The classic trap
Article 2 defines the perimeter of protected breaches, and that is exactly where organisations get it wrong. Many believe the whistleblowing system only covers corruption or financial fraud, whereas the material scope covers ten very broad areas: public procurement, financial services and money laundering, product safety, environment, data protection and network security, corporate taxation, competition, and more. In Luxembourg, the law even extended this perimeter to national law, making the scope even wider. The OFRS and sectoral authorities (CSSF, CNPD, ITM, CAA, ILR) sanction any company that closes a report on the mistaken ground that it falls outside scope, which constitutes an indirect retaliation measure punishable by criminal fines.
The material scope qualification traps
- Rejecting a GDPR or cybersecurity report thinking it only concerns the CNPD: point (x) of Article 2 explicitly covers data protection and security of network and information systems.
- Ignoring tax alerts relating to corporate income tax or optimisation arrangements contrary to the purpose of the law, yet explicitly targeted in point (c).
- Confusing EU material scope with the extended national scope: the Luxembourg law of 16 May 2023 goes beyond the ten areas of the directive.
- Failing to train report handlers on the qualification grid, producing unmotivated and challengeable refusals to process.
- Omitting to document the qualification decision, while the burden of proving the absence of retaliation lies with the employer.
How Luxgap automates this risk
Our Luxgap Whistleblower Scope Classifier makes the wrongful rejection of a protected report impossible by automatically qualifying each alert against the ten areas of Article 2 and the extended Luxembourg national scope. A dedicated AI agent reads the content of the report from your internal channel (web form, dedicated mailbox, M365 or Odoo Helpdesk integration) and links it within seconds to the relevant material category, citing the EU legal basis and the law of 16 May 2023.
- Classifies each incoming report according to the ten areas of Article 2 (public procurement, money laundering, GDPR, corporate taxation, competition) and the extended Luxembourg national scope.
- Detects alerts falling under a specific sectoral authority and automatically routes them to OFRS, CSSF, CNPD, ITM, CAA or ILR depending on the matter.
- Generates a motivated, timestamped qualification record that justifies handling or transmission and prevents any accusation of indirect retaliation.
- Alerts the handler in real time via Teams or Slack as soon as a report enters the protected perimeter, with the applicable legal response deadline.
- Produces a cryptographically sealed PDF report, enforceable before the OFRS and sectoral authorities during an inspection, demonstrating compliant handling of each alert.
Disponible as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your perimeter. Request a personalised quote and our teams will prepare a demonstration on your real reporting channels, with a free blind audit within 48h to measure your exposure before any commitment.