At a glance: Approximately 30,000 German companies under NIS2 must establish whistleblower reporting channels and must meet standards for confidentiality, protection against retaliation, and documentation.
The EU NIS2 Directive requires approximately 30,000 companies in Germany to establish reporting channels for internal and external whistleblowers. This measure is part of the requirements for critical infrastructure and important entities in the cyber domain.
Whistleblower protection is a central component of the Network and Information Security Directive (NIS2), which establishes harmonized security standards for critical infrastructure across the EU. Affected companies must provide functioning reporting channels for security breaches, vulnerabilities, and suspicious activities by the implementation deadline.
For compliance officers, this means in concrete terms: reporting channels must be designed technically and organizationally to protect whistleblowers – both employees and external persons. The channels should be confidential, easily accessible, and configured for different types of reporting (anonymous, named, by telephone, or in writing). The documentation and follow-up of received reports must be verifiable.
The regulation also requires companies to protect whistleblowers from retaliation and to establish feedback mechanisms. Compliance with these requirements is part of regulatory auditing and is monitored by national authorities. A missing or insufficient reporting infrastructure can result in fines.
Source: news.google.com · Published 15 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.