Whistleblowing Triage Workflow: The 7-Day and 3-Month SLA Clock
A compliant whistleblowing operation runs two SLA clocks per case: 7 days from intake to acknowledgement, then up to 90 days from acknowledgement to substantive feedback. Both timers come straight from Articles 9 and 11 of EU Directive 2019/1937, and they are mirrored verbatim in every Member-State transposition: France’s Loi Waserman, Italy’s D.lgs. 24/2023, and Germany’s HinSchG. Lay them on top of the ISO 37002:2021 four-stage management cycle (Receive, Assess, Address, Conclude), add a parallel 12-month retaliation watch, and you have a workflow that satisfies the directive, the international standard, and the operational reality of running an investigation. A platform that does not surface both clocks per case as countdown badges (rather than as background retention settings) is non-compliant by design.
Key Takeaways
- EU Directive 2019/1937 sets two hard timers per case: 7 days to acknowledge a report and 90 days to provide substantive feedback.
- ISO 37002:2021 names a four-stage cycle (Receive, Assess, Address, Conclude) that maps onto those two clocks.
- Triage at the Assess stage scores four axes: severity, retaliation risk, legal exposure, and evidence perishability.
- Retaliation monitoring runs as a parallel workstream for at least 12 months after case closure.
- The two clocks must surface per case as countdown badges, not as background data-retention settings.
What are the two SLA clocks every whistleblowing platform must run?
Two clocks, both running in series on the same case, both anchored in the directive text.
The 7-day acknowledgement clock starts at intake and stops the moment the first outbound communication reaches the reporter confirming receipt. Article 9(1)(b) mandates it for internal channels; Article 11(2)(b) mandates it for external channels operated by competent authorities. As of April 2026, the EUR-Lex consolidated text still phrases it as “acknowledgement of receipt of the report to the reporting person within seven days of that receipt”, with no carve-outs for weekends, holidays, or batch processing. Seven calendar days, full stop.
The 90-day feedback clock starts at acknowledgement, or, if no acknowledgement was sent, at the expiry of the 7-day clock. Article 9(1)(f) mandates it for internal channels; Article 11(2)(d) mandates it for external. The directive phrases the cap as “a reasonable timeframe not exceeding three months”, and explicitly permits external competent authorities to extend that to six months in duly justified cases. Internal channels do not get the extension. If you operate an employer-side reporting line, three months is the ceiling.
The directive’s definition of “feedback” matters here. Article 5(13) defines it as “the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up”. That is an action description, not a final outcome. The 90-day clock stops on the substantive update, not on case closure. A case can legitimately stay open for many more months while corrective actions track to completion, provided the reporter has been told what is being done and why.
The Italian transposition, D.lgs. 24/2023, expresses the same window in operational language: a 90-day overdue alert that begins 7 days after report creation. That phrasing translates directly into a UI pattern for the case header: a single SLA progress bar that changes colour at day 7 (acknowledgement due) and day 97 (feedback due). One bar per case, two colour flips, and the operations lead can read the entire compliance posture of the channel at a glance.
This is also where most platforms fail an audit. A generic 90-day data-retention setting on the channel is not the same thing as an SLA clock. Retention is about deleting data after a fixed window; the SLA clock is about prompting an investigator before a fixed deadline. The two have different audit footprints, different alerting needs, and different escalation paths. Conflating them is one of the most common findings on a directive readiness review.
How does ISO 37002:2021 structure the operations workflow?
The directive tells you what timers must run. It does not tell you what stages a case passes through, who owns each stage, or how to document the transitions between them. That is what ISO 37002:2021 adds.
The standard names a four-stage management cycle:
- Stage 1, Receive. Intake from any channel format Article 9(2) requires (written, oral by phone or voice messaging, in-person on request). The system records the report, starts the 7-day clock, and sends the acknowledgement.
- Stage 2, Assess. The triage gate, which decides whether the report is in scope, who handles it, what investigation response is appropriate, and whether to refer the report out. ISO 37002 requires this decision to be documented.
- Stage 3, Address. The investigation itself: evidence collection, witness interviews, decision, outcome documentation. The 90-day feedback clock runs across this stage.
- Stage 4, Conclude. Outcome management, including feedback to the reporter to the extent legally permitted, corrective actions tracked through to completion, formal closure, and the learning loop back into channel design and intake forms.
Running alongside the four-stage cycle is a fifth workstream that ISO 37002 deliberately keeps separate: anti-retaliation monitoring. The standard treats it as its own track, not as a sub-step of any of the four stages. Mature programmes monitor for retaliation against the reporter and witnesses for at least 12 months after case closure, often longer in regulated sectors.
The clean way to think about the relationship between the directive and the standard is a mapping table:
| ISO 37002 stage | Directive 2019/1937 article(s) | What it constrains |
|---|---|---|
| Receive | Article 9(2) | Channel format: written, oral, in-person on request |
| Assess | Article 9(1)(c) | Impartial person, conflict-of-interest screening |
| Address | Article 5(13) | Definition of follow-up that the work must satisfy |
| Conclude | Article 9(1)(f), Article 11(2)(d) | 90-day substantive feedback to the reporter |
| Anti-retaliation | Articles 19 to 22 | Prohibition on dismissal, suspension, demotion, etc. |
Every stage transition is a documented decision point where the platform must record who decided, what they decided, and why. The audit trail of those transitions is itself a security control, not a side effect of the workflow.
How do you triage a report at the Assess stage?
Triage is the single decision that determines whether the rest of the workflow is even appropriate. ISO 37002 expects it to be risk-based and documented, but the standard stops short of a concrete rubric. The four-axis scoring below is the rubric most mature programmes converge on.
Axis 1 is severity. Criminal conduct ranks above administrative breach, which ranks above policy violation. Safety-of-life implications (medical-device tampering, structural-engineering fraud) automatically promote the case. A financial-impact tier is useful but secondary to the criminal-versus-civil distinction.
Axis 2 is people risk: the retaliation exposure to the reporter, witnesses, and identified parties. A reporter who works directly under the alleged wrongdoer scores higher than one who is two reporting lines removed. Witnesses with disclosed identities score higher than witnesses already pseudonymised. A high score on this axis can legitimately slow down disclosure events, even where the directive permits them, because the disclosure itself is a retaliation vector.
Axis 3 covers legal exposure: regulatory deadlines that run alongside the directive’s timers. SOX 806 and Dodd-Frank obligations apply to US-listed groups. GDPR Article 33’s 72-hour breach-notification window applies if the report names a personal-data incident, and that window is the strictest of the lot, expiring well before the directive’s 7-day acknowledgement clock. Sector-specific reporting obligations (medical-device vigilance, aviation safety, anti-money-laundering) overlay further deadlines.
Axis 4 is evidence perishability: server log retention, CCTV overwrite cycles, witness availability before reassignments or contract endings. A perishable-evidence flag promotes the case to immediate-investigation regardless of severity score, because waiting on a low-severity case while logs roll over costs the organisation the only chance it had to substantiate any future allegation.
The output of triage is a documented decision in one of four categories: investigate, monitor, refer-out, close. Each has a templated communication back to the reporter that respects the 90-day clock.
The Assess stage is also where the impartial-person requirement under Article 9(1)(c) bites. The person performing triage must be free of conflicts and independent of the alleged wrongdoer’s chain of command. Document the conflict-of-interest check at this stage, with a named alternate ready in case the primary triager is conflicted out.
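The four-axis rubric and the impartial-person check described above, as an added example that is not code from the article or from any platform it discusses. The ordinal scales, the thresholds, the `Report` fields, the `manager_of` org-chart mapping and the `outside_channel_competence` flag are all assumptions made for illustration; the two rules the text does fix are implemented as stated: a perishable-evidence flag forces "investigate" regardless of severity, and a triager who sits in the alleged wrongdoer’s chain of command (or vice versa) is conflicted out in favour of the named alternate. The output is the documented decision the standard asks for: who decided, what, and why.

```python
"""Four-axis triage with the perishable-evidence override and the Article 9(1)(c)
impartiality check. Added example; scale values and thresholds are assumptions."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"policy_violation": 1, "administrative_breach": 2, "criminal": 3}  # assumed scale


@dataclass
class Report:
    severity: str                      # key of SEVERITY_RANK
    safety_of_life: bool               # e.g. medical-device tampering: automatic promotion
    reporter_distance: int             # reporting lines between reporter and alleged wrongdoer; 0 = direct report
    witnesses_identified: bool         # witnesses with disclosed identities score higher
    regulatory_deadlines_hours: list   # parallel external deadlines, e.g. [72] for a GDPR Art. 33 incident
    perishable_evidence: bool          # logs rolling over, CCTV overwrite, departing witness
    in_scope: bool
    outside_channel_competence: bool = False   # assumed flag: matter belongs with an external authority


def score(r: Report) -> dict:
    """Scores on the four axes. The scales are this example's assumption, not ISO 37002's."""
    severity = 3 if r.safety_of_life else SEVERITY_RANK[r.severity]
    people = (2 if r.reporter_distance <= 1 else 1) + (1 if r.witnesses_identified else 0)
    tightest = min(r.regulatory_deadlines_hours, default=None)
    legal = 0 if tightest is None else (2 if tightest <= 7 * 24 else 1)
    evidence = 1 if r.perishable_evidence else 0
    return {"severity": severity, "people": people, "legal": legal, "evidence": evidence}


def chain_of_command(person: str, manager_of: dict) -> set:
    """The person plus everyone above them (manager_of maps person -> manager, or None at the top)."""
    seen, cur = set(), person
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = manager_of.get(cur)
    return seen


def conflicted(triager: str, wrongdoer: str, manager_of: dict) -> bool:
    """Conflicted if either sits in the other's chain of command (also covers triager == wrongdoer)."""
    return (triager in chain_of_command(wrongdoer, manager_of)
            or wrongdoer in chain_of_command(triager, manager_of))


def triage(r: Report, wrongdoer: str, primary: str, alternate: str, manager_of: dict) -> dict:
    """Documented Assess-stage decision: who decided, what they decided, and why."""
    triager = next((p for p in (primary, alternate) if not conflicted(p, wrongdoer, manager_of)), None)
    if triager is None:
        return {"decision": "blocked", "triager": None, "scores": None,
                "rationale": ["primary and alternate triager both conflicted out; escalate"]}
    s = score(r)
    why = []
    if not r.in_scope:
        decision = "close"
        why.append("out of scope for the channel")
    elif r.outside_channel_competence:
        decision = "refer-out"
        why.append("matter belongs with an external competent authority")
    elif r.perishable_evidence:
        # The override from the text: waiting while logs roll over forfeits the evidence.
        decision = "investigate"
        why.append("perishable evidence promotes to immediate investigation regardless of severity")
    elif s["severity"] >= 2 or s["legal"] == 2:
        decision = "investigate"
        why.append(f"severity {s['severity']} / legal {s['legal']} at or above threshold")
    else:
        decision = "monitor"
        why.append("low severity, no tight parallel deadline, no perishable evidence")
    if s["people"] >= 3:
        why.append("high people risk: slow down disclosure events")
    return {"decision": decision, "triager": triager, "scores": s, "rationale": why}


if __name__ == "__main__":
    org = {"reporter": "boss", "boss": "director", "director": None, "compliance": None}
    rep = Report("policy_violation", False, 0, True, [], True, True)
    print(triage(rep, "boss", "director", "compliance", org))
```

The rationale list is what goes into the decision-and-rationale field of the case record; the triager name is what the conflict-of-interest-checked flag should point at.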
What does a compliant case-management surface look like?
The two SLA clocks plus the four ISO stages define what every case record has to expose. Translated into vendor-neutral terms, the case-management screen needs the following fields.
The per-case header carries the case ID, channel of receipt (web form, oral phone, in-person, external authority forwarding), intake timestamp (which is t=0 of both clocks), current ISO stage, current sub-status, and two countdown badges: 7-day acknowledgement and 90-day feedback. The badges are the load-bearing element. Without them, an investigator cannot read the compliance posture of the case from the header alone.
Reporter-facing fields cover the reporter token (for anonymous reporters), preferred-language flag, opt-in flags (consent to be contacted, consent to recording where applicable), and feedback-due-by date.
Investigator-facing fields cover the assigned investigator, conflict-of-interest-checked flag, scope-of-investigation document link, evidence index, decision-and-rationale field, outcome category, and retaliation-watch-until date.
Audit-trail fields capture every status transition, every disclosure event, and every notification sent. The trail is append-only, signed, and queryable. It is a security control in its own right, not a side effect of the workflow.
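An append-only, tamper-evident trail of the kind just described, as an added example that is not code from the article or from any platform. It uses a keyed hash chain (HMAC-SHA256, standing in for whatever signing key the platform holds) where each record carries the MAC of its predecessor, so editing, deleting or reordering any record is detected at verification. The case id, actor names, event labels and timestamps in `sample_trail` are constructed to follow the article’s timeline.

```python
"""Append-only, keyed-hash-chained audit trail for case state transitions.
Added example; the key, event names and sample records are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64   # chain anchor for the first record


class AuditTrail:
    """Each record carries the MAC of its predecessor. The HMAC key stands in for a
    signing key held by the platform, not by the investigators whose actions it records."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: list = []

    def _mac(self, record: dict) -> str:
        # Canonical JSON so the same record always yields the same MAC.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, case_id: str, event: str, actor: str, detail: str,
               at: Optional[str] = None) -> str:
        """Record one status transition, disclosure event or notification. Returns its MAC."""
        record = {
            "seq": len(self._entries),
            "case_id": case_id,
            "event": event,        # e.g. "stage:Assess->Address", "notify:ack_sent"
            "actor": actor,
            "detail": detail,      # the documented rationale for the decision
            "at": at or datetime.now(timezone.utc).isoformat(),
            "prev": self._entries[-1]["mac"] if self._entries else GENESIS,
        }
        record["mac"] = self._mac(record)
        self._entries.append(record)
        return record["mac"]

    def verify(self) -> tuple:
        """Walk the chain. Returns (True, n) if all n records check out, else (False, index)."""
        prev = GENESIS
        for i, rec in enumerate(self._entries):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i        # deleted, inserted or reordered record
            if not hmac.compare_digest(self._mac(body), rec["mac"]):
                return False, i        # edited record
            prev = rec["mac"]
        return True, len(self._entries)

    def query(self, case_id: Optional[str] = None, event_prefix: str = "") -> list:
        """Queryable: every transition or notification for a case, optionally by event class."""
        return [dict(r) for r in self._entries
                if (case_id is None or r["case_id"] == case_id)
                and r["event"].startswith(event_prefix)]

    def records(self) -> list:
        return [dict(r) for r in self._entries]   # copies: callers cannot mutate the trail


def sample_trail(key: bytes = b"demo-key-not-for-production") -> AuditTrail:
    """Constructed transitions for one case, following the article's timeline."""
    t = AuditTrail(key)
    t.append("WB-0001", "stage:Receive", "system", "web form intake",
             "2026-01-05T09:00:00+00:00")
    t.append("WB-0001", "notify:ack_sent", "impartial.person", "templated acknowledgement",
             "2026-01-10T10:00:00+00:00")
    t.append("WB-0001", "stage:Assess->Address", "impartial.person",
             "in scope; no conflict; perishable evidence flag raised; decision: investigate",
             "2026-01-13T15:30:00+00:00")
    t.append("WB-0001", "notify:feedback_sent", "investigator.a", "substantive feedback",
             "2026-03-31T11:00:00+00:00")
    return t


if __name__ == "__main__":
    trail = sample_trail()
    print(trail.verify())
    for rec in trail.query("WB-0001", "notify:"):
        print(rec["at"], rec["event"], rec["actor"])
```

Because `verify` reports the first index that fails, an auditor can tell whether a record was edited in place or whether something was removed from the middle of the chain; storing the latest MAC somewhere the platform cannot rewrite (a ticket, a printed report) also catches truncation of the tail.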
Notification triggers fire on report received, acknowledgement-due-soon, acknowledgement-overdue, feedback-due-soon, feedback-overdue, retaliation-watch-due-soon, and retaliation-watch-closed.
The most common anti-pattern in the market is the platform that ships a generic 90-day report-expiration retention default but no acknowledgement clock and no feedback clock. The default is configured at the channel level and silently deletes the report after 90 days. That happens to coincide numerically with the directive’s feedback timer, which makes the design look legitimate at a glance, but retention and SLA are different mechanisms. Retention deletes data; the clock prompts a human. A channel can satisfy retention while failing every SLA, and vice versa. Audit findings on this point are routine.
How do Member-State transpositions change the timers?
Article 25 of the directive forbids Member States from weakening reporter protection, but it explicitly allows them to go stricter. Several transpositions tighten the wording of the timers without changing the floor. Operations teams running multinational programmes need to know which version applies to which subsidiary.
France’s Loi Waserman (Law 2022-401 of 21 March 2022) copies the 7-day acknowledgement and 3-month feedback timers verbatim. It adds an explicit verify, rectify, and approve cycle for oral reports, where the reporter must be offered the chance to sign the transcript or the recorded conversation in a durable and retrievable form. The voice-intake mechanics live in the Sapin II / Loi Waserman lineage.
Italy’s D.lgs. 24/2023 keeps the same timer floor, but its implementing language is the “90-day overdue alert that starts 7 days after report creation” framing this post recommends as a UI pattern. It also adds notification obligations the directive only implies.
Germany’s HinSchG carries the same timers plus an explicit duty for the channel to be reachable in writing and orally. Crucially, it adds a fine schedule for missed timers, which gives the SLA clocks regulatory teeth that the directive itself lacks. A missed acknowledgement is no longer just a compliance failure; it is a fineable administrative offence.
For companies with 50 to 249 employees, Article 8(6) of the directive permits resource-sharing for the internal channel. Companies in this size band can pool their reporting line into a shared service. The SLA clocks still apply per case across the shared service. Pooling resources does not pool the clock.
Multinational groups run a clock per in-scope subsidiary unless a documented intra-group reporting model is in place. The clock does not pause when a case is escalated up the group hierarchy. If French intake at T+0 escalates to a German parent at T+5, the French entity is still on the hook for the day-7 acknowledgement, even if the parent is also handling the case.
For current transposition status by Member State, the European Commission maintains a protection of whistleblowers tracker, verified as of April 2026.
A worked example: one case through both clocks
Concrete numbers make the framework legible. Here is a realistic case timeline:
- T+0 (intake): reporter submits a written report through the web form. The 7-day acknowledgement clock starts. The 90-day feedback clock is dormant, waiting on acknowledgement.
- T+5d (acknowledgement): the designated impartial person sends the templated acknowledgement, which reads “We confirm receipt of your report. A handler has been assigned. You can expect substantive feedback no later than [T+5d + 90d].” The 7-day clock stops well within the deadline. The 90-day clock starts.
- T+8d (triage): the triage scores severity, people risk, legal exposure, and evidence perishability. The case is in scope, no conflicts of interest, perishable evidence flag raised. Decision is to investigate, with a witness interview scheduled within 14 days. Stage transitions from Assess to Address.
- T+45d (mid-investigation): evidence collected, interviews complete, preliminary findings drafted. Outcome leans toward substantiated. Reporter receives a non-substantive status note that does not stop the clock.
- T+85d (substantive feedback): reporter receives the substantive update covering scope of investigation, actions taken to date, corrective actions planned, and expected closure window. The 90-day clock stops at T+85, with 5 days of margin. Stage transitions from Address to Conclude.
- T+120d (closure): corrective actions implemented and verified. Case formally closed. The retaliation-watch clock starts, set to T+120d + 365d.
- T+485d (watch close): no retaliation observed. Watch period closed. Reporter receives a one-line acknowledgement that the watch has ended, with their right to re-open it on new evidence preserved.
The pattern to internalise: substantive feedback at T+85 is not the end of the case, closure at T+120 is not the end either, and the retaliation watch at T+485 is the actual end, more than a year after the original intake.
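The two clocks and the retaliation watch from the timeline above, as an added example that is not code from the article or from any platform. It encodes the rules the text states: the 7-day clock runs from intake; the 90-day clock runs from acknowledgement or, if none was sent, from the expiry of the 7-day clock (so an unacknowledged case falls due at day 97, the Italian framing); the watch starts only at formal closure; and a non-substantive status note does not stop the feedback clock because only `feedback_sent` does. The intake date and the due-soon warning windows are assumptions; the day offsets are the article’s.

```python
"""Two SLA clocks per case plus the retaliation watch. Added example; the warning
windows and the sample intake date are assumptions, the day offsets are the article's."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACK_DAYS = 7         # Article 9(1)(b): acknowledge within seven calendar days of intake
FEEDBACK_DAYS = 90   # Article 9(1)(f): substantive feedback within three months
WATCH_DAYS = 365     # ISO 37002 practice: 12-month retaliation watch after closure
ACK_WARN_DAYS = 2        # assumed: when the acknowledgement-due-soon trigger fires
FEEDBACK_WARN_DAYS = 14  # assumed: when the feedback-due-soon trigger fires
WATCH_WARN_DAYS = 30     # assumed: when the retaliation-watch-due-soon trigger fires


def clock_state(deadline: date, stopped_on: Optional[date], today: date, warn_days: int) -> tuple:
    """One countdown badge as seen on `today`: (state, days). For a stopped clock, days is the
    margin left when it stopped; otherwise the days remaining (negative means overdue)."""
    if stopped_on is not None and stopped_on <= today:
        return "stopped", (deadline - stopped_on).days
    left = (deadline - today).days
    if left < 0:
        return "overdue", left
    if left <= warn_days:
        return "due_soon", left
    return "running", left


@dataclass
class Case:
    intake: date                              # t=0 of both clocks
    acknowledged: Optional[date] = None
    feedback_sent: Optional[date] = None      # substantive feedback only; status notes do not count
    closed: Optional[date] = None

    def ack_deadline(self) -> date:
        return self.intake + timedelta(days=ACK_DAYS)

    def feedback_clock_start(self) -> date:
        # Runs from acknowledgement or, if none was sent, from expiry of the 7-day clock.
        return self.acknowledged if self.acknowledged is not None else self.ack_deadline()

    def feedback_deadline(self) -> date:
        return self.feedback_clock_start() + timedelta(days=FEEDBACK_DAYS)

    def watch_until(self) -> Optional[date]:
        # The retaliation watch is a separate track that only starts at formal closure.
        return None if self.closed is None else self.closed + timedelta(days=WATCH_DAYS)

    def badges(self, today: date) -> dict:
        """The per-case header badges an investigator reads at a glance on a given day."""
        out = {
            "ack": clock_state(self.ack_deadline(), self.acknowledged, today, ACK_WARN_DAYS),
            "feedback": clock_state(self.feedback_deadline(), self.feedback_sent, today, FEEDBACK_WARN_DAYS),
        }
        until = self.watch_until()
        if until is None or today < self.closed:
            out["watch"] = ("not_started", None)
        elif today >= until:
            out["watch"] = ("closed", 0)
        else:
            left = (until - today).days
            out["watch"] = ("due_soon" if left <= WATCH_WARN_DAYS else "running", left)
        return out


def worked_example(intake: date = date(2026, 1, 5)) -> dict:
    """The article's timeline: ack at T+5d, feedback at T+85d, closure at T+120d.
    The intake date is constructed; only the offsets matter."""
    def day(n: int) -> date:
        return intake + timedelta(days=n)
    case = Case(intake=intake, acknowledged=day(5), feedback_sent=day(85), closed=day(120))
    return {
        "ack_deadline_day": (case.ack_deadline() - intake).days,
        "feedback_deadline_day": (case.feedback_deadline() - intake).days,
        "watch_until_day": (case.watch_until() - intake).days,
        "badges_at_day_85": case.badges(day(85)),
        "badges_at_day_485": case.badges(day(485)),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(key, value)
```

Note that the badges are computed from the case record on demand, so a retention job that deletes the record would also delete the clock; keeping the watch-until date and the closure notification on a separate schedule, as the text recommends, is what keeps the T+485 step alive after the case file is gone.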
How long does the retaliation watch run after closure?
The directive prohibits retaliation but sets no monitoring duration. ISO 37002 fills the gap, and mature programmes operationalise the 12-month minimum window the standard suggests as best practice.
The 12-month floor is what most programmes settle on. Some sectors (financial services, life sciences) and some Member States impose longer, particularly where retaliation can manifest in non-obvious ways like blocked promotion cycles or unfavourable performance reviews tied to the next annual review.
Several events should pause or restart the watch:
- HR actions involving the reporter: performance reviews, transfers, terminations, bonus determinations.
- Witness retaliation reports.
- Internal-audit triggers that touch the reporter’s department.
- Any new whistleblowing report that names the same reporter or witnesses.
When the watch closes cleanly, the reporter receives a brief acknowledgement that the watch period has ended, with the explicit reservation of their right to re-open it on new evidence. The closing documentation includes the periodic-monitoring log, the no-retaliation finding, and a cross-reference to any HR actions that touched the reporter or witnesses during the watch.
This part of the workflow gets dropped first under operational pressure. The case has been “closed” for a year, the original investigator has rotated, the platform has expired the case data under its retention policy. The fix is structural: maintain a separate retention policy for retaliation-watch records that survives the closure of the underlying case, and bind the watch-close notification to a calendar trigger that does not depend on the case file still being live.
When NOT to Use This
This SLA framework targets the typical employer-operated internal channel under EU Directive 2019/1937. It does not fit cleanly into every situation:
- The organisation is below the 50-employee threshold and has not voluntarily opted in to the directive’s regime. Different obligations may apply, or none at all.
- The reporting channel is purely an external competent-authority channel (a regulator’s intake), where Article 11 grants a 6-month feedback extension that this internal-channel framework does not cover.
- The organisation’s sector is governed by stricter sector-specific rules (financial services under Dodd-Frank or SOX 806; aviation safety; medical-device vigilance) where the SLA model needs sector-specific overlays not covered here.
- The case is being routed through external counsel under privilege, where the law firm, not the platform, owns the SLA clock.
- Non-EU jurisdictions outside the directive’s transposition scope, including UK PIDA, US SOX/Dodd-Frank, and Canadian PSDPA. The 7-day and 90-day numbers are EU-specific.
FAQ
How fast must I acknowledge a whistleblowing report under EU law?
How long do I have to give substantive feedback to a whistleblower?
Is feedback the same as a final outcome?
Does the directive set how long I must monitor for retaliation?
What happens to the SLA clocks if a case is escalated to an external authority?
Where is the directive’s 90-day timer actually written?