#LuLex: Protection of whistle-blowers – what does your company have to do?

Whistleblowers play a recognised role in exposing breaches of the public interest. Because whistleblower protection varied widely across EU Member States, Directive (EU) 2019/1937 was adopted on 23 October 2019 to provide a common framework for their protection. Luxembourg transposed this directive through the Law of 16 May 2023 (the “Law of 2023”).


The Law of 2023 protects whistleblowers who report violations of Luxembourg or European Union law. A violation is any act or omission, occurring in a professional context, that (i) is unlawful or (ii) defeats the object or purpose of directly applicable Luxembourg or EU law.

The protection granted by the Law of 2023 is subject to exceptions. It does not apply:

  • to reports of breaches relating to national security;
  • to whistleblowers whose relationships are covered by:
    • medical confidentiality,
    • lawyer-client privilege,
    • the professional secrecy to which a notary is bound,
    • the professional secrecy to which a bailiff is bound,
    • the secrecy of judicial deliberations,
    • the rules governing criminal proceedings;
  • where the conditions for applying a specific regime for reporting violations and protecting the whistleblower, laid down by law or by a sectoral act of the European Union, are met.

Furthermore, the Law of 2023 is without prejudice to employees’ right to consult their representatives or trade unions and to be protected against any unjustified prejudicial measure arising from such consultation, and to the autonomy of the social partners and their right to conclude collective agreements.


The Law of 2023 has a very broad personal scope: it protects all natural persons who report or publicly disclose information about violations obtained in the course of their professional activities.

This includes:

  • employees and other workers, whatever the type of employment relationship;
  • self-employed workers;
  • shareholders;
  • members of a company’s administrative, management or supervisory body, including non-executive members;
  • paid or unpaid volunteers and trainees;
  • any person working under the supervision and direction of contractors, subcontractors and suppliers.

The protective measures apply to whistleblowers:

  • who are currently in an employment relationship;
  • whose employment relationship has ended; or
  • whose employment relationship has not yet begun, where the information about violations was obtained during the recruitment process or other pre-contractual negotiations.

Protection extends to those facilitating whistleblowers, third parties who have a relationship with the whistleblower and who are at risk of reprisals (like colleagues or relatives), and legal entities linked to the whistleblower.


Whistleblowers may report violations either orally or in writing. Internal reporting is encouraged as a first step, but external reporting to a competent authority is permitted directly, in particular where internal channels do not exist or are ineffective.

Internal and external reports may be made in French, German, Luxembourgish or another language accepted by the recipient. Public disclosure is protected only where the whistleblower first reported internally and externally (or directly externally) and no appropriate action was taken within the statutory time limits, or where there are reasonable grounds to believe that the violation constitutes an imminent or manifest danger to the public interest, or that external reporting would expose the whistleblower to retaliation or is unlikely to be dealt with effectively.

The Law of 2023 lists various authorities for external reporting:

  • Commission de surveillance du secteur financier – CSSF
  • Commissariat aux assurances – CAA
  • Autorité de la concurrence
  • Administration de l’enregistrement, des domaines et de la TVA – AED
  • Inspection du travail et des mines – ITM
  • Commission nationale pour la protection des données – CNPD
  • Centre pour l’égalité de traitement – CET
  • Ombudsman, as part of his external monitoring of places where people are deprived of their liberty
  • Ombudsman for children and young people
  • Institut luxembourgeois de régulation – ILR
  • Autorité luxembourgeoise indépendante de l’audiovisuel – ALIA
  • Ordre des avocats du Barreau de Luxembourg
  • Ordre des avocats du Barreau de Diekirch
  • Chambre des notaires
  • Collège médical
  • Administration de la nature et des forêts – ANF
  • Administration de la gestion de l’eau – AGE
  • Administration de la navigation aérienne – ANA
  • Service national du Médiateur de la consommation
  • Ordre des architectes et des ingénieurs-conseils – OAI
  • Ordre des experts-comptables – OEC
  • Institut des réviseurs d’entreprises – IRE
  • Administration des contributions directes – ACD

The Law of 2023 also established a Reporting Office (Office des signalements), a public authority that guides and assists whistleblowers through the reporting process and has the power to impose administrative fines.


4.1. Duty to establish internal reporting channels for companies with 50 or more employees

The extent of the obligation depends on the number of employees:

  • Companies with fewer than 50 employees are not required to set up internal reporting channels, but may do so. Where no internal channel exists, whistleblowers report externally to a competent authority.
  • Companies with 50 or more employees must establish internal reporting channels and procedures.
  • Companies with 50 to 249 employees may share resources for receiving reports and carrying out investigations. For these companies the obligation to provide an internal reporting channel applies from 17 December 2023.

The internal reporting channel may be operated in-house or by a third party. It must be secure, confidential and efficient, must allow written and/or oral reports, must acknowledge receipt within 7 days, and must provide feedback within 3 months of that acknowledgement.

4.2. Duty of Confidentiality

The identity of the whistleblower must remain confidential, except where disclosure is required under specific legal conditions (for instance, a necessary and proportionate obligation in the context of investigations or judicial proceedings). Where the company has no internal reporting channel, the duty of confidentiality falls on the public authority to which the whistleblower has reported.

4.3. Processing of Personal Data

Personal data must be processed in accordance with the applicable data protection rules, including the GDPR. Personal data that is manifestly irrelevant to the handling of a report must not be collected or, if collected accidentally, must be deleted without undue delay.
Oral reports may be documented by recording the conversation, with the whistleblower’s consent, or by a complete and accurate transcript or written minutes of the conversation drawn up by the staff handling the report.
The whistleblower must be given the opportunity to check, rectify and approve the transcript or minutes.

4.4. (Not mandatory but highly recommended) Drafting of an internal procedure that reflects the requirements of the Law of 2023 for internal reporting procedures

The company’s internal procedure on internal reporting of violations must reflect the following legal requirements:

  • The channel must provide clear and easily accessible information on the procedures for reporting to the competent authorities, as well as appropriate information on the use of the internal reporting channel;
  • The internal reporting channel must be designed, established and operated in a secure manner that (i) guarantees the confidentiality of the identity of the whistleblower and of any third party mentioned in the report and (ii) prevents access by unauthorised members of staff;
  • An impartial person or department must be designated to follow up on reports. This may be the same person or department that receives the report; it maintains communication with the whistleblower and, where necessary, requests further information and provides feedback;
  • The channel must enable reports to be made in writing and/or orally, by telephone or voice mail, and, at the whistleblower’s request, by a face-to-face meeting within a reasonable timeframe;
  • Follow-up must be diligent, including for anonymous reports;
  • An acknowledgement of receipt must be sent within 7 days of the report;
  • Feedback must be provided within 3 months of that acknowledgement of receipt.


5.1. Relationship between the Law of 2023 and the law of 7 December 2015 on the insurance sector (the “LSA”)

The LSA sets out rules for the external reporting of violations of the laws and regulations applicable to the insurance sector.
These rules take precedence over the rules on external reporting in the Law of 2023. The rules of the Law of 2023 on internal reporting and public disclosure, however, remain applicable to the insurance sector.

Article 4(o) of the LSA states that “the CAA shall put in place effective mechanisms which allow and encourage any reports of potential or actual breaches of the laws and regulations listed in Articles 303(1) and 304, or other conduct referred to in Articles 303(1) and 304, and the measures taken for their enforcement. (…)”

The violations referred to in Articles 303 and 304 of the LSA mainly cover:

  • any breach of the LSA;
  • any breach of the law of 27 July 1997 on insurance contracts, as amended, and its implementing regulations;
  • any breach of the law on annual accounts and its implementing regulations;
  • any breach of the law of 16 April 2003 on compulsory insurance against civil liability in respect of motor vehicles, as amended, and its implementing regulations;
  • any failure to comply with the CAA’s instructions;
  • any refusal to provide the accounting documents or other information requested;
  • the provision of documents or information that proves to be incomplete, inaccurate or false;
  • any breach of the rules governing the publication of balance sheets and statements of accounts;
  • any obstruction of the CAA’s powers of supervision, inspection and investigation;
  • any conduct likely to jeopardise the sound and prudent management of the institution concerned;
  • failure by insurance undertakings and intermediaries to comply with the conduct-of-business requirements of Articles 295-7 to 295-20 in connection with the distribution of insurance-based investment products (IBIPs).

On the basis of these provisions, the Commissariat aux Assurances (the “CAA”) has defined a “procedure for reporting breaches of the legislative and regulatory framework applicable to the insurance sector to the CAA”.

The key elements of this procedure can be summarised as follows:

  • Any person acting in good faith, and in particular persons who work or have worked with entities of the Luxembourg insurance sector, may report to the CAA, confidentially and securely, any dysfunction or failing committed by or with persons subject to the CAA’s supervision;
  • Facts that are clearly of a criminal nature, such as the illegal exercise of insurance activities, are excluded;
  • The procedure does not apply to persons who are legally bound by a duty of disclosure towards the CAA, such as approved auditors and actuaries;
  • The procedure is primarily intended for employees and former employees of the insurance sector, but may also be used by clients of professionals subject to the CAA’s supervision;
  • Before contacting the CAA, employees of insurance-sector professionals are invited to use their employer’s internal reporting procedure first, where one exists;
  • In principle, the CAA examines only reports submitted on its whistleblowing form, which must be sent by e-mail to whistleblowing@caa.lu;
    • If this is not possible, or if the whistleblower does not feel able to do so, they may call 226911-1 during office hours before submitting a written statement. The CAA does not record whistleblowing reports made by telephone;
  • The CAA examines the report even if the whistleblower has not first used the professional’s internal whistleblowing procedure;
  • The CAA undertakes to protect the identity of the whistleblower and of any third parties concerned, within the limits of the applicable legislation;
  • The whistleblower’s name and contact details facilitate the processing of the report and allow the CAA to contact the whistleblower if it has further questions;
  • The whistleblower must have reasonable grounds to believe that the information provided to the CAA, and any allegations it contains, are true and genuine;
  • Supporting documents may be provided; for anonymous reports, supporting documentation must be provided;
  • Because of its legal obligation of professional secrecy, the CAA does not inform the whistleblower of the specific measures taken as a result of the report.

5.2. Relationship between the Law of 2023, CSSF Circular 12/552 and the Q&A “Whistleblowing – reporting of breaches of financial sector regulations to the CSSF”

CSSF Circular 12/552 sets out rules for the internal reporting of violations of the laws and regulations applicable to the banking sector.
The Q&A “Whistleblowing – reporting of breaches of financial sector regulations to the CSSF” (dated April 2022) sets out rules for the external reporting of violations of the laws and regulations applicable to the financial sector.

These rules take precedence over the rules on internal and external reporting, respectively, in the Law of 2023.

5.2.1. Internal reporting of violations in accordance with CSSF Circular 12/552

Circular CSSF 12/552, which applies to all credit institutions and professionals performing lending operations, provides that internal governance arrangements shall include “internal communication arrangements comprising an internal whistleblower procedure which enables the staff of the institution to draw the attention of those responsible to all their significant and legitimate concerns related to the internal governance of the institution, to compliance with internal policies and procedures, the national regulatory framework and Union law (in accordance with Directive 2019/1937 on the protection of persons who report breaches of Union law)” (p. 13).

Internal alert arrangements must enable all of the institution’s staff to raise legitimate concerns about internal governance, internal requirements or the national and EU regulatory frameworks.

These arrangements shall:

  • safeguard the identity of those raising such concerns as well as that of the persons allegedly responsible for the misconduct;
  • allow such concerns to be raised outside the established reporting lines, including with the supervisory body;
  • ensure appropriate follow-up and retention of records;
  • ensure that alerts issued in good faith do not engage the liability of their authors and do not adversely affect the persons who issued them.

5.2.2. External reporting of violations in accordance with the CSSF Q&A “Whistleblowing – reporting of breaches of financial sector regulations to the CSSF”

The CSSF Q&A on the procedure for external reporting of breaches of financial sector regulations provides that:

  • Any person, and in particular employees or former employees of Luxembourg financial-sector entities, may in good faith submit a report directly to the CSSF, confidentially and securely, if they have reasonable grounds to believe that the report will reveal breaches of the applicable regulations by entities or persons of the financial sector under the CSSF’s supervision;
  • The report may be accompanied by any evidence available to the whistleblower;
  • Before contacting the CSSF, employees of financial-sector entities are asked to use their employer’s internal reporting procedures first, where they exist; if they do not, the CSSF will nevertheless examine the report;
  • Under certain circumstances, the procedure may also be used by customers of financial service providers;
  • The procedure should not be used for breaches that are clearly of a criminal nature;
  • In principle, the CSSF does not disclose to the entity concerned the identity of the employee who blew the whistle or of any third parties involved; their identity is disclosed only where disclosure becomes legally unavoidable;
  • Breaches by significant supervised entities within the meaning of the Single Supervisory Mechanism (SSM) should be reported through the European Central Bank (ECB) whistleblowing procedure: https://www.bankingsupervision.europa.eu/banking/breach/html/index.en.html. When the CSSF receives such a report, it forwards it to the ECB and informs the whistleblower;
  • When the CSSF receives a report concerning a less significant supervised entity (within the meaning of the SSM) in respect of a breach of ECB regulations or decisions, it forwards the report to the ECB without communicating the whistleblower’s identity, unless the whistleblower gives explicit consent;
  • The CSSF does not inform the whistleblower of the actions taken on the report;
  • The CSSF provides a reporting tool and procedure on its website: https://whistleblowing.apps.cssf.lu/index.html?language=fr.
    In principle, the CSSF only considers a written statement sent by e-mail to whistleblowing@cssf.lu.
    If the whistleblower cannot or does not wish to make a written statement, they may call the secretariat of the JUR-GEN department during office hours before transmitting a written statement: +352 26 25 1 27 57.


The Law of 2023 protects whistleblowers by prohibiting any form of retaliation against them.
Retaliation, as defined by the law, includes measures such as suspension of the employment contract, demotion, coercion, discrimination, negative performance appraisals and blacklisting. The list is not exhaustive.

Certain retaliatory measures are automatically null and void. Within 15 days of being notified of such a measure, the whistleblower may apply to the competent court to have it declared null and void, to have its cessation ordered and/or to obtain compensation for the harm suffered.
The law establishes a rebuttable (simple) presumption that any harm suffered by the whistleblower is a consequence of the report, which shifts the burden of proof to the opposing party.

Whistleblowers also benefit from immunity under the Law of 2023: provided they acted in good faith when making a report or public disclosure under the law, they are not deemed to have breached any restriction on disclosure, do not incur liability for reporting or disclosing the information, and cannot be held liable in legal proceedings in respect of it.

Whistleblowers are protected by the Law of 2023 only if they had reasonable grounds to believe that the information reported was true at the time of reporting, the information falls within the scope of the law, and they reported internally or externally or made a public disclosure in accordance with the law.

Protection extends to those who were initially anonymous but later identified.


Persons who retaliate against whistleblowers or obstruct reports face administrative fines of €1,250 to €250,000, imposed by the Reporting Office. For a repeat offence within five years, the maximum fine is doubled.

Whistleblowers who knowingly report or disclose false information face imprisonment of 8 days to 3 months and a fine of €1,500 to €50,000. They may also be held civilly liable for any damage caused by the false report.