A giant sprawling giga-factory of the future, where the essence of innovation and technological progress comes to life

Whistleblower Protection Act 2023 - What SMEs need to know!

On 2 July 2023, the Whistleblower Protection Act came into force. As an SME, you should familiarise yourself with this law and ensure compliance. The law aims to better protect whistleblowers and make it easier to report misconduct in companies. In the following article, you will learn what the Whistleblower Protection Act for SMEs means for your company, what duties and responsibilities are associated with it and how you can take advantage of the law. Read on to learn how you can prepare for the implementation of the law and which legal principles and framework conditions are relevant.

Key Takeaways:

  • The Whistleblower Protection Act, which came into force on 2 July 2023, aims to protect whistleblowers and make it easier to report misconduct in companies.
  • Companies with 50 or more employees are obliged to set up internal whistleblowing units to ensure the protection and confidentiality of reports.
  • Violations of the law can lead to significant fines of up to €50,000.
  • Reported violations that are deemed relevant require appropriate follow-up measures.
  • The Whistleblower Protection Act also applies to German SMEs and brings new challenges and opportunities for companies and employees.
  • Whistleblowers play an important role in society and help to uncover and combat wrongdoing.
  • SMEs should ensure compliance with the law and benefit from the advantages.

What does the Whistleblower Protection Act mean for SMEs?

The Whistleblower Protection Act is a new legal regulation to protect whistleblowers in small and medium-sized enterprises. The HinSchG was published in the Federal Law Gazette on 2 June 2023 and came into force on 2 July 2023. The Act aims to ensure that whistleblowers in companies, regardless of whether they are employees, former employees, temporary workers, self-employed persons, contractors, subcontractors or suppliers, are better protected and can report violations of laws and policies without having to fear disadvantages. The Whistleblower Protection Act is part of a broader European legal framework and aims to protect whistleblowers, fight corruption and illegal behaviour and increase transparency and integrity of companies. Similar laws already exist in almost all other European countries. The Whistleblower Protection Act is an important initiative to increase corporate compliance and transparency and to ensure that potential violations are detected at an early stage.

Legal basis and framework

The Whistleblower Protection Act was drafted on the basis of an EU Directive on whistleblower protection. The purpose of the Whistleblower Protection Act is to provide the best possible support to companies - including SMEs - in implementing the EU Directive and to ensure the protection of whistleblowers. The law provides clear duties and responsibilities for companies to prevent and uncover misconduct and wrongdoing.

Entry into force of the Whistleblower Protection Act

The Whistleblower Protection Act has been in full effect since July 2023 and already applies to SMEs. There is no transition period for implementation for SMEs, which means that companies must act now to ensure that they comply with the requirements of the Act. Only administrative penalties for failing to implement the legally required internal reporting channel exist until 02 December 2023, but the impending penalties from whistleblower proceedings are not covered.

Effects on German companies

The Whistleblower Protection Act affects all German companies, especially small and medium-sized enterprises. The regulation obliges them to ensure protection and confidentiality for whistleblowers in their company and to give them the opportunity to address grievances without employees having to face employment law consequences. Companies with a size of 50 employees or more must set up an internal reporting office that works independently and confidentially. Companies must inform their employees about the establishment and function of the reporting channel as well as refer to the possibility of external reporting offices. The reporting office must be equally accessible to all employees. Companies must also ensure that the internal reporting office is accessible to all employees at all times, that employees understand the meaning of the Whistleblower Protection Act, that they are informed about their rights and obligations, and that the reporting office can also be reached in case of doubt by former or future employees, such as job applicants. With regard to the operation of the hotline, it should be noted that the company must ensure that only a defined group of employees can evaluate the reports received. This is because the company must ensure that the hotline operates confidentially, independently and competently at all times. Adequate and regular training of those responsible for the reporting office is also mandatory. The regulation also stipulates that companies must not disclose the identity of whistleblowers. They must also protect whistleblowers from possible retaliation, including dismissal, contractual penalties or other adverse effects on their careers. One of the other fundamental requirements of the IHR is that the IHR must offer whistleblowers the possibility to contact the IHR anonymously. Failure to comply with the regulation may result in fines and other sanctions. For this reason, companies should take the regulation seriously and take appropriate precautions to avoid potential violations.

Responsibilities of companies

Companies are required to give their employees the opportunity to report violations that affect the company. The Ordinance states that companies must establish a reporting office that is available to whistleblowers. This reporting office must be made known in the company and explained through training or other ways. Whistleblowers should be able to be contacted through the hotline without revealing their identity. It is the responsibility of companies to investigate all reported violations and take appropriate action to address grievances. Companies should also promote a culture of transparency and trust among their employees to detect and follow up on grievances in their operations.

Whistleblowers and reporting channels

The Whistleblower Protection Act requires SMEs to establish internal reporting channels to report potential violations. The law does not prescribe how reporting channels are to be set up, be it in the form of a mailbox, a hotline or an email address. However, these types of reporting channel are not secure for many reasons and often do not cover the requirements placed on an internal reporting centre. Thus, the implementation of a professional reporting system via an external service provider is recommended. In any case, an effective whistleblowing system requires a clear reporting chain and a independent body to monitor and evaluate the reports. According to the Whistleblower Protection Act, the internal reporting office must be independent and separate from the management. It is also important that the reporting offices are easily accessible and, at best, offer functions to submit reports anonymously. In any case, the reporting office is obliged to treat all reports and the information about the reporting persons strictly confidential. According to § 16 HinSchG, the contents of the reports may only be made accessible to a certain group of persons. It is the responsibility of the reporting office and thus of the company to handle whistleblower reports professionally, confidentially and independently in accordance with data protection requirements. In addition, all necessary documentation obligations must be fulfilled.

Sanctions and consequences

The Whistleblower Protection Act for SMEs also stipulates sanctions for violations. If the regulations are not complied with, the companies concerned face fines. The law provides for fines of up to 50,000 euros in this regard. Compliance with the Whistleblower Protection Act is therefore not only important for ethical and moral reasons, but also from an economic perspective. Companies that violate the law risk severe penalties and can also suffer damage to their image. It is therefore advisable for companies to take appropriate measures at an early stage to ensure that they comply with the requirements of the law.

Sanctions for violations

There are various sanctions that a company can face if it violates the Whistleblower Protection Act. For example, fines may be imposed if the company has not established and/or does not operate an adequate internal or external whistleblowing office. Violations of whistleblower protection can also lead to penalties. Companies that do not take appropriate measures to prevent breaches may also be sanctioned.

Follow-up measures for violations

Companies that violate the Whistleblower Protection Act for SMEs must take appropriate follow-up measures. This includes, for example, that the company investigates the incident and takes appropriate measures to stop the conduct or abuse. Appropriate handling of a case is also required if a tip-off was made anonymously. Taking steps to avoid a similar incident in the future is also part of the follow-up action to be taken. Furthermore, the company must inform the whistleblower about the receipt of his report and its processing, progress and the follow-up measures taken or the submission to external reporting bodies. The Whistleblower Protection Act can result in severe penalties for companies that violate applicable regulations. Therefore, companies should now immediately address the requirements of the Act.

Advantages of the Whistleblower Protection Act for SMEs

The Whistleblower Protection Act offers numerous advantages for companies, including SMEs. By providing whistleblowers with better protection in the future and enabling them to uncover violations of legal provisions, the implementation of the Act contributes to improved corporate governance and compliance management. The law also promotes transparency in companies and can thus strengthen the trust of customers, investors and other business partners. An open and responsible corporate culture can also help to retain employees in the long term and attract talent. The Whistleblower Protection Act is an important step for SMEs towards responsible corporate governance and a transparent, more sustainable economy. The law can also be a valuable tool for preventing reputational risks. By responding to breaches of laws and internal policies and taking appropriate action, companies can protect their reputation and avoid long-term damage. Ultimately, the Whistleblower Protection Act supports SMEs and also the strengthening of ethical standards. Companies that comply with legal provisions and other guidelines can make a positive contribution to a sustainable and responsible economy.

Implementation of the Whistleblower Protection Act - what to do now?

In order to effectively implement the Whistleblower Protection Act for SMEs, companies need to take several steps. First, they should familiarise themselves with the requirements and obligations of the Act and ensure that all employees are informed about it and that they provide employees with an easy and accessible way to report possible violations. It is now critical to establish clear and legally compliant reporting channels for potential violations and to ensure that reports are protected from unauthorised access. To ensure that reported breaches are handled appropriately, companies should also implement processes and procedures for investigation, documentation and reporting, as well as comply with data protection.

Examples of measures:

  • Establish a reporting office
  • Ensure anonymity and protection for whistleblowers.
  • Develop guidelines and procedures for checking and processing reports, including the definition of fixed standards (keyword: check scheme for validity check, role assignments, deadline and documentation management).
  • Safeguarding against possible future labour court proceedings by means of clear documentation.
  • Safeguarding against retaliation
  • Regular training of employees (incl. documentation) By implementing the Whistleblower Protection Act (HinSchG), companies can benefit from better compliance and reputation, which can help to strengthen the trust of customers and business partners.


The Whistleblower Protection Act for SMEs came into force in July 2023 and has far-reaching implications for German companies. Failure to implement or properly operate a whistleblowing office can result in severe fines and sanctions. The introduction of reporting offices and channels also ensures that breaches of ethics and compliance guidelines can be detected and corrected, which in turn can lead to improved corporate governance and transparency. Companies should therefore take the implementation of the Whistleblower Protection Act seriously and ensure that all employees are informed about compliance and that responsible whistleblower operators are trained. By implementing the law, SMEs can also reap its benefits and strengthen their position as responsible and ethical economic actors.


Please also read the following of our blog posts and our further overview article on the topic.

**Q: What does the Whistleblower Protection Act mean for SMEs? A: The Whistleblower Protection Act (HinSchG)is a law specifically designed for small and medium-sized enterprises. It is designed to protect whistleblowers and make it easier to report wrongdoing in companies.

**Q: What impact does the Whistleblower Protection Act have on German small and medium-sized enterprises? A: The Whistleblower Protection Act sets out certain obligations and responsibilities for German companies. They must establish appropriate reporting points to receive reports of possible violations and ensure that whistleblowers are protected and remain as anonymous as possible.

**Q: When does the Whistleblower Protection Act for SMEs come into force? A: The Whistleblower Protection Act comes into force on 2 July 2023.

**Q: What are the penalties for violations of the Whistleblower Protection Act? A: Companies may be subject to fines and other sanctions of up to €50,000 for violations of the Whistleblower Protection Act. In addition, in case of doubt, the management is personally liable to the company for damages incurred by the company if it is clear that the management knew about the non-implementation of the requirements of the Act. It is therefore important to take appropriate measures to investigate and remedy reported violations.

**Q: What are the benefits of the Whistleblower Protection Act? A: The Whistleblower Protection Act offers numerous benefits to companies, including improved corporate governance, increased transparency and strong ethical standards.

**Q: How can SMEs implement the Whistleblower Protection Act? A: Mid-sized companies should take appropriate measures to implement the Whistleblower Protection Act. This includes setting up an internal reporting office, training employees and implementing protective measures for whistleblowers.

**Q: What is the legal basis and framework for the Whistleblower Protection Act for SMEs? A: The Whistleblower Protection Act is based on various legal foundations and guidelines. It was also examined and supported by the Federal Council as part of the legislative process.


The Whistleblower Protection Act has a profound impact on the world of work in Germany, especially for SMEs. It brings with it new responsibilities for companies, but also more security and protection for those who wish to point out wrongdoing. With clear guidelines and sanctions, the law helps to promote a transparent and ethical corporate culture. It remains to be seen how the law will prove itself in practice and whether future adjustments will be necessary to ensure the best possible protection for whistleblowers and companies. Always also be aware that these services can also be strengthened by consulting and considerable relief can be provided by third parties taking over the statutory requirements in the form of whistleblowing.