Whistleblowing serves to disclose wrongdoings or corruption with long history in number of democratic countries all over the world. For many years it is a mandatory obligation of private companies operating in different sectors, having certain number of employees and/or are listed in most of the stock-exchanges to provide strong mechanisms for whistleblowing reporting and protection.

However, this is not exactly the case in EU. Number of researches on the local legislations of the EU countries prior to the adoption of Directive EU 2019/1937 of the European Parliament and of the Council of 23rd of October 2019 on the protection of persons who report breaches of Union law (“Directive 2019/1937” or the “Directive”) show that not all of the Member States have sufficient (or any) legislative measures to ensure effective reporting and protection of the whistleblowers. As it is underlined in the Preamble of the Directive, most of the local legislations are “fragmented” and “uneven across policy areas”.

On the other hand, it is evident that the fight with corruption, bribery, financial frauds and other wrongdoings affecting the public interest are a top priority for the EU.

As a result, in 2019 European Parliament and the Council adopted Directive 2019/1937 aiming harmonization of the Member States’ legislation on this very important topic.

The Member States have a two-year period for the transposition of the Directive into their local legislations and this period almost expired but the big picture how Member States will implement the Directive is still missing. Some of the general purposes and rules are discussed below and we hope that soon we will be able to provide you with an informative comparison on how the new rules will be implemented in practice in each EU country.


       I. What is the main aim of these legislative changes?

The primary aim of the Directive is to provide for minimum standards that would ensure sufficient protection to the whistleblowers and encourage them to undertake actions and report wrongdoings.

The main focus of the Directive concerns breaches of the Union law. However, the Member States have the freedom to further expand its effect to breaches of their national legislations and by this to ensure a more complex and methodical protection to whistleblowers.

In any case, the initiative for creating and providing an overall and cross-border orientated whistleblowers protection is expected to positively influence the whistleblowers in EU and make the idea of speaking on wrongdoings more susceptible to the general public.

       II. Key points of the Directive

A) Covered areas

The main areas where breaches are expected to lead to considerable harm of the public interest according to the Directive are:

  • Public procurement;
  • Financial services, products and markets, as well as prevention of money laundering and terrorist financing;
  • Product, food and transport safety;
  • Environmental protection, radiation protection and nuclear safety;
  • Public health and consumer protection;
  • Privacy and personal data protection;
  • Breaches related to the financial interests of the Union or to the internal markets falling under the scope of the Directive, etc.

B) Who is protected under the Directive?

The Directive offers protection to “reporting persons working in the private or public sector” (the so-called whistleblowers) who gained information on breaches in work-related context, such as:

  • persons having the status of workers, civil servants where protection is given during the employment or even during recruitment process and other pre-contractual negotiations;
  • self-employed persons;
  • shareholders and persons belonging to the administrative, managing or supervising body of an undertaking as well as non-executive members, volunteers and paid or unpaid trainees;
  • anyone working under the supervision and direction of contractors, subcontractors and suppliers.

In addition, the Directive attempts to offer a more intact protection. It allows the measures for protection, if applicable, to be available also for facilitators and third persons connected to the reporting persons who might become a retaliation target in work-related context (e.g. relatives or colleagues or even legal entities that the reporting person owns, works for or is otherwise connected to in a work-related context).

C) Requirements for protection of reporting persons

One of the big issues raised as a result of the use of whistleblowing reporting channels is the assessment of the accuracy of the filed reports. With this regards the Directive provides protection to reporting persons only if:

  • they had reasonable grounds to believe that the reported information on breaches was true at the time of the reporting and that such information falls under the scope of the Directive; and
  • the reporting has been done either internally or externally, or via public disclosure, as defined under the Directive.

However, it is interesting to point out that the Directive does not impose a requirement for the reporting person to act in good faith, but rather ties the reporting to the existence of ‘reasonable grounds’. No definition for ‘reasonable ground’ is given in the Directive, which means that its defining is left to the Member States’ discretion.

Another important point is that as per the Directive the burden of proof for an actual violation is lifted from the reporting person, should they have had reasons to believe that the reported information was truthful at the time of the reporting.

D) Reporting mechanisms and manner of reporting

According to the Directive there are three reporting mechanisms:

Internal reporting ⇔ External reporting ⇔ Public disclosure

The methods for reporting can be:

  • in writing
  • verbally
  • via phone
  • personal meeting

In general, the Directive favours the internal reporting requiring the Member States to encourage reporting through internal channels before reporting through external channels.

The reporting channels should adhere to specific standards set forth in the Directive and should be able to provide protection over the identity of the reporting person as well as to any other person related to them or the reporting itself. The reporting channels can be operated internally by the company or externally by a specifically appointed third party.

It is quite important to be noted that the reporting procedures and channels should be also in compliance with the GDPR (also with top priority for the Union). This makes the implementation of the whistleblowing policies and rules a hard and complex task. In July 2016 the Article 29 Working Party (the EU body dealing with issues relating to the protection of privacy and personal data until 25 May 2018) issued Guidance on Whistleblowing giving more detailed guidelines how this compliance could be reached. In the end of 2019 the new data protection authority issued updated version of these guidelines. This requires the whistleblowing policy and reporting channels to be created and implemented after making a specific and detailed analysis preferably with the assistance of professional advisors ensuring compliance of all applicable rules.

       III. Progress in Bulgaria so far

A working group with the Ministry of Justice was established in January 2020. The group’s task is to analyze the legislation in force and assess the possibilities for statutory amendments in order to facilitate the transposition of the Directive. Further, there was a larger discussion whether the Directive should be implemented via a specific new legislative act, or amendments to the existing statutory should be preferred.

Legislative initiative was undertaken through the embedding of key principals of the Directive into the National Strategy for preventing and countering Corruption, which was adopted with Resolution № 235 of the Council of Ministers as of 19.03.2021.

       IV. Term for implementation

  • By the 17th of December 2021 the Member States should complete the legislation implementation of the Directive;
  • By the 17th of December 2023 legislative provisions for the establishing of internal reporting channel in legal entities in the private sector with 50 or more employees should be provided.

       V. General advice to the business

Although there is no specific act or said legislation adopted as of now, the business can undertake some preliminary actions in order to ease the forthcoming compliance. Such actions can vary from detecting running processes in the company and possible weaknesses to reviewing and assessing organisational and technical options for the establishment of internal reporting channels which comply with the GDPR.

The Directive concerns both the public and the private sector and will inevitably have a significant impact on a lot of businesses, public authorities, governing institutions, etc. obliging the latter to make quite a lot of changes in order to be compliant with the whistleblower protection related requirements. The good news is that there are number of multinational companies in Bulgaria who have such policies and reporting channels already and they may give a good example to all the others who will face this for the first time.

In case you need more information please contact us:

+359 (0)2 943 4350

Vesela Kabatliyska – Partner


Sofia Dimitrova – Associate

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.