The corporate value of effective whistleblowing systems | In Principle


The corporate value of effective whistleblowing systems

Whistleblowing became a buzzword in Poland in 2024 following the delayed implementation of the EU’s Whistleblower Directive (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law) (WBD). By September 2024, most private companies in Poland were required to comply with national legislation mandating internal policies for reporting and follow-up actions. At the time, many organisations scrambled to meet these statutory requirements—some were fine-tuning existing speak-up channels to align with the new law, while others were building a framework from scratch. The business press was flooded with discussions on compliance, and webinars and seminars on the topic were everywhere. However, much of the focus was on setting up reporting channels and policies, often overlooking the broader significance and long-term impact of these changes.

Now, several months after the implementation deadline, most companies have established internal policies and consider their compliance obligations fulfilled. This moment offers an opportunity to examine the deeper purpose of whistleblowing regulations, their practical functioning, and—crucially—how organisations can effectively manage reports and follow-up actions.

The strategic importance of whistleblowing laws

In regions (like Poland) with historical experiences of occupation and authoritarian regimes, whistleblowing often carries negative connotations. The act of reporting misconduct can evoke uncomfortable parallels with state surveillance systems of the past. But the motivations behind whistleblowing differ significantly from those of a snitch. A snitch typically seeks personal gain, trading information for reduced charges or other benefits. By contrast, a whistleblower is an insider who exposes illegal activities within an organisation without expecting a quid pro quo. The essence of whistleblowing is not to foster distrust but to bolster integrity and legal compliance.

Traditional “top-down” public enforcement of laws is no longer enough, and whistleblowing, as a form of “bottom-up” enforcement, is aimed at improving overall compliance. Never has the regulatory burden on companies been so overwhelming. Today, virtually every type of business is subject to myriad regulatory requirements. Law enforcement, which once focused on common criminality, now grapples with a broader spectrum of misconduct, including environmental crimes, bid-rigging, cybercrime, and market manipulation, to name a few. These new regulations are not straightforward, rule-based directives, but rather objective-based mandates. They require businesses to implement appropriate measures commensurate with the level of risk and available technical capabilities. This means that large businesses and small businesses must comply with the same regulations in materially different ways, adding layers of complexity.

In this intricate regulatory environment, traditional top-down public law enforcement is increasingly ineffective. Even with the creation of new agencies and the allocation of substantial resources to build enforcement capacities, the sheer breadth and complexity of modern regulations, coupled with the cross-border nature of many activities and the digitalisation of operations generating terabytes of data, makes public enforcement a daunting task. Western economies have long recognised this challenge. The United States, a pioneer in whistleblowing regulatory frameworks, has established robust protections as part of its bottom-up enforcement system.

Public agencies rely heavily on whistleblowers to detect violations that might otherwise go unnoticed. Employees, contractors, and business partners often have unique insights into corporate wrongdoing, but may hesitate to report them due to fear of retaliation. Cases of whistleblowers facing lawsuits, job loss, or even criminal charges are well-documented. To mitigate these risks, whistleblower protection laws provide statutory safeguards. The European Union expressly acknowledges that whistleblower reports are essential for enforcing Union laws and policies, and has sought to harmonise protection across member states to ensure effective enforcement and safeguard the public interest.

The idea behind this bottom-up enforcement system is more complex than merely protecting those who tip off public enforcement agencies. The EU aims to encourage internal reporting before external disclosure. Initially, the directive proposed that external disclosures would be protected only if prior internal reports proved ineffective. However, this was amended to allow whistleblowers to choose whether to report internally or externally, without first exhausting internal channels. This system creates competition between internal and external reporting channels. Companies that build trust in their internal systems can expect more internal reports. To build trust, it must be clear that whistleblowers are protected and appreciated, and that the company will investigate reports fairly, take robust actions in cases of actual breaches, and seek to improve their overall legal compliance.

When companies receive internal reports, they can act on the information, verify the merits, and take corrective actions. They can improve internal processes, reduce harm, provide redress to victims, and ultimately self-report breaches to the appropriate agencies. The system is evolving to build more incentives for self-reporting. Currently, leniency mechanisms are scarce in Poland, without statutory provisions for non-trial resolutions, such as deferred prosecution agreements. However, this is expected to change. The goal is not to punish corporations, which are merely legal entities incapable of taking decisions different from those taken by their managers, but to hold dishonest managers accountable for wrongdoing or wilful neglect. By modernising corporate criminal liability and regulatory frameworks, and introducing mechanisms for self-reporting and leniency, the enforcement system can further encourage robust whistleblowing.

A common fallacy in the context of whistleblowing is the belief that “no reports mean no problems” and “it is better not to know if any misconduct occurs.” The issue with this mindset is that the absence of internal reports does not equate to full compliance with laws and regulations. A lack of internal reports may often indicate an unwillingness on the part of the organisation’s workforce to report irregularities, rather than an absence of such irregularities.

While it is true that internal reports can sometimes be trivial or pertain to conduct that is mistakenly perceived as illegal due to a lack of knowledge or understanding of the bigger picture, it is also true that whistleblowing can be weaponised by competitors or internal office rivalries. This places a burden on the organisation to verify and filter reports to protect against false claims, while not overlooking genuine issues. But overall this burden is outweighed by the potential benefits that result from having actionable information about gross misconduct early on. Without it, the organisation may remain in the dark for a long time, until an external report is made and processed by regulatory agencies. By that time, the harm and penalties may have mushroomed.

Moreover, in many regulatory and white-collar contexts, “not knowing” is not a valid defence against liability. Modern laws often impose liability on those who maintain wilful ignorance. Consider for example the recently adopted liability for circumvention of EU sanctions. As stated in Art. 9(1) of Council Regulation (EU) 2024/2642: “It shall be prohibited to participate, knowingly and intentionally, in activities the object or effect of which is to circumvent the measures referred to in this Regulation, including by participating in such activities without deliberately seeking that object or effect but being aware that the participation may have that object or effect and accepting that possibility.” Accountability can be imposed for negligence—for being aware of the possibility of circumvention yet accepting that possibility.

Viewed from this perspective, whistleblowing is a vital component of bottom-up enforcement. It is in the best interest of companies to encourage internal reporting and act effectively on reports. By doing so, companies can address issues internally rather than allowing them to escalate into external reports, which could lead to dawn raids and full-scale public enforcement actions.

Empirically, does whistleblowing work?

Empirical evidence demonstrates that whistleblowing systems are effective at detecting misconduct both within organisations and beyond. By creating decentralised reporting systems, whistleblowing frameworks help address the information asymmetry that often hampers law enforcement in corporate misconduct cases. The US Department of Justice fraud statistics reveal that over the past 35 years, whistleblowers have helped recover more than twice the funds from entities defrauding the government than the authorities have recovered through their own initiatives.

Organisations that implement robust reporting mechanisms experience tangible benefits. According to the Association of Certified Fraud Examiners, more than 40% of frauds are detected through tips from employees, vendors, or customers. Organisations without hotlines take 50% longer to detect frauds and suffer nearly twice the average losses of those with established reporting channels. A 2020 empirical study analysing nearly two million internal whistleblowing reports found that companies receiving more reports faced fewer fines and lawsuits—likely because they could detect and remedy misconduct earlier, preventing escalation. Specifically, a 10% increase in whistleblowing reports corresponded to a 2% decrease in fines and a 1% decrease in settlements in subsequent years.

Building on whistleblowing infrastructure

The Whistleblower Directive and its implementing national legislation should be examined through two distinct layers.

The first layer involves establishing the foundational whistleblowing infrastructure by defining who is entitled to protection and against what types of actions. This also includes mandates for creating external single-point reporting channels and internal reporting channels for companies meeting certain thresholds, as well as conditions for so-called protected public disclosure.

The second, more substantive layer, delineates the types of reports on breaches of law that qualify for protection. This aspect is expected to expand, broadening the scope of protected disclosures. Currently, the directive mandates protection for individuals reporting specific breaches of EU law, as outlined in Art. 2(1) WBD. These areas include public procurement; financial services, products and markets; prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety; animal health and welfare; public health; consumer protection; privacy and personal data protection; and security of networks and information systems. Breaches affecting the financial interests of the EU, internal market violations (including EU competition and state aid rules), and corporate tax violations are also covered. These areas are expressly listed in the annex to the directive. However, these areas represent the “minimum standards” under current EU law, and the EU’s minimum standards are set to expand. New EU legislation is expected to incrementally add to this list. For instance, the EU’s recently adopted sanctions enforcement directive added “violation of Union restrictive measures” to the AML Directive, and thus to the WBD’s minimum standards (Art. 18 of Directive (EU) 2024/1226 on the definition of criminal offences and penalties for the violation of Union restrictive measures). This approach is likely to continue, progressively broadening the core minimum standards.

Furthermore, the WBD expressly allows member states to extend protection under national law to areas or acts not covered by the directive’s minimum standards. Poland’s implementing act exemplifies this by broadening the scope of protection. While the subject-matter list mirrors that of the WBD, it extends to cover breaches of purely national laws in the same areas, not just acts implementing EU law. Additionally, the Polish act expands the scope of protection to include reports on “corruption and bribery, financial interests of the Polish state or its regional governments, and constitutional freedoms in dealings between individuals and public authorities.” Moreover, the act allows private entities the discretion to extend protection to breaches of internal policies and employment laws. If private entities choose to expand their internal policies to accept reports on such breaches, they must provide protection to whistleblowers reporting them. However, this protection does not extend to external reporting or public disclosure.

Poland’s whistleblowing framework—key requirements

The WBD and the Polish implementing act require companies to designate a function responsible for accepting, investigating and following up on whistleblower reports. However, the law offers little guidance on how these follow-ups should be conducted. While Polish law indirectly requires due diligence, it leaves the specifics to be determined by practice. Notably, the Polish legislation does not impose sanctions for failing to conduct follow-ups. Does this imply that companies must merely accept reports without necessarily acting on them? Legally, there may be no explicit penalties, but in practice, failing to act on whistleblower reports undermines trust in internal reporting systems and may push whistleblowers toward external or public disclosures. In such cases, companies may no longer be in control of whether and how to report externally and how to mitigate the adverse impact; instead, they may be surprised by a governmental investigation. Furthermore, ignoring a report that indicates wrongdoing—such as bribery or fraud—could be construed as mismanagement, potentially leading to civil liability or, in some cases, even charges for criminal mismanagement.

At this stage, the key question is not whether companies have established whistleblowing policies, but rather how they are using them. Understanding this broader context is crucial—it is not just about compliance but about corporate risk management and fostering a culture of integrity. Companies must go beyond merely satisfying the “tone from the top” requirement; they need to ensure their reporting systems are functional and trusted.

This discussion must now shift toward best practices in handling whistleblower reports: how to assess their credibility, conduct investigations fairly, and maintain due process. Proper follow-up is essential not only for legal and reputational reasons but also for strengthening internal governance and reducing the risk of external enforcement actions. The true test of these whistleblowing frameworks lies not in their establishment but in their execution.

Polish Whistleblower Protection Act

The whistleblowing framework in Poland is established in the Whistleblower Protection Act of 14 June 2024. The Polish act closely mirrors the two layers of the directive. On the first layer, the Polish act identifies the individuals entitled to protection and the scope of that protection, and mandates reporting channels for companies. On the second layer, the act lists the types of reports on breaches of law that qualify for protection.

The Polish act protects individuals who report irregularities discovered in work-related contexts. Protection extends beyond traditional employees to include associates, board members, proxies, shareholders, external vendors, job candidates who observe irregularities during recruitment, and anyone who has assisted in reporting misconduct.

The protection relies on several elements. The first includes a general prohibition of retaliation against whistleblowers. The extensive list of examples of retaliation includes terminating the whistleblower’s cooperation, cutting their salary, demotion, delegating the whistleblower’s tasks to someone else, relocating the whistleblower or changing their working schedule, discrimination, unfair treatment, threats, and so on. The second element of the protection framework is that, so long as the whistleblower is acting in good faith, they cannot be subject to disciplinary proceedings for the report they made or held liable for damage to third parties mentioned in their reports. The third element is that whistleblowers against whom retaliatory steps have been taken can claim compensation. They can also use such circumstances to argue that their report was not adequately dealt with, and thus they should be protected even if they make the irregularities public.

Companies employing 50 or more people are required to establish reporting channels for whistleblowers and adopt whistleblowing policies governing how whistleblowing reports are handled after they are received. Certain formalities must be observed prior to receipt and verification of reports. First, the internal whistleblowing policy must be consulted with workforce representatives before it is enforced in the company as its official whistleblowing procedure. The policy must be consulted with the trade union, or if there is no union, with representatives selected by the workforce. Second, all individuals engaged in handling whistleblowing reports, whether at the stage of receipt, initial assessment, internal investigation, follow-up communication with the whistleblower, or deciding on follow-up measures, need authorisation from the company, made in writing by members of the management board or other authorised signatories.

Next, the internal whistleblowing policy must provide an option to make a report either in writing or orally, and in any case the whistleblower must have the opportunity to express their concerns in Polish. The procedure must specify clearly how to contact the whistleblowing channel, e.g. email or postal address. If the company wishes to outsource the receipt of reports to an external service provider, or in the case of group companies to have the reports received via a centralised group channel, this is allowed, provided that the company enters into a contract with the provider assuming this task. There is room to argue that a formal contract is unnecessary if reports from whistleblowers in a company are processed by its parent company. Recital 55 in the preamble to the directive recognises that companies should be able to investigate whistleblower reports from their subsidiaries. Based on this, the European Commission noted in a comment letter of June 2021 that where persons working in a subsidiary feel safer reporting directly to the subsidiary’s parent company, or believe that the breach might be more effectively resolved by the parent company, then the parent company can, and indeed must, accept the report and follow up on it. It is advisable for the internal whistleblowing policy to provide a transparent and easily understood procedure for making whistleblowing reports, to encourage potential whistleblowers to use this channel instead of reporting first to the public authorities.

As for internal investigations, however, under the Polish Whistleblowing Act the function of verifying the report, including the initial assessment of the reported wrongdoing, subsequent communications with the whistleblower, and taking a decision to open an investigation or to close the case, should not be outsourced to a third party. In its July 2024 report on implementation of the Whistleblower Directive, the Commission pointed out that setting up whistleblowing channels solely at the group level, with no resources at the level of local group companies, runs counter to the objective of the directive to ensure proximity to potential whistleblowers. But this should not prevent companies from drawing on the expertise of external resources, such as the investigative knowhow of global audit teams often found in multinational corporate groups, or advice from legal counsel. In such cases, the process should nevertheless be organised in a way that allows a person or unit within the company to retain control and manage the report verification process. Otherwise, the setup could be seen as circumventing the statutory requirement to keep this function within the company. In practical terms, whenever external resources are engaged to perform investigative activities, such as reviewing emails or interviewing employees, a designated person or unit within the company should have access to materials upon request, receive updates about the progress and outcomes, and be consulted on the further steps to be taken.

As for follow-up communications with the whistleblower, the Polish act requires internal whistleblowing policies to set time limits for confirming to the whistleblower that their report was received, and to provide them with feedback on how their report has been handled. This includes information about actions the company has taken or will take to clarify the allegations. Confirmation of receipt should be made within seven days of filing of the report with the dedicated channel, whereas substantive feedback should be provided within three months from receipt. Note that if the reporting channel has multiple layers, e.g. the report is forwarded between authorised persons, the time limits still run from the date when the report was made by the whistleblower, not the time the report reaches the person designated to verify it.

The requirements discussed above under the Polish act apply to wrongdoing concerning any of the following areas: corruption, public procurement, financial services, the EU internal market, consumer protection, personal data protection, cybersecurity, AML, environmental protection, public health, product safety, transport safety, food safety, nuclear safety, animal health, the financial interests of state or local government or the EU, as well as fundamental constitutional freedoms between the individual and the state. Companies may extend this framework at their own initiative, to allow reporting of irregularities also in other areas. The fact that a company extends its internal reporting to non-compulsory areas does not mean, however, that external reporting will also be available in such areas. The scope of external reporting is outlined in the Whistleblowing Act, and may be amended only through the legislative process.

Beyond compliance—making whistleblowing systems work

A common misconception is that adopting an internal whistleblowing policy satisfies all obligations under the Polish Whistleblower Protection Act. But establishing a whistleblowing infrastructure should be viewed as merely foundational, creating the capacity to effectively handle misconduct allegations and, crucially, build trust among employees. Without confidence in internal reporting systems, employees are far more likely to voice concerns externally to the public authorities or the media.

The Polish act grants whistleblowers the freedom to choose whether to report internally via the company’s whistleblowing system or to go directly to the relevant state authorities. And then, if the chosen recipient of the report fails to provide feedback or take appropriate steps to investigate, the whistleblower may publicly disclose the alleged irregularities. However, if the company has properly followed up on the internal report, but the whistleblower discloses the allegations publicly anyway, the whistleblower forfeits the statutory protections. Consequently, companies that maintain a reliable internal reporting system and conduct diligent investigations can minimise the risk of whistleblowers bypassing internal channels in favour of external disclosures.

To build effective whistleblowing systems, organisations must go beyond mere legal compliance. Two elements are critical: thorough investigations and meaningful feedback to whistleblowers. While the Polish act requires companies to inform whistleblowers of the actions taken, it offers little guidance on investigation methods. This regulatory gap must be filled with robust internal practices that transform reporting channels from compliance checkboxes into valuable risk management tools.

When whistleblowing is weaponised

Whistleblower reports should always be approached with a degree of scepticism and thoroughly investigated for accuracy. The spread of hotlines and the option of anonymity also opens the door to potential abuses. These can range from competitors seeking to disrupt operations, to vendors aggrieved over lost contracts, and even internal backstabbing, where employees might seek to undermine colleagues for personal gain. Such instances do occur in practice, underscoring the importance of not accepting reports at face value or hastily acting on them. Every report, regardless of how implausible it may seem, deserves a proper investigation. In most instances, these investigations can be conducted informally using in-house resources. However, high-profile allegations may require a comprehensive investigation by external experts.

The purpose of the investigation is to determine whether misconduct has occurred or might occur, the nature of the misconduct, and the consequences. The ramifications can range from legal liability—civil, administrative, or criminal—to severe reputational damage. The economic theory of deterrence posits that larger corporations have a higher likelihood of detecting misconduct—stemming from more frequent interactions with various stakeholders—and the potential for more severe sanctions. These sanctions can be hefty, taking into account the deep pockets of large corporations for paying fines in both public and private enforcement, and the potential impact on their reputation is also great because big companies have more of an established reputation to lose.

Whistleblowing can vary significantly. Some cases may involve one-off misconduct, potentially caused by a single, undisciplined employee. Other reports might highlight isolated incidents that, nevertheless, stem from deeper, systemic flaws within the organisation’s processes and culture. Some instances of whistleblowing expose actions that have already been committed, while others signal looming threats, indicating that the organisation’s processes or culture might facilitate wrongdoing. The appropriate response to a whistleblower’s allegations will greatly depend on the specific nature of the concerns raised.

Conclusion

Whistleblowing systems represent far more than mere regulatory compliance. When properly implemented and managed, they become powerful tools for corporate governance, enabling early detection of misconduct, mitigating financial and reputational damage, and fostering a culture of accountability. Companies that view whistleblowing through this strategic lens, rather than as a bureaucratic requirement, gain competitive advantages through stronger internal controls and enhanced stakeholder trust.

As Poland’s whistleblowing framework continues to evolve, the organisations that will thrive are those that embrace these mechanisms as opportunities for corporate improvement rather than resenting them as regulatory burdens.

Łukasz Lasek, adwokat, Bartosz Troczyński, adwokat, Dispute Resolution & Arbitration practice, Wardyński & Partners