A compliant voice hotline intake under France’s Loi Waserman, the act that modernised Sapin II to transpose EU Directive 2019/1937, is one pipeline, not three. Capture audio in the browser via the MediaRecorder API, encrypt and upload it into the same report bundle as the text fields using libsodium SealedBox to the recipient’s Curve25519 public key, produce a draft transcript on the recipient side using a self-hosted STT model, and let the reporter verify, rectify, and approve through an anonymous one-time receipt code (never an email or phone re-prompt). The same five-stage pipeline satisfies Article 9(2) and Article 18 of the directive, France’s verify/rectify/approve cycle, and Italy’s D.lgs. 24/2023 oral-report rule. The only deltas across regimes are the consent UX wording and the retention period.

EU Directive 2019/1937 obliges every private legal entity with 50 or more workers, and most public-sector entities, to operate an internal reporting channel that accepts written and oral reports, acknowledges receipt within 7 days, and gives feedback on action taken within 3 months (extendable to 6 in duly justified cases). The channel must protect the identity of the reporter and any third party named in the report, allow third-party operation under the same safeguards, support an in-person meeting on the reporter’s request, and avoid any form of retaliation as defined in Article 19. Translating those legal obligations into product requirements yields a 12-row engineering checklist that any reporting platform must satisfy before it can be considered compliant. As of April 2026, every clause below is still load-bearing under the directive’s text on EUR-Lex and the European Commission’s transposition page.