On November 11, 2022, Greece formally implemented Law No. 4990/2022, a legislative instrument that aligns national law with Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law. This development marks a significant shift in Greece’s legal and institutional treatment of whistleblowers, introducing procedural safeguards, organisational obligations, and administrative sanctions in a domain that was previously fragmented and underregulated.
This article examines the scope, mechanisms, and implications of the new law, highlighting both its alignment with EU standards and the emerging tensions in its application, particularly in light of recent high-profile cases. It also considers the practical challenges organisations face in operationalising the law’s requirements and explores the broader socio-political implications for whistleblower protection in Greece.
Expanding the circle of protection and creating a Three-Tiered reporting model
One of the most progressive elements of Law 4990/2022 is the breadth of its scope. Protection is extended not only to current employees but also to self-employed workers, job applicants, former employees, volunteers, interns, contractors, shareholders, and members of governance bodies. This expansive reach reflects a growing recognition within EU law that access to reportable wrongdoing often exists beyond traditional employment relationships.
The material scope is equally comprehensive, covering breaches of EU law in areas including public procurement, financial services, money laundering prevention, transport safety, environmental protection, consumer rights, data privacy, and public health. The inclusion of national law breaches in specific sectors provides a crucial link between European standards and domestic enforcement realities.
The law mandates a tiered whistleblowing mechanism: internal, external, and public disclosure.
Internal reporting is strongly encouraged and legally prioritised, particularly for private sector entities with 50 or more employees. These organisations are required to establish secure, accessible, and confidential internal reporting channels. They must also appoint a Report Receipt and Follow-Up Officer (RFUO), ensure data protection compliance, and provide clear procedural information to employees and stakeholders.
External reporting is facilitated through the National Transparency Authority (NTA), which receives and investigates reports when internal procedures fail or when the whistleblower reasonably fears retaliation. Public disclosure — such as through the press or social media — is permitted only under exceptional conditions, such as when an imminent risk to the public interest is present, or when internal/external mechanisms prove ineffective.
Between legal text and technological practice
A critical component of the law is the obligation to preserve the confidentiality of both the whistleblower and any third parties mentioned in a report. This obligation intersects directly with GDPR requirements and raises practical questions about IT infrastructure, data access rights, and secure communication protocols.
In theory, the law mandates robust safeguards. In practice, organisations face difficulties in implementing secure whistleblowing channels that comply with both confidentiality and data minimisation principles. The effective anonymisation of reports, the role-based control of case data, and the secure retention of evidence are areas requiring further regulatory guidance and capacity-building.
Anti-retaliation and remedies
Law 4990/2022 prohibits retaliation in all its forms — from dismissal and demotion to threats, blacklisting, or reputational damage. It also allows whistleblowers access to legal remedies, including reinstatement, compensation, and injunctive relief. Notably, whistleblowers are also eligible for psychological support and free legal aid under certain conditions.
However, the challenge lies in enforcement. Greek labour courts have only recently begun to see cases involving whistleblowers, and there is still no established jurisprudence on the reversal of the burden of proof — a key element of the Directive. Moreover, the informal cultural perception of whistleblowing as disloyal behaviour may discourage victims from invoking these protections in the first place.
Sanctions and gaps in enforcement
Entities that fail to comply with the law’s obligations — such as failing to establish internal channels, retaliating against whistleblowers, or breaching confidentiality — are subject to administrative fines. In cases of severe violations committed on behalf of a legal entity, the law allows for sanctions of up to €500,000.
Yet, as of early 2025, key secondary legislation — especially the ministerial decisions needed to define and operationalise these fines — remains pending. This legislative delay undermines the law’s deterrent power and creates uncertainty for both companies and regulators.
When the law meets reality: case studies from Greece
Legal frameworks are only as effective as their enforcement and public reception. While Law 4990/2022 provides strong theoretical protections for whistleblowers, its impact depends on how real-world cases are handled, both in courts and in broader institutional settings. Two notable incidents in Greece—the Novartis bribery scandal and the Pylos migrant shipwreck—highlight the complex intersection of law, power, and accountability in whistleblower cases.
Novartis Greece Bribery Case:
The Novartis case stands as one of the most prominent corruption scandals involving Greece in recent decades. Whistleblowers revealed that the Swiss pharmaceutical giant had engaged in widespread bribery of Greek officials, including doctors and politicians, to boost sales of its products in public hospitals. The resulting investigations by U.S. and Greek authorities led to over $300 million in fines imposed by the U.S. Department of Justice and the Securities and Exchange Commission.
While the financial penalties and international scrutiny demonstrated the global implications of whistleblowing, the treatment of the whistleblowers in Greece exposed critical shortcomings in protection. Despite contributing to one of the most significant anti-corruption cases in Europe, these individuals faced public vilification, intense media scrutiny, and repeated attempts to unmask their identities. The situation escalated to the point that the Greek state had to assign bodyguards to protect both the whistleblowers and their lawyers.
From a legal perspective, the Novartis case raises crucial questions: How effectively can whistleblower protections be enforced when the individuals involved are challenging powerful corporate and political interests? Does existing Greek legislation adequately shield whistleblowers from reputational and physical harm? And more broadly, can confidentiality and anti-retaliation provisions hold up when public and media attention reach international dimensions?
2023 Pylos Migrant Shipwreck
In June 2023, a fishing boat carrying hundreds of migrants sank off the coast of Pylos, in what became one of the deadliest migrant shipwrecks in the Mediterranean. Survivor accounts and reports from NGOs alleged that the Greek Coast Guard failed to respond adequately to distress calls and may have contributed to the capsizing during an attempted tow.
The Greek Ombudsman launched an independent investigation and concluded that eight senior officers had likely failed to act in their duties. However, the government dismissed the Ombudsman’s findings, and no disciplinary or criminal proceedings followed. The response drew international criticism and demands for further inquiry, but institutional accountability remained elusive.
Although the case did not involve a traditional whistleblower in the legal sense, it illustrates the systemic obstacles that potential insiders may face if they choose to report misconduct by state agencies. It also shows the difficulty of enforcing whistleblower protections in hierarchical, opaque organisations like military or coast guard units, even under the new legal regime.
The Pylos incident also exposes the cultural and institutional resistance that may arise when allegations threaten national narratives or core state functions. For the law to function effectively in such contexts, whistleblower systems must extend beyond procedural compliance and foster a culture of ethical responsibility and institutional courage.
Comparative Reflections
Both cases underscore the critical distinction between formal legal rights and actual protection. In theory, Law 4990/2022 guarantees anonymity, prohibits retaliation, and imposes penalties for non-compliance. In practice, those who speak out may still face significant risks, not only from the individuals or entities they report, but also from political, media, or societal backlash.
Moreover, these incidents reveal the limitations of existing enforcement mechanisms. Where high-level political interests are involved, or where the state itself is implicated, administrative fines or procedural safeguards may prove insufficient. Strengthening whistleblower protection in Greece thus requires not only legal reform but institutional independence, judicial capacity, and a broader public commitment to transparency and the rule of law.
Cultural and organisational barriers to compliance
.webp?width=850&height=408&name=image%20139%20(1).webp)
Despite the law’s ambitious design, compliance remains uneven. In many Greek organisations, especially SMEs, whistleblowing systems are either absent or underdeveloped. Organisational leadership may lack familiarity with the law or the tools needed to implement it. Moreover, cultural taboos around reporting misconduct persist — often reinforced by hierarchical management styles and scepticism toward “anonymous” complaints.
Without proactive training, awareness campaigns, and model procedures issued by regulators or professional bodies, legal compliance risks are reduced to a formal check-the-box exercise.
Greece has taken a commendable step by adopting Law 4990/2022. It brings the country in line with European standards, defines a clear framework for reporting misconduct, and establishes both protection and sanction mechanisms. Yet, the true measure of success will lie in implementation: not just in the presence of hotlines or platforms, but in the trust they inspire and the institutional behaviour they reshape.
As we argued in our previous article, legal transposition is only the first step. Now the focus must shift to making the law operational through enforcement, training, judicial interpretation, and above all, a cultural reimagining of the whistleblower as a public interest ally rather than a workplace threat.