Legal framework
The protection of persons reporting breaches in Bulgaria is governed by the Whistleblowing Protection Act, promulgated in the State Gazette, issue 11 of 02.02.2023, in force as of 4 May 2023. The Act transposes into Bulgarian law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
The competent national authority under the Act and the central external reporting channel is the Commission for Personal Data Protection (CPDP). The CPDP receives external reports, maintains statistics, issues methodological guidelines and supervises the obligated employers.
The Act introduces not only the obligation for certain employers to provide an internal reporting channel, but also a comprehensive regime for the protection of reporting persons against retaliation, with reverse burden of proof in their favour.
Obligated employers (Art. 12)
The scope of obligated persons under the Whistleblowing Protection Act is broad and covers both the public and the private sector. The decisive criteria are the number of workers and employees and/or whether the employer belongs to a regulated sector.
| Category | Scope |
|---|---|
| Public sector | Regardless of the number of employees (with limited exceptions for small municipalities) |
| Private sector | 50 or more workers/employees |
| Financial services, AML, transport, environment | Regardless of the number (specific sectors under the Annex to the Act) |
Implementation deadlines
- Employers with 250 or more employees and the public sector — the obligation has applied since 4 May 2023.
- Employers with 50 to 249 employees — the obligation has applied since 17 December 2023.
Employers with fewer than 50 employees are in principle not required to establish an internal channel, unless they operate in a regulated sector (for example payment institutions, investment firms, licensed carriers, etc.), in which case the obligation applies regardless of headcount.
Internal reporting channel requirements (Art. 12–14)
The internal reporting channel must meet a number of procedural and organisational requirements to ensure protection of both the reporting person and the persons concerned.
Designated officer under Art. 14
- The employer designates one or more employees responsible for the handling of reports.
- The officer must be independent and free of any conflict of interest with the persons or activities concerned by the report.
- The officer must undergo training for the performance of their functions.
- The officer is bound by confidentiality as regards the identity of the reporting person and the content of the report.
- The function may also be outsourced to an external provider (e.g. a law firm or specialised compliance provider), provided that the statutory requirements are observed.
Forms of reporting
The channel must allow reports to be submitted in the following forms:
- In writing — on paper or electronically (e-mail, web platform);
- Orally — by telephone, voicemail or other voice-messaging systems;
- Through a physical meeting — at the request of the reporting person, within a reasonable time.
The employer must ensure, by technical and organisational means, the confidentiality of the identity of the reporting person as well as of any third parties mentioned in the report. An internal register of reports with restricted access must be maintained, recording the reports received, the actions taken and the status of handling.
Key deadlines
- 7 days — deadline for sending an acknowledgement of receipt to the reporting person;
- 3 months (maximum) — deadline for providing feedback on the actions taken or envisaged as follow-up to the report.
These deadlines are mandatory and non-compliance may result in sanctions from the CPDP.
Mandatory internal rules
Each obligated employer must adopt written internal rules on the procedure for submitting and handling reports, and bring them to the attention of all workers and employees. The internal rules must cover at a minimum:
- Description of the channel and the procedures for submitting a report (written, oral, physical meeting);
- The designated officer (or unit) responsible for handling reports and the means of contact;
- The deadlines for acknowledgement (7 days) and feedback (up to 3 months);
- The measures for ensuring confidentiality of the identity of the reporting person and of third parties;
- The procedure for examining the report, hearing the persons concerned and documenting the follow-up;
- The prohibition of retaliation and the mechanisms for the protection of the reporting person;
- The options for submitting a report to the external channel at the CPDP or to a competent authority.
The adoption and maintenance of these rules is subject to inspection by the CPDP during supervisory actions. We recommend that employers align the internal rules with their other GDPR and labour discipline policies in order to avoid conflicts in the processing of personal data of reporting persons and persons concerned.
Material scope — which breaches can be reported
Pursuant to Art. 3 of the Act, the law covers reports of breaches of Bulgarian legislation or EU acts in a number of regulated areas. The scope is significantly wider than an ordinary labour dispute and in particular includes:
- Public procurement;
- Financial services, products and markets, prevention of money laundering and terrorist financing (AML/CFT);
- Product safety and compliance;
- Transport safety;
- Protection of the environment;
- Nuclear safety and radiation protection;
- Food and feed safety, animal health and welfare;
- Public health;
- Consumer protection;
- Protection of privacy and personal data (GDPR) and security of network and information systems;
- Financial interests of the European Union (EU funds fraud);
- Internal market rules — competition and State aid;
- Corporate taxation and breaches relating to corporate tax rules;
- Labour legislation, health and safety at work;
- Bribery, corruption and criminal offences.
Reports may relate both to breaches that have already occurred and to breaches that are reasonably suspected to be about to occur, as well as to attempts to conceal breaches.
Protected persons (Art. 5)
The circle of persons who benefit from protection under the Act is significantly wider than ordinary labour protection. The protection covers:
- Workers and employees under an employment relationship;
- Civil servants and persons holding public office;
- Self-employed persons and persons exercising liberal professions;
- Shareholders, partners and members of management, supervisory and control bodies of legal entities;
- Volunteers and trainees, regardless of remuneration;
- Contractors, subcontractors and suppliers under contractual relationships;
- Job applicants, where the breaches are learned during recruitment or other pre-contractual relations;
- Former employees, where the breaches are learned during an already terminated relationship;
- Persons who assist the reporting person in submitting the report (so-called facilitators);
- Third parties connected to the reporting person — colleagues, relatives — who might suffer retaliation;
- Legal entities in which the reporting person has a participation, works or acts as a representative.
To benefit from the protection, the reporting person must have had reasonable grounds to believe that the information submitted is true at the time of reporting and falls within the material scope of the Act. Reports made in bad faith or maliciously are not covered by the protection.
Protection measures (Art. 33) — prohibition of retaliation
The essential core of the Act is the prohibition of retaliation against the reporting person. Under Art. 33 of the Act, neither the employer nor any connected person may apply any of the following measures to the reporting person:
- Suspension, dismissal or removal from office;
- Demotion or refusal of promotion;
- Transfer to another position or workplace, change of functions or working time;
- Reduction of remuneration or change in working conditions;
- Negative performance appraisal or negative references;
- Disciplinary measures, including disciplinary dismissal;
- Coercion, intimidation, threats, harassment and discrimination;
- Refusal of training, retraining or professional development;
- Blacklisting in the sector or industry;
- Early termination or refusal to renew a fixed-term contract;
- Actions leading to reputational damage, including on social media;
- Refusal to issue, withdrawal or revocation of a licence or permit.
Reverse burden of proof
In proceedings for damages brought by a reporting person, the Act introduces a presumption that the damage suffered is a consequence of the reporting. The burden of proof shifts to the defendant (the employer), who must show that the detrimental measure was taken for reasons unrelated to the reporting and objectively justified.
Special protection against dismissal
A dismissal carried out because of a report is null and void by operation of law. The reporting person may challenge the dismissal under a special procedure, including under the Labour Code rules on unlawful dismissal, with the possibility of reinstatement and compensation. The reverse burden of proof applies in those proceedings as well.
External channel — Commission for Personal Data Protection
Alongside the employer's internal channel, the Act also provides for an external channel for submitting reports. The central external authority is the Commission for Personal Data Protection (CPDP), which performs the following functions:
- Receives reports of breaches within the scope of the Act from any protected person;
- Forwards reports to the competent national authorities (e.g. the National Revenue Agency, the Public Financial Inspection Agency, the State Agency for National Security, sector regulators) according to the subject-matter of the breach;
- Provides feedback to the reporting person within 3 months, and in complex cases within 6 months;
- Maintains national statistics on reports;
- Issues methodological guidelines for obligated employers.
The reporting person may choose whether to submit a report first internally, directly to the external channel, or both. The Act does not require exhaustion of the internal channel before using the external one.
Sanctions
For failure to comply with the obligations under the Act, the CPDP may impose administrative penalties. The amounts below are indicative and presented in EUR equivalent (following Bulgaria's adoption of the euro as of 1 January 2026):
| Infringement | Sanction |
|---|---|
| Failure to establish an internal channel — legal entities and sole traders | EUR ~2,556 – 10,225 |
| Failure to establish an internal channel — natural persons | EUR ~511 – 2,556 |
| Retaliation against a reporting person | Higher fines (case-by-case assessment) |
| Breach of confidentiality of identity | Specific fines depending on severity |
| Repeat infringements | Double the amount |
In addition to administrative sanctions, the employer may incur civil liability for damages caused to the reporting person as a result of prohibited retaliation. In compensation proceedings the burden of proof rests with the employer.
Statistical reporting
Obligated employers submit an annual report to the CPDP summarising the number of reports received, the actions taken and the status of handling, without disclosing the identity of reporting persons or details of the content of reports that would compromise confidentiality.
Practical implementation steps
We recommend the following sequence for bringing the company into compliance with the Whistleblowing Protection Act:
- Assessment of the obligation — determine whether the company falls within the scope of the Act based on the number of employees and/or the sector of activity.
- Choice of channel technology — select a suitable format (dedicated web platform, secure e-mail, telephone line, physical mailbox) or a combination thereof.
- Designation of a responsible officer — appoint an independent person or unit, free of conflicts of interest, and document their powers and duties.
- Drafting of internal rules — adopt written rules by decision of the management body and publish them internally.
- Training of the designated officer — provide specialised training on procedure, confidentiality and data protection.
- Informing workers and employees — communicate the channel, procedures and protective measures via internal communications, intranet or notice boards.
- Publication of the procedure — where a public website exists, publish a brief description of the channel and how to submit a report.
- Register of reports — implement a secure register with restricted access, compliant with GDPR requirements for data processing.
- Annual report to the CPDP — set up the process for preparing and submitting annual statistics.
For companies with complex structures (groups, foreign owners, holdings) we recommend coordination with any group whistleblowing policies and alignment with Bulgarian statutory requirements, which take precedence over internal group rules.
Need help implementing a whistleblowing system?
The Innovires team can assist with a full assessment of your obligation, drafting the internal rules, training the designated officer, setting up a secure register and liaising with the CPDP. Contact us for an initial consultation.