EU frameworkGDPRNIS 2DORAAI ActWhistleblowing
Article 3

Relationship with other Union acts and national provisions

Directive on the protection of persons who report breaches of Union law · UE 2019/1937

Relationship with other Union acts and national provisions

1.   Where specific rules on the reporting of breaches are provided for in the sector-specific Union acts listed in Part II of the Annex, those rules shall apply. The provisions of this Directive shall be applicable to the extent that a matter is not mandatorily regulated in those sector-specific Union acts.

2.   This Directive shall not affect the responsibility of Member States to ensure national security or their power to protect their essential security interests. In particular, it shall not apply to reports of breaches of the procurement rules involving defence or security aspects unless they are covered by the relevant acts of the Union.

3.   This Directive shall not affect the application of Union or national law relating to any of the following:

(a)

the protection of classified information;

(b)

the protection of legal and medical professional privilege;

(c)

the secrecy of judicial deliberations;

(d)

rules on criminal procedure.

4.   This Directive shall not affect national rules on the exercise by workers of their rights to consult their representatives or trade unions, and on protection against any unjustified detrimental measure prompted by such consultations as well as on the autonomy of the social partners and their right to enter into collective agreements. This is without prejudice to the level of protection granted by this Directive.

Luxembourg specificity
loi luxembourgeoise du 16 mai 2023 relative a la protection des lanceurs d'alerte

In Luxembourg, the law of 16 May 2023 on the protection of whistleblowers transposes the Directive and confirms the precedence of sectoral regimes: specific reports remain governed by the CSSF (finance), the CNPD (data), the ITM (labour), the CAA (insurance) or the ILR (telecom), while the OFRS acts as the default cross-cutting external authority. An internal channel is mandatory from 50 employees (no threshold for public bodies), and mishandling a protected report exposes you to criminal fines of 1,250 to 25,000 EUR, doubled in case of recurrence, on top of civil compensation.

Luxgap practice: build a written matrix designating, for each type of report, the competent external authority (OFRS by default, CSSF/CNPD/ITM/CAA/ILR if sectoral), and keep it timestamped as proof of Article 3 articulation.