Flat illustration: red profile silhouette with a whistle, surrounded by grey silhouettes, as a symbolic image for whistleblowers in mid-sized businesses
May 10, 2026

Whistleblower Gap: First Fines for Mid-Sized Firms

5 Min. reading time

The Whistleblower Protection Act (HinSchG) has been in force since July 2023; its second stage, which brought companies with 50 or more employees into scope, took effect in December 2023, and the two-year grace period for penalty-free corrections expired in spring 2026. The first fines are now being imposed on medium-sized businesses that never set up an internal reporting channel or shut it down after a short consulting phase: up to €20,000 for not operating a channel, and up to €50,000 for obstructing a report or retaliating against a whistleblower. Managing directors are personally liable, the Federal Office of Justice (BfJ) is checking in the background, and the EU AI Act adds further obligations that land in the same reporting channel.


Key Takeaways

  • Fines are being imposed: Companies with 50 or more employees that do not set up and operate an internal reporting channel risk a fine of up to €20,000 under Section 40 of the Whistleblower Protection Act; obstructing a report or taking reprisals against a whistleblower carries up to €50,000. A channel that exists only on paper is treated the same as no channel at all.
  • The Federal Office of Justice is the external reporting office: Whistleblowers can turn to the Federal Office of Justice (BfJ) in Bonn at any time instead of using the internal channel. Companies that make the internal route unattractive will have their cases handled directly by the authority, with all the consequences for reputation and communication with supervisors.
  • The EU AI Act expands the scope of the reporting channel: From August 2026, when Article 87 of the AI Act applies and extends the EU Whistleblower Directive to infringements of the AI Act, internal whistleblower systems must also handle reports of AI-rule violations. Companies that limit their channel to corruption and discrimination are already behind.


What the two-year grace period really concealed

What is a whistleblower protection reporting channel? It is a confidential internal route through which employees (and, if the company opens it to them, external parties such as contractors or suppliers' staff) can report legal violations without fear of reprisal. Since December 2023, the Whistleblower Protection Act has required companies with 50 or more employees to operate such a channel, acknowledge receipt of each report within seven days, and give the whistleblower feedback within three months.

The first two years were used by many medium-sized companies to purchase a platform, set up a whistleblower mailbox link on the career page, and tick off the topic. What was rarely done beneath the surface was the second half of the obligation: training for the reporting officers, documented processing paths, a genuine separation of personnel and HR structures, and above all, the annual audit that proves the channel is functioning. The authorities tolerated this during the grace period. Not since spring 2026.

Specifically, three escalation paths are running in parallel. Direct reports to the Federal Office of Justice (BfJ), which lead to fine proceedings. Employees who, after an unsuccessful internal report, take the litigation route and enforce damages for reprisals before the labor courts. And the state authorities, which also check compliance with reporting obligations as part of their audits, for example during data protection audits, supply chain checks, or occasion-related tax audits.

20,000 €
Maximum fine under Section 40 of the Whistleblower Protection Act for companies that have not set up and operated an internal reporting channel. Intentional obstruction of a report, reprisals against a whistleblower, and breaches of confidentiality carry up to 50,000 €, in addition to the personal liability of management in damages cases.
Source: Whistleblower Protection Act, Section 40, as of May 2026

Who is now in the crosshairs

Three profiles are currently particularly visible in advisory practice. Family businesses with 80 to 250 employees, whose compliance function has historically sat in the personnel department and cannot provide a genuine separation from the reporting office. Banks and insurers from the cooperative and savings bank sector, which are simultaneously busy implementing DORA and have underestimated whistleblower protection as a second compliance front. And health-tech and pharmaceutical mid-sized companies, for which reports to the Federal Office of Justice (BfJ) from patient and study contexts have increased.

In addition, there is a fourth category that rarely appears in compliance whitepapers. IT service providers and SaaS providers with 50 to 200 employees, whose customers explicitly query the reporting channel structure in the supplier audit. If you serve a large customer in the public sector or a regulated industry, you will have to demonstrate compliance with reporting obligations; otherwise, you will be dropped from the supplier pool.

What all four profiles share is the typical mistake. An external platform was purchased, a reporting officer was nominated in the personnel department, a single training session was held, and then the topic dropped below the radar. Today, the authorities check precisely where the handover from purchasing to operations took place, and rarely find it cleanly documented.

What’s Immediate, What’s Due by Summer

Immediate

  • Verify if the reporting channel is actively accessible (phone, email, platform). Dead links and undelivered emails are the most common audit findings.
  • Check acknowledgement and feedback deadlines: Section 17 HinSchG requires acknowledgement of receipt within seven days and feedback to the whistleblower within three months of that acknowledgement.
  • Document the separation of the reporting office from disciplinary and personnel decisions, and resolve the dual role of the HR manager.

By Summer

  • Document training for reporting officers, with repetition at least annually.
  • Explicitly include infringements of the EU AI Act as a reporting reason, and expand the category list in the internal documentation.
  • Set up an annual audit that anonymously reports the number of notifications, processing times, and escalations.
  • Update supplier questionnaires and provide own compliance evidence.

A 60-Day Plan for Management

Those who start repairs now don’t need expensive consulting, but an honest assessment.

60-Day Plan: Bring Whistleblower Protection up to Audit Standards
Week 1-2: Stocktake. Which channel exists, which mailbox receives reports, who is the officer, and is there a documented processing log for the last 12 months? Submit an anonymous test report and measure the response time.
Week 3-5: Structural repair. Separate the personnel function and the reporting office in writing, define a deputy arrangement and an escalation path to management. Include AI Act categories.
Week 6-8: Training refresh, documentation template, anonymized annual report to management. Prepare evidence for supplier inquiries.
From Day 60: Quarterly review meeting in which AI compliance topics from accounting and whistleblower protection are considered together rather than in separate silos.

Frequently Asked Questions

Do the fines apply retroactively, including the grace period?

No, the authorities do not work retroactively. The situation is assessed at the time of the audit. If you do not have a functioning channel in summer 2026, you risk the full fine under Section 40 HinSchG. If you can document improvements in progress, you will get a deadline and conditions, which is the usual administrative practice.

Is an external platform sufficient, or must an internal person be designated?

Both are permissible, but even with an external platform an internal person responsible for the channel must be designated: someone who processes reports, sends acknowledgements, gives feedback, and who, under Section 15 HinSchG, is independent in that role and has the necessary expertise. The platform is a tool; it does not discharge the obligation. In an audit, the person is checked, not the tool.

What role does the EU AI Act play for the whistleblowing channel from August 2026?

Article 87 of the EU AI Act extends whistleblower protection to infringements of the Act, which brings incidents involving high-risk AI systems, manipulative applications, and prohibited biometric practices into the list of reportable matters. Companies that use AI in recruiting, credit scoring, or employee monitoring must explicitly open the whistleblowing channel to such cases. Updating the category list in the internal guidelines is usually sufficient.

Is the management personally liable if the channel fails?

In the case of reprisals against whistleblowers, the management can be personally held liable for damages, supplemented by the fine for the company. In D&O insurance, this is a classic exclusion area if intentional omission is established. Personal liability is the reason why HinSchG increasingly ends up in board meetings instead of just in the HR department.

About the Author

Angelika Beierlein is COO at Evernine. She knows boardroom realities from several industries and regularly writes about where compliance topics are really shaped, rather than merely ticked off. She thinks little of empowerment phrases and highly of structures that hold up under stress.

Source of title image: AI-generated with Google Imagen 4 Fast, SynthID-verified


A magazine by evernine media GmbH