Eu-Directive on Whistleblowing Softwarehttps://whistleblowing-software.pages.dev/tags/eu-directive/Recent content in Eu-Directive on Whistleblowing SoftwareHugoen-usThu, 09 Apr 2026 00:00:00 +0000EU Directive vs SOX 806 vs Dodd-Frank: One Platform, Three Regimeshttps://whistleblowing-software.pages.dev/posts/eu-directive-vs-sox-806-vs-dodd-frank/Tue, 09 Sep 2025 00:00:00 +0000https://whistleblowing-software.pages.dev/posts/eu-directive-vs-sox-806-vs-dodd-frank/<p>A multinational employer with EU operations and US public-company exposure has to satisfy three whistleblowing regimes from a single platform: <a href="https://eur-lex.europa.eu/eli/dir/2019/1937/oj">EU Directive 2019/1937</a>, <a href="https://www.law.cornell.edu/uscode/text/18/1514A">Sarbanes-Oxley Section 806</a>, and <a href="https://www.sec.gov/whistleblower">Dodd-Frank Section 922</a>. The engineering rule of thumb, verified against the three statutes as of April 2026, is to default every workflow to the strictest regime (the EU directive&rsquo;s 7-day acknowledgement and 3-month feedback timers), then layer SOX-specific audit-committee routing and Dodd-Frank&rsquo;s &ldquo;anonymous via counsel&rdquo; carve-out as overlays on top. Configure once to the EU baseline and the US obligations fall into place as additive routing rules, not as competing pipelines.</p>Inside a Whistleblowing Platform: 7 Components and the Data Flowhttps://whistleblowing-software.pages.dev/posts/whistleblowing-platform-7-components-and-data-flow/Wed, 16 Jul 2025 00:00:00 +0000https://whistleblowing-software.pages.dev/posts/whistleblowing-platform-7-components-and-data-flow/<p>A whistleblowing platform is built from seven cooperating components: an intake layer that accepts reports over web, Tor, hotline, voice, and mobile channels; a triage and routing engine that classifies and assigns each case; a case management subsystem that owns the investigation lifecycle; an investigator workspace where authorised staff decrypt evidence and write findings; a two-way messaging channel that lets the platform talk back to anonymous reporters via a 16-digit receipt; an audit trail and reporting subsystem that records every action; and an admin and configuration plane that controls retention, encryption, and access policies. The reference architecture used here is grounded in publicly available application-security documentation from mature open-source whistleblowing software (verified April 2026) and the four lifecycle stages defined in <a href="https://www.iso.org/standard/65035.html">ISO 37002:2021</a>. The data flow is intake into encrypted submission storage, then routing to a recipient or audit committee, then case work over the receipt channel, then closure with a structured outcome and an audit trail that survives the reporting record after retention deletion.</p>