marketude Camillo Campli, Contenzioso, Diritto Europeo e della Concorrenza, Jacopo Piemonte, Matteo Bilei, Prospettive, Protezione dei Dati e Cybersecurity, Pubblicazioni

By way of the Decree No. 24/2023 (“Decree”), Italy has transposed into law the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of union law into various jurisdictions.

The purpose of the Decree is to safeguard individuals who report breaches of certain national or European Union laws (which came to their knowledge in the work context) that may jeopardize the public interest, the integrity of public administration or of a private entity[1].

Already in July 2023, the National Anti-Corruption Authority (“ANAC”) had published guidelines focused on the submission of the external reports in accordance with the Decree (“ANAC Guidelines”).

While it now approaches the last deadline for the compliance to the Decree (i.e., 17 December 2023, see below point 2), the main association representing manufacturing and service companies in Italy (“Confindustria”) has now published on 30 October 2023 guidelines for the implementation of the Decree in the private sector[2] (“Confindustria Guidelines“).

The indications therein contained are very useful in clarifying aspects, including those of an operational nature, on which the Decree was silent.

In this article, we will provide an overview of the Decree, as now better clarified by the Confindustria Guidelines, focusing especially on the obligations laying on the private entities[3].


In the Decree it is provided that the following private entities are required to comply with the new whistleblowing rules[4]:

    • private entities which have employed an average of 50 or more workers with permanent or fixed-term employment contract;
    • regardless of the number of workers employed, private entities dealing in sectors such as “… financial services, products and markets, and prevention of money laundering and terrorist financing …”, “… transport safety” and “protection of the environment …” (listed in a specific annex of the Decree);
    • regardless of the number of workers employed, private entities which have adopted an organizational model pursuant to Legislative Decree 231/2001 (“Model 231”)[5].

The Decree took effect on 15 July 2023 for employers with an average of at least 250 employees in the year 2022[6]

For companies that had an average of up to 249 employees in 2022 the main obligation provided by the Decree to set up internal reporting channels (see below point 5.1) will have to be implemented by 17 December 2023[7].


In the first place, below we will assess who are the protected individuals and what is the protected reporting under the Decree.

    • The protected individuals

It is noted that the Decree notably expands the scope of protected individuals when there is a reporting.
In particular, the Decree grants legal protection to[8]:

      • the whistleblower (the category of individuals entitled to make a whistleblowing report is extensive and encompasses candidates for employment, current employees, former employees, trainees, shareholders, members of corporate bodies, consultants and professionals, as well as employees or consultants of contractors);
      • persons supporting and helping the whistleblower in its reporting (so called “facilitators”);
      • work colleagues or relatives of the whistleblower;
      • entities owned by the whistleblower or operating in the same work environment as the whistleblower;
      • entities owned by the whistleblower or entities for which the whistleblower works[9].
    • The protected reporting[10]

The reporting of information is covered by the Decree when it pertains to violations that harm public interests or the integrity of companies. In the Decree it is prescribed that[11]:

      • whistleblowers can report breaches pertaining to a very broad perimeter of matters (administrative, accounting, civil or criminal offenses, as well as to certain specified laws such as financial services, money laundering, environment, public health, etc.);
      • in companies that have adopted Model 231 whistleblowers can report breaches of Model 231 and related laws (e., offenses or attempted offenses). In this regard, it is noted that Legislative Decree 231/2001 makes specific reference to a broad category of crimes for which a company may be liable expanding thus the object of the reporting quite significantly.

Hereinbelow, we will now look at the duties imposed to the companies based on the Decree.

    • The duty to establish an internal channel of reporting[12]

The employers are mandated to establish internal reporting channels (following consultations with the internal representatives of the workers or with the trade unions)[13]. The management of the reporting channel shall be entrusted: (i) either to an individual or to an autonomous internal office dedicated to it, with personnel specifically trained for the management of the reporting channel; or (ii) to an external entity, also autonomous and with personnel specifically trained.

The internal reporting channel must allow individuals to:

      • submit reports in writing, which can include using online platforms. In this respect, the company shall abide with: (i)provisions promoting, inter alia, the utilization of encryption tools to safeguard the confidentiality of the communications[14]; and (ii) the obligation to process personal data in compliance with the GDPR[15];
      • make oral reports, utilizing methods such as telephone lines or voice messaging systems;
      • request a face-to-face meeting for reporting if the whistleblower prefers this option.

In any case, it is imperative that: (i) the internal channels ensure the confidentiality of the identity of the whistleblower, the person involved, and the person mentioned in the report, as well as the content of the report and its related documentation; (ii)the company provides clear information on the operation of the channel to all the stakeholders[16] setting thus up whistleblowing procedures.

    • Management of the reports at the Group level

We note that the Decree limits to prescribe that employers with less than 250 employees can share the same internal reporting channels[17].

On the other hand, the Decree does not provide any guidance regarding the possibility to share channels within corporate groups[18].

The recently published Confindustria Guidelines[19], which also take into consideration the ANAC Guidelines, provide useful indications/instructions in this regard taking note that the Groups may have an interest in sharing the same channel of reporting.

In this regard, the following two possibilities seem to be endorsed:

      1. a first solution could be to adopt a unique IT platform, with a decentralized management at the level of the individual subsidiary company. In such cases, group companies would allow the whistleblowers, once logged in the IT platform, to select the company where they work and to which they intend to report. In this way, the appropriate office in the selected company could initiate the process and handle the report;
      2. a second solution could be to entrust the parent company, as a third party with respect to the subsidiaries, with the activities related to the handling of the reports. In this case, in addition to the use of a unique IT platform (possibly, with dedicated and segregated channels for each company) set up by the parent company, each subsidiary may entrust, with specific service contracts, the management of the reporting channel to the parent company itself.

However, we note that there are still some interpretative doubts on such topics. It shall thus be carried out a case-by-case analysis.

    • The duty to follow-up

The Decree introduces a specific obligation to effectively handle and follow-up on reports. The subject designated to receive and manage reports through the internal reporting channel is entrusted, inter alia, with the following obligations[20]:

      • promptly acknowledge the receipt of the report to the reporting person within seven days of receiving it;
      • maintain ongoing communication with the reporting person and, if necessary, request additional information;
      • thoroughly investigate the report to assess the veracity of the reported facts and take any necessary corrective actions;
      • provide feedback to the reporting person within three months from the date of acknowledgment of receipt. If no acknowledgment was sent to the reporting person, the feedback should be provided within three months from the end of the seven-day period following the submission of the report[21].



The whistleblowers and the other connected individuals mentioned in paragraph 4.1 above are entitled to certain protections under the Decree[23].

In particular:

    • any action taken by the employer against them (such as dismissal or changing of work location) is automatically considered retaliation and is null and void unless the employer can prove in court that the action was entirely unrelated to the whistleblowing. This represents a complete shift of the burden of proof to the employer;
    • there is an exclusion of liability for defamation, copyright infringement, breach of confidentiality obligations, violation of data protection laws, disclosure of trade secrets for the whistleblower to the extent he/she has reasonable grounds to believe that the disclosure of information (giving rise to the above breaches) is necessary to report a violation and he/she acts in compliance with the Decree[24];
    • the identity of whistleblowers should generally remain confidential, even in disciplinary proceedings against accused individuals based on the whistleblowing report[25]. On the other hand, if the knowledge of the identity of the reporting person is essential for the defense of the accused individual, the report shall only be usable for disciplinary proceedings with the express consent of the reporting person for the disclosure of his/her own identity[26].

The protective measures provided above are not granted when a criminal or civil court has determined that the reporting person, either intentionally or with gross negligence, made a false or unfounded report[27].


The Decree provides that the ANAC may apply administrative sanctions in case of:

    • adoption of retaliatory measures or acts aimed at breaching the confidentiality of the identity of the reporting person or aimed at hindering the reporting (with a fine ranging from Euro 10,000 to Euro 50,000); or
    • failure to implement the internal reporting channels in compliance with the Decree and/or failure to adopt the relevant procedures (with a fine ranging from Euro 10,000 to Euro 50,000).

Based on all the above, the steps which shall be complied with to ensure compliance with the Decree by 17 December 2023 are the following:

    1. Assessment of existing reporting channels
      In the first place, it will be necessary to assess the current reporting channels and procedures (if any) to ensure to which extent they may be considered in line with the Decree’s requirements.
    2. Introduction of Internal Reporting Channels compliant to the Decree and the GDPR
      Subject to the assessment made under point A. above, it will be necessary to introduce internal reporting channels compliant with the Decree and the GDPR and set the relevant procedures.

    3. Consultation with the internal representatives of the workers or with the trade unions
      In the frame of the actions sub A) and B) it will be necessary to inform the internal representatives of the workers or the trade unions about the need to create new reporting channels or enhance existing ones in compliance with the Decree.

    4. Update of the Organization, management and control model adopted pursuant to Italian Legislative Decree no. 231 of 2001 (if any)
      In cases where companies have adopted Organization, management and control models in accordance with Legislative Decree no. 231 of 2001, it will be necessary to update, also in light of the previous steps, the requirements/prescriptions contained in the models, especially in order to include the rules related to the internal reporting channels (and related safeguards).

Scarica l’articolo

[1] See article 1(1) of the Decree.


[3] This article will not deal with the aspects of the Decree related to the GDPR. We will publish soon another contribution entirely focused on such matter.

[4] See article 3(2) of the Decree.

[5] For the purposes of calculating the average annual number of workers employed, in order to determine whether the threshold set forth in the Decree is exceeded or not, reference should be made to the last calendar year preceding the current one, except for newly established companies, for which the current year (i.e., 2023) is considered. Therefore, for companies other than newly established ones, upon first application, it will be necessary to refer to the average annual number of workers employed as of 31 December 2022, and then, for subsequent years, the previous calendar year’s computation should be considered, again as of 31 December. See paragraph 1 of the Confindustria guidelines “NUOVA DISCIPLINA “WHISTLEBLOWING” GUIDA OPERATIVA PER GLI ENTI PRIVATI” (, and paragraph 1.3 of the ANAC guidelines approved on 12 July 2023 (

[6] See article 24(1) of the Decree.

[7] See article 24(2) of the Decree.

[8] See article 3(3) of the Decree.

[9] The protection measures also applies if reporting occurs in the following cases:

  • when the employment (or similar/respective) relationship has not yet begun, if information about violations was acquired during the selection process or other pre-contractual stages;
  • during the probationary period;
  • after the termination of the relationship if information on violations was acquired during the course of the relationship.

[10] From the scope of the Decree, are excluded reports:

  • related to a personal interest of the whistleblower (e., pertaining to working relationships with hierarchically subordinate figures);
  • related to matters of national security and defense;
  • related to violations already regulated on a mandatory basis in certain special sectors, to which ad hoc reporting regulations therefore continue to apply.

The measures set forth in the Decree for the protection of the whistleblower will not apply in case the reporting falls within the abovementioned cases.

[11] See article 3(2) of the Decree.

[12] Please also note that, following the changes introduced by the recent Decree, it is provided directly in Legislative Decree no. 231 of 2001 (see article 6) that the Organizational, management and control Models, provided for in the regulation, must include internal reporting channels (in the manner prescribed by the Decree), the prohibition of retaliation against the whistleblower and the relevant requirements of the disciplinary system.

[13] See article 4 of the Decree.

[14] See the ANAC guidelines approved on 12 July 2023

[15] See article 13 of the Decree.

[16] It is worth noting that whistleblowers can report to public authorities through so called external channels if one or more of the following conditions are met:

  • internal reporting channels do not exist, are inactive, or do not comply with the Decree;
  • whistleblowers have previously reported internally, but there has been no timely follow-up;
  • whistleblowers have reasonable grounds to believe that an internal report would not be effectively followed up or could lead to retaliation risks;
  • the breach represents an immediate and clear danger to public interests.

The ANAC is responsible for implementing and managing an external reporting channel that complies with the Decree’s requirements.

In addition, whistleblowers can make information publicly available with a public disclosure under the following circumstances:

  • whistleblowers have already reported internally or externally, but no timely feedback has been received;
  • whistleblowers have reasonable grounds to believe that the breach poses an immediate and clear danger to public interests;
  • there are concerns that other reporting channels may result in retaliation or may not be effectively followed-up, given the specific circumstances of the case.

[17] See article 4(4) of the Decree.

[18] See G.Cossu, “Il diritto a segnalare: la nuova normativa in materia whistleblowing: il Decreto Legislativo 10 marzo 2023, n. 24”, in LavorodirittiEuropa, Rivista di diritto del lavoro, 2/2023.

[19] See paragraphs 3 and 5 of the Confindustria guidelines “NUOVA DISCIPLINA “WHISTLEBLOWING” GUIDA OPERATIVA PER GLI ENTI PRIVATI” (,

[20] See article 5 of the Decree.

[21] In this regard, it shall be clarified the following:

  • the abovementioned obligations apply after the subject designated with the management of the reports has verified the existence of the subjective and objective limits set in the Decree (namely, that the whistleblower is a person entitled to make the report, and that the subject of the report falls within the scope of application of the Decree);
  • once it has been verified that the report falls within the subjective and objective scope of the Decree, it is also necessary to assess the circumstances of time and place in which the facts occurred, including, the manner in which the whistleblower became aware of the facts and the details or other elements that may enable the identification of the person to whom the facts are attributed;
  • in the event that these circumstances are not indicated or otherwise obtainable from the report, the report could be deemed inadmissible. In particular, the report may be affected by: (i) lack of the data that constitute the essential elements of the report; (ii) manifest absence of the factual elements referrable to the relevant violations; (iii) generic exposition of facts or contents such that they do not allow the understanding of the report; (iv) filing of documentation without actual reporting of violations.

[22] See articles 16-20 of the Decree.

[23] This provided that the following conditions are met:

  • at the time of making the report, the whistleblower must have had reasonable grounds to believe that the reported information was both true and within the scope of the Decree.
  • The report must have been made through the designated reporting channels in accordance with the Decree.

[24] See article 20(1) of the Decree.

[25] See article 12(5) of the Decree.

[26] See article 12(5) of the Decree.

[27] See article 16(3) of the Decree.

[28] See article 21 of the Decree.