EUROPEAN COMMISSION

Brussels, 23.4.2018

COM(2018) 218 final

2018/0106(COD)

Proposal for a

DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

FMT:Underlineon/FMT the protection of persons reporting on breaches FMT:Underlineof/FMT Union FMT:Underlinelaw/FMT

{SWD(2018) 116 final}
{SWD(2018) 117 final}

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

•Reasons for and objectives of the proposal

Unlawful activities and abuse of law may occur in any organisation, whether private or public, big or small. They can take many forms, such as corruption or fraud, malpractice or negligence. And if they are not addressed, they can sometimes result in serious harm to the public interest. People who work for an organisation or are in contact with it in their work-related activities are often the first to know about such occurrences and are, therefore, in a privileged position to inform those who can address the problem.

Whistleblowers, i.e. persons who report (within the organisation concerned or to an outside authority) or disclose (to the public) information on a wrongdoing obtained in a work-related context, help prevent damage and detect threat or harm to the public interest that may otherwise remain hidden. However, they are often discouraged from reporting their concerns for fear of retaliation. For these reasons, the importance of providing effective whistleblower protection for safeguarding the public interest is increasingly acknowledged both at European 1 and international level 2 .

Lack of effective whistleblower protection raises further concerns on its negative impacts on the freedom of expression and the freedom of the media, enshrined in Article 11 of the EU Charter of Fundamental Rights (‘the Charter’). Discussions at the second Annual Colloquium on Fundamental Rights on ‘Media pluralism and Democracy’, organised by the Commission in November 2016, highlighted that protecting whistleblowers as sources of information for journalists is essential for investigative journalism to fulfil its ‘watchdog’ role.  3

Lack of effective whistleblower protection can also impair the enforcement of EU law. Alongside other means to collect evidence 4 , whistleblowing is a means of feeding national and EU enforcement systems with information leading to effective detection, investigation and prosecution in breaches of Union rules.

The whistleblower protection currently available across the EU is fragmented 5 . Lack of whistleblower protection in a Member State can have a negative impact on the functioning of EU policies in that Member State, but also spill-over impacts in other Member States. At EU level, whistleblower protection is provided for only in specific sectors and to varying degrees 6 . This fragmentation and these gaps mean that, in many situations, whistleblowers are not properly protected against retaliation. Where potential whistleblowers do not feel safe to come forward with the information they possess, this translates into underreporting and therefore ‘missed opportunities’ for preventing and detecting breaches of Union law which can cause serious harm to the public interest.

Indications about the magnitude of underreporting by whistleblowers can be drawn from surveys such as the 2017 Special Eurobarometer on corruption 7 : 81 % of Europeans indicated that they did not report corruption that they experienced or witnessed. 85 % of respondents to the 2017 public consultation carried out by the Commission believe that workers very rarely or rarely report concerns about threat or harm to the public because of fear of legal and financial consequences 8 . Illustrating negative impacts on the proper functioning of the single market, a 2017 study carried out for the Commission 9  estimated the loss of potential benefits due to a lack of whistleblower protection, in public procurement alone, to be in the range of EUR 5.8 to EUR 9.6 billion each year for the EU as a whole.

To address this fragmentation of protection across the EU, EU institutions and many stakeholders have been calling for action at EU level. The European Parliament, in its resolution of 24 October 2017 on ‘Legitimate measures to protect whistleblowers acting in the public interest and its resolution of 20 January 2017 on the role of whistle-blowers in the protection of the EU’s financial interests 10 , called on the Commission to present a horizontal legislative proposal to guarantee a high level of protection for whistleblowers in the EU, in both the public and private sectors, as well as in national and EU institutions. The Council encouraged the Commission to explore the possibility for future action at EU level in its Conclusions on tax transparency of 11 October 2016 11 . Civil society organisations and trade unions 12  have consistently called for EU-wide legislation on the protection of whistleblowers acting in the public interest.

In its 2016 Communication ‘EU Law: Better Results through Better Application’ 13 , the Commission noted that enforcing EU law remains a challenge and set out its commitment to put ‘a stronger focus on enforcement in order to serve the general interest’. In particular, it highlighted that ‘[O]ften, when issues come to the fore — car emission testing, water pollution, illegal landfills, transport safety and security — it is not the lack of EU legislation that is the problem but rather the fact that the EU law is not applied effectively […]’.

In line with this commitment, this proposal aims at fully exploiting the potential of whistleblower protection with a view to strengthening enforcement. It sets out a balanced set of common minimum standards providing robust protection against retaliation for whistleblowers reporting on breaches in specific policy areas 14 where:

i) there is a need to strengthen enforcement;

ii) underreporting by whistleblowers is a key factor affecting enforcement; and

iii) breaches may result in serious harm to the public interest.

•    Consistency with existing policy provisions in the policy area

In a number of policy areas and instruments, the EU legislator has already acknowledged the value of whistleblower protection as an enforcement tool. Rules providing — in varying levels of detail — for reporting channels and the protection of people reporting on breaches of the rules concerned exist in different instruments related for instance to financial services, transport safety and environmental protection.

The proposal reinforces the protection provided in all these instruments: it complements them with additional rules and safeguards, aligning them to a high level of protection, while preserving their specificities.

To ensure that the scope of the Directive remains up to date, the Commission will pay special attention to the possible need to include provisions amending the Annex in any future Union law where whitleblower protection is relevant and can contribute to more effective enforcement. The possible extension of the scope of the Directive to further areas or Union acts will also be given consideration when the Commission reports on implementation of the Directive.

•Consistency with other Union policies

Ensuring robust whistleblower protection as a means of strengthening the enforcement of Union law in the areas falling within the scope of the proposal will contribute to the Commission’s current priorities, in particular in ensuring the effective functioning of the single market, including improving the business environment, increasing fairness in taxation and promoting labour rights.

The introduction of robust whistleblower protection rules will contribute to protecting the budget of the Union and to ensuring the level playing field needed for the single market to properly function and for businesses to operate in a fair competitive environment. It will contribute to preventing and detecting corruption, which acts as a drag on economic growth, by creating business uncertainty, slowing processes and imposing additional costs. It will enhance business transparency, contributing to the EU strategy on sustainable finance 15 . It further supports the Commission’s actions to ensure fairer, more transparent and more effective taxation in the EU, as outlined in the Communication responding to the Panama Papers scandal 16 . In particular, it complements recent initiatives aimed at protecting national budgets against harmful tax practices 17 , as well as the proposed reinforcement of the rules on money laundering and terrorist financing  18 .

Enhanced whistleblower protection will raise the overall level of the protection of workers, in line with the aims of the European Pillar of Social Rights 19 and in particular its principles 5 (fair working conditions) and 7b (protection in case of dismissals). Providing a common high level of protection to people who acquire the information they report through their work-related activities (irrespective of their nature) and who run the risk of work-related retaliation will safeguard the rights of workers in the broadest sense. Such protection will be of particular relevance for those in precarious relationships, as well as, for those in cross-border situations.

Rules on whistleblower protection will run parallel to existing protection in the field of other EU legislation: (i) on equal treatment, which provide for protection against victimisation as a reaction to a complaint or to proceedings aimed at enforcing compliance with this principle 20 and (ii) on protection against harassment at work 21 .

The Directive is without prejudice to the protection afforded to employees when reporting on breaches of Union employment and social law. Whistleblower protection in a work-related context runs in parallel to the protection that workers and workers' representatives enjoy under existing EU employment legislation when raising issues of compliance with their employers. With respect to rules on health and safety at work, Framework Directive 89/391/EEC provides that workers or workers' representatives may not be placed at a disadvantage because they consult or raise issues with the employer regarding measures to mitigate hazards or to remove sources of danger. Workers and their representatives are entitled to raise issues with the competent national authorities if they consider that the measures taken and the means employed by the employer are inadequate for the purposes of ensuring safety and health. 22 The Commission promotes better enforcement and compliance with the existing EU regulatory framework in the area of occupational health and safety. 23  

As regards EU institutions and bodies, EU staff enjoys whistleblower protection under the Staff Regulations and the Conditions of Employment of Other Servants of the European Union. Since 2004, Council Regulation (EC, Euratom) No 723/2004 24 amended the Staff Regulations, i.a., to put in place procedures for reporting any fraud, corruption or serious irregularity, and provide protection to EU staff reporting on breaches from adverse consequences.

Social partners have an essential, multifaceted role to play in the implementation of whistleblower protection rules. Independent workers' representatives will be vital to promote whistleblowing as a mechanism of good governance. Social dialogue can ensure that effective reporting and protection arrangements are put in place taking into account the reality of Europe’s workplaces, the needs of workers and businesses. Workers and their trade unions should be fully consulted on envisaged internal procedures for facilitating whistleblowing; such procedures can also be negotiated in the framework of collective bargaining agreements. Moreover, unions can act as recipients of whistleblowers' reports or disclosures and have a key function in terms of providing advice and support to (potential) whistleblowers.

Finally, the proposal will contribute to strengthening the effective implementation of a range of core EU policies which have a direct impact on the completion of the single market, relating to product safety, transport safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, competition, protection of privacy and personal data and security of network and information systems.

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

The proposal is based on Articles 16, 33, 43, 50, 53(1), 62, 91, 100, 103, 109, 114, 168, 169, 192, 207 and 325 of the Treaty on the Functioning of the European Union (TFEU) and Article 31 of the Treaty establishing the European Atomic Energy Community (the Euratom Treaty). These Articles provide the legal basis to enhance the enforcement of Union law:

(i)by introducing new provisions on whistleblower protection to strengthen the proper functioning of the single market, the correct implementation of Union policies related to product safety, transport safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, protection of privacy and personal data and security of network and information systems, competition, and the financial interests of the Union;

(ii)to ensure consistent high standards of whistleblower protection in sectorial Union instruments where relevant rules already exist.

•Subsidiarity

The objective of strengthening the enforcement of Union law through whistleblower protection cannot adequately be achieved by Member States acting alone or in an uncoordinated manner. Fragmentation of protection at national level is expected to persist. This means that also the negative impacts of such fragmentation on the functioning of various EU policies within individual Member States, but also spill-over impacts in other Member States are bound to persist.

Breaches of EU public procurement rules or competition rules result in distortions to competition in the single market, an increase in costs for doing business and a less attractive environment for investment. Aggressive tax planning schemes give rise to unfair tax competition and loss of tax revenues for Member States and for the EU budget. Breaches in the areas of product safety, transport safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, protection of privacy and personal data and security of network and information systems, can result in serious risks which go beyond national borders. On the protection of financial interests of the Union, the Treaty stipulates in Articles 310(6) and 325(1) and (4) TFEU, the need for Union legislative action on setting out equivalent and deterrent measures to protect them against unlawful activities.

It is therefore clear that only legislative action at Union level can improve the enforcement of EU law by ensuring minimum standards of harmonisation on whistleblower protection. Moreover, only EU action can provide coherence and align the existing Union sectorial rules on whistleblower protection.

•Proportionality

This proposal is proportionate to the objective of strengthening the enforcement of Union law and does not go beyond what is necessary to achieve it.

Firstly, it lays down common minimum standards for the protection of people reporting breaches only in areas where: i) there is a need to enhance enforcement; ii) under-reporting by whistleblowers is a key factor affecting enforcement and iii) breaches may result in serious harm to the public interest.

It therefore focuses on areas with a clear EU dimension and where the impact on enforcement is the strongest.

Secondly, the proposal merely sets minimum standards of protection, leaving to Member States the possibility to introduce or retain provisions more favourable to the rights of whistleblowers.

Thirdly, the costs of implementation (i.e. to establish internal channels) for medium-sized businesses are not significant, while the benefits in terms of increasing business performance and reducing distortions to competition appear to be substantial. Subject to specific exceptions in the area of financial services, small and micro-companies are generally exempted from the obligation to establish internal procedures for reporting and follow up of reports. The costs of implementation for Member States have also been estimated as limited, since Member States can transpose the new obligation building on the existing structures put in place based on the current sectorial legal framework.

•Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS 25 , STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Stakeholder consultations

•Collection and use of expertise

•Impact assessment

Four policy options have been assessed beside the baseline scenario (i.e. maintaining the status quo) and two options have been discarded.

The two options that were discarded are: (i) a legislative initiative based on Article 50(2)(g) TFEU on enhancing the integrity of the private sector by introducing minimum standards for setting up reporting channels, and (ii) a legislative initiative based on Article 153(1)(a) and (b) TFEU on improving the working environment to protect workers’ health and safety and on working conditions.

In the first case, the legal basis would not have allowed covering the public sector, while the availability and design of external reporting channels (i.e. to the competent authorities) and the availability and forms of whistleblower protection against retaliation would have been left to the discretion of Member States laws.

In the second case, the personal scope of the Directive would have been limited to employees, leaving unprotected other types of potential whistleblowers, such as self-employed people, contractors etc., who, according to evidence available and international standards can be key in exposing threats or harm to the public interest and also need protection against retaliation. The limited scope would constitute a main gap in whistleblower protection at EU level while, by excluding from protection crucial categories of potential whistleblowers, such an initiative would also have limited effectiveness in terms of improving the enforcement of Union law. The limited personal scope would not be compensated by a more extensive protection, as the legal basis would not offer any additional protection in comparison to the policy options retained. Moreover, extending protection to include situations where there is no cross-border dimension or other spill-over impact, where there is no connection with Union law or with the financial interests of the EU, would be a far-reaching — and consequently also quite costly — EU regulatory intervention.

The policy options examined were: i) a Commission Recommendation providing guidance to Member States on key elements of whistleblower protection complemented by flanking measures to support national authorities; ii) a Directive introducing whistleblower protection in the area of the financial interests of the Union complemented by a Communication setting a policy framework at EU level, including measures to support national authorities; iii) a Directive introducing whistleblower protection in specific areas (including the financial interests of the Union) where it is necessary to address whistleblowers' underreporting in order to enhance the enforcement of Union law, as breaches would lead to serious harm to the public interest; iv) a Directive as sub iii) complemented by a Communication as sub ii).

The latter is the option chosen for this proposal. A legislative initiative with such a broad scope is particularly apt to address the current fragmentation and enhance legal certainty so as to effectively address underreporting and enhance the enforcement of Union law in all the areas identified, where breaches can cause serious harm to the public interest. The Communication accompanying it, setting out additional measures envisaged by the Commission and good practices that can be taken at Member States’ level will contribute to ensuring effective whistleblower protection.

The preferred option will have economic, societal and environmental benefits. It will support national authorities in their efforts to detect and deter fraud and corruption to the EU budget (the current risk of loss revenue is estimated to be between EUR 179 billion and EUR 256 billion per annum). In other areas of the single market, such as in public procurement, the benefits are estimated to be in the range of EUR 5.8 to EUR 9.6 billion each year for the EU as a whole. The preferred option will also effectively support the fight against tax avoidance resulting in loss of tax revenues from profit-shifting for Member States and the EU, estimated to about EUR 50-70 billion per annum. The introduction of robust whistleblower protection will improve the working conditions for 40 % of the EU workforce who are currently unprotected from measures against retaliation and will increase the level of protection for nearly 20 % of the EU workforce. It will enhance the integrity and transparency of the private and the public sector, contribute to a fair competition and a level playing field in the single market.

The implementation costs for the public sector are expected to amount to EUR 204.9 as one-off costs and EUR 319.9 million as annual operational costs. For the private sector (medium-sized and large companies) the projected total costs are expected to amount to EUR 542.9 million as one-off costs and EUR1 016.6 million as annual operational costs. The total costs for both the public and private sector are EUR 747.8 million as one-off costs and EUR 1 336.6 million as annual operational costs.

•Regulatory fitness and simplification

•Fundamental rights

By increasing the current level of protection for whistleblowers, the proposal will have a positive impact on fundamental rights, in particular:

i)Freedom of expression and right to information (Article 11 of the Charter): Insufficient whistleblower protection against retaliation affects the individuals’ freedom of expression as well as the public’s right to access information and media freedom. Strengthening protection of whistleblowers and clarifying the conditions for that protection also when they disclose information to public, will encourage and enable whistleblowing also to the media.

ii)The right to fair and just working conditions (Articles 30 and 31 of the Charter): a higher level of whistleblower protection will be secured by establishing reporting channels and improving protection against retaliation in the work-related context.

iii)The right to respect for private life, protection of personal data, healthcare, environmental protection, consumer protection, (respectively, Articles 7, 8, 35, 37 and 38 of the Charter), and the general principle of good administration (Article 41) will also be positively impacted in as far as the proposal will increase the detection and prevention of breaches.

More generally, the proposal will increase reporting and deterrence of all fundamental rights violations within the implementation of Union law in the areas falling within its scope.

The proposal pursues a balanced approach to ensure the full respect of further rights that may be affected, such as the right to private life and to the protection of personal data (Articles 7 and 8 of the Charter) of whistleblowers but also of the people concerned by the reports, as well as the presumption of innocence and the rights of defence of the latter (Articles 47 and 48 of the Charter). In the same vein, the impacts on the freedom to conduct a business (Article 16 of the Charter) are in line with Article 52(1) of the Charter.

4.BUDGETARY IMPLICATIONS

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

•Detailed explanation of the specific provisions of the proposal

The proposal draws upon the case law of the European Court of Human Rights on the right to freedom of expression enshrined in Article 10 of the European Convention on Human Rights 10 ECHR, and the principles developed on this basis by the Council of Europe in its 2014 Recommendation on Protection of Whistleblowers, as well as further international standards and good practices, cited above, and EU fundamental rights and rules.

Chapter I (Articles 1-3) circumscribes the scope of the Directive and outlines the definitions.

Article 1 lists the areas where, according to available evidence, whistleblower protection is necessary to strengthen enforcement of Union rules whose breaches can cause serious harm to the public interest.

Article 2 sets forth the personal scope of the Directive. Based on the Council of Europe Recommendation on Protection of Whistleblowers, it encompasses the broadest possible range of categories of persons, who, by virtue of work-related activities (irrespective of the nature of these activities and whether they are paid or not), have privileged access to information about breaches that can cause serious harm to the public interest and who may suffer retaliation if they report, as well as to other categories of persons who can be assimilated to them for the purposes of the Directive, such as shareholders, volunteers, unpaid trainees and job applicants.

The definitions set out in Article 3 are based on the principles of the Council of Europe Recommendation on Protection of Whistleblowers. In particular, the notions of reporting persons and retaliation are defined in the broadest possible manner, in order to ensure effective protection of whistleblowers as a means of enhancing the enforcement of Union law.

Chapter II (Articles 4-5) sets out the obligation for Member States to ensure that legal entities in the private and public sectors establish appropriate internal reporting channels and procedures for receiving and following-up on reports. This obligation is meant to ensure that information on actual or potential breaches of Union law reaches swiftly those closest to the source of the problem, most able to investigate and with powers to remedy it, where possible.

Article 4 translates the principle that the obligation to put in place internal reporting channels should be commensurate with the size of the entities, and in the case of private entities, take into account the level of risk their activities pose to the public interest. With the exception of businesses operating in the area of financial services as provided under Union legislation, micro and small companies are exempted from the obligation to establish internal channels.

Article 5 sets out the minimum standards that internal reporting channels and procedures for following up on reports should meet. In particular, it requires that reporting channels guarantee the confidentiality of the identity of the reporting person, which is a cornerstone of whistleblower protection. It also requires that the person or department competent to receive the report diligently follows it up and informs the reporting person within a reasonable timeframe about such follow up. Moreover, the entities having in place internal reporting procedures are required to provide easily understandable and widely accessible information on these procedures as well as on procedures to report externally to relevant competent authorities.

Chapter III (Articles 6-12) obliges Member States to ensure that competent authorities have in place external reporting channels and procedures for receiving and following-up on reports and sets out the minimum standards applicable to such channels and procedures.

According to Article 6, the authorities to be designated as competent by Member States should, in particular establish independent and autonomous external reporting channels, which are both secure and ensure confidentiality, follow up on the reports and provide feedback to the reporting person within a reasonable timeframe. Article 7 sets out the minimum requirements for the design of the external reporting channels. Article 8 requires that competent authorities have staff members dedicated to and specifically trained for handling reports and outlines the functions to be exercised by such staff members.

Article 9 provides the requirements to be met by procedures applicable to external reporting, e.g. as regards further communications with the reporting person, the timeframe for giving feedback to the reporting person and the applicable confidentiality regime. In particular, these procedures should ensure the protection of the personal data of both reporting and concerned persons. Article 10 provides that competent authorities should publicly disclose and make easily accessible user-friendly information about the available reporting channels and the applicable procedures for the receipt of reports and their follow up. Article 11 provides for adequate record-keeping of all reports. Article 12 provides for a regular review by national competent authorities of their procedures for receiving and following up on reports.

Chapter IV (Articles 13-18) sets out minimum standards on the protection of reporting persons and of persons concerned by the reports.

Article 13 outlines the conditions under which a reporting person shall qualify for protection under the Directive.

More specifically, it requires that the reporting persons had reasonable grounds to believe that the information reported was true at the time of reporting. This is an essential safeguard against malicious or abusive reports, ensuring that those who knowingly report wrong information do not enjoy protection. At the same time, it ensures that protection is not lost where the reporting person made an inaccurate report in honest error. In the same vein, reporting persons should be entitled to protection under the Directive if they had reasonable grounds to believe that the information reported falls within its scope.

Moreover, reporting persons are generally required to use internal channels first; if these channels do not work or could not reasonably be expected to work, they may report to the competent authorities, and, as a last resort, to the public/ the media. This requirement is necessary to ensure that the information gets to the persons who can contribute to the early and effective resolution of risks to the public interest as well as to prevent unjustified reputational damages from public disclosures. At the same time, by providing for exceptions from this rule in cases where internal and/or external channels do not function or could not reasonably be expected to function properly, Article 13 provides the necessary flexibility for the reporting person to choose the most appropriate channel depending on the individual circumstances of the case. Moreover, it allows for the protection of public disclosures taking into account democratic principles such as transparency and accountability, and fundamental rights such as freedom of expression and media freedom.

Article 14 provides a non-exhaustive list of the many different forms that retaliation can take.

Article 15 requires that retaliation in any form be prohibited and sets out further measures that Member States should take to ensure the protection of reporting persons, including:

·Making easily accessible to the public and free of charge independent information and advice on procedures and remedies available on protection against retaliation;

·Exempting reporting persons from liability for breach of restrictions on disclosure of information imposed by contract or by law;

·Providing for the reversal of the burden of proof in legal proceedings so that, in prima facie cases of retaliation, it is up to the person taking action against a whistleblower to prove that it is not retaliating against the act of whistleblowing;

·Putting at the disposal of reporting persons remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings, in accordance with the national framework;

·Ensuring that, in legal actions taken against them outside the work-related context, such as proceedings for defamation, breach of copyright or breach of secrecy, whistleblowers can rely on having made a report or disclosure in accordance with the Directive as a defence.

Article 16 makes clear that those concerned by the reports shall fully enjoy their rights under the EU Charter of Fundamental Rights, including the presumption of innocence, the right to an effective remedy and to a fair trial, and their rights of defence.

Article 17 provides for effective, proportionate and dissuasive penalties which are necessary:

·on the one hand, to ensure the effectiveness of the rules on the protection of reporting persons, so as to punish and proactively discourage actions aimed at hindering reporting, retaliatory actions, vexatious proceedings against reporting persons and breaches of the duty of maintaining the confidentiality of their identity, and,

·on the other hand, to discourage malicious and abusive whistleblowing which affects the effectiveness and credibility of the whole system of whistleblower protection, and to prevent unjustified reputational damage for the concerned persons.

Article 18 refers to the application of the EU rules on protection of personal data to any processing of personal data carried out pursuant to the Directive. In this regard, any processing of personal, including the exchange or transmission of such data, shall comply with the rules established by Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EC) 45/2001.

Chapter V (Articles 19-22) sets out the final provisions.

Article 19 specifies that Member States retain the possibility of introducing or maintaining more favourable provisions to the reporting person, provided that such provisions do not interfere with the measures for the protection of concerned persons. Article 20 relates to the transposition of the Directive.

Article 21 requires Member States to provide the Commission with information regarding the implementation and application of this Directive, on the basis of which the Commission shall submit a report to the Parliament and the Council by 2 years after transposition. This provision further requires Member States to submit annually to the Commission, if they are available at a central level in the Member State concerned, statistics inter alia on the number of reports received by the competent authorities; the number of proceedings initiated based on the reports and the outcome of such proceedings. Article 21 also provides that the Commission shall, by 6 years after transposition, submit a report to the Parliament and to the Council assessing the impact of national law transposing this Directive and consider the need for additional measures, including, where appropriate, amendments with a view to extending whistleblower protection to further areas or Union acts.

2018/0106 (COD)

Proposal for a

DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the protection of persons reporting on breaches of Union law

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16, 33, 43, 50, 53(1), 62, 91, 100, 103, 109, 114, 168, 169, 192, 207 and 325(4) thereof and to the Treaty establishing the European Atomic Energy Community, and in particular Article 31 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee 31 ,

Having regard to the opinion of the Committee of the Regions 32

Having regard to the opinion of the Court of Auditors 33 ,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)Persons who work for an organisation or are in contact with it in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in this context. By ‘blowing the whistle’ they play a key role in exposing and preventing breaches of the law and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation.

(2)At Union level, reports by whistleblowers are one upstream component of enforcement of Union law: they feed national and Union enforcement systems with information leading to effective detection, investigation and prosecution of breaches of Union law.

(3)In certain policy areas, breaches of Union law may cause serious harm to the public interest, in the sense of creating significant risks for the welfare of society. Where weaknesses of enforcement have been identified in those areas, and whistleblowers are in a privileged position to disclose breaches, it is necessary to enhance enforcement by ensuring effective protection of whistleblowers from retaliation and introducing effective reporting channels.

(4)Whistleblower protection currently provided in the European Union is fragmented across Member States and uneven across policy areas. The consequences of breaches of Union law with cross-border dimension uncovered by whistleblowers illustrate how insufficient protection in one Member State not only negatively impacts on the functioning of EU policies in that Member State but can also spill over into other Member States and the Union as a whole.

(5)Accordingly, common minimum standards ensuring effective whistleblower protection should apply in those acts and policy areas where i) there is a need to strengthen enforcement; ii) under-reporting by whistleblowers is a key factor affecting enforcement, and iii) breaches of Union law cause serious harm to the public interest.

(6)Whistleblower protection is necessary to enhance the enforcement of Union law on public procurement. In addition to the need of preventing and detecting fraud and corruption in the context of the implementation of the EU budget, including procurement, it is necessary to tackle insufficient enforcement of rules on public procurement by national public authorities and certain public utility operators when purchasing goods, works and services. Breaches of such rules create distortions of competition, increase costs for doing business, violate the interests of investors and shareholders and, overall, lower attractiveness for investment and create an uneven level playing field for all businesses across Europe, thus affecting the proper functioning of the internal market.

(7)In the area of financial services, the added value of whistleblower protection was already acknowledged by the Union legislator. In the aftermath of the financial crisis, which exposed serious shortcomings in the enforcement of the relevant rules, measures for the protection of whistleblowers were introduced in a significant number of legislative instruments in this area 34 . In particular, in the context of the prudential framework applicable to credit institutions and investment firms, Directive 2013/36/EU 35 provides for protection of whistleblowers, which extends also to Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms.

(8)As regards the safety of products placed into the internal market, the primary source of evidence-gathering are businesses involved in the manufacturing and distribution chain, so that reporting by whistleblowers has a high added value, since they are much closer to the source of possible unfair and illicit manufacturing, import or distribution practices of unsafe products. This warrants the introduction of whistleblower protection in relation to the safety requirements applicable both to ‘harmonised products’ 36 and to ‘non-harmonised products’ 37 . Whistleblower protection is also instrumental in avoiding diversion of firearms, their parts and components and ammunition, as well as defence-related products, by encouraging the reporting of breaches, such as document fraud, altered marking or false declarations of import or export and fraudulent intra-communitarian acquisition of firearms where violations often imply a diversion from the legal to the illegal market. Whistleblower protection will also help prevent the illicit manufacture of homemade explosives by contributing to the correct application of restrictions and controls regarding explosives precursors.

(9)The importance of whistleblower protection in terms of preventing and deterring breaches of Union rules on transport safety which can endanger human lives has been already acknowledged in sectorial Union instruments on aviation safety 38 and maritime transport safety 39 , which provide for tailored measures of protection to whistleblowers as well as specific reporting channels. These instruments also include the protection from retaliation of the workers reporting on their own honest mistakes (so called ‘just culture’). It is necessary to complement the existing elements of whistleblower protection in these two sectors as well as to provide such protection to enhance the enforcement of safety standards for other transport modes, namely road and railway transport.

(10)Evidence-gathering, detecting and addressing environmental crimes and unlawful conduct against the protection of the environment remain a challenge and need to be reinforced as acknowledged in the Commission Communication "EU actions to improve environmental compliance and governance" of 18 January 2018 40 . Whilst whistleblower protection rules exist at present only in one sectorial instrument on environmental protection 41 , the introduction of such protection appears necessary to ensure effective enforcement of the Union environmental acquis, whose breaches can cause serious harm to the public interest with possible spill-over impacts across national borders. This is also relevant in cases where unsafe products can cause environmental harm.

(11)Similar considerations warrant the introduction of whistleblower protection to build upon existing provisions and prevent breaches of EU rules in the area of food chain and in particular on food and feed safety as well as on animal health and welfare. The different Union rules developed in these areas are closely interlinked. Regulation (EC) No 178/2002 42 sets out the general principles and requirements which underpin all Union and national measures relating to food and feed, with a particular focus on food safety, in order to ensure a high level of protection of human health and consumers’ interests in relation to food as well as the effective functioning of the internal market. This Regulation provides, amongst others, that food and feed business operators are prevented from discouraging their employees and others from cooperating with competent authorities where this may prevent, reduce or eliminate a risk arising from food. The Union legislator has taken a similar approach in the area of ‘Animal Health Law’ through Regulation (EU) 2016/429 establishing the rules for the prevention and control of animal diseases which are transmissible to animals or to humans 43 .

(12)Enhancing the protection of whistleblowers would also favour preventing and deterring breaches of Euratom rules on nuclear safety, radiation protection and responsible and safe management of spent fuel and radioactive and would be reinforce the enforcement of existing provisions of the revised Nuclear Safety Directive 44  on the effective nuclear safety culture and, in particular, Article 8 b (2) (a), which requires, inter alia, that the competent regulatory authority establishes management systems which give due priority to nuclear safety and promote, at all levels of staff and management, the ability to question the effective delivery of relevant safety principles and practices and to report in a timely manner on safety issues.

(13)In the same vein, whistleblowers’ reports can be key to detecting and preventing, reducing or eliminating risks to public health and to consumer protection resulting from breaches of Union rules which might otherwise remain hidden. In particular, consumer protection is also strongly linked to cases where unsafe products can cause considerable harm to consumers. Whistleblower protection should therefore be introduced in relation to relevant Union rules adopted pursuant to Articles 114, 168 and 169 TFEU.

(14)The protection of privacy and personal data is another area where whistleblowers are in a privileged position to disclose breaches of Union law which can seriously harm the public interest. Similar considerations apply for breaches of the Directive on the security of network and information systems 45 , which introduces notification of incidents (including those that do not compromise personal data) and security requirements for entities providing essential services across many sectors (e.g. energy, health, transport, banking, etc.) and providers of key digital services (e.g. cloud computing services). Whistleblowers' reporting in this area is particularly valuable to prevent security incidents that would affect key economic and social activities and widely used digital services. It helps ensuring the continuity of services which are essential for the functioning of the internal market and the wellbeing of society.

(15)Reporting by whistleblowers is necessary to enhance the detection and prevention of infringements of Union competition law. This would serve to protect the efficient functioning of markets in the Union, allow a level playing field for business and deliver benefits to consumers. The protection of whistleblowers would enhance Union competition law enforcement, including State aid. As regards competition rules applying to undertakings, the importance of insider reporting in detecting competition law infringements has already been recognised in the EU leniency policy as well as with the recent introduction of an anonymous whistleblower tool by the European Commission 46 . The introduction of whistleblower protection at Member State level would increase the ability of the European Commission as well as the competent authorities in the Member States to detect and bring to an end infringements of Union competition law. With respect to State aid, whistleblowers can play a significant role in reporting unlawfully granted aid and informing when aid is misused, both at national, regional and local levels.

(16)The protection of the financial interests of the Union, which relates to the fight against fraud, corruption and any other illegal activity affecting the use of Union expenditures, the collection of Union revenues and funds or Union assets, is a core area in which enforcement of Union law needs to be strengthened. The strengthening of the protection of the financial interests of the Union also encompasses implementation of the Union budget related to expenditures made on the basis of the Treaty establishing the European Atomic Energy Community. Lack of effective enforcement in the area of the financial interests of the Union, including fraud and corruption at national level, causes a decrease of the Union revenues and a misuse of EU funds, which can distort public investments and growth and undermine citizens’ trust in EU action. Whistleblower protection is necessary to facilitate the detection, prevention and deterrence of relevant fraud and illegal activities.

(17)Acts which breach the rules of corporate tax and arrangements whose purpose is to obtain a tax advantage and to evade legal obligations, defeating the object or purpose of the applicable corporate tax law, negatively affect the proper functioning of the internal market. They can give rise to unfair tax competition and extensive tax evasion, distorting the level-playing field for companies and resulting in loss of tax revenues for Member States and for the Union budget as a whole. Whistleblower protection adds to recent Commission initiatives aimed at improving transparency and the exchange of information in the field of taxation 47 and creating a fairer corporate tax environment within the Union 48 , with a view to increasing Member States’ effectiveness in identifying evasive and/or abusive arrangements that could otherwise go undetected and will help deter such arrangements.

(18)Certain Union acts, in particular in the area of financial services, such as Regulation (EU) No 596/2014 on market abuse 49 , and Commission Implementing Directive 2015/2392, adopted on the basis of that Regulation 50 , already contain detailed rules on whistleblower protection. Such existing Union legislation, including the list of Part II of the Annex, should be complemented by the present Directive, so that these instruments are fully aligned with its minimum standards whilst maintaining any specificities they provide for, tailored to the relevant sectors. This is of particular importance to ascertain which legal entities in the area of financial services, the prevention of money laundering and terrorist financing are currently obliged to establish internal reporting channels.

(19)Each time a new Union act for which whistleblower protection is relevant and can contribute to more effective enforcement is adopted, consideration should be given to whether to amend the Annex to the present Directive in order to place it under its scope.

(20)This Directive should be without prejudice to the protection afforded to employees when reporting on breaches of Union employment law. In particular, in the area of occupational safety and health, Article 11 of Framework Directive 89/391/EEC already requires Member States to ensure that workers or workers' representatives shall not be placed at a disadvantage because of their requests or proposals to employers to take appropriate measures to mitigate hazards for workers and/or to remove sources of danger. Workers and their representatives are entitled to raise issues with the competent national authorities if they consider that the measures taken and the means employed by the employer are inadequate for the purposes of ensuring safety and health.

(21)This Directive should be without prejudice to the protection of national security and other classified information which Union law or the laws, regulations or administrative provisions in force in the Member State concerned require, for security reasons, to be protected from unauthorised access. In particular, Moreover, the provision of this Directive should not affect the obligations arising from Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information or Council Decision of 23 September 2013 on the security rules for protecting EU classified information.

(22)Persons who report information about threats or harm to the public interest obtained in the context of their work-related activities make use of their right to freedom of expression. The right to freedom of expression, enshrined in Article 11 of the Charter of Fundamental Rights of the European Union (‘the Charter’) and in Article 10 of the European Convention on Human Rights (ECHR), encompasses media freedom and pluralism.  

(23)Accordingly, this Directive draws upon the case law of the European Court of Human Rights on the right to freedom of expression, and the principles developed on this basis by the Council of Europe in its 2014 Recommendation on Protection of Whistleblowers 51 .

(24)Persons need specific legal protection where they acquire the information they report through their work-related activities and therefore run the risk of work-related retaliation (for instance, for breaching the duty of confidentiality or loyalty). The underlying reason for providing them with protection is their position of economic vulnerability vis-à-vis the person on whom they de facto depend for work. When there is no such work-related power imbalance (for instance in the case of ordinary complainants or citizen bystanders) there is no need for protection against retaliation.

(25)Effective enforcement of Union law requires that protection is granted to the broadest possible range of categories of persons, who, irrespective of whether they are EU citizens or third-country nationals, by virtue of work-related activities (irrespective of the nature of these activities,whether they are paid or not), have privileged access to information about breaches that would be in the public’s interest to report and who may suffer retaliation if they report them. Member States should ensure that the need for protection is determined by reference to all the relevant circumstances and not merely by reference to the nature of the relationship, so as to cover the whole range of persons connected in a broad sense to the organisation where the breach has occurred.

(26)Protection should, firstly, apply to persons having the status of 'workers', within the meaning of Article 45 TFEU, as interpreted by the Court of Justice of the European Union 52 , i.e. persons who, for a certain period of time, perform services for and under the direction of another person, in return of which they receive remuneration. Protection should thus also be granted to workers in non-standard employment relationships, including part-time workers and fixed-term contract workers, as well as persons with a contract of employment or employment relationship with a temporary agency, which are types of relationships where standard protections against unfair treatment are often difficult to apply.

(27)Protection should also extend to further categories of natural or legal persons, who, whilst not being 'workers' within the meaning of Article 45 TFEU, can play a key role in exposing breaches of the law and may find themselves in a position of economic vulnerability in the context of their work-related activities. For instance, in areas such as product safety, suppliers are much closer to the source of possible unfair and illicit manufacturing, import or distribution practices of unsafe products; in the implementation of Union funds, consultants providing their services are in a privileged position to draw attention to breaches they witness. Such categories of persons, including self-employed persons providing services, freelance, contractors, sub-contractors and suppliers, are typically subject to retaliation in the form of early termination or cancellation of contract of services, licence or permit, loss of business, loss of income, coercion, intimidation or harassment, blacklisting/business boycotting or damage to their reputation. Shareholders and persons in managerial bodies, may also suffer retaliation, for instance in financial terms or in the form of intimidation or harassment, blacklisting or damage to their reputation. Protection should also be granted to candidates for employment or for providing services to an organisation who acquired the information on breaches of law during the recruitment process or other pre-contractual negotiation stage, and may suffer retaliation for instance in the form of negative employment references or blacklisting/business boycotting.

(28)Effective whistleblower protection implies protecting also further categories of persons who, whilst not relying on their work-related activities economically, may nevertheless suffer retaliation for exposing breaches. Retaliation against volunteers and unpaid trainees may take the form of no longer making use of their services, or of giving a negative reference for future employment or otherwise damaging their reputation.

(29)Effective detection and prevention of serious harm to the public interest requires that the information reported which qualifies for protection covers not only unlawful activities but also abuse of law, namely acts or omissions which do not appear to be unlawful in formal terms but defeat the object or the purpose of the law.

(30)Effective prevention of breaches of Union law requires that protection is also granted to persons who provide information about potential breaches, which have not yet materialised, but are likely to be committed. For the same reasons, protection is warranted also for persons who do not provide positive evidence but raise reasonable concerns or suspicions. At the same time, protection should not apply to the reporting of information which is already in the public domain or of unsubstantiated rumours and hearsay.

(31)Retaliation expresses the close (cause and effect) relationship that must exist between the report and the adverse treatment suffered, directly or indirectly, by the reporting person, so that this person can enjoy legal protection. Effective protection of reporting persons as a means of enhancing the enforcement of Union law requires a broad definition of retaliation, encompassing any act or omission occurring in the work-related context which causes them detriment.

(32)Protection from retaliation as a means of safeguarding freedom of expression and media freedom should be provided both to persons who report information about acts or omissions within an organisation (internal reporting) or to an outside authority (external reporting) and to persons who disclose such information to the public domain (for instance, directly to the public via web platforms or social media, or to the media, elected officials, civil society organisations, trade unions or professional/business organisations).

(33)Whistleblowers are, in particular, important sources for investigative journalists. Providing effective protection to whistleblowers from retaliation increases the legal certainty of (potential) whistleblowers and thereby encourages and facilitates whistleblowing also to the media. In this respect, protection of whistleblowers as journalistic sources is crucial for safeguarding the ‘watchdog’ role of investigative journalism in democratic societies.

(34)It is for the Member States to identify the authorities competent to receive and give appropriate follow up to the reports on breaches falling within the scope of this Directive. These may be regulatory or supervisory bodies in the areas concerned, law enforcement agencies, anti-corruption bodies and ombudsmen. The authorities designated as competent shall have the necessary capacities and powers to assess the accuracy of the allegations made in the report and to address the breaches reported, including by launching an investigation, prosecution or action for recovery of funds, or other appropriate remedial action, in accordance with their mandate.

(35)Union law in specific areas, such as market abuse 53 , civil aviation 54 or safety of offshore oil and gas operations 55 already provides for the establishment of internal and external reporting channels. The obligations to establish such channels laid down in this Directive should build as far as possible on the existing channels provided by specific Union acts.

(36)Some bodies, offices and agencies of the Union, such as the European Anti-Fraud Office (OLAF), the European Maritime Safety Agency (EMSA), the European Aviation Safety Agency (EASA) and the European Medicines Agency (EMA), have in place external channels and procedures for receiving reports on breaches falling within the scope of this Directive, which mainly provide for confidentiality of the identity of the reporting persons. This Directive does not affect such external reporting channels and procedures, where they exist, but will ensure that persons reporting to those bodies, offices or agencies of the Union benefit from common minimum standards of protection throughout the Union.

(37)For the effective detection and prevention of breaches of Union law it is vital that the relevant information reaches swiftly those closest to the source of the problem, most able to investigate and with powers to remedy it, where possible. This requires that legal entities in the private and the public sector establish appropriate internal procedures for receiving and following-up on reports.

(38)For legal entities in the private sector, the obligation to establish internal channels is commensurate with their size and the level of risk their activities pose to the public interest. It should apply to all medium-sized and large entities irrespective of the nature of their activities, based on their obligation to collect VAT. As a general rule small and micro undertakings, as defined in Article 2 of the Annex of the Commission Recommendation of 6 May 2003, as amended 56 , should be exempted from the obligation to establish internal channels. However, following an appropriate risk assessment, Member States may require small undertakings to establish internal reporting channels in specific cases (e.g. due to the significant risks that may result from their activities).

(39)The exemption of small and micro undertakings from the obligation to establish internal reporting channels should not apply to private undertakings active in the area of financial services. Such undertakings should remain obliged to establish internal reporting channels, in line with the current obligations set forth in the Union acquis on financial services.

(40)It should be clear that, in the case of private legal entities which do not provide for internal reporting channels, reporting persons should be able to report directly externally to the competent authorities and such persons should enjoy the protection against retaliation provided by this Directive.

(41)To ensure in particular, the respect of the public procurement rules in the public sector, the obligation to put in place internal reporting channels should apply to all public legal entities, at local, regional and national level, whilst being commensurate with their size. In cases where internal channels are not provided in small public entities, Member States may provide for internal reporting within a higher level in the administration (that is to say at regional or central level).

(42)Provided the confidentiality of the identity of the reporting person is ensured, it is up to each individual private and public legal entity to define the kind of reporting channels to set up, such as in person, by post, by physical complaint box(es), by telephone hotline or through an online platform (intranet or internet). However, reporting channels should not be limited to those amongst the tools, such as in-person reporting and complaint box(es), which do not guarantee confidentiality of the identity of the reporting person.

(43)Third parties may also be authorised to receive reports on behalf of private and public entities, provided they offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy. These can be external reporting platform providers, external counsel or auditors or trade union representatives.

(44)Internal reporting procedures should enable private legal entities to receive and investigate in full confidentiality reports by the employees of the entity and of its subsidiaries or affiliates (the group), but also, to any extent possible, by any of the group’s agents and suppliers and by any person who acquires information through his/her work-related activities with the entity and the group.

(45)The most appropriate persons or departments within a private legal entity to be designated as competent to receive and follow up on reports depend on the structure of the entity, but, in any case, their function should ensure absence of conflict of interest and independence. In smaller entities, this function could be a dual function held by a company officer well placed to report directly to the organisational head, such as a chief compliance or human resources officer, a legal or privacy officer, a chief financial officer, a chief audit executive or a member of the board.

(46)In the context of internal reporting, the quality and transparency of information provided on the follow up procedure to the report is crucial to build trust in the effectiveness of the overall system of whistleblower protection and reduces the likelihood of further unnecessary reports or public disclosures. The reporting person should be informed within a reasonable timeframe about the action envisaged or taken as follow up to the report (for instance, closure based on lack of sufficient evidence or other grounds, launch of an internal enquiry and possibly its findings and/or measures taken to address the issue raised, referral to a competent authority for further investigation) as far as such information would not prejudice the enquiry or investigation or affect the rights of the concerned person. Such reasonable timeframe should not exceed in total three months. Where the appropriate follow up is still being determined, the reporting person should be informed about this and about any further feedback he/she should expect.

(47)Persons who are considering reporting breaches of Union law should be able to make an informed decision on whether, how and when to report. Private and public entities having in place internal reporting procedures shall provide information on these procedures as well as on procedures to report externally to relevant competent authorities. Such information must be easily understandable and easily accessible, including, to any extent possible, also to other persons, beyond employees, who come in contact with the entity through their work-related activities, such as service-providers, distributors, suppliers and business partners. For instance, such information may be posted at a visible location accessible to all these persons and to the web of the entity and may also be included in courses and trainings on ethics and integrity.

(48)Effective detection and prevention of breaches of Union law requires ensuring that potential whistleblowers can easily and in full confidentiality bring the information they possess to the attention of the relevant competent authorities which are able to investigate and to remedy the problem, where possible.

(49)Lack of confidence in the usefulness of reporting is one of the main factors discouraging potential whistleblowers. This warrants imposing a clear obligation on competent authorities to diligently follow-up on the reports received, and, within a reasonable timeframe, give feedback to the reporting persons about the action envisaged or taken as follow-up (for instance, closure based on lack of sufficient evidence or other grounds, launch of an investigation and possibly its findings and/or measures taken to address the issue raised; referral to another authority competent to give follow-up) to the extent that such information would not prejudice the investigation or the rights of the concerned persons.

(50)Follow up and feedback should take place within a reasonable timeframe; this is warranted by the need to promptly address the problem that may be the subject of the report, as well as to avoid unnecessary public disclosures. Such timeframe should not exceed three months, but could be extended to six months, where necessary due to the specific circumstances of the case, in particular the nature and complexity of the subject of the report, which may require a lengthy investigation.

(51)Where provided for under national or Union law, the competent authorities should refer cases or relevant information to relevant bodies, offices or agencies of the Union, including, for the purposes of this Directive, the European Anti-Fraud Office (OLAF) and the European Public Prosecutor Office (EPPO), without prejudice to the possibility for the reporting person to refer directly to such bodies, offices or agencies of the Union.

(52)In order to allow for effective communication with their dedicated staff, it is necessary that the competent authorities have in place and use specific channels, separate from their normal public complaints systems, that should be user-friendly and allow for written and oral, as well as electronic and non-electronic reporting.

(53)Dedicated staff members of the competent authorities, who are professionally trained, including on applicable data protection rules, would be necessary in order to handle reports and to ensure communication with the reporting person, as well as following up on the report in a suitable manner.

(54)Persons intending to report should be able to make an informed decision on whether, how and when to report. Competent authorities should therefore publicly disclose and make easily accessible information about the available reporting channels with competent authorities, about the applicable procedures and about the dedicated staff members within these authorities. All information regarding reports should be transparent, easily understandable and reliable in order to promote and not deter reporting.

(55)Member States should ensure that competent authorities have in place adequate protection procedures for the processing of reports of infringements and for the protection of the personal data of the persons referred to in the report. Such procedures should ensure that the identity of every reporting person, concerned person, and third persons referred to in the report (e.g. witnesses or colleagues) is protected at all stages of the procedure. This obligation should be without prejudice to the necessity and proportionality of the obligation to disclose information when this is required by Union or national law and subject to appropriate safeguards under such laws, including in the context of investigations or judicial proceedings or to safeguard the freedoms of others, including the rights of defence of the concerned person.

(56)It is necessary that dedicated staff of the competent authority and staff members of the competent authority who receive access to the information provided by a reporting person to the competent authority comply with the duty of professional secrecy and the confidentiality when transmitting the data both inside and outside of the competent authority, including where a competent authority opens an investigation or an inquiry or subsequent enforcement activities in connection with the report of infringements.

(57)Member States should ensure the adequate record-keeping of all reports of infringement and that every report is retrievable within the competent authority and that information received through reports could be used as evidence in enforcement actions where appropriate.

(58)Protection of personal data of the reporting and concerned person is crucial in order to avoid unfair treatment or reputational damages due to disclosure of personal data, in particular data revealing the identity of a person concerned. Hence, in line with the requirements of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter also referred to as 'GDPR'), competent authorities should establish adequate data protection procedures specifically geared to the protection of the reporting person, the concerned person and any third person referred to in the report that should include a secure system within the competent authority with restricted access rights for authorised staff only.

(59)The regular review of the procedures of competent authorities and the exchange of good practices between them should guarantee that those procedures are adequate and thus serving their purpose.

(60)To enjoy protection, the reporting persons should reasonably believe, in light of the circumstances and the information available to them at the time of the reporting, that the matters reported by them are true. This reasonable belief should be presumed unless and until proven otherwise. This is an essential safeguard against malicious and frivolous or abusive reports, ensuring that those who deliberately and knowingly report wrong or misleading information do not enjoy protection. At the same time, it ensures that protection is not lost where the reporting person made an inaccurate report in honest error. In a similar vein, reporting persons should be entitled to protection under this Directive if they have reasonable grounds to believe that the information reported falls within its scope.

(61)The requirement of a tiered use of reporting channels, as a general rule, is necessary to ensure that the information gets to the persons who can contribute to the early and effective resolution of risks to the public interest as well as to prevent unjustified reputational damage from public disclosure. At the same time, some exceptions to its application are necessary, allowing the reporting person to choose the most appropriate channel depending on the individual circumstances of the case. Moreover, it is necessary to protect public disclosures taking into account democratic principles such as transparency and accountability, and fundamental rights such as freedom of expression and media freedom, whilst balancing the interest of employers to manage their organisations and to protect their interests with the interest of the public to be protected from harm, in line with the criteria developed in the case-law of the European Court of Human Rights 57 .

(62)As a rule, reporting persons should first use the internal channels at their disposal and report to their employer. However, it may be the case that internal channels do not exist (in case of entities which are not under an obligation to establish such channels by virtue of this Directive or applicable national law) or that their use is not mandatory (which may be the case for persons who are not in an employment relationship), or that they were used but did not function properly (for instance the report was not dealt with diligently or within a reasonable timeframe, or no action was taken to address the breach of law despite the positive results of the enquiry).

(63)In other cases, internal channels could not reasonably be expected to function properly, for instance, where the reporting persons have valid reasons to believe that they would suffer retaliation in connection with the reporting; that their confidentiality would not be protected; that the ultimate responsibility holder within the work-related context is involved in the breach; that the breach might be concealed; that evidence may be concealed or destroyed; that the effectiveness of investigative actions by competent authorities might be jeopardised or that urgent action is required (for instance because of an imminent risk of a substantial and specific danger to the life, health and safety of persons, or to the environment. In all such cases, persons reporting externally to the competent authorities and, where relevant, to bodies, offices or agencies of the Union shall be protected. Moreover, protection is also to be granted in cases where Union legislation allows for the reporting person to report directly to the competent national authorities or bodies, offices or agencies of the Union, for example in the context of fraud against the Union budget, prevention and detection of money laundering and terrorist financing or in the area of financial services.

(64)Persons making a public disclosure directly should also qualify for protection in cases where a breach remains unaddressed (for example, it was not properly assessed or investigated or no remedial action was taken) despite having been reported internally and/or externally following a tiered use of available channels; or in cases where reporting persons have valid reasons to believe that there is collusion between the perpetrator of the breach and the competent authority is reasonably suspected , that evidence may be concealed or destroyed, or that the effectiveness of investigative actions by competent authorities might be jeopardised; or in cases of imminent and manifest danger for the public interest, or where there is a risk of irreversible damage, including, inter alia, harm to physical integrity.

(65)Reporting persons should be protected against any form of retaliation, whether direct or indirect, taken by their employer or customer/recipient of services and by persons working for or acting on behalf of the latter, including co-workers and managers in the same organisation or in other organisations with which the reporting person is in contact in the context of his/her work-related activities, where retaliation is recommended or tolerated by the concerned person. Protection should be provided against retaliatory measures taken vis-à-vis the reporting person him/herself but also those that may be taken vis-à-vis the legal entity he/she represents, such as denial of provision of services, blacklisting or business boycotting. Indirect retaliation also includes actions taken against relatives of the reporting person who are also in a work-related connection with the latter’s employer or customer/recipient of services and workers’ representatives who have provided support to the reporting person.

(66)Where retaliation occurs undeterred and unpunished, it has a chilling effect on potential whistleblowers. A clear prohibition of retaliation in law has an important dissuasive effect, further strengthened by provisions for personal liability and penalties for the perpetrators of retaliation.

(67)Potential whistleblowers who are not sure about how to report or whether they will be protected in the end may be discouraged from reporting. Member States should ensure that relevant information is provided in a user-friendly way and is easily accessible to the general public. Individual, impartial and confidential advice, free of charge, should be available on, for example, whether the information in question is covered by the applicable rules on whistleblower protection, which reporting channel may best be used and which alternative procedures are available in case the information is not covered by the applicable rules (‘signposting’). Access to such advice can help ensure that reports are made through the appropriate channels, in a responsible manner and that breaches and wrongdoings are detected in a timely manner or even prevented.

(68)Under certain national frameworks and in certain cases, reporting persons suffering retaliation may benefit from forms of certification of the fact that they meet the conditions of the applicable rules. Notwithstanding such possibilities, they should have effective access to judicial review, whereby it falls upon the courts to decide, based on all the individual circumstances of the case, whether they meet the conditions of the applicable rules.

(69)It should not be possible to waive the rights and obligations established by this Directive by contractual means. Individuals’ legal or contractual obligations, such as loyalty clauses in contracts or confidentiality/non-disclosure agreements, cannot be relied on to preclude workers from reporting, to deny protection or to penalise them for having done so. At the same time, this Directive should not affect the protection of legal and other professional privilege as provided for under national law.

(70)Retaliatory measures are likely to be presented as being justified on grounds other than the reporting and it can be very difficult for reporting persons to prove the link between the two, whilst the perpetrators of retaliation may have greater power and resources to document the action taken and the reasoning. Therefore, once the reporting person demonstrates prima facie that he/she made a report or disclosure in line with this Directive and suffered a detriment, the burden of proof should shift to the person who took the detrimental action, who should then demonstrate that their the action taken was not linked in any way to the reporting or the disclosure.

(71)Beyond an explicit prohibition of retaliation provided in law, it is crucial that reporting persons who do suffer retaliation have access to legal remedies. The appropriate remedy in each case will be determined by the kind of retaliation suffered. It may take the form of actions for reinstatement (for instance, in case of dismissal, transfer or demotion, or of withholding of training or promotion) or for restauration of a cancelled permit, licence or contract; compensation for actual and future financial losses (for lost past wages, but also for future loss of income, costs linked to a change of occupation); compensation for other economic damage such as legal expenses and costs of medical treatment, and for intangible damage (pain and suffering).

(72)The types of legal action may vary between legal systems but they should ensure as full and effective a remedy as possible. Remedies should not discourage potential future whistleblowers. For instance, allowing for compensation as an alternative to reinstatement in case of dismissal might give rise to a systematic practice in particular by larger organisations, thus having a dissuasive effect on future whistleblowers

(73)Of particular importance for reporting persons are interim remedies pending the resolution of legal proceedings that can be protracted. Interim relief can be in particular necessary in order to stop threats, attempts or continuing acts of retaliation, such as harassment at the workplace, or to prevent forms of retaliation such as dismissal, which might be difficult to reverse after the lapse of lengthy periods and which can ruin financially the individual — a perspective which can seriously discourage potential whistleblowers.

(74)Action taken against reporting persons outside the work-related context, through proceedings, for instance, related to defamation, breach of copyright, trade secrets, confidentiality and personal data protection, can also pose a serious deterrent to whistleblowing. Directive (EU) 2016/943 of the European Parliament and of the Council 58 exempts reporting persons from the civil redress measures, procedures and remedies it provides for, in case the alleged acquisition, use or disclosure of the trade secret was carried out for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest. Also in other proceedings, reporting persons should be able to rely on having made a report or disclosure in accordance with this Directive as a defence. In such cases, the person initiating the proceedings should carry the burden to prove any intent on the part of the reporting person to violate the law.

(75)A significant cost for reporting persons contesting retaliation measures taken against them in legal proceedings can be the relevant legal fees. Although they could recover these fees at the end of the proceedings, they might not be able to cover them up front, especially if they are unemployed and blacklisted. Assistance for criminal legal proceedings, particularly in accordance with the provisions of Directive (EU) 2016/1919 of the European Parliament and of the Council 59 and more generally support to those who are in serious financial need might be key, in certain cases, for the effective enforcement of their rights to protection.

(76)The rights of the concerned person should be protected in order to avoid reputational damages or other negative consequences. Furthermore, the rights of defence and access to remedies of the concerned person should be fully respected at every stage of the procedure following the report, in accordance with Articles 47 and 48 of the Charter of Fundamental Rights of the European Union. Member States should ensure the right of defence of the concerned person, including the right to access to the file, the right to be heard and the right to seek effective remedy against a decision concerning the concerned person under the applicable procedures set out in national law in the context of investigations or subsequent judicial proceedings.

(77)Any person who suffers prejudice, whether directly or indirectly, as a consequence of the reporting or disclosure of inaccurate or misleading information should retain the protection and the remedies available to him or her under the rules of general law. Where such inaccurate or misleading report or disclosure was made deliberately and knowingly, the concerned persons should be entitled to compensation in accordance with national law.

(78)Penalties are necessary to ensure the effectiveness of the rules on whistleblower protection. Penalties against those who take retaliatory or other adverse actions against reporting persons can discourage further such actions. Penalties against persons who make a report or disclosure demonstrated to be knowingly false are necessary to deter further malicious reporting and preserve the credibility of the system. The proportionality of such penalties should ensure that they do not have a dissuasive effect on potential whistleblowers.

(79)Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, should be undertaken in accordance with Regulation (EU) 2016/679, and with Directive (EU) 2016/680 of the European Parliament and of the Council, and any exchange or transmission of information by Union level competent authorities should be undertaken in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council 60 . Particular regard should be had to the principles relating to processing of personal data set out in Article 5 of the GDPR, Article 4 of Directive (EU) 2016/680 and Article 4 of Regulation (EC) No 45/2001, and to the principle of data protection by design and by default laid down in Article 25 of the GDPR, Article 20 of Directive (EU) 2016/680 and Article XX of Regulation (EU) No 2018/XX repealing Regulation No 45/2001 and Decision No 1247/2002/EC.

(80)This Directive introduces minimum standards and Member States should have the power to introduce or maintain more favourable provisions to the reporting person, provided that such provisions do not interfere with the measures for the protection of concerned persons.

(81)In accordance with Article 26(2) TFEU, the internal market needs to comprise an area without internal frontiers in which the free and safe movement of goods and services is ensured. The internal market should provide Union citizens with added value in the form of better quality and safety of goods and services, ensuring high standards of public health and environmental protection as well as free movement of personal data. Thus, Article 114 TFEU is the appropriate legal basis to adopt the measures necessary for the establishment and functioning of the internal market. In addition to Article 114 TFEU, this Directive should have additional specific legal bases in order to cover the fields that rely on Articles 16, 33, 43, 50, 53(1), 62, 91, 100, 103, 109, 168, 169 and 207 TFEU and Article 31 of the Euratom Treaty for the adoption of Union measures. Since this Directive also aims at better protecting the financial interests of the Union, Article 325(4) TFEU should be included as a legal basis.

(82)The material scope of this Directive is based on the identification of areas where the introduction of whistleblower protection appears justified and necessary on the basis of currently available evidence. Such material scope may be extended to further areas or Union acts, if this proves necessary as a means of strengthening their enforcement in the light of evidence that may come to the fore in the future or on the basis of the evaluation of the way in which this Directive has operated.

(83)Whenever subsequent legislation relevant for this Directive is adopted, it should specify where appropriate that this Directive will apply. Where necessary, Article 1 and the Annex should be amended.

(84)The objective of this Directive, namely to strengthen enforcement in certain policy areas and acts where breaches of Union law can cause serious harm to the public interest through effective whistleblower protection, cannot be sufficiently achieved by the Member States acting alone or in an uncoordinated manner, but can rather be better achieved by Union action providing minimum standards of harmonisation on whistleblower protection. Moreover, only Union action can provide coherence and align the existing Union rules on whistleblower protection. Therefore, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve this objective.

(85)This Directive respects fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. Accordingly, this Directive must be implemented in accordance with those rights and principles. In particular, this Directive seeks to ensure full respect for freedom of expression and information, the right to protection of personal data, the freedom to conduct a business, the right to a high level of consumer protection, the right to an effective remedy and the rights of defence.

(86)The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on […] 61

HAVE ADOPTED THIS DIRECTIVE:

CHAPTER I

SCOPE AND DEFINITIONS

Article 1

Material scope

1.With a view to enhancing the enforcement of Union law and policies in specific areas, this Directive lays down common minimum standards for the protection of persons reporting on the following unlawful activities or abuse of law:

a) breaches falling within the scope of the Union acts set out in the Annex (Part I and Part II) as regards the following areas:

(i)public procurement;

(ii)financial services, prevention of money laundering and terrorist financing;

(iii)        product safety;

(iv)transport safety;

(v)protection of the environment;

(vi)nuclear safety;

(vii)food and feed safety, animal health and welfare;

(viii)public health;

(ix)consumer protection;

(x)protection of privacy and personal data, and security of network and information systems.

b) breaches of Articles 101, 102, 106, 107 and 108 TFEU and breaches falling within the scope of Council Regulation (EC) No 1/2003 and Council Regulation (EU) No 2015/1589;

c)breaches affecting the financial interests of the Union as defined by Article 325 TFEU and as further specified, in particular, in Directive (EU) 2017/1371 and Regulation (EU, Euratom) No 883/2013;

d)breaches relating to the internal market, as referred to in Article 26(2) TFEU, as regards acts which breach the rules of corporate tax or arrangements whose purpose is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

2.Where specific rules on the reporting of breaches are provided for in sector-specific Union acts listed in Part 2 of the Annex, those rules shall apply. The provisions of this Directive shall be applicable for all matters relating to the protection of reporting persons not regulated in those sector-specific Union acts.

Article 2

Personal scope

1.This Directive shall apply to reporting persons working in the private or public sector who acquired information on breaches in a work-related context including, at least, the following:

a)persons having the status of worker, with the meaning of Article 45 TFEU;

b)persons having the status of self-employed, with the meaning of Article 49 TFEU;

c)shareholders and persons belonging to the management body of an undertaking, including non-executive members, as well as volunteers and unpaid trainees;

d) any persons working under the supervision and direction of contractors, subcontractors and suppliers.

2.This Directive shall also apply to reporting persons whose work-based relationship is yet to begin in cases where information concerning a breach has been acquired during the recruitment process or other pre-contractual negotiation.

Article 3

Definitions

For the purposes of this Directive, the following definitions shall apply:

(1)‘breaches’ means actual or potential unlawful activities or abuse of law relating to the Union acts and areas falling within the scope referred to in Article 1 and in the Annex;

(2)‘unlawful activities’ means acts or omissions contrary to Union law;

(3)‘abuse of law’ means acts or omissions falling within the scope of Union law which do not appear to be unlawful in formal terms but defeat the object or the purpose pursued by the applicable rules;

(4)‘information on breaches’ means evidence about actual breaches as well as reasonable suspicions about potential breaches which have not yet materialised;

(5)‘report’ means the provision of information relating to a breach which has occurred or is likely to occur in the organisation at which the reporting person works or has worked or in another organisation with which he or she is or was in contact through his or her work;

(6)‘internal reporting’ means provision of information on breaches within a public or private legal entity;

(7)‘external reporting’ means provision of information on breaches to the competent authorities;

(8)‘disclosure’ means making information on breaches acquired within the work-related context available to the public domain;

(9)‘reporting person’ means a natural or legal person who reports or discloses information on breaches acquired in the context of his or her work-related activities;

(10)‘work-related context’ means current or past work activities in the public or private sector through which, irrespective of their nature, persons may acquire information on breaches and within which these persons may suffer retaliation if they report them.

(11)‘concerned person’ means a natural or legal person who is referred to in the report or disclosure as a person to whom the breach is attributed or with which he or she is associated;

(12)‘retaliation’ means any threatened or actual act or omission prompted by the internal or external reporting which occurs in a work-related context and causes or may cause unjustified detriment to the reporting person;

(13)‘follow-up’ means any action taken by the recipient of the report, made internally or externally, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including actions such as internal enquiry, investigation, prosecution, action for recovery of funds and closure;

(14)‘competent authority’ means any national authority entitled to receive reports in accordance with Chapter III and designated to carry out the duties provided for in this Directive, in particular as regards the follow up of reports.

CHAPTER II

INTERNAL REPORTING AND FOLLOW UP OF REPORTS

Article 4

Obligation to establish internal channels and procedures for reporting and follow-up of reports

1.Member States shall ensure that legal entities in the private and in the public sector establish internal channels and procedures for reporting and following up on reports, following consultations with social partners, if appropriate.

2.Such channels and procedures shall allow for reporting by employees of the entity. They may allow for reporting by other persons who are in contact with the entity in the context of their work-related activities, referred to in Article 2(1)(b),(c) and (d), but the use of internal channels for reporting shall not be mandatory for these categories of persons.

3.The legal entities in the private sector referred to in paragraph 1 are the following:

a)private legal entities with 50 or more employees;

b)private legal entities with an annual business turnover or annual balance sheet

total of EUR 10 million or more;

c)private legal entities of any size operating in the area of financial services or vulnerable to money laundering or terrorist financing, as regulated under the Union acts referred to in the Annex.

4.Following an appropriate risk assessment taking into account the nature of activities of the entities and the ensuing level of risk, Member States may require small private legal entities, as defined in Commission Recommendation of 6 May 2003 62 , other than those referred to in paragraph 3(c) to establish internal reporting channels and procedures.

5.Any decision taken by a Member State pursuant to paragraph 4 shall be notified to the Commission, together with a justification and the criteria used in the risk assessment. The Commission shall communicate that decision to the other Member States.

6.The legal entities in the public sector referred to in paragraph 1 shall be the following:

a)state administration;

b)regional administration and departments;

c)municipalities with more than 10 000 inhabitants;

d)other entities governed by public law.

Article 5

Procedures for internal reporting and follow-up of reports

1.The procedures for reporting and following-up of reports referred to in Article 4 shall include the following:

a)channels for receiving the reports which are designed, set up and operated in a manner that ensures the confidentiality of the identity of the reporting person and prevents access to non-authorised staff members;

b)the designation of a person or department competent for following up on the reports;

c) diligent follow up to the report by the designated person or department;

d) a reasonable timeframe, not exceeding three months following the report, to provide feedback to the reporting person about the follow-up to the report;

e)clear and easily accessible information regarding the procedures and information on how and under what conditions reports can be made externally to competent authorities pursuant to Article 13(2) and, where relevant, to bodies, offices or agencies of the Union. 

2.The channels provided for in point (a) of paragraph 1 shall allow for reporting in all of the following ways:

(a) written reports in electronic or paper format and/or oral report through telephone lines, whether recorded or unrecorded;

(b) physical meetings with the person or department designated to receive reports.

Reporting channels may be operated internally by a person or department designated for that purpose or provided externally by a third party, provided that the safeguards and requirements referred to in point (a) of paragraph 1 are respected.

3.The person or department referred to in point (b) of paragraph 1 may be the same person who is competent for receiving the reports. Additional persons may be designated as “trusted persons” from whom reporting persons and those considering reporting may seek confidential advice.

CHAPTER III

EXTERNAL REPORTING AND FOLLOW UP OF REPORTS

Article 6

Obligation to establish external reporting channels and to follow up on reports

1.Member States shall designate the authorities competent to receive and handle reports.

2.Member States shall ensure that the competent authorities:

a)establish independent and autonomous external reporting channels, which are both secure and ensure confidentiality, for receiving and handling information provided by the reporting person;

b)give feedback to the reporting person about the follow-up of the report within a reasonable timeframe not exceeding three months or six months in duly justified cases;

c)transmit the information contained in the report to competent bodies, offices or agencies of the Union, as appropriate, for further investigation, where provided for under national or Union law.

3.Member States shall ensure that competent authorities follow up on the reports by taking the necessary measures and investigate, to the extent appropriate, the subject-matter of the reports. The competent authorities shall communicate to the reporting person the final outcome of the investigations.

4.Member States shall ensure that any authority which has received a report but does not have the competence to address the breach reported transmits it to the competent authority and that the reporting person is informed.

Article 7

Design of external reporting channels

1.Dedicated external reporting channels shall be considered independent and autonomous, if they meet all of the following criteria:

a)they are separated from general communication channels of the competent authority, including those through which the competent authority communicates internally and with third parties in its ordinary course of business;

b)they are designed, set up and operated in a manner that ensures the completeness, integrity and confidentiality of the information and prevents access to non-authorised staff members of the competent authority;

c)they enable the storage of durable information in accordance with Article 11 to allow for further investigations.

2.The dedicated reporting channels shall allow for reporting in at least all of the following ways:

a)written report in electronic or paper format;

b)oral report through telephone lines, whether recorded or unrecorded;

c)physical meeting with dedicated staff members of the competent authority.

3.Competent authorities shall ensure that a report received by means other than dedicated reporting channels referred to in paragraphs 1 and 2 is promptly forwarded without modification to the dedicated staff members of the competent authority by using dedicated communication channels.

4.Member States shall establish procedures to ensure that, where a report being initially addressed to a person who has not been designated as responsible handler for reports that person is refrained from disclosing any information that might identify the reporting or the concerned person.

Article 8

Dedicated staff members

1.Member States shall ensure that competent authorities have staff members dedicated to handling reports. Dedicated staff members shall receive specific training for the purposes of handling reports.

2.Dedicated staff members shall exercise the following functions:

a)providing any interested person with information on the procedures for reporting;

b)receiving and following-up reports;

c)maintaining contact with the reporting person for the purpose of informing the reporting person of the progress and the outcome of the investigation.

Article 9

Procedures applicable to external reporting

1.The procedures applicable to external reporting shall provide for the following:

a)the manner in which the competent authority may require the reporting person to clarify the information reported or to provide additional information that is available to the reporting person;

b)a reasonable timeframe, not exceeding three months or six months in duly justified cases, for giving feed-back to the reporting person about the follow-up of the report and the type and content of this feed-back;

c)the confidentiality regime applicable to reports, including a detailed description of the circumstances under which the confidential data of a reporting person may be disclosed.

2.The detailed description referred to in point (c) of paragraph 1 shall include the exceptional cases in which confidentiality of personal data may not be ensured, including where the disclosure of data is a necessary and proportionate obligation required under Union or national law in the context of investigations or subsequent judicial proceedings or to safeguard the freedoms of others including the right of defence of the concerned person, and in each case subject to appropriate safeguards under such laws.

3.The detailed description referred to in point (c) of paragraph 1 must be written in clear and easy to understand language and be easily accessible to the reporting persons.

Article 10

Information regarding the receipt of reports and their follow-up

Member States shall ensure that competent authorities publish on their websites in a separate, easily identifiable and accessible section at least the following information:

a)the conditions under which reporting persons qualify for protection under this Directive;

b)the communication channels for receiving and following-up the reporting:

i)the phone numbers, indicating whether conversations are recorded or unrecorded when using those phone lines;

ii)dedicated electronic and postal addresses, which are secure and ensure confidentiality, to contact the dedicated staff members;

c)the procedures applicable to the reporting of breaches referred to in Article 9;

d)the confidentiality regime applicable to reports, and in particular the information in relation to the processing of personal data in accordance with Article 13 of Regulation (EU) 2016/679, Article 13 of Directive (EU) 2016/680 and Article 11 of Regulation (EC) 45/2001, as applicable.

e)the nature of the follow-up to be given to reports;

f)the remedies and procedures available against retaliation and possibilities to receive confidential advice for persons contemplating making a report;

g)a statement clearly explaining that persons making information available to the competent authority in accordance with this Directive are not considered to be infringing any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and are not to be involved in liability of any kind related to such disclosure.

Article 11

Record-keeping of reports received

1.Member States shall ensure that competent authorities keep records of every report received.

2.Competent authorities shall promptly acknowledge the receipt of written reports to the postal or electronic address indicated by the reporting person, unless the reporting person explicitly requested otherwise or the competent authority reasonably believes that acknowledging receipt of a written report would jeopardise the protection of the reporting person’s identity.

3.Where a recorded telephone line is used for reporting, subject to the consent of the reporting person, the competent authority shall have the right to document the oral reporting in one of the following ways:

a)a recording of the conversation in a durable and retrievable form;

b)a complete and accurate transcript of the conversation prepared by the dedicated staff members of the competent authority.

The competent authority shall offer the possibility to the reporting person to check, rectify and agree the transcript of the call by signing it.

4.Where an unrecorded telephone line is used for reporting, the competent authority shall have the right to document the oral reporting in the form of accurate minutes of the conversation prepared by the dedicated staff members. The competent authority shall offer the possibility to the reporting person to check, rectify and agree with the minutes of the call by signing them.

5.Where a person requests a meeting with the dedicated staff members of the competent authority for reporting according to Article 7(2)(c), competent authorities shall ensure, subject to the consent of the reporting person, that complete and accurate records of the meeting are kept in a durable and retrievable form. A competent authority shall have the right to document the records of the meeting in one of the following ways:

a)a recording of the conversation in a durable and retrievable form;

b)accurate minutes of the meeting prepared by the dedicated staff members of the competent authority.

The competent authority shall offer the possibility to the reporting person to check, rectify and agree with the minutes of the meeting by signing them.

Article 12

Review of the procedures by competent authorities

Member States shall ensure that competent authorities review their procedures for receiving reports and their follow-up regularly, and at least once every two years. In reviewing such procedures competent authorities shall take account of their experience and that of other competent authorities and adapt their procedures accordingly.

CHAPTER IV

PROTECTION OF REPORTING AND CONCERNED PERSONS

Article 13

Conditions for the protection of reporting persons

1.A reporting person shall qualify for protection under this Directive provided he or she has reasonable grounds to believe that the information reported was true at the time of reporting and that this information falls within the scope of this Directive.

2.A person reporting externally shall qualify for protection under this Directive where one of the following conditions is fulfilled :

a)he or she first reported internally but no appropriate action was taken in response to the report within the reasonable timeframe referred in Article 5;

b)internal reporting channels were not available for the reporting person or the reporting person could not reasonably be expected to be aware of the availability of such channels;

c)the use of internal reporting channels was not mandatory for the reporting person, in accordance with Article 4(2);

d)he or she could not reasonably be expected to use internal reporting channels in light of the subject-matter of the report;

e)he or she had reasonable grounds to believe that the use of internal reporting channels could jeopardise the effectiveness of investigative actions by competent authorities;

f) he or she was entitled to report directly through the external reporting channels to a competent authority by virtue of Union law.

3.A person reporting to relevant bodies, offices or agencies of the Union on breaches falling within the scope of this Directive shall qualify for protection as laid down in this Directive under the same conditions as a person who reported externally in accordance with the conditions set out in paragraph 2.

4.A person publicly disclosing information on breaches falling within the scope of this Directive shall qualify for protection under this Directive where:

a)he or she first reported internally and/or externally in accordance with Chapters II and III and paragraph 2 of this Article, but no appropriate action was taken in response to the report within the timeframe referred to in Articles 6(2)(b) and 9(1)(b); or

b) he or she could not reasonably be expected to use internal and/or external reporting channels due to imminent or manifest danger for the public interest, or to the particular circumstances of the case, or where there is a risk of irreversible damage.

Article 14

Prohibition of retaliation against reporting persons

Member States shall take the necessary measures to prohibit any form of retaliation, whether direct or indirect, against reporting persons meeting the conditions set out in Article 13, including in particular in the form of:

a)suspension, lay-off, dismissal or equivalent measures;

b)demotion or withholding of promotion;

c)transfer of duties, change of location of place of work, reduction in wages, change in working hours;

d)withholding of training;

e)negative performance assessment or employment reference;

f)imposition or administering of any discipline, reprimand or other penalty, including a financial penalty;

g)coercion, intimidation, harassment or ostracism at the workplace;

h)discrimination, disadvantage or unfair treatment;

i)failure to convert a temporary employment contract into a permanent one;

j)failure to renew or early termination of the temporary employment contract;

k)damage, including to the person’s reputation, or financial loss, including loss of business and loss of income;

l)blacklisting on the basis of a sector or industry-wide informal or formal agreement, which entails that the person will not, in the future, find employment in the sector or industry;

m)early termination or cancellation of contract for goods or services;

n)cancellation of a licence or permit.

Article 15

Measures for the protection of reporting persons against retaliation

1.Member States shall take the necessary measures to ensure the protection of reporting persons meeting the conditions set out in Article 13 against retaliation. Such measures shall include, in particular, those set out in paragraphs 2 to 8.

2. Comprehensive and independent information and advice shall be easily accessible to the public, free of charge, on procedures and remedies available on protection against retaliation.

3.Reporting persons shall have access to effective assistance from competent authorities before any relevant authority involved in their protection against retaliation, including, where provided for under national law, certification of the fact that they qualify for protection under this Directive.

4.Persons reporting externally to competent authorities or making a public disclosure in accordance with this Directive shall not be considered to have breached any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and incur liability of any kind in respect of such disclosure.

5.In judicial proceedings relating to a detriment suffered by the reporting person, and subject to him or her providing reasonable grounds to believe that the detriment was in retaliation for having made the report or disclosure, it shall be for the person who has taken the retaliatory measure to prove that the detriment was not a consequence of the report but was exclusively based on duly justified grounds.

6.Reporting persons shall have access to remedial measures against retaliation as appropriate, including interim relief pending the resolution of legal proceedings, in accordance with the national framework.

7. In addition to the exemption from measures, procedures and remedies provided for in Directive (EU) 2016/943, in judicial proceedings, including for defamation, breach of copyright, breach of secrecy or for compensation requests based on private, public, or on collective labour law, reporting persons shall have the right to rely on having made a report or disclosure in accordance with this Directive to seek dismissal.

8.    In addition to providing legal aid to reporting persons in criminal and in cross-border civil proceedings in accordance with Directive (EU) 2016/1919 and Directive 2008/52/EC of the European Parliament and of the Council 63 , and in accordance with national law, Member States may provide for further measures of legal and financial assistance and support for reporting persons in the framework of legal proceedings.

Article 16

Measures for the protection of concerned persons

1.Member States shall ensure that the concerned persons fully enjoy the right to an effective remedy and to a fair trial as well as the presumption of innocence and the rights of defence, including the right to be heard and the right to access their file, in accordance with the Charter of Fundamental Rights of the European Union.

2.Where the identity of the concerned persons is not known to the public, competent authorities shall ensure that their identity is protected for as long as the investigation is ongoing.

3.The procedures set out in Articles 9 and 11 shall also apply for the protection of the identity of the concerned persons.

Article 17

Penalties

1.Member States shall provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons that:

a)hinder or attempt to hinder reporting;

b)take retaliatory measures against reporting persons;

c)bring vexatious proceedings against reporting persons;

d)breach the duty of maintaining the confidentiality of the identity of reporting persons.

2.Member States shall provide for effective, proportionate and dissuasive penalties applicable to persons making malicious or abusive reports or disclosures, including measures for compensating persons who have suffered damage from malicious or abusive reports or disclosures.

Article 18

Processing of personal data

Any processing of personal data carried out pursuant to this Directive, including the exchange or transmission of personal data by the competent authorities, shall be made in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680. Any exchange or transmission of information by competent authorities at Union level should be undertaken in accordance with Regulation (EC) No 45/2001. Personal data which are not relevant for the handling of a specific case shall be immediately deleted.

CHAPTER V

FINAL PROVISIONS

Article 19

More favourable treatment

Member States may introduce or retain provisions more favourable to the rights of the reporting persons than those set out in this Directive, without prejudice to Article 16 and Article 17(2).

Article 20

Transposition

1.Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 15 May 2021, at the latest. They shall forthwith communicate to the Commission the text of those provisions.

2.When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.

Article 21

Reporting, evaluation and review

1.Member States shall provide the Commission with all relevant information regarding the implementation and application of this Directive. On the basis of the information provided, the Commission shall, by 15 May 2023, submit a report to the European Parliament and the Council on the implementation and application of this Directive.

2.Without prejudice to reporting obligations laid down in other Union legal acts, Member States shall, on an annual basis, submit the following statistics on the reports referred to in Chapter III to the Commission, if they are available at a central level in the Member State concerned:

a)the number of reports received by the competent authorities;

b)the number of investigations and proceedings initiated as a result of such reports and their final outcome;

c) the estimated financial damage, if ascertained and the amounts recovered following investigations and proceedings related to the breaches reported.

3.The Commission shall, by 15 May 2027, taking into account its report submitted pursuant to paragraph 1 and the Member States’ statistics submitted pursuant to paragraph 2, submit a report to the European Parliament and to the Council assessing the impact of national law transposing this Directive. The report shall evaluate the way in which this Directive has operated and consider the need for additional measures, including, where appropriate, amendments with a view to extending the scope of this Directive to further areas or Union acts.

Article 22

Entry into force

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 23

Addressees

This Directive is addressed to the Member States.

Done at Brussels,

(1)    See Council of Europe Recommendation CM/Rec(2014)7 of 30 April 2014 on the protection of whistleblowers; Resolution 2171 (2017) of the Parliamentary Assembly of the Council of Europe of 27 June 2017.

(2)    Whistleblower protection standards are set out in international instruments and guidelines such as the 2004 UN Convention against Corruption, to which all Member States as well as the EU are parties; the G20 Anti-Corruption Action Plan; the OECD report of March 2016: ‘Committing to Effective Whistleblower Protection’.

(3)     http://ec.europa.eu/information_society/newsroom/image/document/2016-50/2016-fundamental-colloquium-conclusions_40602.pdf

(4)    Such as complaint mechanisms and statutory audits.

(5)    For more information see under ‘Subsidiarity’.

(6)    For more information see under ‘Consistency with existing policy provisions’.

(7)     http://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/Survey/getSurveyDetail/instruments/SPECIAL/surveyKy/2176

(8)     http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=54254

(9)    Milieu (2017), on ‘Estimating the economic benefits of whistleblower protection in public procurement’ https://publications.europa.eu/en/publication-detail/-/publication/8d5955bd-9378-11e7-b92d-01aa75ed71a1/language-en

(10)    2016/2224(INI) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2017-0402+0+DOC+XML+V0//EN and (2016/2055(INI) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A8-2017-0004+0+DOC+XML+V0//EN .

(11)     http://www.consilium.europa.eu/en/press/press-releases/2016/10/11-ecofin-conclusions-tax-transparency/

(12)    Such as Transparency International, Eurocadres, the European Public Service Union and the European Federation of Journalists.

(13)    C/2016/8600, OJ C 18, p. 10.

(14)    As listed in Article 1 of the proposal, with relevant acts also being listed in the Annex.

(15)    As outlined in its Action Plan for a greener and cleaner economy https://ec.europa.eu/info/sites/info/files/180308-action-plan-sustainable-growth_en.pdf

(16)    Communication of 5 July 2016 on further measures to enhance transparency and the fight against tax evasion and avoidance, COM(2016) 451.

(17)    Directive 2011/16/EU of 15 February 2011 on administrative cooperation in the field of taxation; Directive (EU) 2016/1164 of 12 July 2016 laying down rules against tax avoidance practices that directly affect the functioning of the internal market; Proposal for a Council Directive on a Common Consolidated Corporate Tax Base, COM/2016/0683 final — 2016/0336; Proposal for a Council Directive on a Common Corporate Tax Base, COM/2016/0685 final — 2016/0337.

(18)    Proposals for a Directive amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC, COM(2016) 450 final 2016/0208 (COD).

(19)     https://ec.europa.eu/commission/priorities/deeper-and-fairer-economic-and-monetary-union/european-pillar-social-rights/european-pillar-social-rights-20-principles_en

(20)    Directive 2006/54/EC of 5 July 2006 on the implementation of the principle of equal opportunities and equal treatment of men and women in matters of employment and occupation (recast); Directive 2004/113/EC of 13 December 2004 implementing the principle of equal treatment between men and women in the access to and supply of goods and services; Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation; Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin.

(21)    Directive 89/391/EC of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work, OJ L 183, 29.6.1989, p. 1; Autonomous framework agreements signed by the European social partners, respectively, on 26 April 2007 on harassment and violence at work and on  8 October 2004 on work-related stress.

(22)    Council Directive 89/391/ECC of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work, OJ L 183, 29.6.1989, p. 1 (Article 11).

(23)    Commission Communication on Safer and Healthier Work for All – Modernisation of the EU Occupational Safety and Health Legislation and Policy (COM(2017)12 final.

(24)    Council Regulation (EC, Euratom) No 723/2004 of 22 March 2004 amending the Staff Regulations of officials of the European Communities and the Conditions of Employment of other servants of the European Communities, OJ L 124, 27.4.2004, p. 1 (see Article 22 bis, ter et quater).

(25)    Not applicable.

(26)    See Annex 2 of the Impact Assessment for more details.

(27)    More than a quarter (26 %) of the 191 organisations taking part were NGOs, 22 % were business associations; 19 % trade unions; 13 % enterprises and 7 % public authorities.

(28)    See Annex 13 to the Impact Assessment for the report of the study. In Annex 14, methods, assumptions, sources and qualifications to the impact assessment can be found as well as country-by-country figures for the option assessment.

(29)    SEC(2018) 198.

(30)    SWD(2018) 116.

(31)    OJ C […], […], p. […].

(32)    OJ C […], […], p. […].

(33)    OJ C […], […], p. […].

(34)    Communication of 8.12.2010 "Reinforcing sanctioning regimes in the financial services sector".

(35)    Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

(36)    The body of relevant ‘Union harmonisation legislation’ is circumscribed and listed in Regulation [XXX] laying down rules and procedures for compliance with and enforcement of Union harmonisation legislation, 2017/0353 (COD).

(37)    Regulated by Directive (EC) 2001/95 of the European Parliament and of the Council, of 3 December 2001, on general product safety (OJ L 11, p. 4).

(38)    Regulation (EU) No 376/2014 of the European Parliament and of the Council, of 3 April 2014, on the reporting, analysis and follow-up of occurrences in civil aviation (OJ L 122, p. 18).

(39)    Directive 2013/54/EU, of the European Parliament and of the Council, of 20 November 2013, concerning certain flag State responsibilities for compliance with and enforcement of the Maritime Labour Convention (OJ L 329, p. 1), Directive 2009/16/EC of the European Parliament and of the Council, of 23 April 2009, on port State control (OJ L 131, p. 57).

(40)    COM(2018) 10 final.

(41)    Directive 2013/30/EU of the European Parliament and of the Council, of 12 June 2013, on safety of offshore oil and gas operations (OJ L 178, p. 66).

(42)    Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (OJ L 31, p. 1).

(43)    OJ L 84, p. 1

(44)    Council Directive 2014/87/Euratom of 8 July 2014 amending Directive 2009/71/Euratom establishing a Community framework for the nuclear safety of nuclear installations (OJ L 219, 25.7.2014, p. 42–52).

(45)    Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

(46)    Commission Notice on Immunity from fines and reduction of fines in cartel cases (OJ C 298/17, 8.12.2006); http://europa.eu/rapid/press-release IP-17-591 en.htm

(47)    Council Directive 2011/16/EU of 15 February 2011 on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC (as amended).

(48)    Council Directive (EU) 2016/1164 of 12 July 2016 laying down rules against tax avoidance practices that directly affect the functioning of the internal market (as amended); Proposal for a Council Directive on a Common Consolidated Corporate Tax Base, COM/2016/0683 final — 2016/0336; Proposal for a Council Directive on a Common Corporate Tax Base, COM/2016/0685 final — 2016/0337.

(49)    OJ L 173, p. 1.

(50)    Commission Implementing Directive (EU) 2015/2392 of 17 December 2015 on Regulation (EU) No 596/2014 of the European Parliament and of the Council as regards reporting to competent authorities of actual or potential infringements of that Regulation (OJ L 332, p. 126).

(51)    CM/Rec(2014)7.

(52)    Judgments of 3 July 1986, Lawrie-Blum, Case 66/85; 14 October 2010, Union Syndicale Solidaires Isère, Case C-428/09; 9 July 2015, Balkaya, Case C-229/14; 4 December 2014, FNV Kunsten, Case C-413/13; and 17 November 2016, Ruhrlandklinik, Case C-216/15.

(53)    Cited above.

(54)    Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, OJ L 122, p. 18.

(55)    Directive 2013/30/EU of the European Parliament and of the Council of 12 June 2013 on safety of offshore oil and gas operations and amending Directive 2004/35/EC.

(56)    Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

(57)    One of the criteria for determining whether retaliation against whistleblowers making public disclosures interferes with freedom of expression in a way which is not necessary in a democratic society, is whether the persons who made the disclosure had at their disposal alternative channels for making the disclosure; see, for instance, Guja v. Moldova [GC], no 14277/04, ECHR 2008.

(58)    Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).

(59)    Directive (EU) 2016/1919 of the European Parliament and of the Council of 26 October 2016 on legal aid for suspects and accused persons in criminal proceedings and for requested persons in European arrest warrant proceedings (OJ L 297 4.11.2016, p. 1).

(60)    Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(61)    OJ C ….

(62)    Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises OJ L 124, 20.5.2003, p. 36.

(63)    Directive 2008/52/EC of the European Parliament and of the Council of 21 May 2008 on certain aspects of mediation in civil and commercial matters (OJ L 136, 24.5.2008, p. 3).

EUROPEAN COMMISSION

Brussels,23.4.2018

COM(2018) 218 final

ANNEX

to the Proposal

for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the protection of persons reporting on breaches of Union law

{SWD(2018) 116 final}
{SWD(2018) 117 final}

ANNEX

Part I

A.Article 1(a)(i) – public procurement: 

1.Procedures for procurement relating to supplies contracts for defence products and supplies and services contracts for water, energy, transport and postal services and any other contract or service as regulated under Union legislation:

(i)Directive 2014/23/EU of the European Parliament and of the Council of 26 February 2014 on the award of concession contracts (OJ L 94, 28.3.2014, p. 1);

(ii)Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65);

(iii)Directive 2014/25/EU of the European Parliament and of the Council of 26 February 2014 on procurement by entities operating in the water, energy, transport and postal services sectors and repealing Directive 2004/17/EC (OJ L 94, 28.3.2014, p. 243);

(iv)Directive 2009/81/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of procedures for the award of certain works contracts, supply contracts and service contracts by contracting authorities or entities in the fields of defence and security, and amending Directives 2004/17/EC and 2004/18/EC (OJ L 216, 20.8.2009, p. 76).

2.Review procedures regulated by:

(i)Council Directive 92/13/EEC of 25 February 1992 coordinating the laws, regulations and administrative provisions relating to the application of Community rules on the procurement procedures of entities operating in the water, energy, transport and telecommunications sectors (OJ L 76, 23.3.1992, p. 14);

(ii)Council Directive 89/665/EEC of 21 December 1989 on the coordination of the laws, regulations and administrative provisions relating to the application of review procedures to the award of public supply and public works contracts (OJ L 395, 30.12.1989, p. 33).

B.Article 1(a)(ii) – financial services, prevention of money laundering and terrorist financing:

Rules establishing a regulatory and supervisory framework and consumer and investor protection in the Union financial services and capital markets, banking, credit, insurance and re-insurance, occupational or personal pensions, securities, investment funds, payment and investment advice and the services listed in Annex I to Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338), as regulated by:

(i)Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267, 10.10.2009, p. 7);

(ii)Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010 (OJ L 174, 1.7.2011, p. 1);

(iii)Regulation (EU) No 236/2012 of the European Parliament and of the Council of 14 March 2012 on short selling and certain aspects of credit default swaps (OJ L 86, 24.3.2012, p. 1);

(iv)Regulation (EU) No 345/2013 of the European Parliament and of the Council of 17 April 2013 on European venture capital funds (OJ L 115, 25.4.2013, p. 1);

(v)Regulation (EU) No 346/2013 of the European Parliament and of the Council of 17 April 2013 on European social entrepreneurship fund (OJ L 115, 25.4.2013, p. 18);

(vi)Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010 (OJ L 60, 28.2.2014, p. 34);

(vii)Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of public-interest entities and repealing Commission Decision 2005/909/EC (OJ L 158, 27.5.2014, p. 77);

(viii)Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84);

(ix)Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35);

(x)Directive 2004/25/EC of the European Parliament and of the Council of 21 April 2004 on takeover bids (OJ L 142, 30.4.2004, p. 12);

(xi)Directive 2007/36/EC of the European Parliament and of the Council of 11 July 2007 on the exercise of certain rights of shareholders in listed companies (OJ L 184, 14.7.2007, p. 17).

C.Article 1(a)(iii) – product safety:

1.General safety requirements of products placed in the Union market as defined and regulated by:

(i)Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety (OJ L 11, 15.1.2002, p. 4);

(ii)Union harmonisation legislation concerning manufactured products other than food, feed, medicinal products for human and veterinary use, living plants and animals, products of human origin and products of plants and animals relating directly to their future reproduction as listed in the Regulation XX laying down rules and procedures for compliance with and enforcement of Union harmonisation legislation 1 ;

(iii)Directive 2007/46/EC of the European Parliament and of the Council of 5 September 2007 establishing a framework for the approval of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles (Framework Directive) (OJ L 263, 9.10.2007, p. 1).

2.Marketing and use of sensitive and dangerous products, as regulated by:

(i)Directive 2009/43/EC of the European Parliament and of the Council of 6 May 2009 simplifying terms and conditions of transfers of defence-related products within the Community (OJ L 146, 10.06.2009, p. 1);

(ii)Council Directive 91/477/EEC of 18 June 1991 on control of the acquisition and possession of weapons (OJ L 256, 13.9.1991, p. 51);

(iii)Regulation (EU) No 258/2012 of the European Parliament and of the Council of 14 March 2012 implementing Article 10 of the United Nations’ Protocol against the illicit manufacturing of and trafficking in firearms, their parts and components and ammunition, supplementing the United Nations Convention against Transnational Organised Crime (UN Firearms Protocol), and establishing export authorisation, and import and transit measures for firearms, their parts and components and ammunition (OJ L 94, 30.3.2012, p. 1);

(iv)Regulation (EU) No 98/2013 of 15 January 2013 on the marketing and use of explosives precursors (OJ L 39, 9.2.2013, p. 1).

D.Article 1(a)(iv) – transport safety:

1.Safety requirements in the railway sector as regulated by Directive (EU) 2016/798 of the European Parliament and of the Council of 11 May 2016 on railway safety (OJ L 138, 26.5.2016, p. 102).

2.Safety requirements in the civil aviation sector as regulated by Regulation (EU) No 996/2010 of the European Parliament and of the Council of 20 October 2010 on the investigation and prevention of accidents and incidents in civil aviation and repealing Directive 94/56/EC (OJ L 295, 12.11.2010, p. 35).

3.Safety requirements in the road sector as regulated by:

(i)Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59);

(ii)Directive 2004/54/EC of the European Parliament and of the Council of 29 April 2004 on minimum safety requirements for tunnels in the Trans-European Road Network (OJ L 167, 30.4.2004, p. 39).

4.Safety requirements in the maritime sector as regulated by:

(i)Regulation (EC) No 391/2009 of the European Parliament and of the Council of 23 April 2009 on common rules and standards for ship inspection and survey organisations (Recast) (OJ L 131, 28.5.2009, p. 11);

(ii)Regulation (EC) 392/2009 of the European Parliament and of the Council of 23 April 2009 on the liability of carriers of passengers by sea in the event of accidents (OJ L 131, 28.5.2009, p. 24);

(iii)Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146);

(iv)Directive 2009/18/EC of the European Parliament and of the Council of 23 April 2009 establishing the fundamental principles governing the investigation of accidents in the maritime transport sector and amending Council Directive 1999/35/EC and Directive 2002/59/EC (OJ L 131, 28.5.2009, p. 114);

(v)Directive 2008/106/EC of the European Parliament and of the Council of 19 November 2008 on the minimum level of training of seafarers (OJ L 323, 3.12.2008, p. 33);

(vi)Directive 98/41/EC of 18 June 1998 on the registration of persons sailing on board passenger ships operating to or from ports of the Member States of the Community (OJ L 188, 2.7.1998, p.35);

(vii)Directive 2001/96/EC of the European Parliament and of the Council of 4 December 2001 establishing harmonised requirements and procedures for the safe loading and unloading of bulk carriers (OJ L 13, 16.1.2002, p. 9).

E.Article 1(a)(v) – protection of the environment:

(i)Any criminal offence against the protection of the environment as regulated by Directive 2008/99/EC of the European Parliament and of the Council of 19 November 2008 on the protection of the environment through criminal law (OJ L 328, 6.12.2008, p. 28) or any unlawful conduct infringing the legislation set out in the Annexes of the Directive 2008/99/EC;

(ii)Directive (EC) 2004/35 of the European Parliament and of the Council of 21 April 2004 on environmental liability with regard to the prevention and remedying of environmental damage (OJ L 143, 30.4.2004, p. 56);

(iii)Regulation of (EU) 995/2010 of the European Parliament and of the Council of 20 October 2010 laying down the obligations of operators who place timber and timber products on the market (OJ L 295, 12.11.2010, p. 23);

(iv)Directive 2009/123/EC of the European Parliament and of the Council of 21 October 2009 amending Directive 2005/35/EC on ship-source pollution and on the introduction of penalties for infringements (OJ L 280, 27.10.2009, p. 52);

(v)Regulation (EU) 2015/757 of the European Parliament and of the Council of 29 April 2015 on the monitoring, reporting and verification of carbon dioxide emissions from maritime transport, and amending Directive 2009/16/EC (OJ L 123, 19.5.2015, p. 55);

(vi)Regulation (EU) No 1257/2013 of the European Parliament and of the Council of 20 November 2013 on ship recycling and amending Regulation (EC) No 1013/2006 and Directive 2009/16/EC (OJ L 330, 10.12.2013, p. 1);

(vii)Regulation (EU) No 649/2012 of the European Parliament and of the Council of 4 July 2012 concerning the export and import of hazardous chemicals (OJ L 201, 27.7.2012, p. 60);

(viii)Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), establishing a European Chemicals Agency, amending Directive 1999/45/EC and repealing Council Regulation (EEC) No 793/93 and Commission Regulation (EC) No 1488/94 as well as Council Directive 76/769/EEC and Commission Directives 91/155/EEC, 93/67/EEC, 93/105/EC and 2000/21/EC (OJ L 396, 30.12.2006, p.1);

(ix)Directive (EU) 2015/2193 of the European Parliament and of the Council of 25 November 2015 on the limitation of emissions of certain pollutants into the air from medium combustion plants (OJ L 313, 28.11.2015, p. 1).

F.Article 1(a)(vi) – nuclear safety

Rules on nuclear safety as regulated by:

(i)Council Directive 2009/71/Euratom of 25 June 2009 establishing a Community framework for the nuclear safety of nuclear installations (OJ L 172, 2.7.2009, p. 18);

(ii)Council Directive 2013/51/Euratom of 22 October 2013 laying down requirements for the protection of the health of the general public with regard to radioactive substances in water intended for human consumption (OJ L 296, 7.11.2013, p. 12);

(iii)Council Directive 2013/59/Euratom of 5 December 2013 laying down basic safety standards for protection against the dangers arising from exposure to ionising radiation, and repealing Directives 89/618/Euratom, 90/641/Euratom, 96/29/Euratom, 97/43/Euratom and 2003/122/Euratom (OJ L 13, 17.1.2014, p. 1);

(iv)Council Directive 2011/70/Euratom of 19 July 2011 establishing a Community framework for the responsible and safe management of spent fuel and radioactive waste (OJ L 199, 2.8.2011, p. 48);

(v)Council Directive 2006/117/Euratom of 20 November 2006 on the supervision and control of shipments of radioactive waste and spent fuel (OJ L 337, 5.12.2006, p. 21).

G.Article 1(a)(vii) – food and feed safety, animal health and animal welfare:

1.Union food and feed law governed by the general principles and requirements as defined by Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (OJ L 31, 1.2.2002, p. 1).

2.Animal health as regulated by Regulation (EU) 2016/429 of the European Parliament and of the Council of 9 March 2016 on transmissible animal diseases and amending and repealing certain acts in the area of animal health (‘Animal Health Law’) (OJ L 84, 31.3.2016, p. 1).

3.Regulation (EU) 2017/625 of the European Parliament and of the Council of 15 March 2017 on official controls and other official activities performed to ensure the application of food and feed law, rules on animal health and welfare, plant health and plant protection products, amending Regulations (EC) No 999/2001, (EC) No 396/2005, (EC) No 1069/2009, (EC) No 1107/2009, (EU) No 1151/2012, (EU) No 652/2014, (EU) 2016/429 and (EU) 2016/2031 of the European Parliament and of the Council, Council Regulations (EC) No 1/2005 and (EC) No 1099/2009 and Council Directives 98/58/EC, 1999/74/EC, 2007/43/EC, 2008/119/EC and 2008/120/EC, and repealing Regulations (EC) No 854/2004 and (EC) No 882/2004 of the European Parliament and of the Council, Council Directives 89/608/EEC, 89/662/EEC, 90/425/EEC, 91/496/EEC, 96/23/EC, 96/93/EC and 97/78/EC and Council Decision 92/438/EEC (Official Controls Regulation) (OJ L 95, 7.4.2017, p. 1).

4.Protection of animal welfare as regulated by:

(i)Council Directive 98/58/EC of 20 July 1998 concerning the protection of animals kept for farming purposes (OJ L 221, 8.8.1998, p. 23);

(ii)Council Regulation (EC) No 1/2005 of 22 December 2004 on the protection of animals during transport and related operations and amending Directives 64/432/EEC and 93/119/EC and Regulation (EC) No 1255/97 (OJ L 3, 5.1.2005, p. 1);

(iii)Council Regulation (EC) No 1099/2009 of 24 September 2009 on the protection of animals at the time of killing (OJ L 303, 18.11.2009, p. 1).

H.Article 1(a)(viii) – public health:

1.Measures setting high standards of quality and safety of organs and substances of human origin, as regulated by:

(i)Directive 2002/98/EC of the European Parliament and of the Council of 27 January 2003 setting standards of quality and safety for the collection, testing, processing, storage and distribution of human blood and blood components and amending Directive 2001/83/EC (OJ L 33, 8.2.2003, p. 30);

(ii)Directive 2004/23/EC of the European Parliament and of the Council of 31 March 2004 on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells (OJ L 102, 7.4.2004, p. 48);

(iii)Directive 2010/45/EU of the European Parliament and of the Council of 7 July 2010 on standards of quality and safety of human organs intended for transplantation (OJ L 207, 6.8.2010, p. 14).

2.Measures setting high standards of quality and safety for medicinal products and devices of medical use as regulated by:

(i)Regulation (EC) No 141/2000 of the European Parliament and of the Council of 16 December 1999 on orphan medicinal products (OJ L 18, 22.1.2000, p. 1);

(ii)Directive 2001/83/EC of 6 November 2001 on the Community code relating to medicinal products for human use (OJ L 311, 28.11.2001, p. 67);

(iii)Directive 2001/82/EC of the European Parliament and of the Council of 6 November 2001 on the Community code relating to veterinary medicinal products (OJ L 311 , 28.11.2001 p.1);

(iv)Regulation (EC) 726/2004 of the European Parliament and of the Council of 31 March 2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency (OJ L 136, 30.4.2004, p. 1);

(v)Regulation (EC) No 1901/2006 of the European Parliament and of the Council of 12 December 2006 on medicinal products for paediatric use and amending Regulation (EEC) No 1768/92, Directive 2001/20/EC, Directive 2001/83/EC and Regulation (EC) No 726/2004 (OJ L 378, 27.12.2006, p. 1);

(vi)Regulation (EC) 1394/2007 of the European Parliament and of the Council of 13 November 2007 on advanced therapy medicinal products and amending Directive 2001/83/EC and Regulation (EC) No 726/2004 (OJ L 324, 10.12.2007, p. 121);

(vii)Regulation (EU) 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (OJ L 158, 27.5.2014, p. 1).

3.Serious cross-border threats to health as regulated by Decision No 1082/2013/EU of the European Parliament and of the Council of 22 October 2013 on serious cross-border threats to health and repealing Decision No 2119/98/EC (OJ L 293, 5.11.2013, p. 1).

4.Patients’ rights as regulated by Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).

5.Manufacture, presentation and sale of tobacco and related products regulated by Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014 on the approximation of the laws, regulations and administrative provisions of the Member States concerning the manufacture, presentation and sale of tobacco and related products and repealing Directive 2001/37/EC (OJ L 127, 29.4.2014, p. 1).

I.Article 1(a)(ix) – consumer protection:

Consumer rights and consumer protection as regulated by:

(i)Directive 98/6/EC of the European Parliament and of the Council of 16 February 1998 on consumer protection in the indication of the prices of products offered to consumers (OJ L 80, 18.3.1998, p. 27);

(ii)Directive 1999/44/EC of the European Parliament and of the Council of 25 May 1999 on certain aspects of the sale of consumer goods and associated guarantees (OJ L 171, 7.7.1999, p. 12);

(iii)Directive 2002/65/EC of the European Parliament and of the Council of 23 September 2002 concerning the distance marketing of consumer financial services and amending Council Directive 90/619/EEC and Directives 97/7/EC and 98/27/EC (OJ L 271, 9.10.2002, p. 16);

(iv)Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22);

(v)Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66);

(vi)Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ L 304, 22.11.2011, p. 64);

(vii)Directive 2014/92/EU of the European Parliament and of the Council of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (OJ L 257, 28.8.2014, p. 214).

J.Article 1(a)(x) –protection of privacy and personal data, and security of network and information systems:

(i)Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37);

(ii)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1);

(iii)Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

Part II

Article 1(2) of the Directive refers to the following Union legislation:

A.Article 1(a)(ii) – financial services, prevention of money laundering and terrorist financing:

1.Financial services:

(i)Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (OJ L 302, 17.11.2009, p. 32);

(ii)Directive (EU) 2016/2341 of the European Parliament and of the Council of 14 December 2016 on the activities and supervision of institutions for occupational retirement provision (IORPs) (OJ L 354, 23.12.2016, p. 37);

(iii)Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC (OJ L 157, 9.6.2006, p. 87);

(iv)Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (OJ L 173, 12.6.2014, p. 1);

(v)Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338);

(vi)Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349);

(vii)Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1);

(viii)Regulation (EU) No 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs) (OJ L 352, 9.12.2014, p. 1);

(ix)Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse and amending Regulation (EU) No 648/2012 (OJ L 337, 23.12.2015, p. 1);

(x)Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast) (OJ L 26, 2.2.2016, p. 19);

(xi)Regulation (EU) No 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market (OJ L 168, 30.6.2017, p. 12).

2.Prevention of money laundering and terrorist financing:

(i)Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73);

(ii)Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).

B.Article 1(a)(iv) – transport safety:

(i)Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Commission Regulations (EC) No 1321/2007 and (EC) No 1330/2007 (OJ L 122, 24.4.2014, p. 18);

(ii)Directive 2013/54/EU of the European Parliament and of the Council of 20 November 2013 concerning certain flag State responsibilities for compliance with and enforcement of the Maritime Labour Convention, 2006 (OJ L 329, 10.12.2013, p. 1);

(iii)Directive 2009/16/EC of the European Parliament and of the Council of 23 April 2009 on port State control (OJ L 131, 28.5.2009, p. 57).

C.Article 1(a)(v) – protection of the environment:

(i)Directive 2013/30/EU of the European Parliament and of the Council of 12 June 2013 on safety of offshore oil and gas operations and amending Directive 2004/35/EC (OJ L 178, 28.6.2013, p. 66).

(1)    2017/0353 (COD) - This is currently a Proposal for a Regulation laying down rules and procedures for compliance with and enforcement of Union harmonisation legislation on products and amending Regulations (EU) No 305/2011, (EU) No 528/2012, (EU) 2016/424, (EU) 2016/425, (EU) 2016/426 and (EU) 2017/1369 of the European Parliament and of the Council, and Directives 2004/42/EC, 2009/48/EC, 2010/35/EU, 2013/29/EU, 2013/53/EU, 2014/28/EU, 2014/29/EU, 2014/30/EU, 2014/31/EU, 2014/32/EU, 2014/33/EU, 2014/34/EU, 2014/35/EU, 2014/53/EU, 2014/68/EU and 2014/90/EU of the European Parliament and of the Council containing a definition of “EU harmonised legislation” and listing in the Annex with all the harmonised legislation and refer to “harmonised products” in general terms.