Update: The Whistleblower Protection Act came into force on 25.02.2023 - What companies must now observe and implement

03/02/2023

Author

Stefan Adametz

Partner

The Whistleblower Protection Act (HSchG), which implemented the European Union's Whistleblower Directive in Austria, is now in force. Fast action is required:

  1. The first step: clarify whether the scope of application of the HSchG is fulfilled. For example, companies as well as legal entities of the public sector with more than 50 employees are obliged to set up internal whistleblowing systems. The HSchG may also apply below this threshold if companies operate in certain sensitive areas (e.g. financial services).
  2. The second step: check the deadlines. Under the statutory deadlines, large companies with more than 250 employees must implement the relevant measures by August 25, 2023. Companies with 50 to 250 employees must implement the requirements by December 17, 2023 at the latest.
  3. It must also be determined which reporting system is most suitable for the specific company. It must be decided whether an internal or external reporting system should be implemented or whether a corporate approach should be implemented at all. The appropriate technological options should also be evaluated (e.g., setting up a physical "mailbox" or using technical/electronic "tools"/software solutions); thus, in the private sector, the company can decide whether to use a written or an oral reporting system (or both). Although the technology to be used and the means of communication with potential whistleblowers are not specified, it is important to ensure that the confidentiality of the identity of the whistleblowers and of third parties mentioned in the report is maintained and that the legal requirements for the reporting channel/reporting office are met.
  4. Likewise, companies must decide on the scope for the reports, in particular whether they want to allow reports that go beyond the legal scope (e.g. public procurement, consumer protection, product safety, environmental and animal protection, traffic safety, prevention of money laundering and corruption). It is advisable for companies not to "cling" rigidly to the legislator's list, but to expand the scope so that the reporting office also checks and processes reports on violations from areas other than those specified by law.
  5. The creation and concretisation of internal specifications and guidelines must not be forgotten: For example, it must be clarified which organizational units are to be in charge of the reporting system, which internal and external experts are to be involved, who has to process the reports and who has to check whether a report can be processed and followed up or put on hold. Likewise, specifications should be made for a standardized procedure and a legally compliant process (e.g. ensuring compliance with the 7-day confirmation period or the 3-month information period). Since there is no obligation to receive and follow up anonymous reports, it must be clarified how anonymous reports are to be handled organizationally.
  6. All employees must be informed in an easily accessible and comprehensible manner about the internal and/or external reporting channel, the reporting system and the reporting processes; this is most easily done via emails/newsletters, intranet postings and/or training.
  7. Precautions must also be taken under labor law and data protection law (for example, it must be clarified whether it is necessary to conclude a company agreement or whether certain data protection regulations must be adapted or adopted).
  8. The internal reporting offices have to be provided with the necessary financial and human resources to perform their duties.
  9. Even if the implementation deadlines are generous, the planning and establishment of internal reporting channels/reporting offices should not be postponed for too long. On the contrary: The steps to implement the HSchG should be taken promptly to ensure that the legal requirements and organizational/technical processes are implemented in time and in compliance with the law.
