How Xono Helps You Comply with the EU Whistleblowing Directive

The deadline for having a compliant internal reporting channel has already passed for every EU company with 50+ employees. Here's exactly what's required, why a plain email inbox doesn't meet the bar, and how Xono's platform supports the rest.

GDPR Compliant
POPIA Compliant
EU Whistleblowing Directive Compliant

The Legal Deadline Has Already Passed

  • 250+ employees: compliant channel required since 17 December 2021
  • 50–249 employees: compliant channel required since 17 December 2023
  • 10,000+ resident municipalities and public bodies are also in scope

Source: Directive (EU) 2019/1937, EUR-Lex.

Why a Company Email Address Isn't Enough

"Just set up a whistleblowing@ inbox" is the most common compliance shortcut we see — and it doesn't hold up.

No Access Control

The Directive requires channels to prevent access by unauthorised staff (Art. 9(1)(a)). A standard inbox is typically reachable by IT admins and anyone with the password — there's no layer restricting it to designated case handlers only.

No Real Anonymity

An email reveals the sender's address by default. True anonymous reporting needs a system built for it — not a workaround.

No Acknowledgment Tracking

The Directive requires acknowledging receipt within 7 days. An inbox has no way to track whether that happened, for which report, by when.

No Audit Trail

Durable, retrievable record-keeping (Art. 18) means more than a folder of emails — case status, who handled what, and when, all need to be traceable.

Web-based reporting is now more popular than phone hotlines (40% vs 30%) — for the first time on record.

Source: ACFE, Report to the Nations 2024.

How Xono's Platform Supports Compliance

Mapped directly to what the Directive actually requires — not just a marketing checklist.

Secure, Access-Controlled Channel

Report visibility is gated by permission tiers — separate from general admin access — so only designated, authorised handlers can see case content.

Automatic Acknowledgment

Every report is acknowledged immediately on submission, with a reference number — satisfying the 7-day requirement without relying on someone remembering to reply.

Written and Oral Reporting

Reporters can type or record a voice message directly in the app — covering both channels the Directive requires, not just written text.

Anonymous or Confidential, Your Choice

Set your organisation to fully anonymous (no identifying information collected at all) or confidential (identity visible only to authorised handlers) — configured once at setup.

Case Management and Audit Trail

Assign cases to designated handlers, track status, and maintain a full, timestamped audit trail — durable record-keeping by design, not an afterthought.

Whistleblower Policy Starter

Every new organisation gets a draft whistleblower policy ready to customise and publish — a real starting point, not a blank page.
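A minimal model of the platform properties listed above (case content readable only by designated handlers and not by the system administrator, automatic acknowledgment with a reference number, tracking of the 7-day and 3-month deadlines, and an append-only audit trail), added here as an illustration; this is not Xono's code, and the class, user and deadline names are assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

DAY = timedelta(days=1)
ACK_DEADLINE = 7 * DAY          # acknowledge receipt within 7 days
FEEDBACK_DEADLINE = 90 * DAY    # substantive feedback within 3 months
T0 = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed sample clock value

@dataclass
class Report:
    ref: str
    content: str
    received_at: datetime
    acknowledged_at: "datetime | None" = None
    feedback_at: "datetime | None" = None
    audit: list = field(default_factory=list)  # append-only (when, who, what)

class ReportingChannel:
    """Only designated handlers can read case content. The account that
    administers the system is deliberately not in that set."""
    def __init__(self, handlers):
        self.handlers = frozenset(handlers)
        self.reports = {}

    def submit(self, content, now):
        ref = "WB-" + secrets.token_hex(4).upper()  # reference number shown to the reporter
        r = Report(ref, content, received_at=now, acknowledged_at=now)  # ack is automatic
        r.audit.append((now, "system", "received_and_acknowledged"))
        self.reports[ref] = r
        return ref

    def read(self, user, ref, now):
        r = self.reports[ref]
        if user not in self.handlers:
            r.audit.append((now, user, "access_denied"))  # denied attempts are recorded too
            raise PermissionError(f"{user} is not a designated handler")
        r.audit.append((now, user, "read"))
        return r.content

    def give_feedback(self, user, ref, now):
        self.read(user, ref, now)  # same permission gate as reading
        self.reports[ref].feedback_at = now
        self.reports[ref].audit.append((now, user, "feedback_sent"))

    def overdue(self, now):
        """Refs that have breached the acknowledgment or feedback deadline."""
        return [ref for ref, r in self.reports.items()
                if (r.acknowledged_at is None and now - r.received_at > ACK_DEADLINE)
                or (r.feedback_at is None and now - r.received_at > FEEDBACK_DEADLINE)]
```

Because acknowledgment is stamped at submission, the 7-day check can only fail if a report is ingested without going through `submit`; the 3-month feedback check is the one that depends on people, which is the point of the section that follows.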

What's Still Your Responsibility

We'd rather tell you this plainly than have you find out the hard way.

The Directive's legal obligations sit with your organisation, not with any software vendor — including us. Xono gives you the platform features needed to run a compliant programme, but compliance itself depends on how you operate it:

  • Staffing a designated, impartial person or team to actually review and act on reports
  • Giving reporters substantive feedback within 3 months (extendable to 6) — the acknowledgment is automatic, the follow-up isn't
  • Customising and publishing your own whistleblower policy, rather than leaving the draft unpublished
  • Deciding your own data retention schedule for case records

Any vendor claiming their software alone makes you "100% compliant" isn't being straight with you. We'd rather you trust what we say because it's accurate, not because it sounds reassuring.

Beyond the EU: UK and South Africa

United Kingdom

The UK doesn't have a single blanket mandate like the EU Directive, but the Public Interest Disclosure Act protects workers who raise concerns through proper channels — including the right to escalate to a "prescribed person" (a specific regulator) if internal handling fails. FCA/PRA-regulated firms have additional obligations under FCA Handbook SYSC 18.

South Africa

The Protected Disclosures Act protects whistleblowers who report through specified channels. King IV — South Africa's governance code, binding on JSE-listed companies via "apply and explain" — recommends an effective whistleblowing mechanism, including anonymous reporting, as part of good governance.

FAQs: Whistleblowing Compliance

Q1: Does Xono make my organisation compliant with the EU Whistleblowing Directive?

A1: Xono provides the platform features required to run a compliant programme — a secure channel, automatic acknowledgment, case handling, and an audit trail. Compliance itself is a combination of the software and how your organisation operates it, including staffing a designated handler and publishing your own whistleblower policy.

Q2: Why isn't a company email address enough for whistleblowing reports?

A2: The Directive requires reporting channels to prevent access by unauthorised staff and protect reporter confidentiality. A standard email inbox is typically accessible to IT staff, has no access-control layer restricted to authorised case handlers, no audit trail, and doesn't support anonymous reporting well.

Q3: Does the EU Whistleblowing Directive apply to my company?

A3: Companies with 250 or more employees in the EU were required to have a compliant internal reporting channel by 17 December 2021. Companies with 50 to 249 employees had until 17 December 2023. Both deadlines have already passed.

See Where Your Compliance Gaps Are

Book a 15-minute walkthrough and we'll show you exactly how Xono's platform maps to what the Directive requires.