The classic trap
Article 10 enshrines a principle many organisations refuse to accept: the whistleblower may go directly to the external authority (the OFRS in Luxembourg, or the CSSF, CNPD, ITM, CAA, ILR depending on the field), without using the internal channel first. The classic trap is companies that build a deterrent, slow or intimidating internal system, betting the employee will never dare contact the regulator. The opposite happens: a defective internal channel mechanically pushes reports towards the external route, and both the OFRS and the CSSF then sanction the absence of internal follow-up, retaliation and obstruction of reporting.
Why a credible internal channel remains your best defence
Article 10 does not force you to require employees to report internally first. But it gives you a window: if your internal channel is fast, confidential and free of retaliation, the directive encourages reporting persons to use it as a priority. Here is what triggers a switch to the OFRS or CSSF:
- Acknowledgement of receipt exceeding the 7 days required by the directive.
- No reasoned feedback within the 3 months following the internal report.
- Reporting person's identity left unprotected or disclosed to the relevant hierarchy.
- Retaliation measures (transfer, sanction, non-renewal, sidelining) following the report.
- No dedicated person or service for follow-up, or one in a conflict of interest with the reported facts.
At the first of these signals, the employee goes straight to the external authority, which then opens a file documenting your internal failings.
How Luxgap automates this risk
Our Luxgap Whistleblower Flow Tracker makes it impossible to silently breach the legal deadlines that push your employees towards the OFRS. The tool plugs into your reporting channel (dedicated M365 mailbox, web form, phone line) and starts the clock on every alert from the moment it arrives, cross-referencing Microsoft 365, your helpdesk and your Active Directory to orchestrate end-to-end follow-up.
- Detects every new incoming report and automatically triggers the acknowledgement of receipt compliant with the 7-day deadline, timestamped and archived.
- Calculates in real time the countdown of the 3-month reasoned feedback period and alerts the case handler via Teams before any critical deadline.
- Isolates the reporting person's identity through encryption and logs every access, to demonstrate the confidentiality required by the law of 16 May 2023.
- Detects retaliation signals by correlating HR actions (transfer, sanction, contract termination) occurring after a report and alerts the compliance management.
- Produces a timestamped, sealed PDF report, enforceable before the OFRS or the CSSF during an inspection, demonstrating deadline compliance and the absence of obstruction.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real scope, with a free blind audit within 48h to measure your exposure before any commitment.