HinSchG Updates 2024–2026: What Has Actually Changed?

1. Anonymous Reports Mandatory Since 01.01.2025

Effective 01.01.2025, Section 16(1) sentence 4 HinSchG (in conjunction with Section 42) requires employers to process anonymous reports. Both ends must work: an anonymous intake channel (e.g. anonymous web form, hotline without caller-ID) and an anonymous return channel for follow-up dialog (postbox, anonymous chat thread). Most common practitioner finding: anonymous return channel non-functional in many implementations.

2. HinSchGOWiZustV — BfJ Central Penalty Authority (09.04.2025)

The HinSchG Administrative Offences Jurisdiction Regulation (HinSchGOWiZustV), BGBl. 2025 I No. 111, in force since 09.04.2025, designates the Federal Office of Justice (BfJ) as the central authority for HinSchG fines. Previously: state-level allocation. Practical effect: violations of Section 12 (no reporting channel), Section 8 (confidentiality) or Section 36 (retaliation) are now centrally prosecuted nationwide — higher visibility of enforcement practice.

3. EU Infringement Procedure INFR(2024)0157 on Section 14 HinSchG

The European Commission opened infringement procedure INFR(2024)0157 against Germany in 2024. The point of dispute: Section 14 HinSchG — Germany's group outsourcing model (parent or sister company hosting the internal reporting channel for subsidiaries) is alleged to violate EU Whistleblower Directive 2019/1937, which requires every legal entity at or above 50 employees to maintain its own reporting channel. Status (02.05.2026): open — no amendment to German HinSchG yet. Group compliance officers should use hybrid models (subsidiary keeps its own channel plus the group channel as a third-party option) rather than pure group outsourcing.

4. Section 40 — Halved Fine Ceiling Compared to the Draft

During the legislative process, Section 40 HinSchG was tightened down on enactment in 2023: EUR 50,000 instead of the previously discussed EUR 100,000 as the maximum fine per natural person for retaliation (Section 36) and intentional confidentiality breach (Section 8(1)). The 10x multiplier for legal entities under Section 30(2) sentence 3 of the German Administrative Offences Act (OWiG) remains — corporate maximum thus EUR 500,000. Fine for failure to set up a reporting channel (Section 12): EUR 20,000 (natural) / EUR 200,000 (legal). Negligent confidentiality breach: EUR 10,000 (natural). Source: Section 40 HinSchG, gesetze-im-internet.de/hinschg.

5. Limitation Period: 3 Years

Limitation period for HinSchG administrative offences: 3 years (Section 31 OWiG). Practical consequence: retention concepts should cover at least 3 years — aligned with the Section 11 HinSchG retention period for case files.

6. Clarification: There is No "2026 Amendment" with Audit Obligation

For a structured voluntary self-review: 12-point effectiveness self-review for compliance officers.

Summary

HinSchG enforcement matured in 2024–2026: anonymous reports became mandatory, the BfJ became the central penalty authority, the EU pushed back on Germany's group outsourcing model, and the fine ceiling was clarified at EUR 50,000 (with the 10x multiplier reaching EUR 500,000 for legal entities). There is no statutory audit obligation — but a documented annual effectiveness self-review is best practice for management reporting and ISO 37301 alignment.

Sources

1. Whistleblower Protection Act (HinSchG), BGBl. 2023 I No. 140, in force since 02.07.2023, gesetze-im-internet.de/hinschg
2. HinSchGOWiZustV — Administrative Offences Jurisdiction Regulation, BGBl. 2025 I No. 111, in force since 09.04.2025
3. Directive (EU) 2019/1937 — EU Whistleblower Directive
4. European Commission infringement procedure INFR(2024)0157
5. Federal Office of Justice (BfJ), bundesjustizamt.de
6. Federal Cartel Office (Bundeskartellamt) — external HinSchG reporting channel under Section 22

View Whistleblower Kit →