v2.4.0

Whistleblower Protection (Directive 2019/1937)

The organisation extends its existing whistleblower protection mechanisms under Directive (EU) 2019/1937 to cover AI compliance concerns. This ensures that individuals at every level of the oversight pyramid can report concerns about AI system behaviour, compliance posture, or governance effectiveness without fear of retaliation.

The protection covers concerns about the system’s behaviour (potential harm, discrimination, opacity), the organisation’s compliance processes (inadequate documentation, superficial assessment, ignored non-conformities), and the governance framework itself (suppressed escalations, modified thresholds without approval, inadequate resources). Protection extends to both internal and external reporting. The Legal and Regulatory Advisor ensures the whistleblower framework’s AI extension complies with national implementing legislation in each deployment jurisdiction, as the Directive has been transposed differently across member states.

Key outputs

  • Directive 2019/1937 protection extended to AI compliance concerns
  • Coverage of system behaviour, process, and governance concerns
  • National implementation variations addressed per jurisdiction
  • Module 7 AISDP documentation

Reporting Channels

Four reporting channels are available. Confidential reporting to the AI Governance Lead provides the primary internal pathway. Anonymous reporting through a dedicated channel (hotline, online portal) ensures that individuals who fear identification can still report. Direct reporting to the Internal Audit Assurance Lead bypasses the AI Governance Lead, covering concerns about the Lead’s own conduct. External reporting to the national competent authority provides a pathway outside the organisation entirely.

Each channel is documented, communicated during training, and tested periodically. The organisation logs the use of each channel (without identifying anonymous reporters) to track reporting volume and channel effectiveness.

Key outputs

  • Four reporting channels (confidential, anonymous, internal audit, external NCA)
  • Documented and communicated during training
  • Periodic testing of channel functionality
  • Volume tracking without anonymous reporter identification

Cultural Reinforcement

Formal policies are necessary but insufficient. The organisation actively cultivates a culture in which AI concern reporting is valued. This means leadership publicly acknowledging and responding to reported concerns, recognising individuals who identify genuine problems, including AI concern reporting in performance evaluation criteria (positively, not punitively), and conducting regular training that normalises concern reporting as a professional responsibility.

Cultural reinforcement is the difference between a compliance framework that exists on paper and one that functions in practice. An operator who observes harmful system behaviour must believe, based on experience and organisational signals, that reporting the concern will be welcomed rather than resented.

Key outputs

  • Leadership acknowledgement and recognition of concern reporting
  • Performance evaluation integration (positive framing)
  • Regular training normalising reporting as professional responsibility
  • Cultural reinforcement as operational effectiveness mechanism

Documented Response to Every Escalation

Every escalation receives a documented response within a defined timeframe. The response addresses the substance of the concern, identifies actions taken or planned, explains the rationale if no action is taken, and confirms that no retaliation has occurred or will occur. The escalation and response are retained in the documentation repository.

Escalations that receive no response, or responses that dismiss the concern without substantive engagement, erode trust in the escalation framework. The quarterly oversight review examines the escalation response rate and quality as governance health indicators.

Key outputs

  • Documented response to every escalation within defined timeframe
  • Substantive engagement with the concern raised
  • Retained in documentation repository
  • Response rate and quality reviewed quarterly

Annual Audit Verification

The Internal Audit Assurance Lead verifies the non-retaliation framework’s effectiveness annually. Verification includes reviewing escalation logs for patterns suggesting suppression, conducting confidential interviews with a sample of oversight pyramid personnel, assessing whether reported concerns received documented responses, and checking for any adverse employment actions following escalation events.

Findings are reported to the audit committee. Deficiencies in the non-retaliation framework represent a systemic risk to the entire oversight programme: if people do not escalate, the oversight pyramid fails from the bottom up.

Key outputs

  • Annual audit of non-retaliation framework effectiveness
  • Confidential interviews with oversight pyramid personnel
  • Escalation pattern analysis for suppression indicators
  • Audit committee reporting