





















This page aims to provide an overview of the EU Whistleblowing Directive (2019) and how it relates to the EU AI Act, as well as provide useful resources for potential whistleblowers.
This resource was put together by Santeri Koivula, an EU Fellow at the Future of Life Institute, and Karl Koch, founder of the AI Whistleblower Initiative.
Coming up in this post:
Whistleblowing plays an important role in identifying violations of law in companies that would otherwise remain hidden. This is especially true in the case of artificial intelligence, where the rapid development of technology makes regulation difficult to keep up. Consequently, policymakers often operate with limited information. Whistleblowing can help fill this information gap, as insiders in companies are uniquely positioned to detect issues that are not readily observable externally. In a recent study, whistleblower protections were listed as one of the most effective interventions for mitigating AI risks. The effectiveness of whistleblowing has been documented in other industries. In the United States, the Securities and Exchange Commission’s Whistleblower Program has enabled the recovery of over US$6.3 billion in monetary sanctions since its launch in 2010.
To protect whistleblowers from adverse consequences connected to their speaking up, in 2019 the European Union adopted the Whistleblowing Directive, which mandates Member States to implement strong laws prohibiting retaliation against whistleblowers. It requires companies to establish internal reporting channels and Member States to set up external reporting channels through designated public authorities. The Directive also allows whistleblowers in certain cases to report directly to the media or the public. This option, though, has been transposed differently in each Member State, often with restrictions that make it an option of last resort.
This post provides an overview of the Whistleblowing Directive and how its provisions relate to the EU AI Act. It also offers practical advice to potential whistleblowers, such as appropriate reporting channels.
From 2nd August 2026 onward, the EU Whistleblowing Directive will explicitly cover reporting violations of the EU AI Act. This means that if you’re in any professional relationship with a company covered by the EU AI Act, and your relationship is governed by EU law, you are protected when reporting violations. For instance, an employee at a general-purpose AI (GPAI) provider could safely report that a GPAI model with systemic risk has inadequate cybersecurity protection, violating Article 55 of the Act.
However, as the Whistleblowing Directive does not currently cover violations specific to the AI Act, there remains uncertainty regarding the exact scope of reportable AI-related issues today. Further, there are some issues that will remain unclear after violations of the AI Act are covered. Namely, it is unclear whether risks arising solely from internal deployment would qualify for protection.
Nevertheless, even before 2nd August 2026, whistleblowers may already benefit from protections if reporting AI-related concerns under other categories like product safety, consumer protection, or data protection that are already within the Directive’s scope.
Our goal is to build the most useful, authoritative, and comprehensive guide to the AI Act anywhere on the internet. We’ll never put this behind a paywall or use it to sell you a service. We do this because we think good AI governance matters, and that means making authoritative guidance genuinely accessible.
If you want to help us out, please consider contributing a guest post to help others understand and navigate the Act, or send your ideas and feedback for the website to me (Taylor, Design & Web Manager) at: websites@futureoflife.org. To stay up-to-date, subscribe to our bi-weekly AI Act newsletter, the world’s most trusted regular AI Act publication with over 50,000+ subscribers. We’ve published over 100 updates since 2022.
This website is built and maintained by the Future of Life Institute — the world’s oldest and largest nonprofit working for the responsible development of AI.
The EU Whistleblowing Directive was adopted to establish comprehensive whistleblower protections across the EU Member States. Initially approved in 2019, it requires all Member States to transpose its provisions into national law by December 2021. As of July 2025, all Member States have adopted the law on paper. However, the European Commission has not yet reviewed and confirmed that these national laws fully comply with the Directive’s standards. Until this confirmation, legal uncertainty remains regarding the extent to which the Directive’s protections are enforceable in some Member States.
Indeed, implementation issues remain. A 2024 report by the European Commission states that the transposition in several Member States needs to be improved in areas such as the material scope and the measures of protection against retaliation. Given this legal uncertainty, those considering a report may benefit from seeking guidance, as the provisions of the Directive are not satisfied in each Member State. Several organisations listed at the end of this post offer support and legal advice.
The Whistleblowing Directive establishes clear reporting channels and protections for reporting misconduct. It applies to a wide range of areas such as public procurement, financial services, environmental protection, and from August 2026, violations related to the EU AI Act, although there may be a lag in implementation in different Member States. The Directive protects whistleblowers across various types of professional relationships, including employees, part-time workers, contractors, and suppliers.
The Directive rests on a straightforward principle: protection from retaliation is afforded to Covered Persons who report on violations of the EU law through appropriate channels. Below, we expand on these protections in detail.
The Directive prohibits any action triggered by a report that causes unjustified detriment to the whistleblower. This includes dismissal, suspension, demotion, withholding of promotion, transfer of duties, change of workplace location, reduction in wages, disciplinary measures, coercion, intimidation, harassment, discrimination, and damage to reputation.
Crucially, the burden of proof shifts to the employer to demonstrate that any adverse action was not related to the whistleblowing. If retaliation is found, remedies include reinstatement and full back pay, with some countries offering additional damages.
Protection applies to anyone who gained information in a professional context. This includes at least the following:
Protection also extends to facilitators who assist the whistleblower in the reporting process, and third persons connected with the whistleblower such as colleagues and relatives who might face retaliation. However, only natural persons qualify as facilitators, meaning support organisations themselves are not covered.
The professional relationship must be governed by EU law. This means that if you are based in the EU but under a non-EU contract, you are still covered when reporting EU law violations. Similarly, if you are based outside the EU but under an EU employment contract, you are also covered. Citizenship is not relevant to protection status.
From August 2026, any suspected violation of the EU AI Act will be covered under the Whistleblowing Directive. Currently, the Directive covers violations in areas such as public procurement, financial services, prevention of money laundering and terrorist financing, product safety, transport safety, environmental protection, nuclear safety, food and feed safety, public health, consumer protection, privacy and data protection, and security of network and information systems. Consequently, some activities related to AI may already fall within its scope, particularly concerning product safety, consumer protection, privacy and personal data, and information security.
Importantly, whistleblower protections do not depend on whether the resulting investigation confirms an actual violation of a law. Rather, whistleblowers are protected if they had reasonable cause to believe the information was true at the time of reporting and constituted a violation covered under the Directive. The “spirit of the law” is also covered, meaning attempts to circumvent the letter of the law are also reportable violations.
Certain exceptions apply to what can be reported under the Directive. National security matters are excluded, particularly reports of breaches involving defense or security procurement covered by Article 346 TFEU, which is subject to strict interpretation under EU case law. Trade secrets may be disclosed only if necessary to expose a violation and if doing so serves the public interest. Additionally, the Directive does not override confidentiality protections, such as confidential communications between a lawyer and their client.
Under the Whistleblowing Directive, individuals can choose freely between internal reporting channels within their organisation, external reporting channels managed by public authorities, or both in parallel. There is no requirement to wait for an internal process to conclude before turning to external reporting. Under certain circumstances, whistleblowers may also directly disclose their information publicly.
Internal reporting channels are established directly by companies and are mandatory for organisations with 50 or more employees. These channels must designate impartial persons or departments to handle reports, acknowledge reports within seven days, provide diligent follow-up, and give feedback to the whistleblower within three months. The confidentiality of both the reporter and the reported person must be maintained.
External reporting is directed to competent authorities designated by Member States. These authorities must diligently follow up on reports and maintain confidentiality, though not all allow for anonymous reporting. Authorities must respond within three months, and failure to do so can enable the whistleblower to go public with the information. In some extraordinary cases, the time frame may be six months due the nature and complexity of the subject of the report.
Public disclosure refers to sharing information outside of the official internal or external reporting channels, for example by directly informing the media or making information publicly available. Whistleblowers who disclose information publicly are protected under the Whistleblowing Directive only under specific conditions. Protection applies if the whistleblower has already reported internally or externally, but the violation remains unaddressed, meaning internal channels or authorities have not responded appropriately within three months, have inadequately investigated, or have failed to take sufficient action. Whistleblowers may also disclose publicly without prior internal or external reporting if they reasonably believe there is imminent danger to the public interest, such as a risk of irreversible damage or physical harm, or if there are reasonable grounds to suspect retaliation when reporting externally, or collusion between authorities and those responsible for the violation. Under these circumstances, those who choose to disclose information to the public will in principle retain full legal protections under the Directive. However, going public with the information is often seen as a last resort, and this option has been implemented differently in each Member State.
For AI Act violations specifically, enforcement responsibilities are divided between EU-level bodies and national authorities. As Member States are yet to integrate the EU AI Act into their implementations of the Whistleblower Directive, we do not yet have certainty on how exactly reporting channels surrounding suspected AI Act violations will be structured. While direct reporting to EU authorities is likely possible, the strongest protections will likely come from reporting through national authorities who can then refer cases to European bodies as needed. In the future, this direct channel to EU authorities may be strengthened; a statement by the Chairs and Vice-Chairs of the EU Code of Practice recommends that a dedicated reporting channel for the EU AI Office is established.
When considering reporting, proper preparation can help protect both you and the integrity of your disclosure. Below, we outline several considerations (for more, you can refer to e.g. “A Tech Workers Guide To Whistleblowing, Ireland Edition” by The Signals Network):
When gathering evidence of potential violations, consider your digital safety:
Whistleblowers can greatly benefit from knowing where to report concerns and where to seek assistance. Below we highlight key institutions and organisations across some EU Member States, as well as international efforts.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。