All credit institutions and investment firms operating in Luxembourg must already have whistleblowing mechanisms as a result of CSSF (Commission de Surveillance du Secteur Financier) Circular 12/552.

However, these systems will require a re-design as a result of the new Whistleblower Directive.

This will include changes to how reports are made and to the receipt, investigation, and determination of complaints. Changes to the confidentiality, anonymity and follow-up of reports must also be considered.

Who receives, investigates and decides outcomes from reports?

Human resources departments, compliance officers, risk officers and legal departments are usually in charge of hearing and deciding on whistleblowing complaints under current systems.

While the new legislation calls for “impartiality”, it does not specify that this requires the creation of new departments, or the involvement of third parties to ensure neutrality. It is, however, indicated in the Whistleblower Directive that staff members must receive specific training regarding the handling of reports. Existing staff responsible for whistleblowing complaints will likely maintain their responsibilities.

How can reports be made?

Current reporting systems with only one channel consisting of either written or oral reports are likely adequate under the existing legal framework, provided that confidentiality is preserved and data protection requirements are met. However, companies are also required to provide for in-person reporting if it is not already available.

There are numerous third-party whistleblowing software vendors which already comply with the privacy and confidentiality requirements. It may prove useful for certain organisations to consider using these in lieu of other reporting channels. This solution often effectively addresses cost, technology, and staffing issues. Such software can indeed feed reports to either internal employees or designated external investigators at an organisation’s discretion and may be useful for organisations which are unable to internally provide the required level of confidentiality or neutrality because of their internal organisation.

Confidentiality vs Anonymity

Existing systems already require confidentiality. Updates to confidentiality policies will involve ensuring that any new reporting channel protects a whistleblower’s identity from anyone but the report’s impartial receiver. It may actually be necessary that management not be informed immediately in certain situations where their notification would involve directly or indirectly divulging the identity of a whistleblower.

The Directive does not introduce a requirement for the anonymisation of a whistleblower’s personal data. Hence, the Luxembourg legislation will have to determine whether anonymous reports must be accepted by a private entity’s internal whistleblowing systems. While anonymous systems may encourage whistleblowing, they may also cause issues by complicating receipt and follow-up procedures.


The protocols of the Whistleblower Directive impose stronger follow-up requirements. Existing procedures will need to be updated to reflect the importance of following up in a timely manner.

Practically speaking, organisations will need to be more agile in order to meet the 7-day deadline.