Whistleblower reports about NIS 2 failures
EU Directive 2019/1937 protects reports of network and information security breaches. The German Hinweisgeberschutzgesetz (HinSchG) is the national transposition. This page describes the framework; it is not legal advice for a specific case.
What this page is
Whistleblowing is a separate legal track from NIS 2 incident reporting. An employee, contractor, or job applicant who reports a NIS 2 compliance failure is protected by EU Directive 2019/1937. The Directive lists network and information security explicitly in its Annex Part I.B as a protected reporting area.
In Germany the Hinweisgeberschutzgesetz (HinSchG, in force since 2 July 2023) transposes the Directive. The Bundesamt fuer Justiz hosts the central external channel. Entities with 50 or more employees are required to maintain an internal reporting channel under Section 12 HinSchG.
A whistleblower disclosure to an external authority does not replace the entity's own incident notification under Article 23 NIS 2 (Section 32 BSIG in Germany). Both duties can be triggered by the same event and both run on their own clocks.
EU Directive 2019/1937, Annex Part I.B
Network and information systems security, as defined in Article 4, point (1), of Directive (EU) 2016/1148 of the European Parliament and of the Council.
The Annex enumerates the policy areas in which a report is protected. Network and information security sits in Part I.B alongside transport safety and environmental protection. NIS 2 (Directive 2022/2555) replaces Directive 2016/1148, so reports about NIS 2 compliance failures fall inside this scope.
EU Directive 2019/1937, Article 4 (personal scope)
This Directive shall apply to reporting persons working in the private or public sector who acquired information on breaches in a work-related context.
Personal scope covers employees, the self-employed, shareholders, members of administrative bodies, volunteers, paid or unpaid trainees, contractors, subcontractors, and suppliers. Job applicants and former workers are also protected. Anonymous reports are allowed by HinSchG Section 16(1) but follow-up may be limited.
HinSchG Section 12 (internal reporting channels)
Employers with, as a rule, at least 50 employees are obliged to set up and operate an office to which employees can turn to submit reports under this Act.
The 50-employee threshold is headcount as a rule, not a precise daily figure. Entities below 50 employees may set up an internal channel voluntarily; entities at or above 50 must. The Bundesamt fuer Justiz operates the external channel.
What can be reported
HinSchG Section 2 lists the protected reporting subjects. Among them: breaches of EU law, including network and information security. A report about a NIS 2 obligation, for example failure to implement Article 21 measures or failure to file an incident notification under Article 23, is in scope.
Internal first, external in parallel
The internal channel is the reporting office under Section 12 HinSchG (50 or more employees). The external channels are those under Section 19 HinSchG: the Bundesamt fuer Justiz as the central external office, plus sector-specific authorities. The reporting person may choose either; recital 33 of the Directive expresses a preference for reporting internally first but does not make it a precondition.
Documentation duty
Section 11 HinSchG: reports are documented in a durable, retrievable form. Documentation is deleted three years after the procedure closes; longer retention is permitted where necessary for legal proceedings. Personal data follows GDPR principles.
Confidentiality of identity
Section 8 HinSchG: the identity of the reporting person, of persons named in the report, and of third parties mentioned is kept confidential. Disclosure is permitted only in narrow exceptions, for example a written request from a criminal prosecution authority. The case handlers must be independent and free of conflicts of interest.
Prohibition of reprisals
Section 36 HinSchG prohibits reprisals against the reporting person. This covers dismissal, demotion, withholding of training, negative performance evaluation, and similar measures. Section 36(2) reverses the burden of proof: if a person experiences a disadvantage after a report, the disadvantage is presumed to be a reprisal unless the employer proves otherwise.
BSI as sector authority
The Bundesamt fuer Sicherheit in der Informationstechnik (BSI) is the competent authority for NIS 2 supervision under Section 61 BSIG. A whistleblower report alleging that an entity fails to meet Article 21 measures or has not registered under Article 27 will typically end up at BSI through the external channel routing, even if it is first lodged with the Bundesamt fuer Justiz.
Bundesbeauftragte fuer den Datenschutz und die Informationsfreiheit
BfDI is the sector-specific external channel for federal data protection breaches. NIS 2 and GDPR overlap when an incident involves personal data. A whistleblower report can name both legal bases; the receiving authority routes the parts to the competent body.
Bundesamt fuer Justiz as central external channel
Bundesamt fuer Justiz operates the central external reporting office under Section 19 HinSchG. It is the default external address if no sector-specific channel applies, and it routes reports to the competent supervisor (BSI, BNetzA, BAFin, BfDI) when the subject matter sits there.
A whistleblower report to BSI replaces our Article 23 incident notification.
It does not. Article 23 NIS 2 and Section 32 BSIG put the duty to notify on the entity. A third-party report opens a separate supervisory file. The entity's own early warning, 24-hour and 72-hour notifications run independently.
We have 60 employees, but no one has ever reported anything, so we do not need a channel.
Section 12 HinSchG ties the duty to headcount, not to whether reports have been filed. Section 40 HinSchG attaches an administrative fine of up to 20,000 EUR for failure to operate an internal channel. For entities with 50 to 249 employees the fine has applied since 1 December 2023.
We can let go of the person who filed the report because performance has dropped.
Section 36 HinSchG presumes the measure is a reprisal once a report has been filed. The burden of proof is on the employer to show an unrelated, documented reason. Decisions about the reporting person taken after a report sit under heightened scrutiny.
Two clocks run in parallel after a report about a NIS 2 failure. Clock one is the HinSchG response timeline: acknowledgement of receipt within seven days under Section 17(1) no. 1, and feedback to the reporting person within three months under Section 17(1) no. 4. Clock two is whatever NIS 2 incident duty the substance of the report triggers; that is the entity's own Article 23 obligation, not the whistleblower's.
The cleanest pattern in mid-sized entities: one named case handler in compliance or HR, a second named deputy, a written intake form that captures the substance without forcing identity disclosure, and a written log that records every step with a timestamp. The log is the only evidence that exists later if a court asks how the report was handled.
Whistleblower reports are not part of the NIS 2 obligation register itself. They are a parallel governance duty under HinSchG, with their own channel, their own retention, and their own non-retaliation rule.
The obligation register answers the question of which NIS 2 measures the entity has implemented and how that is documented. The whistleblower channel answers the question of how the entity receives and processes reports about gaps in those measures. Both are independent records and both can be requested by a supervisor.
- Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law (OJ L 305, 26.11.2019, p. 17). Annex Part I.B and Article 4.
- Hinweisgeberschutzgesetz (HinSchG) of 31 May 2023, BGBl. 2023 I Nr. 140. Sections 2, 8, 11, 12, 16, 17, 19, 36, 40.
- Directive (EU) 2022/2555 (NIS 2) of 14 December 2022, Articles 21, 23, 27.
- BSI-Gesetz (BSIG), Sections 32, 33, 61, 65.
- Bundesamt fuer Justiz, external reporting office under Section 19 HinSchG.