EU Directive 2019/1937 requires your company to have an internal reporting channel. Are you compliant?
Fines for non-compliance vary by country — up to €1,000,000. WhistleBox — secure reporting channel, operational in 5 minutes. From €39/month. Everything included.
What does the law say?
EU Directive 2019/1937 on the protection of persons who report breaches of Union law requires all public and private entities with 50 or more employees to implement a secure internal reporting channel through which employees, contractors, suppliers, and other persons can report breaches of law confidentially and, at their choice, anonymously.
Penalties for non-compliance are significant and vary by country: up to €1,000,000 in Spain, €500,000 in Greece, €250,000 in Ireland (plus criminal sanctions), €60,000 in France, €50,000 in Germany and Italy. All 27 EU member states have transposed the directive into national law. Additional sanctions apply for retaliation against whistleblowers or obstruction of reports.
The directive requires acknowledgment of receipt within 7 calendar days and feedback on actions taken within a maximum of 3 months. The channel must allow reporting in writing and orally. From 2 August 2026, the EU Whistleblower Protection Directive will explicitly cover reporting of breaches of the EU Artificial Intelligence Regulation (AI Act).
Each EU member state has designated an external reporting authority. Whistleblowers may choose to report internally (through the company channel), externally (to the designated authority), or, in justified cases, publicly.
Who is required to comply?
All private legal entities with a minimum of 50 employees.
All public legal entities, regardless of the number of employees.
Entities in regulated sectors (financial services, transport safety, environmental protection, food safety, consumer protection) — regardless of the number of employees.
Entities with fewer than 50 employees operating in high-risk areas, as determined by national risk assessments.
Companies with 50 to 249 employees may share the internal reporting channel with other entities, provided all legal obligations are met.
How does it work?
1. Create your account
Free registration, configure your company logo, reporting categories, and language. Takes under 5 minutes. No IT intervention.
2. Share with employees
Share the unique link, QR code, or embed the widget on your intranet. Employees can report immediately — confidentially or anonymously.
3. Manage reports
Receive notifications, communicate securely with the reporter, investigate and document — all with complete audit trail and automatic deadline tracking.
What does WhistleBox include?
Confidential and anonymous reporting
Employees can report confidentially or, at their choice, anonymously. The reporter's identity is protected through end-to-end encryption. No one — not even the WhistleBox team — can access report contents.
Written and oral reporting
In compliance with EU Directive requirements (Art. 9), WhistleBox enables reporting in writing (secure form) and orally (anonymized voice messages). Both channels are legally required.
AI Anonymization
Before submitting a report, artificial intelligence scans the text and highlights information that could reveal the reporter's identity — names, dates, department references. The reporter decides whether to modify or keep them.
Case management with audit trail
Every action is logged in an immutable register: report receipt, assignment, investigation, resolution. The complete audit trail is available for inspections and compliance audits.
Automatic deadline tracking
WhistleBox automatically tracks legal deadlines: 7 days for acknowledgment of receipt and 3 months for providing feedback. You receive automatic notifications when deadlines approach.
AI Triage
Artificial intelligence automatically classifies each report by category (fraud, harassment, safety, discrimination, AI Act breach) and urgency level. The AI suggestion assists the compliance team — the final decision remains human.
Encrypted two-way communication
The dialogue between the reporter and the designated person takes place through a secure E2E channel. The reporter can provide additional details without revealing their identity.
Analytics and export
Dashboard with statistics: number of reports, average resolution time, frequent categories, trends. PDF/CSV export for compliance reports and management presentations.
Setup in 5 minutes
Configure your logo, reporting categories, and language. Share the link or QR code with employees. No IT intervention, no implementation project, no consultants.
AI Act ready
From 2 August 2026, the EU Whistleblower Protection Directive explicitly covers reporting of breaches of the Artificial Intelligence Regulation. WhistleBox includes dedicated categories for AI risks: bias, discrimination, lack of transparency, health and safety risks.
Artificial intelligence included
WhistleBox is the only whistleblowing platform with AI included in all plans, from €39/month.
AI Anonymization
Automatically detects information that could reveal the reporter's identity and suggests rephrasing — before the report is submitted.
AI Triage
Automatically classifies reports by category and urgency level. Assists the compliance team — the final decision remains human.
AI Summary
Generates 2-3 sentence summaries for lengthy reports. Accelerates case review without losing essential details.
Enterprise-grade security
WhistleBox is ISO 27001 certified — the international standard for information security management. The platform is hosted exclusively in the European Union (Frankfurt, Germany).
End-to-end (E2E) encryption ensures that only the persons designated by the company can read report contents. Not even the WhistleBox team has access to your data. Metadata is automatically stripped from uploaded files. IP addresses are not collected.
Ready for EU AI Act
From 2 August 2026, the EU Whistleblower Protection Directive (2019/1937) explicitly covers reporting of breaches of the EU Artificial Intelligence Regulation (Regulation 2024/1689).
This means employees, contractors, and collaborators can anonymously report AI-related risks — bias, discrimination, lack of transparency, health or safety risks, failure to meet documentation requirements — through channels legally protected against retaliation.
The European Commission has already launched an external reporting instrument for the AI Act. But companies also need an internal channel. WhistleBox includes dedicated categories for reporting AI risks.
Plans & Pricing
Start for free. Upgrade as you grow.
| Plan | Price |
|---|---|
| Starter | Free |
| Pro | €49/mo |
| Business | €149/mo |
| Enterprise | Contact |
How does WhistleBox compare?
All data is public and verifiable on competitors' websites.
| Feature | WhistleBox | Formalize Core | FaceUp Starter |
|---|---|---|---|
| Starting price | Free / from €49/mo | From €149/mo | From $199/mo |
| Everything included | Yes | Yes | Limited |
| AI features | Included | No | No |
| AI Act ready | Yes | No | No |
| Setup time | 5 minutes | 20-45 minutes | 5 minutes |
| Oral reporting (voice) | Included | Included | Included |
| ISO 27001 | Yes | Yes | Yes |
| Balkan languages (RO, HR, BG) | Yes | No | No |
FaceUp uses Claude AI at $199/mo. Formalize has no AI features.
Frequently asked questions
Are we compliant with EU Directive 2019/1937 if we use WhistleBox?
How long does setup take?
What is the difference between plans?
Our company has fewer than 50 employees. Do we need a reporting channel?
Is reporting anonymous?
What happens with our data?
Can we try it for free?
What is AI Anonymization?
Does WhistleBox cover the EU AI Act?
Can I cancel my subscription?
Partnership for law firms and consultants
Recommend WhistleBox to your clients and receive a recurring commission of 20-30% of the subscription, for as long as the client remains active.
Dedicated partner dashboard: track referred clients, commissions, and account status. Sales materials and co-branding available. Zero costs or obligations.
Become a partner — Apply now →
Don't risk fines. Be compliant today.
WhistleBox — secure reporting channel, compliant with EU Directive 2019/1937. ISO 27001. E2E encrypted. AI included. Operational in 5 minutes.
Start free — 14 days, no card
14 days free · No credit card · 5-minute setup
Get in touch
Have a question or want to learn more? Send us a message and we'll get back to you within 24 hours.