The Directive (EU) 2019/1937 on the Protection of Persons Who Report Breaches of Union Law (EU Whistleblower Directive), hereinafter “the Directive”, was adopted on 23 October 2019 and has a transposition deadline of 17 December 2021 (with the exception of the obligation to establish internal reporting channels with a further two-year extended deadline), with the aim of ensuring a harmonised framework at national level, provided the current fragmentation in whistleblower protection across the EU. Currently, only about ten member states have a comprehensive legislative framework. In the case of Cyprus, at the time of writing, the Directive has not yet been transposed, but the Ministry of Justice and Public Order is in the process of drafting the relevant proposed bill. Nevertheless, Cyprus law does provide some piecemeal protection in the fields of the civil service, corruption and bribery offences, competition law, and termination of employment, without however any established reporting channels.
Given the frequency of threats, intimidation and discrimination encountered by whistleblowers, particularly in employment, and the fact that persons who work for a public or private organisation are often the first to know about threats or harm to the public interest, as explicitly mentioned in therein, the Directive is intended to offer protection to persons reporting breaches of Union law. This covers a number of critical areas including public procurement, financial services, consumer protection, public health, protection of the environment, animal welfare, the security of network and information systems, data privacy, money laundering, as well as breaches affecting the financial interests of the Union, the internal market (including competition and state aid), and corporate tax law. Member States may extend this protection to further fields under national law. This protection is available to reporting persons working (or that worked in the past) in the private or public sector who acquired information on breaches in a work-related context, as well as persons facilitating such whistleblowing, provided that they had reasonable grounds to believe that the information on breaches reported was true at the time and reported that information either internally or externally or made a public disclosure.
Indicatively, the Directive requires the establishment of safe channels for reporting both within an organisation and to public authorities and requires national authorities to inform citizens and provide training for public authorities on how to deal with whistleblowers. In addition, companies in the private sector are required to set up channels and procedures for internal reporting and follow-up if they have 50 or more employees. As far as the public sector is concerned, governmental and local administrative entities such as municipalities also have to set up reporting channels and internal reporting procedures. However, municipalities with fewer than 10,000 inhabitants or fewer than 50 workers or other qualifying entities are exempt from the above obligations.