New regulation on whistleblowing in Italy: the role of the Supervisory Body and coordination with internal group reporting channels

Tuesday 22 August 2023

Letizia Catalano
RP Legal & Tax, Milan 


Piero Magri 
RP Legal & Tax, Milan


On 9 March 2023, the Council of Ministers approved Legislative Decree 24/2023, which transposes the European Union Directive on the ‘Protection of individuals who report violations of EU regulations’ into Italian law.

With this Decree, the Italian Government aims to strengthen the legal protection of individuals who report violations of national or European regulatory provisions that harm the interests of the entity to which they belong.

This Italian legislation has a significant impact on the current reporting channels adopted by companies, as it provides detailed requirements for internal reporting channels (‘whistleblowing’) to comply with the new legislation.

Among the violations subject to reporting, the Decree provides a broad range of behaviours, acts or omissions, which harm the public interest or the integrity of the public administration or a private entity. These violations may consist of administrative, accounting, civil or criminal offences, acts or omissions that harm the financial interests of the EU and/or pertain to the internal market – therefore, not only conduct relevant under Legislative Decree 231/2001 or violations of Model 231. Consequently, at first it will be necessary to assess the extent of what can be validly reported through the implemented channels.

Furthermore, the protection of whistleblowers is extended to individuals connected to the organisation (self-employed workers, consultants, volunteers, trainees, etc). Therefore, companies will need to allow external individuals to make reports and publish instructions and procedures for managing these reports on their websites.

According to the Decree, the management of the whistleblowing channel should be entrusted to an internal person or an independent internal office of the entity. Alternatively, it can be assigned to a specially trained and independent external person (for entities with less than 50 employees, the channel may be shared). Consequently, companies must define who will be responsible for managing the internal whistleblowing channel.

Reports can be submitted in written form (using informatic tools) or orally (via call lines, messaging and face-to-face meetings). Accordingly, it will be necessary to consider adopting an encryption-based informatic tool and provide the option of making oral reports through interviews with the individual or team managing the reporting channel.

The Decree also establishes the following obligations for handling reports:

  1. Ensuring confidentiality of the reporter’s identity, the person involved in the report, and the content of the report.
  2. The people handling the report must:
  • issue an acknowledgement of receipt to the reporter within seven days;
  • maintain communication with the reporter and request additional information when necessary;
  • follow up on the report and provide feedback within three months from the acknowledgement of receipt or, if not provided, within three months from the expiration of the initial seven-day submission period;
  • provide clear information on internal and external reporting channels, procedures and requirements.

In some specific cases, whistleblowing reports can also be made to an external channel (ANAC), for instance, if the legal entity has not implemented an internal channel or has implemented a non-compliant one.

Confidentiality obligations are defined in Article 12 and subsequent articles of the Decree, which aim to clarify doubts related to previous regulations. Notably:

  • reports should not be used beyond what is necessary to follow up on them;
  • the identity of people involved in the reports is protected;
  • whistleblowers who make use of public disclosure systems in the media are also protected, subject to the conditions stipulated in the Decree;
  • protection is also extended to reports or complaints made to judicial or accounting authorities or through anonymous public disclosures if the person is subsequently identified and retaliated against; and
  • reports and related documentation must be retained for the time strictly necessary to process the report, but no longer than five years from the date of the of the final outcome communication.

The provisions of the Decree will take effect from 15 July 2023, except for private-sector entities that employed an average of no more than 249 employees in the last year, for which the provisions will take effect from 17 December 2023.

Companies must promptly update their procedures and ensure their proper dissemination to internal staff and external consultants/suppliers. Additionally, companies should organise training courses for workers and include appropriate contractual clauses in agreements with third parties.

In conclusion, companies in Italy need to update their internal whistleblowing procedures in order to incorporate the indications provided by the Decree and assess the impact on privacy regulations of the tools adopted for managing whistleblowing channels.

It is important to note that failure to comply with the provisions of the Decree or the adoption of non-compliant procedures may result in sanctions ranging from €10,000 up to €50,000.

Currently, two important practical issues in Italy are the identification of the entity responsible for managing the reports and the coordination with the Supervisory Body.

For smaller companies, it is suggested that the Supervisory Body provided for by Decree 231/2001 manage the whistleblowing channels. However, for larger companies (more than 250 employees), an internal function (Internal Audit) or an external consultant is recommended to manage the channel cooperation with the Supervisory Body provided for by the Decree 231/2001.

For multinational companies, coordination with internal regulations, such as an ‘open reporting system’ or a ‘speak up channel’, that have already been implemented poses a challenge.

Therefore, on the one hand it is necessary to empower and adapt the internal channel to comply with the new local legislation and, on the other hand, although a group reporting system may already be in place, it will not be sufficient to guarantee full compliance with Decree 24/2023.