New whistleblowing rules in Norway – what's next?

by Jeppe Songe-Møller, Sondre A. Aaserud, Jørgen N. Hustad and Elisabeth D. Sandøy


Silhouette of a man walking
The EU's Whistleblowing Directive came into force in October 2019 with a two-year window for Member States to update their national legislation. The purpose of the directive is to provide common minimum standards of protection across the EU to whistleblowers to ensure that they are adequately protected. Although the EU directive is not formally binding in Norway, harmonization speaks in favour of following the EU's principles. The Norwegian Ministry of Justice submitted a public consultation report on 17 June 2022. The deadline for consultation responses was 16 September 2022 and the Norwegian Data Protection Authority ("NDPA") has raised concerns in its consultation response. In this article, we provide a brief overview of how Norwegian companies might be affected if the directive is implemented in Norway.

The Ministry's report proposes to establish new law to protect whistleblowers who report breaches in addition to the already existing whistleblowing provisions as set out in the Norwegian Working Environment Act ("NWEA"). The proposed new law seeks to meet the minimum standards of the EU directive, which is highly prescriptive in certain areas and goes beyond what is currently required under the NWEA.

Extended categories of persons may be given status as whistleblowers

Under the NWEA, employees have the right to notify censurable conditions at the employer's undertaking. Whereas article 4 of the EU directive expands the categories of persons who may be given status as whistleblowers, to include self-employed persons, shareholders, trainees, job applicants, former employees, and suppliers, provided they have acquired the relevant information in a work-related situation.

Extended categories of persons may be granted protection against retaliation

In addition to the whistleblower, a number of other persons connected to the whistleblower may be granted protection from retaliation if the EU directive is implemented, e.g., persons who could suffer retaliation in a work-related context, such as colleagues or relatives of the whistleblowers, as well as legal entities that the whistleblowers own, work for or are otherwise connected to in a work-related context.

Obligation to establish internal reporting channels and strict rules on follow-up

The EU directive requires legal entities in the private sector with more than 50 employees to establish channels  and procedures for internal reporting and follow-up. It will thus no longer be sufficient for employers to only have procedures in place pertaining to the handling of whistleblowing notices, as currently prescribed by the NWEA.

According to article 8 of the EU directive, legal entities in the private sector with between 50 and 249 employees may share resources regarding whistleblowing reports and any investigations to be conducted. There are also prescriptive rules pertaining to follow-up, e.g., employers must acknowledge receipt of whistleblowing reports within seven days. Furthermore, employers are obliged to provide feedback to whistleblowers within three months from the acknowledgement of receipt, or, if no acknowledgment was sent to the whistleblowers, three months from the expiry of the seven-day period after the reports were made.


One of the essential provisions of the EU directive is that a whistleblower's identity must be treated as confidential. Exceptions may apply when it is proportionate and necessary to safeguard the rights or defense of affected persons. The rationale behind this provision is that the protection of the whistleblower's identity is considered essential to prevent reprisals. The NDPA is in favor of implementing this provision given that the existing employment and privacy rules in Norway are unclear and cause unnecessary conflicts. Furthermore, the NDPA proposes to make an exception for cases where a whistleblower consents to his/her identity being disclosed or if the use of the information is necessary as part of further investigations.

External reporting channel

It follows from article 11 of the EU directive that all companies must establish an external and independent whistleblowing reporting channel. Both the NDPA and the Norwegian Labor and Welfare Authority have been touted as potential relevant supervisory authorities. However, in its consultation response, the NDPA does not support the proposal as regards establishing a centralized external reporting channel under which the relevant supervisory authority has a coordination function. In any case, the NDPA stresses that it is not the natural supervisory authority for such notifications as opposed to the Labor and Welfare Authority. The NDPA is especially concerned that it would not have the capacity to process whistleblower reports within the deadlines prescribed by the EU directive.

The right to compensation

The EU directive states that Member States must take necessary measures to ensure that all persons mentioned in article 4 have access to legal remedies and full compensation for damages "in accordance with national law".

It already follows from Norwegian law that an employee can claim compensation if the prohibition of retaliation is violated. It is proposed that the right to compensation and restitution is governed by one single provision, designed in accordance with the NWEA framework.


Both the NDPA and the Norwegian Labor and Welfare Authority acknowledge that the current legislation on whistleblowing in Norway is unclear. The NDPA is especially concerned about the lack of clear data protection and privacy regulations in whistleblowing cases.

Norwegian companies should expect detailed requirements concerning whistleblowing. It may be mandatory to implement an external whistleblowing reporting channel. There may also be stricter requirements as regards the internal whistleblowing reporting channel. Thus, companies should evaluate its internal procedures for handling whistleblowing cases and be prepared to take action within short timeframes. In addition, Norwegian companies must be able to keep a whistleblower's identity confidential and ensure that personal data is shared in compliance with the GDPR's requirements.

Do you have any questions?