The EU Whistleblower Protection Directive: Retaliation and the reverse burden of proof

Does your whistleblower retaliation strategy meet the requirements of the EU Whistleblower Protection Directive?


Kelly Maxwell, Content Marketing Specialist, OneTrust
June 16, 2022


Imagine this: After submitting a whistleblower report, a man experiencing ongoing and relentless harassment at work has a heart attack. His young son, believing his father can no longer work and their lives will be upended, attempts suicide. Another scenario: A woman attempts to blow the whistle anonymously, but her identity is revealed, and her employers destroy her reputation. She loses not only her job and any prospect of a new one, but also her home. She ends up begging on the streets of London.

As dramatic as these stories are, they are real examples of the true impact of whistleblower retaliation. Often, the retaliation leading up to such horrifying consequences is so subtle and insidious that other managers and employees are totally oblivious to it. That’s why the anti-retaliation requirements of the EU Whistleblower Protection Directive are a positive – and necessary – step forward for companies in the European Union.

Your company likely has an anti-retaliation policy in place, but is it enough to meet these new anti-retaliation requirements within the EU Whistleblower Protection Directive? Let’s dive into what the Directive’s anti-retaliation requirements are, what they mean for your company, and what you need to do in order to comply.

Whistleblower Retaliation Policy: Anti-Retaliation requirements

The EU Whistleblower Protection Directive specifies that employees, former employees, subcontractors, shareholders, suppliers, and other third parties will be protected from dismissal, suspension, demotion, and other forms of whistleblower retaliation in response to submitting a whistleblower report. Those who support a whistleblower are also protected from experiencing retaliation.

The most significant anti-retaliation requirement within the Directive is the “reverse burden of proof.” For the first time in a wide-ranging directive, individuals are no longer required to prove that they have experienced whistleblower retaliation. Instead, the company must prove that no retaliation has occurred. If they can’t, they’ll face penalties.

How does the EU Whistleblower Protection Directive define Whistleblower Retaliation?

The EU Whistleblower Protection Directive defines retaliation broadly. The list of retaliatory actions covered by the Directive includes:

  • Suspension, lay-off, dismissal or equivalent measures
  • Demotion or withholding of promotion
  • Transfer of duties, location changes for place of work, reduction in wages, or change in working hours
  • Withholding of training
  • A negative performance assessment or employment reference
  • Imposition or administration of any disciplinary measure, reprimand, or other penalty, including a financial penalty
  • Coercion, intimidation, harassment, or ostracism
  • Discrimination; disadvantageous or unfair treatment
  • Failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations for a permanent employment offer
  • Failure to renew, or early termination of, a temporary employment contract
  • Harm, including to the person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income
  • Blacklisting based on a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry
  • Early termination or cancellation of a contract for goods or services
  • Cancellation of a license or permit
  • Psychiatric or medical referrals


What Anti-Retaliation “Protective Measures” does the Directive require?

The EU Whistleblower Protection Directive mandates that companies implement safeguards to prevent the above actions – plus more indirect forms of whistleblower retaliation – and communicate those safeguards to their workforces and third parties. Additionally, the Directive requires that whistleblowers’ identities be disclosed only to authorized staff members who are competent to receive and respond to reports. The same protection extends to those who assist and support whistleblowers and those who are implicated in whistleblower reports.

It is likely that future whistleblowing cases will put scrutiny on what protective measures and anti-retaliation policies were in place at the time of the report, and how effectively they were deployed.

What does the EU Whistleblower Protection Directive’s “Reverse burden of proof” mean?

Under this stipulation, companies must prove that whistleblowers have faced no retaliation as a result of their report. This is a unique and novel approach to whistleblower retaliation.

Given the Directive’s purpose of protecting whistleblowers, retaliation is a significant area of focus. The Directive presumes that when a whistleblower suffers some sort of detriment at work, that detriment is a form of retaliation for their report. Whereas previously whistleblowers needed to prove that they experienced retaliation, now employers and companies are accountable for proving that no retaliation has occurred.

Preventing and Detecting Retaliation

If your anti-retaliation strategy begins and ends with a policy, it’s time to go back to the drawing board. The Directive’s reverse burden of proof calls for a much more proactive approach to preventing whistleblower retaliation.

The first step is to examine what processes are already in place within your company to address whistleblower retaliation. For example, do you have analytics that can predict the risk of retaliation based on the report? Do you communicate anti-retaliation measures to those parties that may retaliate? Do you follow up with reporters? What is the timeline and process for following up, and what does your follow-up screen for?

How to comply with the EU Whistleblower Directive’s anti-retaliation requirements

Complying with the EU Whistleblower Directive’s anti-retaliation requirements starts with examining your current anti-retaliation policy, processes, and strategy. When you’ve ensured that your policy is comprehensive and up to date, communicate it to your workforce and all third parties using awareness campaigns. Where training is necessary – for high-risk individuals and managers, for example – ensure that those people are aware of your anti-retaliation policy and procedure, the requirements of the Directive, and the consequences for falling short.

A whistleblower retaliation risk assessment may be a helpful tool in benchmarking the current status of retaliation within your company. That process begins with establishing your markers of retaliation – for example, pay raises, performance reviews, and relocations – and establishing a “normal range” for each marker. Some markers can be measured with HR data, and some may require a higher-touch approach; regardless, measure each marker against the reports you’ve received over the last year and make note of any outliers.

When you know what you’re dealing with, you’ll be much better equipped to form a prevention plan. Still have questions about this new regulation? Download our helpful guide where Asha Palmer, OneTrust’s Chief Ethics and Compliance Officer and Head of the Ethics Center of Excellence, outlines what will be enforced, where, and when under the new directive.
