The law that changed in 2023 - and again in 2024
The Protected Disclosures (Amendment) Act 2022 transposed the EU Whistleblowing Directive into Irish law. Its requirements came into force in two phases: since January 2023, companies with 50 or more employees have been legally required to establish, maintain, and operate a formal internal reporting channel for protected disclosures. Since December 2023, this obligation extends to organisations of any size.
If you work in HR for an Irish organisation with 50 or more employees and you do not have a qualifying internal reporting channel, you are currently non-compliant with Irish law. Not technically borderline. Non-compliant.
The Protected Disclosures Act is not a HR best-practice recommendation. It is a legal obligation with enforcement mechanisms. The question is not whether to comply - it is whether you have done so yet.
What the Act actually requires
The language of the Act is specific. A qualifying internal reporting channel must satisfy all of the following:
- Accessibility. The channel must be accessible to all employees, contractors, and certain other categories of worker. A channel that is hard to find, requires login credentials that not everyone has, or is only communicated in an onboarding document from three years ago does not satisfy this requirement.
- Confidentiality. The identity of the reporting person must be protected. An HR email address does not satisfy this. Email is identifiable by sender, and employees know that. The confidentiality must be structural - not a promise in a policy document.
- Acknowledgement within 7 days. The organisation must acknowledge receipt of a disclosure within seven days of receiving it. This must be documented.
- Follow-up within 3 months. The organisation must provide feedback on action taken within three months of acknowledgement. This must also be documented.
- Designated person or department. A specific individual or team must be responsible for managing disclosures. This cannot be ad hoc.
- Audit trail. Records of all disclosures received and actions taken must be maintained securely.
Where most organisations fall short
In our conversations with HR Directors across Irish organisations, the same gaps appear repeatedly:
The suggestion box or HR email assumption. Many organisations assume that having an HR email address or a general feedback mechanism qualifies. It does not. Neither provides structural confidentiality, neither automatically generates an acknowledgement record, and neither maintains an audit trail of the kind the Act requires.
The annual survey assumption. An engagement survey is not an internal reporting channel under the Act. It does not provide confidentiality for disclosures, it does not operate continuously, and it was not designed to handle the categories of concern the Act covers.
The phone hotline that nobody uses. Some organisations have a whistleblowing hotline - typically a third-party phone service - that technically qualifies but generates almost zero usage in practice. A channel that employees do not use is compliant on paper. It is not doing the job the Act intends it to do.
The risk if a disclosure arrives and you have no qualifying channel
If an employee makes a protected disclosure - about financial misconduct, a safety issue, a regulatory breach, or any of the other categories covered by the Act - and your organisation has no documented internal channel, that employee has legal grounds to go directly to a prescribed regulator or external authority. The absence of a qualifying internal channel does not protect you. It removes a step in which the issue might have been resolved internally before becoming an external matter.
Central Bank regulated firms: an additional layer
For organisations in financial services and insurance - a significant part of Pulsavox's target market - the compliance picture is more complex. The Central Bank of Ireland's fitness and probity regime creates additional governance and culture obligations around how concerns are raised and managed within regulated firms. A culture in which employees cannot safely raise concerns about conduct is itself a regulatory concern, not just a HR problem.
If your organisation is regulated by the Central Bank, the adequacy of your internal reporting channel is not just a tick-box exercise for HR. It is something a regulator may examine in the context of your broader governance and culture framework.
What a qualifying channel actually looks like
A qualifying internal reporting channel needs to do five things well: be genuinely accessible to all employees, protect the identity of the person making the disclosure, generate and log an acknowledgement automatically, track follow-up within the required timeframe, and maintain a secure audit trail.
It also needs to be used. A channel that employees do not trust - because it routes through IT systems their employer controls, or because the anonymity is a policy promise rather than a structural fact - will not generate the disclosures it is supposed to capture. Compliance and effectiveness are not separate goals.
Pulsavox is built specifically to satisfy these requirements. It operates independently of your organisation's IT infrastructure - employees are not submitting disclosures into a system their employer owns or controls. Anonymity is structural, not promised. Acknowledgements are automated and logged. The dashboard maintains the audit trail the Act requires.
The Act sets a floor. An effective internal channel goes further - it is one employees actually trust enough to use.
What to do now
If you are not confident that your current setup satisfies the requirements above, the practical steps are straightforward: audit what you have against the specific requirements of the Act, identify the gaps, and put a qualifying channel in place. The legal exposure of non-compliance is not theoretical - it is the risk that a disclosure arrives, you have no qualifying channel, and the issue goes directly to an external authority that you now have no opportunity to address internally.
If you would like to talk through where your current setup sits against the Act's requirements, that is exactly the kind of conversation we have with HR Directors. No pitch. Thirty minutes.