The classic trap
Article 14 targets the competent authorities themselves (OFRS, CSSF, CNPD, ITM, CAA, ILR), but its effect cascades directly onto private organisations. When an external authority reviews its procedures every three years, it also raises its expectations regarding the internal channels of organisations with 50 or more employees. The trap: an organisation that set up a system in 2023 and never reviewed it ends up, when an external report is filed, with an internal channel judged obsolete, unused or undocumented. The OFRS and sector authorities sanction the lack of traceability of follow-up and the failure to meet the deadlines for acknowledgement (7 days) and feedback (3 months).
What your internal system must prove at every review
The triennial review by the authorities creates a de facto standard that your internal channels must follow. Concretely, you must be able to demonstrate, at any time:
- That the acknowledgement of each report went out within 7 days, with a retained timestamp.
- That reasoned feedback to the whistleblower was provided within the legal 3-month deadline.
- That the confidentiality of the whistleblower's identity was technically preserved at every step.
- That the internal channel remains accessible, tested and documented, not a forgotten intranet form.
- That protection measures against retaliation were activated where necessary.
- That your procedure has been reviewed periodically, mirroring the authorities' review, with a dated record of each revision.
How Luxgap automates this risk
Our Luxgap Whistleblowing Lifecycle Tracker makes it impossible to silently miss legal deadlines and turns every report into a file that stands up before the OFRS. The tool orchestrates the full lifecycle of a report, from encrypted intake to feedback, monitoring the 7-day and 3-month deadlines in real time, and integrating with your M365 mailbox, your Odoo workflows and your Teams channels without exposing the whistleblower's identity.
- Automatically starts the legal countdown as soon as a report enters the internal channel, and alerts the officer before each 7-day and 3-month deadline.
- Encrypts and compartmentalises the whistleblower's identity, with restricted and logged access, compliant with the law of 16 May 2023.
- Automatically generates acknowledgement and reasoned feedback templates, timestamped and archived.
- Produces an immutable audit log of each follow-up action, enforceable before the OFRS, CSSF or CNPD during an inspection.
- Schedules and documents the periodic review of your internal procedure, mirroring the triennial cycle of the competent authorities.
- Calculates a maturity score for your system and flags gaps before they become a compliance failure.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a personalised quote and our teams will prepare a demonstration on your real system, with a free blank audit within 48h to measure your exposure before any commitment.