Content updated on May 7, 2026
The EU Whistleblowing Directive has been fully transposed across all 27 member states since mid-2024. For most organisations with EU operations, the question is no longer whether to comply, but whether the system they have built actually meets the requirements, particularly when it comes to how reporting channels are structured across corporate groups.
The centralised versus decentralised debate remains one of the most consequential and misunderstood aspects of the directive. Getting it wrong has real consequences, both in terms of regulatory exposure and in terms of whether employees actually trust and use the system.
The Commission's Position Has Not Changed
When the directive was adopted, the European Commission was clear: a group-wide centralised whistleblowing system is not sufficient on its own. Every legal entity with more than 50 employees must have its own dedicated reporting channel, regardless of whether a central system already exists at the group level.
This view is not shared by all member states. Countries including Austria, Denmark, Germany, and Spain have transposed the directive in ways that explicitly allow companies to pool centralised resources at the group level. However, the Commission's position remains that a group-wide system cannot exempt subsidiaries from the obligation to maintain their own internal channels.
The practical implication for multinational organisations is that they cannot rely on national law alone. The safest approach is to ensure that every qualifying entity has its own channel, even where local law might appear more permissive.
What the 2024 Commission Review Found
The Commission's implementation report, published in July 2024, identified local versus central reporting channels as one of the key areas where compliance has fallen short. Only a few countries, such as Ireland and Poland, have fully implemented the internal reporting channel requirement as intended. Several countries, including Germany and France, have allowed centralised reporting systems even for companies with 250 or more employees, which the Commission flagged as a major concern.
The Commission has since launched a public consultation on the directive and an action plan to review and improve whistleblower protections further, with a report suggesting possible amendments expected in late 2026. Organisations that have built their programmes around permissive national interpretations should be aware that those interpretations may not hold as the Commission pushes for stronger and more consistent enforcement.
What the Rules Actually Require
Under Article 8 of the directive, every company with more than 50 employees must set up its own separate reporting channel. This applies to independent companies and to subsidiaries within a group. While a central system can, and often should, operate in parallel, it cannot replace the local channel. The whistleblower must have access to both.
For Mid-Size Subsidiaries (50 to 249 employees)
Medium-sized subsidiaries benefit from certain simplifications. They can share reporting infrastructure with other entities in the same country and, under certain conditions, refer investigations to the group's central compliance function. However, the subsidiary must still:
- Maintain its own reporting channel.
- Inform the whistleblower if their report is being escalated to a central team.
- Handle all follow-up communication directly with the reporter.
For Larger Entities (250 or more employees)
For these entities, the rules are stricter. The Commission's view is that a group-wide channel cannot be the only option. Local reporting channels must be available, staffed by local case managers, and fully operational to ensure compliance.
The Real Compliance Risk
Structural questions matter, but they aren't the only risk. Organisations should also assess whether their programmes are adjusted based on real-world performance. If whistleblowers are consistently bypassing internal channels and going directly to external authorities, that is a clear signal the internal system lacks trust.
The Commission also flagged insufficient diligence in follow-up processes, unclear timelines for acknowledging reports, and gaps in procedural guidance across several member states, with France, Germany, and Poland specifically mentioned. Reviewing whether your acknowledgement and feedback processes meet the directive's requirements is a top priority for 2026.
How Whispli Solves the Complexity
Implementing these requirements can be daunting for organisations with complex cross-border structures. Non-compliance doesn't just carry reputational risk: it pushes employees toward external reporting channels, which is rarely in the organisation's best interest.
Whispli is designed specifically for this level of complexity:
- Reporting Channels per Entity and Country: You can create and configure reporting forms for each subsidiary, tailored to local language and regulatory requirements, without losing coherence across the group.
- Automatic Triage of Reports: Define rules to automatically route reports to the right local case managers based on the reporter's entity, ensuring nothing falls through the gap between central and local management.
- Common Dashboards: Running a decentralised structure does not mean losing visibility. Custom dashboards give compliance teams a real-time view across all entities—report volumes, topics, and case status—from a single interface.
Conclusion: Compliance is Not a Choice Between Efficiency and Law
In 2026, the "centralised vs. decentralised" debate is finally reaching its endgame. If your subsidiaries are still relying on a single, distant group hotline, you aren't just flirting with a regulatory fine, you're signaling to your employees that their local reality doesn't matter.
Whispli allows you to have it both ways. You can maintain the oversight and expertise of a central compliance team while giving your local entities the legal autonomy and specific reporting channels they are mandated to have. By removing the friction between "the group" and "the local branch," Whispli helps you build a system that satisfies Brussels, your local regulators, and most importantly, your people.
Is your reporting structure legally resilient for the 2026 enforcement wave? Book a demo with Whispli today to see our decentralised reporting in action.
%201.avif)
%201%20(2).avif)
%201%20(1).avif)
