How Xono Helps You Comply with the EU Whistleblowing Directive
The deadline for having a compliant internal reporting channel has already passed for every EU company with 50+ employees. Here's exactly what's required, why a plain email inbox doesn't meet the bar, and how Xono's platform supports the rest.
The Legal Deadline Has Already Passed
- 250+ employees: compliant channel required since 17 December 2021
- 50–249 employees: compliant channel required since 17 December 2023
- Municipalities with 10,000+ residents and public bodies are also in scope
Source: Directive (EU) 2019/1937, EUR-Lex.
Why a Company Email Address Isn't Enough
"Just set up a whistleblowing@ inbox" is the most common compliance shortcut we see — and it doesn't hold up.
No Access Control
The Directive requires channels to prevent access by unauthorised staff (Art. 9(1)(a)). A standard inbox is typically reachable by IT admins and anyone with the password — there's no layer restricting it to designated case handlers only.
No Real Anonymity
An email reveals the sender's address by default. True anonymous reporting needs a system built for it — not a workaround.
No Acknowledgment Tracking
The Directive requires acknowledging receipt within 7 days. An inbox has no way to track whether that happened, for which report, or by when.
No Audit Trail
Durable, retrievable record-keeping (Art. 18) means more than a folder of emails — case status, who handled what, and when, all need to be traceable.
Web-based reporting is now more popular than phone hotlines (40% vs 30%) — for the first time on record.
Source: ACFE, Report to the Nations 2024.
How Xono's Platform Supports Compliance
Mapped directly to what the Directive actually requires — not just a marketing checklist.
Secure, Access-Controlled Channel
Report visibility is gated by permission tiers — separate from general admin access — so only designated, authorised handlers can see case content.
Automatic Acknowledgment
Every report is acknowledged immediately on submission, with a reference number — satisfying the 7-day requirement without relying on someone remembering to reply.
Written and Oral Reporting
Reporters can type or record a voice message directly in the app — covering both channels the Directive requires, not just written text.
Anonymous or Confidential, Your Choice
Set your organisation to fully anonymous (no identifying information collected at all) or confidential (identity visible only to authorised handlers) — configured once at setup.
Case Management and Audit Trail
Assign cases to designated handlers, track status, and maintain a full, timestamped audit trail — durable record-keeping by design, not an afterthought.
Whistleblower Policy Starter
Every new organisation gets a draft whistleblower policy ready to customise and publish — a real starting point, not a blank page.
What's Still Your Responsibility
We'd rather tell you this plainly than have you find out the hard way.
The Directive's legal obligations sit with your organisation, not with any software vendor — including us. Xono gives you the platform features needed to run a compliant programme, but compliance itself depends on how you operate it:
- Staffing a designated, impartial person or team to actually review and act on reports
- Giving reporters substantive feedback within 3 months (extendable to 6) — the acknowledgment is automatic, the follow-up isn't
- Customising and publishing your own whistleblower policy, rather than leaving the draft unpublished
- Deciding your own data retention schedule for case records
Any vendor claiming their software alone makes you "100% compliant" isn't being straight with you. We'd rather you trust what we say because it's accurate, not because it sounds reassuring.
Beyond the EU: UK and South Africa
United Kingdom
The UK doesn't have a single blanket mandate like the EU Directive, but the Public Interest Disclosure Act protects workers who raise concerns through proper channels — including the right to escalate to a "prescribed person" (a specific regulator) if internal handling fails. FCA/PRA-regulated firms have additional obligations under FCA Handbook SYSC 18.
South Africa
The Protected Disclosures Act protects whistleblowers who report through specified channels. King IV — South Africa's governance code, binding on JSE-listed companies via "apply and explain" — recommends an effective whistleblowing mechanism, including anonymous reporting, as part of good governance.
FAQs: Whistleblowing Compliance
Q1: Does Xono make my organisation compliant with the EU Whistleblowing Directive?
A1: Xono provides the platform features required to run a compliant programme — a secure channel, automatic acknowledgment, case handling, and an audit trail. Compliance itself is a combination of the software and how your organisation operates it, including staffing a designated handler and publishing your own whistleblower policy.
Q2: Why isn't a company email address enough for whistleblowing reports?
A2: The Directive requires reporting channels to prevent access by unauthorised staff and protect reporter confidentiality. A standard email inbox is typically accessible to IT staff, has no access-control layer restricted to authorised case handlers, no audit trail, and doesn't support anonymous reporting well.
Q3: Does the EU Whistleblowing Directive apply to my company?
A3: Companies with 250 or more employees in the EU were required to have a compliant internal reporting channel by 17 December 2021. Companies with 50 to 249 employees had until 17 December 2023. Both deadlines have already passed.
See Where Your Compliance Gaps Are
Book a 15-minute walkthrough and we'll show you exactly how Xono's platform maps to what the Directive requires.