the report) shapes evidence retention: keep the case audit trail beyond the headline retention window, because the employer is the one who needs the evidence in the eventual proceeding.
• Article 18.1 requires storage for no longer than is necessary and proportionate, which sits in tension with Article 21.5; document the retention rationale per case rather than running one global timer.

When NOT to Use This Checklist

This 12-row checklist is engineering-side, EU-internal, and product-focused. It is not the right lens for several adjacent problems, and trying to bend it to cover them is how compliance teams end up over-scoping a platform RFP.

• You operate only outside the EU and in jurisdictions that have not adopted the directive; a SOX 806 / Dodd-Frank checklist is the correct lens for that footprint.
• You need a specific country implementation (Germany HinSchG, France Sapin II, UK PIDA); a multi-jurisdiction mapping is the correct lens for those national deltas.
• You are looking for legal advice on individual cases; this is an engineering checklist, not legal counsel, and Article 16 has plenty of edge cases that need a lawyer.
• You only handle external reports to competent authorities; the directive’s external-channels obligations under Articles 11 to 14 sit on the authority side, not on the employer’s product, and the configuration switches are different.
• You need to evaluate retaliation outcomes rather than configure intake; Article 19 detection is partly a process question and not a product question, and a checklist of switches will mislead you.

FAQ

• Eu-Directive-2019-1937
• Compliance
• Reporting-Channels
• Internal-Channel