Why do companies need a whistleblower law?

On 22 December 2022, Law No. 361/2022 on the protection of whistleblowers in the public interest (the Law) entered into force, implementing Directive (EU) 2019/1937 on the protection of persons reporting breaches of Union law. The Law traces the general reporting framework and imposes minimum corporate governance standards for compliance and obligations for both public and private sector entities.

Key Takeaways

  • A wide range of persons may qualify as whistleblowers who can report actual/ potential legal breaches based on information obtained in a professional context
  • Reporting mechanisms provided by the Law are ancillary to reporting obligations provided by special legislation
  • Public and several categories of private entities must implement an internal reporting framework to support whistleblowers including by:
    • appointing a designated person/ department/ outsourcing to a third party
    • drawing up internal procedures
    • keeping reports for 5 years
    • ensuring confidentiality and complying with data privacy requirements
  • Reports may be filed via internal reporting channels, external reporting channels (i.e., directly to competent authorities) or by public disclosure
  • Reports are subject to several follow-up checkpoints at (i) 7 days (receipt confirmation by entity); (ii) 3 months (status update); and (iii) whenever evolutions occur thereafter
  • Whistleblowers benefit from a minimum confidentiality/ no liability/ no retaliation protection under the Law
  • Whistleblower protection is limited in case of public disclosure
  • Sanctions for breaching the Law range between EUR 400 and EUR 8,000


Whistleblowers report or publicly disclose information or reasonable suspicions regarding actual or potential legal breaches in various fields (e.g., employment, tax, competition, security, data protection etc.), obtained in a professional setting. Whistleblowers include:

  • workers (prospective, current or former) or self-employer persons
  • shareholders or management (including non-executive members)
  • anonymous persons, based on substantial grounds (in Romanian, indicii temeinice)


Target entities

Any public or private entity must comply with the provisions of the Law. However, only several types of organisations must implement internal reporting channels, procedures and must appoint a designated person to handle reports, as follows:

  • all public sector entities
  • all private sector entities in specific fields including financial services, insurance, oil
  • all private sector entities with at least 50 employees (entities with 50 to 249 employees must apply the rules as of 17 December 2023)

Reporting channels

Reports can be verbal (telephone, voice messaging, face to face meeting, etc.) or written (hard copy or electronic), must contain certain mandatory details (except for the whistleblower’s identity) and may be filed via:

  • internal channels set up by the target entity pursuant to the whistleblower procedures it has drawn up

Internal channels must be posted on the entity’s website and there must always be at least one available channel

  • external channels set up by each public authority (based on its area of expertise) within 45 days of the Law entering into force
  • public disclosure by any means (the press, professional bodies, unions, NGOs, parliament commissions or any other means of public disclosure available)

In order to be afforded legal protection, whistleblowers can use public disclosure conditionally (e.g., they have exhausted internal or external reporting channels).

There is a preferred hierarchy of reporting channels with internal channels taking precedence, where available. Whistleblowers can also rely directly on external channels taking into account the risk of retaliation and the impossibility to efficiently remedy the breach through internal channels.

Organisational measures

Target entities must:

  • implement internal reporting channels and dedicated procedures for report handling which must include anti-retaliation measures (e.g., target entities are prohibited from suspending/terminating/modifying the individual employment agreement, reducing the compensation, relegating, sanctioning the whistleblower in connection with filing the report)
  • appoint a designated independent and impartial person, department or third party (via outsourcing) to manage the report process
  • keep track of reports (reports being subject to a 5-year retention period) via a dedicated internal electronic registry (public entities and private entities with at least 50 employees must also draw up statistics)
  • ensure confidentiality of the whistleblower’s identity or identifying information in the report (depending on the type of data included in the report, additional confidentiality obligations apply) while complying with data protection legislation
  • cooperate with and provide information requested by competent authorities (based on the field of activity)


Sanctions range from around EUR 400 to around EUR 8,000 for, among others, failing to implement internal reporting channels, preventing the designated person from receiving/recording reports, not cooperating with authorities or failing to comply with confidentiality obligations. Whistleblowers may also be sanctioned for fake reporting. Administrative sanctions may be applied by the National Integrity Agency.


*This ePublication is provided by Radu Taracila Padurari Retevoescu SCA and is for information purposes only. It does not constitute legal advice or an offer for legal services. The distribution of this document does not create an attorney−client relationship. If you require advice on any of the matters raised in this document, please call your usual contact at Radu Taracila Padurari Retevoescu SCA at +40 31 405 7777.