Comparing ISO 37002 and the EU Whistleblower Directive

How the voluntary ISO guidelines differ from the EU’s new whistleblower protection requirements

Kelly Maxwell, Content Marketing Specialist, OneTrust
July 19, 2022


The European whistleblowing landscape has seen massive progress with the passage of the EU Whistleblowing Directive — and the ripple effects are being felt far beyond the EU’s borders. Take, for example, ISO 37002. Published within two years of the EU Whistleblowing Directive, this standard applies to a wide range of companies across the globe and provides best practices for a whistleblower management system.

What is ISO 37002?

ISO 37002 is a framework for setting up and maintaining a whistleblowing hotline that adheres to the highest standards as outlined by the International Organization for Standardization (ISO). In ISO's own words, it provides “guidelines for establishing, implementing and maintaining an effective whistleblowing management system” based on the principles of trust, impartiality and protection, covering the following four steps:

  • Receiving reports of wrongdoing
  • Assessing reports of wrongdoing
  • Addressing reports of wrongdoing
  • Concluding whistleblowing cases

The ISO is an independent, non-governmental international organization, bringing together global experts to “share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.” Its standards, including ISO 37002: Whistleblowing Management Systems, represent guidelines or best practices that organizations can adopt voluntarily. This sets ISO standards apart from regulations like the EU Whistleblower Directive, Sarbanes-Oxley in the United States, or Sapin II in France, which companies are legally obligated to comply with.

Why should my company adopt ISO 37002?

The ISO recommends the adoption of ISO 37002 stating, “It can assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.” This means ISO 37002 is a holistic and adaptable approach to establishing a whistleblowing management system that meets or exceeds regulatory requirements.

According to the ISO, adopting ISO 37002 will encourage whistleblowers to come forward and make case handling much more effective – improving your organization’s culture and governance, while reducing the risk of wrongdoing.

How does ISO 37002 differ from the EU Whistleblower Protection Directive?

The EU Whistleblower Protection Directive outlines a minimum set of protections for whistleblowers in Member States of the European Union, which must be implemented by organizations with 250+ workers (and by organizations with 50+ workers by December 17, 2023). The EU Directive focuses on whistleblower protections and empowerment; ISO 37002 focuses on the processes and systems a company uses to enable whistleblowers. Plus, the EU Whistleblower Directive is (as the name implies) a directive which must be transposed into law in all 27 EU Member States, while ISO 37002 is a set of guidelines that companies may voluntarily adopt.

From a tactical perspective, ISO 37002 recommends standards for the processes, systems, and technology an organization should meet in order to follow through on whistleblower protections. ISO 37002 details voluntary guidelines for organizations that wish to establish their own compliant whistleblower management system anywhere in the world.

The two sets of guidelines complement one another, ensuring that any whistleblower protection standards put into place between now and the adoption of the EU Whistleblower Protection Directive will work together. Following both sets of guidelines could spare companies a costly whistleblower hotline implementation that ends up being non-compliant.

Both the EU Whistleblower Directive and ISO 37002 aim to protect whistleblowers and the confidentiality of the reports they submit. Private, public, and not-for-profit organizations, regardless of employee count or geographic location, can adopt ISO 37002’s guidance.

Want to learn more about the EU Whistleblower Directive? Check out our ultimate guide.

Establishing a compliant hotline

Whether your organization is a global enterprise with thousands of EU-based employees or a growing start-up that wants to set their hotline up according to the highest standards, OneTrust can help.

Request a free Helpline and Case Management demo today.
