
Austria: Update on Whistleblowing and the implementation status of the EU Whistleblower Directive [1] in Austria

A draft of the Whistleblower Protection Act, which is intended to implement the EU directive in Austria, has existed since 3 June 2022 [2]. The law is expected to enter into force in the third quarter of the year. After that, companies will still have time for practical implementation, but preparations should start promptly. In the following FAQ, our experts answer the most important questions about the draft legislation that are relevant to employers.

FAQ on the Whistleblower Protection Act

Which obligations do employers have? 

Companies must set up an internal reporting body to which legal violations can be reported. This body is a separate department or organisational unit within the company that receives (e.g., via telephone hotlines, online tools or apps) and handles the reports. The concrete design of these bodies is left to the company, but certain requirements must be met (see below). In addition, there are various documentation and storage obligations concerning the reports made and protection and information obligations toward whistleblowers.

Will all employers be obligated? 

No, only companies with 50 or more employees.

Who can be a whistleblower?

In the context of employment law, primarily employees (including temporary workers), applicants or freelancers can be whistleblowers.

Which legal violations does the draft legislation cover? 

Only certain legal violations, such as legal violations in the area of public procurement, finance, money laundering, product safety, environmental protection, food safety, public health, consumer protection, privacy, network security, abuse of authority or corruption, fall under the scope of the Whistleblower Protection Act.

What protection do whistleblowers have? 

They are entitled to special protection from the moment they make a report. The top priority is the protection of their identity. Whistleblowers must also not be subject to retaliatory measures under the labour law, such as dismissals, transfers or demotions. Such measures are ineffective and must be reversed by those responsible. Any resulting damage must be compensated. Severe administrative penalties may also be imposed. However, in order to receive protection, whistleblowers must have sufficient reason to believe that their report is accurate. In addition, the report must concern a legal violation that falls within the above-mentioned scope of the Whistleblower Protection Act.

Does every report have to be followed up? 

Yes, unless the legal violation falls outside the act’s scope or there is no substantial evidence. The act does not specify how the investigation of a reported legal violation must be conducted. Receipt of the report must be confirmed within seven days. Whistleblowers must then, in any event, be informed about the progress of the investigation and the measures taken within three months. If a report is not followed up, the reasons for this must be given to the whistleblower within the same period.

Can reports also be made to external bodies?

Yes, whistleblowers can alternatively turn to a body established outside of the company that performs the same function as an internal body. The Federal Office for Preventing and Combating Corruption (BAK) is to be established as an external body. As whistleblowers can also turn to the external body as an equivalent to the (company) internal body, no sanction is attached to the non-establishment of an internal body. However, companies should have an interest in having whistleblowers report internally.

Does the works council have to be involved?

Yes. This is because establishing a reporting system is usually a control measure that affects human dignity. In such cases, the conclusion of a works council agreement is mandatory for implementing the system.

What applies in companies where there is no works council?

In this case, each employee’s written consent must be obtained.

When is the law expected to come into force?

The law is not expected to come into force before September 2022. Once it comes into force, employers with at least 250 employees still have a period of six months for practical implementation. The law will not take effect for companies with 50 to 249 employees until 18 December 2023.

What are the penalties for violations? 

There are severe fines. For example, obstructing whistleblowers or retaliation against them is punishable by a fine of up to EUR 20,000, or significantly more in the case of a repeated offence. In addition, whistleblowers who knowingly make a false or misleading report also face such a fine.

Requirements for internal reporting channels

The law does not specify in detail how exactly the internal reporting body should look, but the following requirements can be found in the draft:

  • The technology and communication devices used must keep the whistleblower’s identity confidential and be designed in accordance with data protection law.
  • The internal reporting body must be provided with sufficient financial and human resources.
  • It must be possible for the internal reporting body to receive reports in written and verbal form; if the whistleblower wishes, a personal meeting must be possible within 14 days.
  • Feedback to whistleblowers must be possible within three months.
  • Employees of the internal reporting body must be free from instructions concerning the receipt and follow-up of reports.
  • Employees of the internal reporting body must be equipped with sufficient authority to review reports and take appropriate action.


Protecting your organisation through combatting fraud and misconduct with ISO 37002 Whistleblowing Management Systems – Guidance

The International Organization for Standardization (ISO) has developed new guidelines for whistleblowing management systems — ISO 37002:2021. ISO 37002 provides guidelines for implementing, managing, evaluating, maintaining and improving a robust and effective whistleblowing management system. But what does it mean in practice, and how can it improve and add value to an organisation’s existing whistleblowing programme?

The ISO Whistleblowing Guidelines assist organisations in creating whistleblowing management systems based on the principles of trust, impartiality and protection. The guidelines are adaptable, and their use will vary with the size, nature, complexity and jurisdiction of the organisation’s activities. The ISO Whistleblowing Guidelines can assist an organisation in improving its existing whistleblowing policy and procedures or in complying with applicable whistleblowing legislation.



The ISO Whistleblower Guidelines give principles for establishing, implementing and maintaining an effective whistleblowing management system based on the principles of trust, impartiality and protection in the following four steps:

  • receiving reports of wrongdoing
  • assessing reports of wrongdoing
  • addressing reports of wrongdoing
  • concluding whistleblowing cases.

The ISO Whistleblower Guidelines are generic and intended to apply to all organisations, regardless of type, size and nature of activities, and whether in the public, private or not-for-profit sector. You can easily adjust the programme you are building based on your organisation’s needs.






[1] Directive (EU) 2019/1937 on protecting persons who report breaches of Union law.

[2] The act is still in the drafting phase. Changes are still possible and to be expected.